Okay, we're back at AWS re:Inforce 2022. My name is Dave Vellante and this is theCUBE. We're here in Boston, home of lobster and chowda, and we're here at the convention center where theCUBE got started in 2010. Shar Koreshi is here, he's a senior manager at Deloitte & Touche LLP, and Merritt Baer is back on theCUBE. Good to see you guys.

Thank you.

Can't keep me away.

Well, we love having you on theCUBE. Shar, set up your role at Deloitte & Touche. What's your swim lane, if you will?

Yeah, sure. I wear a lot of hats. I spend a lot of time in the assurance, the controls, advisory, audit type of role. So I spend a lot of time working with our clients to understand regulatory requirements, compliance requirements, and then controls that they need to have in place in order to address risks, technology risks, and ultimately business risks.

So I like to put forth a premise, you know, when I walk around a show like this and come up with some observations, and I like to share them, and then people like Merritt go, well, you know, maybe, so help me, of course, correct. My epiphany at this event is the cloud is becoming the first line of defense. The CISO at your customers is now the second line of defense. I think audit is maybe the third line of defense. Do you buy that sort of organizational layered approach?

No, because in fact, what we're here to talk about today is Audit Manager, which is integrated, right? Like, if you're doing so, the whole notion of cloud is that we are taking those bottom layers of the stack, right? So the concrete floors up through layer four, the hypervisor, the racks and stacks and HVAC and guards and gates up through the hypervisor, right? Our proprietary hardware Nitro ecosystem, which has security inheritances. Okay, upon that, we are then virtualized, right? And so what we're really talking about is the ways that audit looks different today, that you can reason about what you're doing.
So you're doing infrastructure as code, you can do security as code, you can do compliance as code, and that's the beauty of it. So, like, for better or, in your case, for worse in your analogy, you know, these are integrated. These are woven together and they are, it's an API call. Like, you can...

It's seamless.

It's, like, easy to describe, right? I mean, like, you can command-line knowledge about your resources. You can also reason about it. So, like, this is something that's embedded, for example, in Inspector. You can do network reachability, know whether you have an internet-facing endpoint, which is a PCI requirement, but that'll be dashboarded in your Security Hub. So there's, the cloud is all the stuff we take away that you don't have to deal with, and also all the stuff that we manage on top of it that then you can reason about and augment and take action on.

Okay, so at the same time, you can't automate the audit entirely, right? So, but talk about the challenges of automating and auditing a cloud environment.

Yeah, I mean, when I look at cloud, you know, organizations move to take advantage of cloud characteristics and cloud capabilities, right? So elasticity, scalability is one of them. And, you know, for market conditions, business outcomes, you know, resources expand and contract. And one of the questions that we often get as an auditor is how do you maintain a control environment for resources that weren't there yesterday but are there today? Or that are no longer there and that are there today? So how do you maintain controls and how do you maintain security consistently, uniformly, throughout an audit environment? It's not there. So that's a challenge. Auditors, you know, historically, when you look at the on-prem environment, you have servers that are there. It's a physical box. You can touch it and see it. And if it goes down, then you know it's still there. You can hug it, if you're some people. But it's still there.
But, you know, with cloud, things get torn down that you don't see. So how do you maintain controls? That's one of the challenges.

It sounds like you're describing a CMDB for audit.

Well, I mean, that's an outcome of having, you know, getting good controls, is having a CMDB to keep track and have an inventory of your assets.

But the problem with CMDBs is they're out of date, you know, like, so quickly. Is it different in the cloud world?

Yeah, exactly. I mean, yes, and yes, they are out of date. 'Cause, like, anything static will be manual and imprecise. Like, it's going to be, did John go calculate, like, go count how many servers we have? That's why I was joking about server huggers. Versus, like, virtualizing it. So you put out a call and you know not just whether it exists, but whether it's been patched, whether it's, you know, like, there are ways that we can reason about what we've done, permissioning, pruning, you know, like, and these, by the way, correspond to audit and compliance requirements. And so, yes, we are not, like, there. It's not a click of a, whatever, snap of the fingers, right? It takes work to translate between auditors and us. And it also takes work to have customers understand how they can augment the way that they think about compliance. But a lot of this is just the good stuff that they already need to be doing, right? Knowing internet-facing endpoints or whatever, you know, like, pruning, permissioning. And there's a lot of ways that, you know, Access Analyzer, for example, these are automated reasoning tools that come from our formal reasoning group, automated reasoning group, that's in identity. Like, they, computers can reason about things in ways that are more complex, as long as it can be resolved. It's like Euclidean mathematics. You don't go out and try to count every prime number. We accept the infinitude of primes to be true. If you believe in math, then we can reason about it.
Okay, so I'm hearing that there's a changing landscape in compliance, a shift from a lot of manual work to one that's much more highly automated, maybe not completely integrated and seamless, but working in that direction. Is that right? And maybe you could describe that in a little bit more detail, how that journey has progressed.

