Hi everybody, welcome back to Boston. You're watching theCUBE's coverage of re:Inforce 2022. Last time we were here live was 2019. Had a couple years of virtual. Merritt Baer is here. She's with the office of the CISO for AWS. Merritt, welcome back to theCUBE. Good to see you. Thank you for coming on.

Thank you so much. It's good to be back.

Yes, CISO, Chief Information Security Officer, for folks who are acronym-phobic. Yeah. Okay, so what do you do for the office of the, is it CISO or CISO? Ah, whatever. Is it SIM or SIEM?

I work in three areas. So I sit in AWS security and I help us do security. We're a shop that runs on AWS. I empathize with folks who are running shops. It is process driven. It takes hard work. But we believe in certain mechanisms and muscle groups. So, you know, I work on getting those better. Everything from how we do threat intelligence to how we guard real employees and think about vending accounts and those kinds of things. I also work in customer facing interactions. So when a CISO wants to meet AWS's CISO, that's often me. And then the third is product side. So ensuring that everything we deliver, and not just security services, is aligned with security best practices and expectations for our customers.

So I have to ask you right off the bat. So we do a lot of spending surveys. We have a partner, ETR. I look at the data all the time and for some reason, AWS never shows up in the spending metrics. Why do you think that is? Maybe that talks to your strategy. Let's double click on that.

Yeah, so first of all, turn on GuardDuty. Get Shield Advanced for the accounts you need. The 3K is relatively small in a large enterprise. Like, this doesn't mean don't spend on security. There is a lot of goodness that we have to offer in ESS, external security services. But I think one of the unique parts of AWS is that we don't believe that security is something you should buy. It's something that you get from us. 
It's something that we do for you a lot of the time. I mean, this is the definition of the shared responsibility model, right? Everything that you interact with on AWS has been subject to the same rigorous standards. And we, AWS security, have umbrella arms around those, but we also ensure that service teams own the security of their service. So a lot of times when I'm talking to CISOs and I say security teams, or sorry, service teams own the security of their service, they're curious, like, how do they not get frustrated? And the answer is we put in a lot of mechanisms to allow those to go through. So there's automation, there are robots that resolve those trouble tickets, you know, like, and we have MSAs, we call them guardian champions, that are embedded in service teams. At any rate, the point is, I think it's really beautiful, the way that customers who are, you know, enabling services in general benefit from the inheritances that they get. And in some definition, this is like the value proposition of cloud. When we take care of those lower layers of the stack, we're doing everything from the concrete floors, guards and gates, HVAC, you know, in the case of something like AWS Braket, which is our quantum computing, like we're talking about, you know, near vacuum environments. Like these are sometimes really intricate and beautiful ways that we take care of stuff that was otherwise manual and ugly. And then we get up and we get really intricate there too. So I gave a talk this morning about DDoS protection and all the stuff that we're doing where we can see, because of our vantage point, the volume, and that leads us to be a leader in volumetric attack signatures. For example, managed rule sets, like, that costs you nothing, turn on your DNS firewall. Like there are ways that you just, as an AWS customer, you inherit our rigorous standards and you also are able to benefit from the rigor with which we, you know, exact ourselves to really... 
So you're not trying to make it a huge business, at least as part of your portfolio, it's just, it's embedded, it's there, take advantage of each other.

I want everyone to be secure. And I will go to bat to say like, I want you to do it and if money is a blocker, let's talk about that because honestly, we just want to do the right thing by customers and I want customers to use more of our services. I genuinely believe that they are enablers. We have pharma companies that have helped enable, you know, personalized medicine and some of the COVID vaccines. We have, you know, like there are ways that this has mattered to people in really intimate ways and then fun ways, like Formula One. You know, like there are things that allow us to do more and our customers to do more and security should be a way of life. It's a way of breathing. You don't wake up and decide that you're going to bolt it on Monday.

Okay, so we heard CJ Moses' keynote this morning. I presume you were listening in. We heard a lot about, you know, cool tools, you know, threat detection and DevOps and container security, but he didn't explicitly talk about how AWS is simplifying the life of the CISO. So what are you doing in that regard and what's, let's just leave it there for now.

