Live from Boston, Massachusetts, it's theCUBE, covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. Okay, welcome back everyone. It's theCUBE's live coverage here in Boston, Massachusetts for AWS re:Inforce. This is Amazon Web Services' inaugural conference around cloud security, the first of what looks like will be more focused events around deep-dive security. Kind of like a re:Invent for security, but no one's actually saying that; it's not a summit, it's a branded event, re:Inforce. We're here with Mark Ryland, Director, Office of the CISO at AWS. Thanks for coming back. Good to see you. theCUBE alumni? Yeah, I've sat here before. It's fun. We had a great chat at AWS Summit in New York City last year. We were talking about some of these same issues, but now you have a dedicated conference here. And the feedback from the CISOs we've talked to and the partners in the ecosystem is, it's great to have an event where they can go deep-dive on some of the key things that are really, really important to security. Absolutely. And this is really kind of the vibe of how re:Invent started, right? So re:Invent was a similar thing for commercial. You go deep-dive EC2, S3. Here it's deeper on Amazon, but with security. Yeah, a security lens on all those same issues. One thing that happened and kind of signaled to us that we needed an event like this, over the years with re:Invent, was that consistently the security and compliance track became one of the most important tracks; it was oversubscribed, with overflow rooms. Like, hey, there's a signal here, right? And so, but at the same time, we wanted to be able to reach an audience that maybe wouldn't go to re:Invent because they thought, hey, it's all the crazy DevOps guys doing this cloud thing.
But now, of course, they're getting the strong message in their security organizations, like, hey, we're doing cloud, and maybe as a security professional I need to really get smart about this stuff. And so it's been a nice transition: still a lot of the same people, but definitely a different crowd that's coming here. Well, it was a cross-pollination between multiple, and I was just at Public Sector, where they talk about cybersecurity from a national defense and intelligence standpoint. Obviously, Teresa Carlson leads that team. You've got, on the commercial side, companies like Splunk who are, you know, data, and they get into cyber. So you're starting to see kind of the intersection of all the Amazon ecosystems kind of coming around security, where it's now a horizontal; it's not just "these are the security vendors and partners," it's pretty much everyone kind of becoming native in thinking about security, and there are benefits that you guys have with that. So talk about that. I mean, Amazon has to have a framework, a posture. They call it shared responsibility, but I get that you're sharing Amazon with the ecosystem. Makes sense? Talk about the Amazon Web Services posture for this new security world. Well, the new security world is, if you look at a typical security framework, like NIST 800-53, 250 controls, all these different things that you need to worry about as a security professional. And so what AWS is able to do is say, look, there's a whole bunch of these that we can take care of on your behalf. There are some where we'll do some things and you've got to do some things, and there are some that are still your responsibility, but we'll try to make it easy for you to do those parts. So right off the bat, we get a lot of wins from just, hey, there are a lot of things we'll just take care of and you can essentially delegate to us.
And for what remains, you'll take your expertise and you'll refocus it on more like application security; there's still maybe some operating systems or whatever, if you're using a virtual machine service, you still have to think about that. But even there, we have Systems Manager, we'll make it easy to do patch management, updating, et cetera. And if you're willing to go all the way to Lambda or some kind of platform capability, we'll make it super easy, because all you've got to do is make sure your code is good, and we'll take care of all the infrastructure automatically on your behalf. So that shared responsibility remains; there are a lot of things you still need to be careful about and do well, but your experts can refocus, they can be very, there's just a lot less to worry about. So it's a nice message for how to raise the bar for the whole community, but yet still have that spread. And it stays in line with the AWS value proposition, which is build stuff, ship fast, lower prices, the Amazon ethos in general. But when you think about the core AWS, what made it so great was, you can reduce the provisioning of resources to get something up and running. And I think that's what I'm taking away from the security piece. You guys are saying, hey, we know Amazon Web Services really well. And we're going to do these things, you can do that, so us and them, and then parts to innovate. So I get that, that's good. The other trend I want to get your reaction to is comments we've had on theCUBE with CISOs and customers, a trend towards building in-house, coding security. To your point about Lambda, some cool things are being enabled through AWS. There's a real trend of big, large companies with security teams saying, hey, you know what, I want to optimize my talent to code and be security focused on use cases that they care about. So you know, Andy Jassy talks about builders, you guys talk about builders. You've got companies, your customers, building. Absolutely.