I mean, just the fact alone that you have, you know, a lot of services, a lot of companies that are out there that are trying to remove the manual component and to automate things, to make things more efficient so then, you know, developers can develop and we can be more agile. And to do the things that, you know, really what the core competencies are of the business, to remove those manual, you know, components, to take out the human element, and there's a growing need for it. You know, like, we always look at security as, you know, like a second-class citizen. We don't take advantage of, you know, the opportunities that we need to do to maintain controls. So, you know, there's an opportunity here for us to look at and automate compliance, to automate controls and to make things, you know, seamless.

As a fun side benefit, you will actually hopefully have improved your actual security and also retain your workforce, because people don't want to be doing manual processes. You know, they want to be doing stuff that humans are designed for, which is creative thinking, innovation, you know, creating ways to make new pathways instead of just, like, re-walking these roads that a computer can analyze.

You mentioned Audit Manager. What is that? I mean, let's give a plug for the product or the service. What's that all about? What problems does it solve? Let's get into that.

I mean, Audit Manager is a first-of-its-kind service. You're not going to find this offered through any other hyperscaler. It's specifically geared and tailored towards the second line, which is security and compliance, and a third-line function, which is internal audit.
So what is it looking to do and what is it looking to address? Some of those challenges working in a cloud space, working in, if you have a cloud footprint. So, for example, you know, most organizations operate in a multi-account strategy, right? You don't just have one account, but how do you maintain consistency of controls across all your accounts? Audit Manager is a service that can give, you know, kind of that single pane of view to see across your entire landscape, just like a cartographer has a map to see, you know, the entire view of what he's designing. Audit Manager does the same thing, only from a cloud perspective. So there's also other, you know, features and capabilities that Audit Manager is trying to integrate, you know, that present challenges for those in compliance, those in the audit space. So, you know, most companies, organizations that have, you know, not just one framework, like SOC 2 or GDPR, HITRUST, HIPAA, PCI, you know, you can select an industry-accepted framework and evaluate your cloud consumption against, you know, an industry-accepted framework to see where you stand in terms of your control posture, your security hygiene.

And that's exclusive to AWS? Is that what you're saying? You won't find that on any other hyperscaler?

You'll find similarities in other products, but you won't find something that's specifically geared towards the second line and third line. There's also other features and capabilities to collect evidence, which is, I don't see that in the marketplace.

Well, the only reason I ask that is because, you know, everybody has multiple clouds and I would love a, you know, an audit manager that transcends one cloud. Is that possible, or is that something that is just not feasible because of the deltas between clouds?

I mean, anything's possible with the APIs right now, the way that, you know, you have to ingrain it, right?
There's, you know, a feature that was introduced recently for Audit Manager, which was the ability to pull in APIs from third-party sources. So now you're not just looking exclusively at one cloud provider, you're looking at your entire digital ecosystem of services, your tools, your SaaS solutions that you're consuming, to get a full, comprehensive picture of your environment.

So compliance, risk, audit, security, they're like cousins that are all sort of hanging out on the same holiday, but they're different. Like, what, help us understand and squint through those different disciplines.

Yeah, I mean, each of them has, you know, a different role and a hat to wear. So internal audit is more of your independent arm of management, working or reporting directly towards, you know, to the audit committee or to the board to give an independent view on company control and posture. Security and compliance works with management to help design the controls that are intended to prevent or detect or even correct, you know, control breakdowns, you know, those action-verb items, that you want to prevent unauthorized access or you want to restrict changes from making their way into production unless it's approved and documented and tracked, and so on and so forth. So each, you know, these roles, they're very similar, but they're also different in terms of what their function is.

How are customers dealing with regional differences? You mentioned GDPR, different regulations, data sovereignty. What are the global nuances and complexities that cloud brings, and how are you addressing those?

Yeah, Merritt, I don't know if you had any thoughts on that one.

I mean, I think that a lot of what, and this will build off of your response to the sort of Venn diagrams of security and risk and compliance and audit, I think, you know, what we're seeing is that folks care about the same stuff. They care about privacy, they care about security, they care about incentivizing best practices.
The form that that takes when it's a compliance framework is, by definition, a little bit static over time, whereas security tends to be more quickly evolving, with standards that are, like, industry standards. And so I think one of the things that, you know, all these compliance frameworks have in mind is to go after those best practices. The forms that they take may take different forms, you know what I mean? And so I see them as hopeful in the motivation sense, that we are helping entities get the wherewithal they need to grow up or mature or get even more security-minded. I think there are times that they feel a little clunky, but, you know, that's just frank.