I talk to CISOs every day and I think most of them have two main concerns. One is how to get their organization to grow up, like to understand what security looks like in a cloudy way. And that means that, you know, your logging and monitoring is going to be the forensics. It's not going to be getting into the host. That's on our side, right? And that's a luxury. I think there are elements of the CISO job that have changed, but that even if CJ didn't explicitly call them out, these are beauties, things like least privilege that you can accomplish using Access Analyzer. 
And all these ways that Inspector, for example, does network reachability, and then all of these get piped to Security Hub and there's just ways that make it more accessible than ever to be a CISO and to enable and embolden your people. The second side is how CISOs are thinking about changing their organization. So what are you reporting to the board? How are you thinking about hiring? And on the metrics side, I would say, you know, being, and I get a lot of questions that are like, how do we exhibit a culture of security? And my answer is, you do it. You just start doing it. You make it so that your VPs have to answer trouble tickets. And I don't mean literally like every trouble ticket, but I mean they are, 100% of executives will say that they care about security, but so what? Like, you know, set up your organization to be responsive to security and to have to answer to them because it matters and notice that, because a non-decision is a decision. And the other side is workforce, right? And I think I see a lot of promise, some of it unfulfilled, in folks being hired who look different than traditional security folks and act different, and maybe a first grade teacher or an architect or an artist, and who don't consider themselves like particularly technical. Like the gorgeousness of cloud is that you can, one, teach yourself this. I mean, I didn't go to school for computer science. Like this is the kind of thing we all had to teach ourselves, but also you can abstract on top of stuff. So you're not writing code every day necessarily, although if you are, that's awesome. And we love dev folks. But you know, there's a lot of ways in which the machine of the security organization is adjusting. I think CJ was, to answer your question pointedly, I think CJ was trying to be really responsive to like all the stuff we're giving you, all the goodness, all the sprinkles on your cupcake. 
Not all the organizational stuff that is kind of like, you know, the good stuff that we know we need to get into.

So I think, so you're saying it's inherent. It's inherently helping the CISO, her life, his life become less complex. And I feel like the cloud, you said the customers are trying to make their security more cloudy. So I feel like the cloud has become the first line of the defense. Now the CISO, your customer CISO is the second line of defense. Maybe the audit is the third line. What does that mean for the role of the CISO? How does that, they become a compliance officer? What does that mean?

No, no. I think actually increasingly they are married or marriable. So when you're doing, so for example, if you are embracing ephemeral and immutable infrastructure, then we're talking about using something like CloudFormation or Terraform to vend environments and being able to use Control Tower and AWS Organizations to dictate truisms through your environment. There are ways that you are basically in golden AMIs and you can come back to a known good state. You can embrace that kind of cloudiness that allows you to get good, to refine, to kill it and spin up a new infrastructure. And that means though that your IT and your security will be woven in in a really lovely way, but in a way that contradicts certain existing structures. And I think one of the beauties is that your compliance can then wake up with it, right? Your Audit Manager and your Security Hub and other folks that do compliance as code. So Inspector, for example, has tooling that can, without sending a single packet over the network, do network reachability, so they can tell whether you have an internet-facing endpoint. Well, that's a PCI standard. But that's also a security truism. You shouldn't have internet-facing endpoints you don't approve of. So these are, I think these can go hand in hand. 
There are certainly, I don't know that I totally disregard a defense in depth notion, but I don't think that it's linear in that way. I think it's like circular, that we hope that these mechanisms work together, that we also know that they should speak to each other and be augmented and aware of one another. So an example of this would be that we don't just do perimeter detection, we do identity-based fine-grained controls and that those are listening to and reasoned about using tooling that we can do using security.

Yeah, we heard a lot about reasoning as well, but I want to ask about zero trust. Like AWS I think resisted using that term. The industry, it was a buzzword before the pandemic. Probably more buzzy now. Although in a way it's a mandate depending on how you look at it. So I mean, anything that's not explicitly allowed is denied in your world and you have tools and...

I mean, that's a definition. If it's a deny that overrides an allow. If it's a deny call that will override an allow. Yeah, that's true. Although, anyway, finish your question.

Yeah, yeah, so my, it's like if there's doubt, there's no doubt, it seems. But you have a lot of capabilities. Seems to me that this is how you apply AWS internal security and bring that to your customers. Do customers talk to you about zero trust? Are they trying to implement zero trust? What's the best way for them to do that when they don't have, they have a lack of talent. They don't have the skill sets and the knowledge that AWS has. What are you hearing from customers in that regard?

