From Boston, Massachusetts, it's theCUBE. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. Hey, welcome back everyone to theCUBE's live coverage of AWS re:Inforce in Boston, Massachusetts. I'm John Furrier with Dave Vellante. This is re:Inforce. This is the inaugural conference for AWS around the security and cloud security market. A new category being formed from an event standpoint around cloud security. Our next guest is CUBE alumni guest analyst, Corey Quinn, cloud economist with the Duckbill Group. Good to see you again. Great to have you on. Love to have you come back because you're out in the hallways. You're out getting all the data and bringing it back and reporting. But this event, unlike the other ones you had great commentary and analysis on, you were mentioned on stage during the keynote from Stephen Schmidt. Congratulations. Thank you. I'm still not quite sure who is getting fired over that one, but somehow it happened. And I didn't know it was coming. It was incredibly flattering to have that happen. But it was first, huh, awesome. He knows who I am. Followed quickly by, oh dear, he knows who I am. And at this point, I'm not quite sure what to make of that. We'll see. It's good news, it's good business. All press is good press, as they say. But let's get down to it. Obviously, security, it's a security conference. This is the inaugural event. We always love to go to inaugural events because in case there's no second event, we were there for one event. So that's always the case. Been there since the beginning is often great bragging rights. And if there isn't a second one, well, you don't need to bring it up ever again. So if they've already announced there's another one coming to Houston next year, so that'll be entertaining. So a lot of people were saying to us, re:Inforce, security event. Some skepticism, some bullish on the sector.
Obviously cloud is hot, but the commentary was, oh, no one's really going to be there. It's going to be more of an educational event. So yeah, so more of an educational event for sure. They're talking about stuff that they can't have time to do at re:Invent. But there's a lot of investment going on. There are players here from the companies, McAfee, you name the big name companies here. They're sending real people, a lot of biz dev folks, trying to understand how to build out the sector. A lot of technical technologists here as well, digging into some of the deep conversations. Do you agree? What are your thoughts on the event? I'm surprised. I was expecting this to be a whole bunch of people trying to sell things to other people who are trying to sell them things in return. And it's not. There are people who are using the cloud for interesting things, walking around. And that's fantastic. One thing that has always struck me as being sort of strange and why I guess I feel spiritually aligned here with nothing else is cost and security are always going to be trailing functions. No company is excited to invest in those things until immediately after they really should have been investing in those things and weren't. So at time to market, velocity are always going to be something much more valuable and important to any company strategically. But we're seeing people start to get ahead of the curve in some ways. And that's, it's refreshing and frankly surprising. What's the top story in your mind? Top three stories coming out of re:Inforce, from an industry standpoint or from a product standpoint, that you think need to be told or amplified or if not being told, be told. Well, there's been the stuff that we've seen on the stage and that's terrific. And I think that you probably rehash those a fair bit with other guests.
For me, what I'm seeing, the story that resonates as I walk around the expo hall here is we're seeing a bunch of companies that have deep roots in data center environments. And now they're trying to come up with stories that resonate with cloud. And if they don't, this is a transformational moment. They're going to effectively likely find themselves in decline. But they're not differentiating themselves from one another particularly well. There are a few very key things that we're seeing people operate within such as with the new port mirroring stuff coming out of VPC traffic. You have a bunch of companies that are able to consume those or flow logs if you want to go back in time a little bit and spit out analysis on this. But you're not seeing a lot of differentiation around this or, hey, we'll take all your security events and spit out the useful things. Okay, that is valuable and you need to be able to do that. How many vendors do you need in one company doing the exact same thing? You know, we had a lot of sites, CISOs on here and practitioners. And one of the comments that's on that point is, yeah, he's like, look it, I don't need more alerts. I need things fixed. Don't just tell me what's going on, fix it. So the automation story is also a pretty big one. The VPC traffic mirror, I think it's going to be just great for analytics, great for just for getting that data out. But what does it actually impact? And the automation piece and the, okay, there's an alert, pay attention to it or ignore it or fix it, seems to be kind of the next level conversations, your thoughts around that piece. I think that as we take a look at this space and we see companies continuing to look at things like auto remediation, automation's terrific until the first time it does something you didn't want it to do and takes something down, at which point no one trusts it ever again. And that becomes something hard to tend to.
