Live from Manhattan, it's theCUBE, covering AWS Summit New York City 2017, brought to you by Amazon Web Services.

And welcome back here to New York, to the Javits Center here in Midtown Manhattan for AWS Summit 2017, along with Stu Miniman. I'm John Walls. Glad to have you here on theCUBE. We continue our coverage here from New York City. Well, if you're making that move to the cloud these days, you're thinking about privacy, you're thinking about security, you're thinking about compliance: big questions, and maybe some big problems that Bill Shinn can answer for you. He is the principal security architect at AWS. Bill, thanks for being with us. Good to have you here today. A Cube rookie, right? This is your maiden voyage.

First time for everything.

Glad to have you, yeah. So I just hit on some of the high points. These are big questions for a lot of folks, I would say. Just in general, before we jump in, how do you go about walking people into the water a little bit and getting them thinking, getting their arms around these topics?

Absolutely. Still, among the first conversations we have with customers, it's our top priority at AWS, security, and customers are concerned about their data security regardless of where that data is, and certainly when they move to the cloud, it's a real opportunity to be more secure. It's an opportunity to kind of think about how they're doing security and adapt and be a little faster. So we have a really prescriptive methodology for helping customers understand how to do cloud adoption and improve their security at the same time. We have a framework called the Well-Architected Framework, and there's a security pillar in that framework. It's built around five key areas: identity and access management, which is really what you should be thinking about first, because authorization is everything. Everything's code, everything's an API, so it all has to be authorized properly.
Then we move into kind of detective controls and talk about visibility and control, things like turning on CloudTrail, getting logging set up, all the detective controls, so that before you even move a workload into the cloud, you know exactly what's happening, right? And then we move into infrastructure security, which includes kind of your network trust boundaries and zone definition, things like firewall rules and load balancers and kind of segmentation, as well as system security, hardening and kind of the configuration state of all the resources in their account. Then we move on to data protection as we walk customers through this adoption journey, things like encryption, backup, recovery, access control on data. And then finally, incident response: we want to make sure that they have a really good, solid plan for incident response as they begin to move more and more of their business into the cloud. So to help them wade through the waters, we bring it up, right? I mean, the CISO is a key partner in cloud adoption. Organizations need to make sure security's in lockstep with engineering as they move to the cloud. So we want to help with that. We also have the Cloud Adoption Framework, and there's a security perspective in that framework, the methodology for really treating security more like engineering these days, right? So you have DevOps, and now you have DevSecOps, and you've got security needing to have a backlog; they need to have sprints, they need to have user stories. It's very similar to how engineering would do it, and that way they're partnering together as they move workloads into the cloud.

Amazon's releasing so many new features. It's tough for a lot of us to keep up. Andy Jassy last year said every day when you wake up there's at least three new announcements coming out, so it's a new day, a number of announcements in your space. Maybe bring us up to speed as to what we missed if you just woke up on the West Coast.
Sure, sure. So customers love the pace of innovation, especially security organizations. They really like the fact that when we innovate on something, it means they might not have to put as many resources on that particular security opportunity or security concern. They can focus more on their code quality, more on engineering principles, things like that. So today we happily announced Amazon Macie. So, love it: it performs data classification on your S3 objects, it provides user activity monitoring for who's accessing that data, it uses a lot of our machine learning algorithms under the hood to determine what is normal access behavior for that data, and it has a very differentiated classification engine, so it does things like topic modeling and regular expressions and a variety of other things to really identify that data. People are storing trillions of objects in S3, and they really want to know what their data is, whether it's important to them, and certainly, customers' data is the most important thing. So being able to classify that data, perform user analytics on it, and then be able to alert and alarm on inappropriate activity: take a look at Macie. It's really going to make a big difference for customers who want to know that their data is secure in S3.

Yeah, I actually got a question from the community when Macie came out. We got a lot of questions about GDPR coming out, so can Macie or the underlying tech be used for that?

Yeah, absolutely, a great tool. We think AWS is the greatest place to perform GDPR compliance. You really got to know your data. You have to know if you're moving data about European citizens around; you really have to understand that data. I think Macie will be a big part of a lot of customers' strategy on GDPR compliance. But to finish your question, we've announced quite a few things today, so Macie's one of them.
We announced the next iteration of CloudHSM, so cheaper, more automated, handles more of the clustering so that you don't have to do it, deeper integration with things like CloudTrail. Customers really wanted a bit more control and integration with the services than what the previous iteration had, so we've offered that. We announced EFS volume encryption too, so EFS, or Elastic File System, encryption at rest; it natively integrates with the key management system the same way that many of our services do when you're storing data. We announced some Config rules today to help customers better understand the access policies on their S3 buckets.

Good stuff. Busy day.

Busy day.