Yeah. Can Audit Manager sort of help me solve that problem? Is that the intent? And I see what you're saying, Merritt, that security is at a different pace than, you know, a GDPR, a privacy, you know, a personal idea.

Right, I mean, like, security says we want this outcome. We want to have, you know, data be protected. The compliance may say it must be this particular encryption standard, you know what I mean? Like, the form I see things taking over time will evolve and feels dynamic. Whereas I think that sometimes when we think about compliance, and it's exactly why we need stuff like Audit Manager, it's to, like, help manage exactly what articulation of that are we getting in this place at this time for this regulated industry. And, like, almost every customer I have is regulated. If you're doing business, you're probably in PCI, right? And there's never just one silver bullet. So security is a number of things that you're going to do, a number of tools that you're going to have. And it's often the culture and what you develop in your people, your process and technology. So Audit Manager is one of the components of a robust strategy on how to address security. But it's also one of those things where, like, there are very few entities, maybe Deloitte is one, that are, like, built to do compliance.
They're built to do manufacturing, automotive, hospitality, you know, like, they're doing some other industry as their industry, right? And we want to let them have less lag time as they make sure that they can do that core business. And the point is to enable them to move far. I mean, like, sure, I think that folks should move to the cloud because of security, but you don't have to. You should move because it enables your business. And this is one of the ways in which it just, like, minimizes, you know, like, whatever, are tailwinds lagging or push it? Anyway, it pushes you, right? I mean, like, it minimizes the lag.

Definitely tailwind. So are you suggesting, Merritt, that you can inject that industry knowledge and specificity into things like Audit Manager and actually begin to automate that? And of course Deloitte has industry expertise, Shar, but how should we think about that?

I mean, you're going to look at your controls comprehensively across the board. So if you operate in an industry, you're going to look to see, like, what's important for you. What do you have to be mindful of? So if you have data residency concerns, you want to make sure that you've tailored your controls based on the risks that you're addressing. So if there's a framework within Audit Manager.

And remember that you can go in the console and choose what region you're in. You know, like, we never remove your data from your region that you have chosen. You know, like, there's an intentionality and an ability to do this with a click of a mouse or with an API call that's, you know, or with a CloudFormation template that's, like, there is a deliberateness there. There's not just, like, best wishes.

ESG is in scope, I presume. Helping the CISO become more green, more diverse. Increasingly you're seeing ESG reports come out from major organizations. I presume that's part of the compliance, but maybe not, maybe it hasn't seeped in yet. Are you seeing demand for that?

I think it's still a new service.
Audit Manager, it's still, you know, being developed, but, you know, continuous feedback to make sure that, you know, we're covering a broad range of services, and those considerations are definitely in the scope.

Yeah. I mean, are you hearing more of that from clients?

So, I mean, we have an internal commitment to sustainability that has been very publicly announced and that I'm passionate about. We also have some other native tools that probably, you know, are worth mentioning here, like Security Hub, that does, you know, CIS benchmarking and other things that are traffic-lighted in their dashboard. You know, like, there are ways, a lot of this is going to be the ways that we can take what might have been, like, an ugly ETL process and instead take the managed-ness on top of it and consume that and allow your CISO to make high-velocity, high-quality decisions.

What's the relationship between your two firms? How do you work together?

I'm like, we just met. No.

Yeah. I sense that. So, is it, how do you integrate, I guess, is this question?

Yeah. I mean, from the audit perspective, our perspective, working with clients and understanding, you know, their requirements, and then bringing the service, Audit Manager, from the technical aspect, and how we can work together. So we have a few use cases. One, we're working with a tech company who wanted to evaluate, you know, a production workload that had content, you know, critical client information, client data. So they needed to create custom controls. We were working with them to create custom controls, which Audit Manager would evaluate their environment against, which would, you know, there's a reporting aspect of it which was used to, you know, to present to senior leadership. So we were working together with AWS and helping craft what those custom controls were and implement it at the customer.

Yeah. I mean, among other things, Deloitte can help augment work for us.
It can help folks interpret their results when they get outputs and act upon them, and understand industry standards for responsiveness there. I mean, like, it's a way to augment your approach by, you know, bringing in someone who's done this before.

Yeah, cool, cool collaboration on a topic that's generally considered, sorry, don't hate me for saying this, boring, but really important, and the fact that you're automating it makes it a lot more interesting. Guys, thanks. Shar, first time on theCUBE. Thank you for coming on. Merritt, I appreciate it. You're rapidly becoming a VIP. Thanks for coming on.

Hey, I'll take it.

All right, keep it right there.

Thank you.

This is Dave Vellante for theCUBE. You're watching our coverage of AWS re:Inforce 2022 from Boston, and we'll be right back.