I also think we're starting to see a bit of a new chapter as an alliance with this from AWS and its relationship with partners. I mean, historically, you go to re:Invent and you're sitting on the expo hall and watching the keynote. And it feels like it's AWS Red Wedding where you're trying to see who's about to get killed by a feature that just comes out. And now we're seeing that they've largely left aspects of the security space alone. They've had VPC flow logs for a long time but sorting through those yourself was always like straining raw sewage with your teeth. You had to find a partner solution or build something yourself out of open source tooling from spit and duct tape. There's never been a great tool there. And it almost feels like they're leaving that area, for example, alone. And leaving that as an area ripe for partners. Now, how do you partner with something like AWS? That's a hard question to answer. Well, so one of the other things we heard from practitioners is they don't want incrementalism. They're kind of sick of that. They want step functions that do as John said, remediate. So, you called the Red Wedding at the main stage. What does a partner have to do to stay viable in this ecosystem? Historically, the answer to that has always been to continue innovating ahead of the bow wave of AWS's own innovation. The problem is you see that slide that they put on at every event that everyone who doesn't work at AWS sees that shows the geometric increase in number of feature and service releases. And we all feel the sinking sensation of not even the partner side but the they're releasing so much that I know some of that is going to fix things for my company but I'll never hear it because it's drowned in the sheer volume of what they're releasing.
AWS is rapidly increasing their pace of innovation to the point where companies that are not able to at least match that are going to be in for a bad time as they find themselves outpaced by the vendor they're partnering with. Well, and you heard Liberty Mutual say that number one challenge was actually the pace of cloud, being able to absorb all these new features. Yes. And so, and you imagine the partner ecosystem. I mean, so it's not just the partners, it's the customers as well that bow is coming faster than they can move. I can sit here now and talk very convincingly about services that don't exist and not get called out on them by an AWS employee who happens to be sitting here because no one person can have all of this in their head anymore. It's outpaced most people's ability to wrap their heads around that and contextualize it. So people specialize, people focus. And I think to some extent that might be an aspect of why we're seeing re:Inforce as its own conference. So we talked to a lot of CISOs this trip, a lot of one-on-ones. We had some interviews. Some private meetings. I'm going to read you a list of key areas that they brought up as concerns. I want to get your reaction to. Pick the ones out that you think are very relevant. Sure. Just speedily, it's very fast. Vendor lock-in, spend, security-native, service provider, supplier, relationship, metrics, cloud security is different, integration, identity, automation, workforce talent, coding security, and the human equation. These are all kind of key areas that seem to glob and be categorically formed. Your thoughts to those, which ones do you think jump out as criticalities on the market? Sure, I think right now people talking about lock-in are basically wasting their time and spinning their wheels.
If you, for example, you go with two cloud providers because you don't want to be locked into one, well now there's a rife partner ecosystem because translating things like IAM into another provider's environment is completely foreign. You have to build an entire new security model on top of things in order to do that effectively. That's great. In security we're seeing less of an aversion to lock-in than we are in other aspects of the business, and I think that is probably the right answer. Again, I'm not partisan in this battle. If someone wants to go with a different cloud provider than AWS, great, awesome, pick the one that makes sense for your business. I don't think that it necessarily matters, but pick one and go all in on that. Well, this came up too in a couple of ways. One was the general consensus was who doesn't like multicloud? If you could seamlessly move stuff between clouds without having to do the modification on all this code that has to be developed, who wouldn't love that? But the reality is it doesn't exist. To your point, this came up again as that workforce talent is. One CISO said, I'm with AWS. I have a little bit of Google. I probably could go Azure. Maybe I bought a company, we'd deal with some stuff over there, but for the most part, all my talent is peaked on AWS. Why would I want to have three separate security teams peaking on different things when I want everyone on our stack? They're building their own stacks, then outsourcing or using suppliers where it supports it. But the focus of building their own stacks, their own security, coding up was critical and having a split competency on code basis just to make it multicloud wasn't non-starting. And I think multicloud has been a symptom. I mean, it's more than a strategy. 