Yeah, that's a really nuanced phrasing, which I appreciate because I think, so I think you're right. Zero trust is a term that like means everything and nothing. I mean, like this, this notebook is zero trust. Like no internet comes in or out of it. Like congratulations, you also can't do business on it, right? You do a lot of business on this one. You know what I mean? You can't transact something to other folks. 
And if I lose it, I'm screwed.

Yeah, exactly. I usually have a water bottle or something that's even more inanimate than your notebook. But I guess my point is I don't think that the term zero trust is a truism. I think it's a conceptual framework, right? And the idea is that we want to make it so that someone's position in the network is agnostic to their permissioning. So whereas in the olden days, like a decade ago, we might have assumed that when you're in the perimeter, you just accept everything. That's no longer the right way to think about it. And frankly, like COVID and work from home may have accelerated this, but this was ripe to be accelerated anyway. What we are thinking about is both, like you said, under the network. So like the network layer, are we talking about machine to machine? Are we talking about, like, you know, every API call goes over the open internet with no inherent assurances? Or human to app. It's protected by SigV4. You know, like there is an inherent zero trust case that we have always built. This goes back to a Jeff Bezos mandate from 2002 that everything be an API call. That is again this kind of like building security into it. When we say security is job zero, it not only reflects the fact that like when you build a Terraform or a CloudFormation template, you better have permissioned things appropriately or try to, but also that like there is no cloud without security considerations. You don't get to just bolt something on after the fact. So that being said, now that we embrace that and we can reason about it and we can use tools like Access Analyzer, you know, we're also talking about zero trust in that, like I said, augmentation, identity centric, fine grained controls. So an example of this would be a VPC endpoint policy where it is, the perimeter is that long live, the perimeter, right? 
You'll have your traditional perimeter, your VPC or your VPN, augmented by and aware of the fine grained identity centric ones, which you can also reason about, prune down, continuously monitor and so on. And that'll also help you with your logging and monitoring because you know what your ingress and egress points are.

How concerned should people be with quantum messing up all the encryption algos that we've created, right? Okay, so we heard about this in the keynote, right? So is it just the quantum so far off by the time we get there? Is it like a Y2K? You're probably not old enough to remember Y2K, but Y2K moment, right? I mean.

I can't take you anywhere.

How should we be thinking about quantum in the context of security and.

Sure, yeah, I mean, I think we should be thinking about quantum in a lot of dimensions as operationally interesting and how we can leverage. I think we should be thinking about it in the security future. For right now, AES-256 is something that is not broken. So we shouldn't try to fix it. Yeah, cool. Encrypt all the things that you can do it natively. You know, like I love talking about quantum, but it's more of an aspirational and also like we can be doing high power compute to solve problems, you know, but like for it to get to a security, potentially vulnerable state or like something that we should worry about is a bit off.

Yeah. It's show me an application that can actually run stable.

Yeah, and I mean, and I think at that point we're talking about homomorphic and personal, another thing.

I kind of feel the same way is that, you know, there's a lot of hype around it. A lot of IBM talks about it a lot. You guys talked about it in your keynote today. And when I really talk to people who understand this stuff, it seems like it's a long, long way off.

I don't think it's a long, long way off, but everything is dog years in tech world. But for today, you know, like for today, encrypt your stuff, we will always keep our encryption up to standard. 
And, you know, that will be for now, like the industry grade standard that folks, I mean, like I have never heard of a case where someone had their KMS keys broken into.

I always ask like awesome security people this question. Did you, like how'd you get into this? Did you have like, did you have a favorite superhero as a kid that was going to save the world?

I was always the kid who probably would have picked up a book about the CIA and I like find this in here. I don't remember who I was before I was a security person. But I also think that as a woman from an American Indian family walking through the world, I think about the relationship between dynamics with the government and companies and individuals and how we want to construct those and the need for voices that are observant of the ways that those interplay. And I always saw this as a field where we can do a lot of good.

Yeah, amazing. Merritt, thanks so much for coming to theCUBE. You're a great guest. John said you would be. Really appreciate your time.

Of course. Thank you for having me.

You're very welcome. Keep it right there. This is Dave Vellante for theCUBE. We'll bring you right back at AWS re:Inforce 2022 from Boston. Be right there.