Live from Las Vegas, it's theCUBE! Covering AWS re:Invent 2019. Brought to you by Amazon Web Services and Intel, along with its ecosystem partners.

Okay, welcome back everyone. CUBE coverage, Las Vegas live action, AWS re:Invent 2019. Third day of a massive show. We're in our seventh year of the eight years of documenting the history and the rise and the changing landscape of the business. I'm John Furrier, Stu Miniman, my co-host, our next guest, Bill McGee, senior vice president, general manager of the Hybrid Cloud Security Group within Trend Micro. Sold this company to those guys, now lead executive of the Cloud. Hybrid Cloud Security, you got Hybrid in there. Welcome to theCUBE.

And I've been to every re:Invent, every single one.

Congratulations, welcome to theCUBE.

Thank you, nice to be here.

So eight years, what's changed in your mind real quick?

Wow, yeah, certainly the amount of adoption is now massive, mainstream. You don't have the question, should I go to the cloud? It's all about how and how much. Probably the biggest change we've seen is how it's really being embraced all around the world. We're a global company. We saw initially a US and Australia type focus, UK. Now it's all over the place. And so really relevant everywhere.

Oh Bill, at least from my standpoint, and I have enough friends of mine in the security industry. When we first started coming to the show, I mean, security was here. But security is not only, is so front and center in the discussion of cloud that they had all show for it here. So, you know, give us the 2019 view of security inside the broader hybrid cloud discussion here at re:Invent.

Sure, let me tell you a couple of things. Kind of what we're seeing within our customer base and then what matters from a security perspective. So we see some organizations doing cloud migration, moving workloads to the cloud of various forms. Had a couple meetings yesterday. One was called evacuating their data center.
The other one was celebrating that two weeks ago they closed their data center. So that's a big step. Windows and Linux workloads moving to the cloud and really changing existing security controls to work better in the cloud. But certainly what a lot of these cloud builders are here for is, you know, developing cloud native applications. And originally, you know, back seven, eight years ago that was on top of what now seem like pretty simple services like S3, EC2. Now you've got containers and serverless and other platforms that people are using. And then the last thing, a lot of companies are establishing a cloud center of excellence and they're trying to optimize their use of the cloud. They still have compliance requirements that they need to achieve. So these are what we see happening and really the challenge for the customer. Okay, how do we secure all this? How do we secure the aggressive, cloud native application development? How do we help a customer achieve compliance easily from a cloud center of excellence? So that's where we see us fitting and we made a big announcement a couple of weeks ago about a new platform that we've created and would love to talk to you a little bit about that as well.

Let's dig into that. But first, when we went to re:Inforce, Amazon's first security conference, Dave Vellante and I were talking about, wow, cloud security versus on-prem security. And then what's happening here is I had a conversation with someone who was close to the CIA, can't say his or her name. And they said cloud has changed again for them because their cost line was pretty much flat but the demand for missions was going scaling. So we're seeing that same dynamic you were referring to it earlier that costs and data standards is kind of flat but the demand for application, new stuff's happening so there's a real increase in demand for apps. This is the real driver of how people are flexing and deploying technology.
So the security becomes really the built-in conversation. Correct. Comment on that dynamic and what do you recommend?

Well, so here's a couple of things we've seen. Really, again, we've been doing cloud security for about a decade and really it was primarily focused on one service of AWS which is EC2. Now that's a pretty darn big service and widely used within their customer base. There's now 170 services I think is the most recent number so the developers are embracing all these new services. We acquired a new capability in October, company called Cloud Conformity based in Sydney, Australia, very focused on AWS, analyzes implementations against the AWS Well-Architected Framework. So the first step we see for customers is you got to get visibility into use of the cloud for the security team. What services are being used? Then can you set up a set of security guardrails to allow those services to be used in a secure manner? Then we help our customers turn to more detailed specialized protection of EC2 or containers or serverless. So that's what we've recognized ourselves. We had to create a very modest version of what Amazon has created themselves which is a platform that allows builders to connect to and choose what security services they want to use.

How broad is your service base? Is it all the services, are you guys now picking and choosing? I can't, it's hard to do all but the main ones, what are the highlights?