I think it's in a large part, it's a somewhat desperate attempt by a number of vendors who don't have their own cloud to say, hey, you need to have a multicloud strategy, but multicloud has been really an outcome of multiple projects, as you say, M&A, Horses for Courses, Lines of Business. So my question is, I think you just answered it. Multicloud is more complex, less secure and probably more costly, but is it a viable strategy for things other than lock-in? To a point, there are stories about durability, there's business reasons. If you have a customer who does not want their data living on one particular cloud provider, those are strategic reasons to get away from it. And to be clear, I would love the exact same thing that you just mentioned, where I could take what I've built and run that seamlessly on other providers. But I don't just want that to be a pile of VMs and maybe some disk. I want those to be the higher-level services that take care of massive amounts of my business for me and I want to flow those seamlessly between providers. And there's just no story around that for anything reasonable or modern. And history would say there won't really ever be without some kind of open source movement. Oh yes, a more honest reading of some of the other cloud providers that are talking about multicloud extensively translates that through a slight filter to we believe you should look into multicloud because if you're going all in on a single provider, there is no way in the world it's going to be us. And that's sort of the challenge, is if you take a look at a number of companies out here, if someone goes all in on one provider, they will not have much, if anything, to sell them of differentiated value. And that becomes the larger picture challenge for an awful lot of companies. And I empathize with that, I really do. Amazon's starting to do a lot of channel development. I'll see their emphasis on helping people make some cash. 
I'll see their vendors and ecosystems afraid, always afraid. So shared responsibility at one level is like, well, we only have one security model. We do stuff and you do stuff. So obviously it's inherently shared. So I think that's really not a surprise for me. The issue is how to get successful monetization in the ecosystem, clearly defining lines of rules of engagement around where the white spaces are. And where the differentiation can occur, your thoughts on how that plays out. Yeah, and that's a great question because I don't think you're ever going to get someone from Amazon sitting in a room and saying, okay, if you build a tool that does this, we're never, ever, ever going to build a thing that does that. They just launched a service at re:Invent that talks to satellites in orbit. If they're going to build that, there's nothing that I will say they're never going to get involved with. The product strategy from the outside feels like it's a Post-it note that says yes on it. And how do you wind up successfully building and scaling a business around that? I don't have a clue. Andy Jassy's on the record here on theCUBE and privately with me on my reporting, saying never say never, we will never say never. So that is actually an explicit, same word on that one. And I'm an independent consultant where my first language is sarcasm. So I basically make fun of AWS in the newsletter and podcast and that seems to go reasonably well. But I'm never going to say that they're not going to move into self-deprecation as a business model. Look at some of their service names. They're clearly starting to make inroads in that space. So I have to keep innovating ahead of that bow wave. And for now, okay, I can't fathom trying to build a business model with a 300-person company and being able to continue to innovate at that pace and avoid the rapid shifts as AWS explores new offers. And what I look about, well, we're always kind of goofing on AWS. We're fanboys as well, as you know.