I mean, just from the security standpoint, when you are working with a new client, do you ever uncover, or do they discover, things about themselves that need to be addressed?

Yeah, I think the number one thing, and it's true for many organizations when they move to the cloud, is they want that agility, right? And when we talk to security organizations, one of the top things we advise them on is how to move faster. As much as we're having great conversations about WAF, the web application firewall, and Shield, our DDoS solution, Inspector, which performs configuration assessments, all the security services that we've launched, we're also having pretty deep conversations with security organizations these days about CodeStar, CodePipeline, CodeDeploy, and the DevOps tool chains, because security can get those fast engineering principles down, and they're just as responsive. It also puts security in the hands of engineers and developers. So that's really kind of the conversations we're having. And they discover that they kind of need to get a little closer to how development does their business, talking in the same vocabularies as engineering and development. That's one of the things I think customers discover. Also, it's a real opportunity, right?
So if you don't have to look after a data center footprint and all the patch panels and switches and routers and firewalls and load balancers and things that you have on-premises, it really does allow a shift in focus for security organizations to focus on code quality, focus on user behavior, focus on a lot of things that every CISO would like to spend more time on.

Yeah, Bill, one of the things a lot of companies struggle with is how they keep up with everything that's happening, all the change there. When I talk to my friends in the security industry, one of the things that they're most excited about is that we need to be up on the latest fixes and the patches. And when I go to public cloud, you don't ask somebody, hey, what version of AWS, or Azure, are you running on? It's, you're going to take care of that behind the scenes. How do you manage the application portfolio for customers and get them into that framework so that they can, as we were talking off camera, Gene Kim, just buy into that, as security just becomes part of the process if I get more agile?

Yeah, so the question is really about helping customers understand all the services and really get them integrated deeply. A couple of things. So certainly the Well-Architected Framework, like I mentioned, is helping with that. We have solution architects, professional services consultants, a very, very rich partner ecosystem that helps customers. A lot of training for security. There's some free training online. There's classroom, instructor-led training as well. So that training piece is important. I think the solutions are really better together. So we have a lot of great building blocks, but when you look at something like CloudTrail, CloudWatch Events and Lambda together, we try to talk about the solutions, not just the individual building blocks. I think that's one key component too, to help them understand how to solve a security problem.
Take, for example, monitoring the provisioning of identities and roles and permissions. We really want customers to know that that CloudTrail log, when someone attaches a role to a policy, can go all the way to a Slack channel, can go all the way to a ticket system. We really want to talk about the end-to-end integration with our customers. And really, to help them keep pace with our pace of innovation, we really try to get the blog in front of them. The security blog is a great source of information for all the security announcements we make. Follow Jeff Barr's Twitter, a bunch of things to help keep pace with all of our launches and things, yeah.

You brought up serverless. If I look at the container space, which is related of course, security's been one of those questions. Bring us up to speed as to where you are with security in kind of containers.

Yeah, sure. I think tenant isolation is very strong in Lambda. We have a really high confidence in the tenant isolation model for those functions. The nice thing about serverless, right, is that when there's no code running, you really don't have a surface area to defend. And I think from a security perspective, if you were building an application today, and you go to your security team and say, well, I'd really like to just build this little piece of code and tie these pieces of code together, and when they're not running, there's nothing there that you need to defend, or would I like to build this big set of operating systems and fleet management and all the things I have to do? It's kind of a pretty easy conversation, right? But all the primitives are there in serverless. You have strong cryptography, TLS endpoints. You've got the IAM policy framework. So identity and access management has really consistent language across all the services. So principals, actions, resources and conditions is the same across every service.
It's not any different for serverless, so they can leverage the knowledge they have of how to manage identities and authorization in the same way. You've got integration with CloudTrail. So all the primitives are there, and then customers can focus on their code and being builders.

So it sounds like that's part of the way to attack security for IoT then.

Yeah, I think for IoT, it's a very similar architecture too. So you have similar policies that you can apply to what a device can write to in the cloud. We have a really strong set of authorization and authentication features within the IoT platform so that it makes it easy for developers to build things, deploy them and maintain them in a secure state. But you go back to the Well-Architected Framework and the CAF, the Cloud Adoption Framework, you take those five key areas, identity, detective controls, infrastructure security, data protection and IR, incident response. It's pretty similar across all the different services.

It just comes back to the fundamentals.

It does, yeah, absolutely. And for customers, those control objectives haven't changed, right? I mean, they have those control objectives today. We'll have them in the cloud, and we just want to make it easier and faster.

Well, Bill, thanks for being with us.

You bet, thank you very much.

Good to have you on theCUBE. Look forward to seeing you again for the second time around. I'll see you at re:Invent, hopefully. Bill Shinn from AWS, joining us here on theCUBE. Continuing our coverage from AWS Summit here in New York in just a bit.