Yet they don't want to be security vendors per se. But they are becoming security. So you have a builder mindset going on in the big enterprises. Yes. Talk about that dynamic. That's a really important trend. And we see that even in security organizations, which historically were full of experts, but not full of engineers and people that could write code. And what we're seeing now is people say, look, I have all this expertise, but I also see that with a software-defined infrastructure and everything's an API, if I pair up an engineering team with a security professional team, then good things will happen, because the security professionals will say, gosh, I do this repetitive task all the time. Can you write code to do that? Like, yeah, we can write code to do that. So now I can focus on things that require judgment instead of just more repetitive work. So there's a really nice synergy there, and our security customers are becoming builders as well. And they're codifying, if you don't mind the expression, in code a policy that used to be in a document; now they write code that says, well, if that policy is whatever, password length or how often we rotate credentials, whatever the policy is, we'll write code to ensure that that's actually happening. So it's a real nice confluence of security expertise with the engineering disciplines. And they're not building the full stack themselves. This becomes, again, a key agility piece. I had one customer on who's an SMS business. They ported to AWS Cloud with three engineers. And they wrote all the Kubernetes code themselves. They could have used other things, but they wanted to make sure it was stable, then so they can bring in some suppliers that could add value. So again, this is new. It used to be this way back in the old days: in-house developers built the apps on the mainframe, built the apps on the minicomputers, and then that went to outsourcing. So we're kind of back to this.
Kind of insourcing is the big trend now, right? I can, with a smaller engineering team, do a lot that used to require so many more people with a big waterfall method and long-term projects. And now I take all these powerful building blocks and put an engineering team, five people, or what we would call a two-pizza team, five or six people, off to the side, give them three, four weeks, and they can generate a really cool system that would have required months, if not years, before. So that's a big trend, and it applies across the board, including to security jobs. I think there's a sea change, and I think it's clear. What I like about this show is it's cloud security, but it's also, they have the on-premises conversation, because it's legacy applications that have been secured, and they need to be secured as they evolve, and then you've got cloud native and all these things together where security has to be built in. This is a key theme. So I want to get your thoughts on this notion of built-in security from day one. What's your view on this, and how should customers start thinking about it, and what are you guys bringing to the table? Well, I think that's just a general, let's say, maturation that goes on in the industry, whether it's cloud or on-prem: people realize that the old methods we used to use, like, hey, I'm going to build an app, and then I'm going to hand it to this security team, and they're going to put firewalls around it, are not really going to have a good result. So security by design, having security as an equal co-aspect of, hey, if I'm doing an architecture, I look at performance, I look at cost, I look at security; it's just part of my system design. I don't think of it as a bolt-on afterwards. So that leads to things like, you know, secure DevOps and kind of integration of teams. These are, this can be happening on-premises too. It's just part of IT modernization, I think.
But cloud is clearly a driver as well, and cloud makes it easier because it's all programmable. So things that are still manual on-premises you can do in a more automated fashion. They're getting into a lot of conversations here under the covers, a lot of under-the-hood conversations here around security. EC2, one of the most popular services you guys have, obviously compute, a big part of your mission to land another feature. VPC traffic mirroring was a big announcement. A lot of people talking about that. A lot of people talking about EC2 Nitro; you gave a talk on that. I did, yeah. Just unpack it a little bit, because this has been nuanced out there; it's out there, but people are interested in it. What's that talk about? Encryption is a popular conversation. Take a minute to explain your talk. Sure. So we've talked for now a year and a half about how we've essentially reimagined, reinvented our virtual machine architecture to go from a primarily software-defined system, where you have a main board with memory and an Intel processor and all the kind of accoutrements of a standard server, and then your virtualization layer would run a full copy of an operating system, which we would call a dom0 or privileged OS, that would mediate access between the guest OSes and the outside world, because it would maintain the device model. Like, how do I talk to a network card? How do I talk to a storage device? I talk through the hypervisor, but also through a dom0, a copy of Linux, a copy of Windows, to do all that I/O. So what we did over the past few years, we began to take all the things that were running inside that privileged OS and move that into dedicated hardware, a software-hardware combination, where we now have components we call Nitro components. They're actual separate little computers that do EBS processing. They do VPC processing. They do instance storage. So at this point now, we've taken all of the components of that dom0.