But one of the things I love about AWS is that they give the opportunity for their partners and they give them plenty of heads up. It's pretty much the rules of engagement is never say never. But if they're not differentiating, that's their job. Their job is to be better. Now, one thing Amazon does say is, hey, we might have a competing service, but we're always going to favor the customer. So the partner, if a customer wants an Amazon CloudTrail, they want CloudTrail for a great example. There's been requests for that. So why wouldn't they do it? But they also recognize there's few people in the ecosystem that do similar things. And they're not going to actively try to put them out of business, per se. Oh yeah, one company that's done fantastically well partnering with everyone is PagerDuty. And even if AWS were to announce a service that wakes you up in the middle of the night when something breaks, it's great, awesome. How about you update your status page in a timely fashion first, then talk about me depending on the infrastructure that you run to tell me when the infrastructure that you run is now degraded. The idea of being able to take some function like that and outsource worked well enough for them to go public. So where are the safe points in the ecosystem? So obviously a partner that has a strong on-prem presence that Amazon wants to get access to, that's a short-term, maybe even a mid-term strategy, okay, professional services. If you're Accenture and Ernst & Young and Deloitte, PwC, you're probably okay, right? Because that's not a business that Amazon really wants to be in. They might want to automate as much of that as possible, but the world's going to do that anyway. But what's your take? I would also add cost optimization to that. Or not from a basis of technical capability, and I think their current tooling is disappointing.
I'd argue that Cost Explorer and the rest of their billing situation is the asterisk next to customer obsession if we're being perfectly honest. But there's always going to be some value in an external party coming in from that space and what form that takes is going to change, but it is not very defensible internally to say, our cloud spend is optimized because the vendor we're writing those large checks to tells us it is, there's always going to be a need for some third-party validation. And whether that can come through software. How big is that business? It's a great question. We're right now we're seeing that people are spending over $30 billion a year on AWS and climbing. One thing we can say with a certainty in almost every case is that people's cloud bills are not getting smaller month over month, so it's a growing market. It's one that people feel incredibly acutely, and when you get a few drinks into people and they start complaining about various aspects of cloud, one of the first most common points that comes up is the bill. Not that it's too high, but that it is inscrutable. And so, just to do a back-of-napkin TAM, how much optimization potential is there? Is it a 10% factor or more? It depends on the level of effort you're willing to invest. I mean, there's a story for almost environments where you can save 70% in your cloud bill. All you have to do is spend 18 months of rewriting everything to use serverless primitives. Six of those months, you'll be hard down across the board and then wait, where did everyone go? Because no one's going to do that. Yeah, you might be out of business. So it's always a question of effort spent doing optimization versus improving features, speeding time to market, and delivering something that will generate far more revenue. The theoretical upside of cost optimization is 100% of your cloud bill. Launching the right service or product can bring in multiples of that in revenue.
I think my theory on differentiation, Dave, is that I think Amazon's basically saying, in so many words, not directly, but it's my interpretation, hold on to the rocket ship of AWS as long as you can. And if you can get stable, hold on. If you fall off, that's just your fault, right? So what that means is, to me, move up the stack. So Amazon's clearly going to continue to grow and create scale. So the benefits of the company is to create a value proposition that can extract rents out of the marketplace from value that they create on the Amazon growth, which means they got a lockstep with Amazon on growth and constantly pivot up to where there's space. And Amazon's just a steamroller will come in, the rocket ship that's going so fast, whatever metaphor. And so people who just say, we made a deal with Amazon, we're in, and then kind of sit idle, we'll probably end up getting spun off. Because it's like they'll fall off on Amazon. All right, so we did that, you didn't differentiate enough, you didn't innovate enough, but they're going to give everyone the opportunity to take a place with the growth. So the strategy management-wise is just constantly pushing the envelope. So that's implicit in the sort of Amazon posture. What's explicit in Amazon's posture is build applications on our platform. And you should be okay, you know, for a while. Yeah, and again, and I think a lot of engineers get stuck in the trap of building something and spending all their time making their code quality as best as possible. But that's not going to lead to a business outcome one way or another. We see stories of companies hitting success with a tire fire of an infrastructure all the time. Twitter used to be plagued by massive downtime until they were large enough to justify the time and expense of a massive rewrite. And now Twitter is effectively up all the time. Whether that's good or not is a separate argument, but they're there, so there's always going to be time to fix things.