Yeah, I'll give you the ones where we provide a very large breadth of protection. So in the what we're calling Cloud One Conformity service, so that's this technology we acquired a couple months ago, it cuts across about 70 services right now and gives you visibility of potential security configuration errors that you have in your environment. Now if it's in a dev team, maybe not such a big deal but if it's in production, that is a big deal. Even better, you can scan your CloudFormation templates on the way to being live.
Then we have a set of specialized protection that will run on a workload and protect it, protect a containerized environment, a library that can sit within a serverless application. So that's kind of how we look at it.

So, Bill, one of the things of going to the more and more cloud for customers is that there's that shared responsibility model. We know that security is everyone's responsibility. It needs to be built in from the ground up. How are your customers doing with that shift and are they understanding what they need to do? There's been some pretty visible like, oh wait, I really had to configure that? I forgot about that and Amazon's trying to close the gap on some but bring us through some of those cases.

We've seen a big positive change over the years. Initially, I would say that there was what I would call a naive perception that the cloud was magic and it was perfectly secure and that I don't have to worry about it, right? Amazon did the industry a real favor by establishing the shared responsibility model and making crystal clear what they've got covered that you don't need to worry about anymore as a customer. And then what are the capabilities you still need to worry about? They've delivered a set of security tools that help their customers and then they rely on partners like us to deliver a set of more in-depth tools to specialized markets.

All right, you actually used a word that we've been talking about a lot this week, naive. So we said there's the one letter difference between being cloud native and being cloud naive there. What does it mean to be cloud native in the security world?

Well, I would say what allows you to be, so first, the most important thing in every customer's mind, I don't care how good the security capabilities you're helping me with. If you're going to slow down the improvements that I've just made to my development lifecycle, I'm not interested.
So that is the most important thing is, are you able to inject your security technology and allow the customer to deliver at the rate that they're currently or continuing to improve? That is by far the most important thing. Then it's are your controls fitting into an environment in a way that are as easy as possible for the customer? One part that's been very critical for us, we've been a lead adopter of the AWS Marketplace, allowing customers to procure security technology easily. They don't actually have to talk to us to buy our product. That's pretty revolutionary.

Talk about the number of breaches that have gone on and what's changed with you guys over the year because new vectors are coming out. There's more surface area obviously that's been discussed. What's changed most in your business?

I'll tell you what we're worried about and what we expect to see. Although I would say the evidence is early. The reality in our traditional data centers, they were so porous at runtime in terms of the infrastructure and vulnerabilities that it was relatively easy for attackers to get in. The cloud has actually improved the level of security because of automation, less configuration errors. Unfortunately, what we expect is attackers to move to the developers, move to the Dev pipeline, injecting code, not at runtime, but injecting it earlier in the life cycle. We've seen evidence of container images up on Docker Hub getting infected and then developers just pulling in without thinking about it. That's where attackers are going to move to the Dev pipeline and we need to move some of our security technology to the Dev pipeline to help customers defend themselves.

What about international geo issues around compliance? How is that changing the game or slowing it down or can you talk about that dynamic? Because they're coming up with regions.

For sure.
The US is the most innovative market and the most risk-taking market and therefore people move to the cloud quite bravely over this decade. Some of the markets, so for example, we're a Japanese headquartered company. In general, Japanese companies really take into a lot of considerations before they make that type of big bet, but now we're seeing it. We're seeing auto manufacturers embrace the cloud. So I think it was a struggle for us in the early days how regional the adoption of cloud was. That's not the case anymore. It's really a relevant conversation in every one of our markets.

Bill, thank you for coming on theCUBE and sharing your insights on hybrid cloud security. I got to ask you to end the segment. What's going on for you this year? Obviously, hybrid's in your title. That's obviously the operating model is cloud, center of gravity, cloud's going to the edge or data center and just the operating model. What's on your mind this year? What are you trying to do to accomplish? What are you excited about?

Yeah, what we're really excited about was this product announcement we made called Cloud One. And what Cloud One is, is a set of security services which customers can access through common access, common billing infrastructure, common cloud account management, and choose what to use. Andy put it pretty well in his keynote where he talked about, he doesn't think of AWS as a Swiss Army knife. He thinks of it as a specialized set of tools that builders get to adopt. We want to create a set of security tools in a similar way where customers can choose which of these specialized security services that they want to adopt.

Bill, great pleasure to meet you and have this conversation. Pro and then security area entrepreneur, sold this company to Trend Micro. This is the hybrid world. It's all about the cloud operating model. It's all about agility and getting things done with application developers. It's theCUBE bringing you all the data from re:Invent.
Stay with us for more coverage after this short break.