Live from Las Vegas, it's theCUBE, covering AWS re:Invent 2018. Brought to you by Amazon Web Services, Intel, and their ecosystem partners.
Hi everybody, welcome back to Las Vegas. I'm Dave Vellante with theCUBE. The leader in live tech coverage, this is day three from AWS re:Invent. Hashtag re:Invent 18, amazing. We have four sets here this week, two sets in the main stage. This is day three for us, our sixth year at AWS re:Invent, covering all the innovations. Marcus Strauss is here as a product manager for database security at McAfee. Marcus, welcome.
Hi Dave, thanks very much for having me.
You're very welcome, topic near and dear to my heart, just generally database, security, privacy, compliance, governance, super important topics. But I wonder if we can start with some of the things that you see as an organization, just general challenges in securing database. Why is it important? Why is it hard? What are some of the critical factors?
Most of our customers, one of the biggest challenges they have is the fact that whenever you start migrating databases into the cloud, you inadvertently lose some of the controls that you might have on premise. Things like monitoring the data, things like being able to do real-time access monitoring and real-time data monitoring, which is very, very important regardless of where you are, whether you're in the cloud or on premise. So these are probably really the biggest challenges that we see for customers. And also a point that holds them back a little in terms of being able to move database workloads into the cloud.
I want to make sure I understand that. So you're saying, if I can rephrase and reinterpret and tell me if I'm wrong. You've got, you're saying, you've got great visibility on prem. And you're trying to replicate that degree of visibility in the cloud.
Correct.
It's almost the opposite of what you hear oftentimes in hybrid, people want to bring the cloud model on prem. It's the opposite here.
It's the opposite, yeah. Because traditionally we're very used to monitoring databases on prem, whether that's native auditing, whether that is in memory monitoring, network monitoring, all of these things. But once you take that database workload and push it into the cloud, all of those monitoring capabilities essentially disappear. 'Cause none of that technology was essentially moved over into the cloud, which is, it's a really, really big point for customers. 'Cause they cannot take that and just have a gap in their compliance.
So database discovery is obviously a key step in that process.
Correct.
What is database discovery? Why is it important? And where does it fit?
One of the main challenges most customers have is the ability to know where the data sits. And that begins with knowing where the database and how many databases customers have. Whenever we talk to customers and we ask how many databases are within an organization, generally speaking, the answer is 100, 200, 500. And when the actual scanning happens, very often the surprise is, it's a lot more than what the customer initially thought. And that's because it's so easy to just spin off a database, work with it, and then forget about it. But from a compliance point of view, that means you're now sitting there having data and you're not monitoring it. You're not compliant. You don't even know what exists. So data discovery in terms of database discovery means you've got to be able to find where your database workload is and be able to start monitoring that.
It's interesting, 10 years ago, database was kind of boring. I mean, it was like Oracle, SQL Server, maybe DB2, maybe a couple others, and all of a sudden the NoSQL explosion occurred. So when we talk about moving databases into the cloud, what are you seeing there? Obviously Oracle is the commercial database, market share leader, maybe there's some smaller players. Well, Microsoft SQL Server, obviously, are very big, those are the two big ones.
Are we talking about moving those into the cloud, kind of a lift and shift? Are we talking about conversion? Maybe you could give us some color on that.
I think there's a bit of both, right? A lot of organizations who have proprietary applications that run since many, many years, there's a certain amount of lift and shift, right? Because they don't want to rewrite the applications that run on these databases. But wherever there is a chance for organizations to move into some of their, let's say, more newer database systems, most organizations will take that opportunity because it's easier to scale, it's quicker, it's faster, they get a lot more out of it, and it's obviously commercially more valuable as well, right? So we see quite a big shift around NoSQL, but also some of the open source engines like MySQL, Postgres, Percona, MariaDB, a lot of the other databases that, traditionally within the enterprise space, we probably wouldn't have seen that much in the past, right?
And are you seeing that in a lot of those sort of emerging databases that the attention to security detail is perhaps not as great as it has been in the traditional transaction environment, whether it's Oracle, DB2, even, you know, certainly SQL Server. So talk about that potential issue and how you guys are helping solve that.
One of the big things, and I think it was two years ago, when one of the open source databases got discovered essentially online via some tools, and I'm not going to name names, but the initial default installation had admin as a username and no password, right? And it's very easy to install it that way, but unfortunately it means you potentially leave a very, very big gaping hole open, right? And that's one of the challenges with having open source and easily deployable solutions because Oracle, SQL Server, they don't let you do that that quickly, right? But it might happen with other not as large database instances.
One of the things that McAfee, for instance, does is helps customers make sure that configuration scans are done, so that once you have set up a database instance, that as an organization you can go in and can say, okay, I need to know whether it's up to patch level, whether we have any sort of standard users with standard passwords, whether we have any sort of very weak passwords that are within the database environment, just to make sure that you cover all of those points, but because it's also important from a compliance point of view, right? It brings me always back to the compliance point of view of the organization being the data stewards, the owner of the data, and it has to be our, I suppose, biggest point to protect the data that sits on those databases, right?
Yeah, well there's kind of two sides of the same coin, the security and then compliance, governance, privacy, those edicts, those compliance and governance edicts. I presume your objective is to make sure that those carry over when you move to the cloud. How do you ensure that?