Well, the great example is they built it on Rails and they put it in the Amazon cloud. It was just kind of a hack. And then all of a sudden, boom, people loved it. And then that's to me the benefit of cloud. Once you get that escape velocity, the investment to start Twitter was very low given what the success was. And then they had the rewrite because the scale was bursting up. That's called prototyping. Oh yeah. But that's what enterprises have to do. This is the theme of Agile. Get started as a theme. Just dig in, do a hackathon, but don't confuse that with scale. That's where the rubber meets the road. Right. And the, oh cloud isn't for us because we're an exception case. There are very few companies for whom that statement is true in the modern era. And do an honest analysis first before deciding we're going to build our own data centers because we can do it for cheaper. If you're Dropbox putting storage in, great. If otherwise you're going to wind up in this story, where, oh well, we have 20 instances now so we can do this cheaper in a rack somewhere. I will bet you a house you're wrong, but okay. People are telling me, okay, final question for you. As you wandered around and been in the sessions, been in the analyst thing, what are some slice of life kind of commentary stories you bumped into that you found either funny, clever, insulting or humorous? What's out on the floor? What are some of the conversations? One of the best ones was a company, I'm not going to name, but the story they told was fantastic. They're primarily on Azure and, but they also have a strong secondary presence with AWS and that's fascinating to me. How does that work internally? It turns out their cloud of choice is Azure and they have to mandate that with guardrails in place because if you give developers a choice they will all go and build on AWS instead.
Which is fascinating and there are business reasons behind why they're doing what they're doing but that story was just very humorous. I can't confirm or deny whether it was true or not because it was someone with way too much to drink telling an awesome story but the idea of having to forcibly drag your developers away from a thing in favor of another thing? That's like being at a bad party. It's like, oh the better party's over there. All my friends are over there. They have a commitment, they have a commitment to Microsoft's software estate so that's likely why they're- Or a business deal with Microsoft. And I'm not saying this is necessarily the wrong approach. No, it might be the right business decision but when you ask the developers we see that all the time, John. All the time. I mean I had a developer on the one time company who started like, look we thought it would be great to build on Azure. We were actually being paid. They were writing checks to incent us and I had a revolt. Engineers were all revolting because the reverse proxies us they were cobbled together services and they weren't clean native services and primitives so the engineers were revolting so we had to turn down the cash from Microsoft and go back to Amazon. Azure is much better now but they have to outrun that legacy shadow of at first it wasn't great and people try something once and that was terrible. Well would you like to try it again now? Why would I do that? It was terrible. And it takes time to overcome that knee-jerk reaction. Well but to your point about the business decision it might make business sense to do that with Microsoft. It's maybe a little bit more predictable than Amazon is as a partner. Oh the way to optimize your bill on another cloud provider that isn't AWS these days is to call up your account rep and yell at them. They're willing to buy business in most cases. Now that's not specific to any one provider, that's most of them.
It's challenging to optimize free so we don't see the same level of expensive bill problems in most companies there as well. Well the good news is on Microsoft and I was a real big critic of Azure going back a few years ago is that they absolutely have changed their philosophy going back I'd say two, three years ago in the past two years in particular 24 months they've really been cranking. They've been pedaling as fast as they can. They're serious, they're committed from the top so I didn't tell them. So there's no doubt they're doing it obviously with the Kubernetes work you're seeing what they're doing is phenomenal. So they've got a great developer job today. They're in for the long game. They're not going to be a fad. No doubt about it. No, and we're not going to see for example the Verizon public cloud, the HP public cloud, both of which were turned off. The ones that we're seeing today are largely going to be here to stay of the big three, big four if we include Alibaba and it's, I'm not worried about the long term viability of any of them. It's just finding their niche, finding their market. To find their lanes. Corey, great to have you on. Good to hear some of those stories. Thanks for the commentary. Thank you. As always great guest analyst, CUBE alumni friend analyst, Corey Quinn here in theCUBE bringing you all the top action from AWS re:Inforce, their first inaugural security conference around cloud security, and theCUBE's initiation of security coverage continues after this break.