We've moved it out into these, you could call them co-processors. I almost think of the Nitro controller as the main processor and the Intel motherboard as a co-processor where customer workloads run, because the trust now is in these external systems. And when you go to talk to the outside world from an EC2 instance now, you're talking through these very trusted, very powerful co-processors that do encryption. They do identity management for you. They do a lot of work that's off the main processor, but we can accelerate it. We can be more assured that it's trustworthy. It can protect itself from potential types of hacks that might have been exposed if, say, an encryption key was in the main motherboard. Now it's not. So it's a long story. I did a one-hour version and I'm doing it in three minutes now, but overall we feel that we've built a much more trustworthy system for virtual machine services. What was the title of the talk, so people can find it online? So it's just called the Nitro architecture, security implications of the Nitro architecture. So it's taking information that we had out there, but we're highlighting the fact that if you're a security professional, you're going to really like the fact that this system has no dom0, it has no shell. You can't log into the system as a human being. It's impossible to log in. It's all software defined, software driven, and all the encryption features are in these co-processors, so we can do full line-rate encryption of a hundred gigabits of network traffic. It's all encrypted. Like, that's never been done before, really, in the history of computing. So. What's the benefit of the Nitro architecture? We'll simply build one of these.
So in a nutshell, more trust built into a trusted root that's not the main board, encryption offload, and more isolation, because even if I somehow were to manage the impossible combination of facts to get sort of like ownership of that main board, I still don't have access to the outside world from there. I have to go through a whole other layer of very secure software that mediates between the inner world, where customer workloads run, and the outside world, where the actual cloud is. So it's just a bunch of layers that make things more secure. And I'm sure Outposts will have that as well. Can't wait to hear about that. Okay, encryption. "Encrypt everything" is a philosophy we heard in the keynote. You also talked about that as well. Encrypting traffic on the outside, inside. Talk about what that means, what was talked about. What's the big conversation around encryption within AWS? Just inside, or outside? What's the main story there? So there are a lot of pieces to the pie, but a big one that we were talking about this week is a pretty long-term project we call Project Lever. It was actually named after a female cryptographer in the Bletchley Park team that helped; one of the major factors in winning World War II was these mathematicians and cryptographers. So we wanted to do a big-scale encryption project. And we had a very large-scale network and we had all the features you normally have, but we wanted to make it so that we really encrypted everything when it was outside of our physical control. So we've done that; it took a long time, a huge investment; really exciting now, going forward, for everything we build.
So anytime data that customers give to us, or traffic between regions, between instances, within the same region, outside regions, whenever that traffic leaves our physical control, so kind of our building boundaries, or gates and guards, and it's going down a street on a fiber optic to another data center, maybe not far away, or going on intercontinental links, or going on sub-oceanic links, all those links now, we encrypt all the traffic all the time. And what's the benefit of that? So the benefit of that is there's still, it's obscure, but there is a threat model where governments have special submarines that are known to exist that go and sniff those trans-oceanic links, and potentially a bad guy could somehow get into one of those network junction points or whatever and inspect traffic. It's not, I would say, a high risk, but it's possible. And so now, that's a whole other level of phishing attacks, isn't it? Yeah, phishing attacks, yeah. You get a submarine, you're highly motivated to sniff that line; good one, couldn't resist. Yeah, so that's now, so people can feel comfortable that that protection exists. And even things like, here's kind of a little bit of an obscure example, we had customers that say, look, I'm a European customer and I have a very strong sense of regionality; I want to be inside the European community with all my data, et cetera. And what about Brexit? So now I've got all this traffic going through a very large internet peering point in London, and London won't be part of Europe anymore according to kind of legal norms. So what are you doing in that case? Well, how about this? How about if, yes, the packets are moving through London, but they're always encrypted all the time; does that make you feel good? Yeah, that makes me feel good. I mean, so my notion of what's extraterritorial, extra-regional, can be modified to accept the fact that, hey, if it's just ciphertext, it's not quite the same as unencrypted data.