So I suppose the biggest point to make that happen is essentially that you have one set of controls that applies to both environments. It brings us back to the hybrid point, right? Because you've got to be able to reuse and use the same policies and measures and controls that you have on-prem and be able to shift these into the cloud and apply them to the same rigor into the cloud databases as you would have been used to on-prem, right? So that means being able to use the same set of policies, the same set of access control, whether you're on-prem or in the cloud.
Yeah, so I don't know if folks in our audience are today but Werner Vogels gave a really, really detailed overview of Aurora. He went back to 2004 when their Oracle database went down because they were trying to do things that were unnatural, that they were scaling up and they had the global distribution.
But anyway, he talked about how they re-architected their systems and gave inside baseball and Aurora huge emphasis on recovery. So you know, being up, very important to them, data accessibility, obviously security's a big piece of that. You're working with AWS on Aurora and RDS as well. Can you talk specifically about what you're doing there as a partnership?
So AWS has, I think it was two days ago, essentially put the Aurora database activity stream into private preview, which is essentially a way for third-party vendors to be able to read an activity stream of Aurora, enabling McAfee, for instance, to consume that data and bring customers the same level of real-time monitoring to the database as a service world as we're used to on-prem or even in an EC2 environment where it's a lot easier because customers have access to the infrastructure, install things, that's always been a challenge within the database as a service world because that access is not there, right? So customers need to have an ability to get the same level of detail and with the database activity stream and the ability for McAfee to read that, we give customers the same ability with Aurora Postgres at the moment as customers have on-premise with any of the other databases that we support.
So you're bringing your expertise, which is really being able to identify anomalies and squinting through all this noise and identifying the signal that's dangerous and then obviously helping people respond to that, that's what you're enabling through that connection point.
Correct, because for organizations using something like Aurora is a big saving and the scalability that brings comes with it is fantastic, but if I can't have the same level of data control that I have on-premise, it's going to stop me as an organization moving critical data into that because I can't protect it and I have to be able to.
So with this step, it's a great first step into being able to provide that same level of activity monitoring in real time as we're used to on-prem.
Same for RDS, is that pretty much what you're doing there?
It's the same for RDS, yes. There's a certain set level of obviously, we go through before things go into GA, but RDS is part of that program as well, yes.
So I want to be able to step back a little bit and talk about some of the big picture trends in security. You know, we've gone from a world of hacktivists to organized crime, which is very lucrative. So even the state-sponsored terrorism, I think Stuxnet, interesting. You probably can't talk about Stuxnet, but anyway.
Not really.
But conceptually, now the bar is raised and the sophistication goes up. It's an arms race. How are you keeping pace? What role does data have? What's the state of security technology at?
It's very interesting because traditionally, databases, nobody wants to touch the database. We were all very, very good in building walls around and being very perimeter oriented when it comes to data center and all of that. I think that has changed a little bit with the, I suppose the increased focus on the actual data. Since a lot of the legislations have changed since the tread of what of GDPR came in, a lot of companies had to rethink their take on protecting data at source. Because when we start looking at the exfiltration part of data breaches, almost all exfiltration happens essentially out of the database. Of course, it makes sense, right? I mean, I get into the environment through various different other ways, but essentially my main goal is not to see the network traffic. My main goal as any sort of hacker is essentially get onto the data, get that out because that's where the money sits. That's what essentially brings the most money in the open market. So being able to protect that data at source is going to have a lot of companies make sure that that doesn't happen, right?
Now, the other big topic I want to touch on in the minute we have remaining is ransomware. It's a hot topic. People talk about creating air gaps, but even air gaps, you can get through an air gap with a stick or you know. People get through. Your thoughts on ransomware, how are you guys combating that?
There are very specific strains actually developed for databases. They're usually interesting topic, but essentially what it does is it doesn't encrypt the whole database, it encrypts very specific key fields, leaves the public key present for a longer period of time than what we're used to seeing on the endpoint world where it's a lot more like a shotgun approach and somebody is going to pick it up, I'm going to pay the 200, 300, 400 dollars, whatever it is. On the database side, it's a lot more targeted, but generally it's a lot more expensive, right? So that essentially runs for six months, eight months. Make sure that all of the backups are encrypted as well and then the public key gets removed and essentially you have lost access to all of your data. Because even the application that access to data can't talk to the database anymore. So we have put specific controls in place that monitor for changes in the encryption level. So even if only one or two key fields start to get encrypted with a different encryption key, we're able to pick that up and alert you on it and say, hang on, there is something different to what you usually do in terms of your encryption. And that's the first step to stopping that and being able to roll back and bring in a backup and change and start looking where the attacker essentially gained access into the environment.
Marcus, are organizations at the point where they're automating that process or is it still too dangerous?
A lot of it is still too dangerous. Although having said that, we would like to go more into the automation space and I think it's something as an industry we have to.
Because there's so much pressure on any security personnel to follow through and do all of the rules and sift through and find the needle in a haystack. But especially on the database, the risk of automating some of those points is very great because if you make a mistake, you might break a connection or you might break something that's essentially very, very valuable in that state. The crown jewels, the data within the company.
Right, all right, we got to go. Thanks so much.
Thank you very much.
It's a really super important topic. I appreciate all the good work you're doing.
Thanks for having me.
You're very welcome. All right, keep it right there, everybody. You're watching theCUBE, we'll be right back right after this short break from AWS re:Invent 2018 from Las Vegas. We'll be right back.