I think people generally like the idea of encrypted traffic; I mean, it just makes a lot of sense. It absolutely does. Why wouldn't you want to do that? All right, now a final question. At this event, a lot of attendees, high-caliber people across the spectrum, from BizDev, people building out the ecosystem, to hardcore techies looking under the hood, to CISOs who oversee the regimes within companies, either with the CIO or whatever, however that is formed. And every company's different, but there are a lot of CISOs here, Chief Information Security Officers. You are in the Office of the Chief Information Security Officer. So what are the conversations they're having? Because we're hearing a lot of DevOps-like conversations in a security, with a security backdrop, about, you know, not just test and dev, but hackathons, getting new stuff built and then moving into production, a little operations, a little dev, SecOps, so these kinds of things are all kind of coming together. What are you hearing from those customers inside Amazon? Because I know you guys are customer-driven. You listen to the customers. And the CISOs, as your customer, what are they saying? What are they asking for? So CISOs are, first of all, getting their own minds around these big technical transformations that are happening. And they're thinking about risk management and compliance and things that they're responsible for. They've got to report to a board or a board committee to say, hey, we're doing things according to the norms of our industry or the regulated industries that we sit in. So they're building the knowledge base and the expertise and the teams that can translate from this sort of modern DevOps-y thing to these more traditional frameworks, like, hey, I've got this oversight by the Securities and Exchange Commission or by the banking regulators or what have you.
And we have to be able to explain to them why our security posture not only is maintained, but in some ways improved, in this new world. So they're challenged now with both developing their own understanding, which I think they're doing a good job at, but also kind of building the muscle and the strength, the terminology, to translate between these new technologies, new worlds, and the more traditional frameworks that they sit within and the people who have oversight over them. So they've got a risk, so there are risk committees on the boards of these large public organizations. And the risk committees don't know a lot about cloud computing. So part of what they do now is they do that translation function, and they can say, look, I've got assurances, based on the work that I do and the technology and my compliance frameworks, that I can meet the risk profiles that we've traditionally met in other ways with this new technology. So it's a pretty interesting translation. I know you guys had good contacts with the CIA, certainly in the public sector, those big security-oriented companies, as well as the other trend of they've got to educate the boards, and they're secure and not get hacked, obviously. And then there's the innovation side of it, where they actually have to build out. Yes. This is what we just talked about earlier. Well, and again, a big change for our CISOs that we talk to and work with all the time is, hey, we're an engineering community now. We didn't use to write a lot of code, and now we do. We're getting strong in that way, or else we're partnering very closely with an engineering team that has dedicated teams that support our security requirements and build the tools we need to know that things are going well from our perspective. So that's a really cool, I think, change in the environment.
I think that is probably one of my favorite trends that I see, because it really shows the criticality of security, which pretty much all, critically, you don't want to get hacked, but having that coding focus really shows that they're building in-house use cases that they care about, and the fact that I can now get native network traffic. And you guys are exposing new sets of services with Lambda and other things over the top. It just makes for a good environment to do these cloud security things. That seems to be the show in a nutshell. Yeah, and I think that's one of the nice things about the show is it's a very positive energy here. It's not like the fear and scary stuff that you sometimes hear at security conferences, like, hey, the sky's falling, buy my product kind of thing. Here, it's much more of a collaborative, like, hey, we've got some serious challenges. There are some bad guys out there. They're going to come after us. But as a community, using new tooling, new techniques, modern approaches, modernization generally, like, let's get rid of a lot of these crufty old systems we've never updated for 10 or 20 years. It's a positive energy, which is really exciting. It's good to be part of that. Well, Mark, great to get your insights out. So this is your wheelhouse show. Congratulations. Thank you, it's great. I'm going to ask you the question, just take your CISO Amazon hat off, just as an industry participant, riding this wave, being involved in it. What is the most important story that needs to be told in the press, in the media, that should be told, that is important? Either it's being told and it should be amplified, or it's not being told and should be written about. What's the top story, do you think?
Well, I still think that even after all this time, when people hear "public cloud computing," they still have this kind of instinctive reaction, like, oh, that sounds kind of scary, or a little bit risky, and we need to get to the point where those words don't elicit some sense of risk in people's minds, but rather elicit, like, oh, cool, that's going to help me be secure instead of being a challenge. Now, there's a journey and people have to get there, and our customers who go deep very consistently say, and I'm sure you've had them say to you, hey, I feel more confident in my cloud-based security than I do in my on-premises security. But that's still not kind of the initial reaction, so we still have a ways to go. So we're moving from a fear-based mentality to much more of a modernization-based one, like, this is the modern way to get the results and the outcomes I want, and cloud is a part of that, and it not only doesn't scare me, I want to go there. Well, it's going to take a community as well. Yeah, absolutely, sure. Mark, thanks so much for coming back on theCUBE and sharing, great. Mark Ryland, Director of the Office of the CISO at Amazon Web Services, here sharing his insight, extracting the signal about the top stories and the most important things being said and discussed and executed here at re:Inforce on theCUBE. Thanks for watching. We'll be right back with more after this short break.