From around the globe, it's theCUBE with digital coverage of AWS re:Invent 2020, sponsored by Intel, AWS, and our community partners.

Hey, welcome back, everybody. Jeff Frick here with theCUBE, coming to you from our Palo Alto studios today for our ongoing coverage of AWS re:Invent 2020. It's a digital event like everything else in 2020, and we're excited for our next segment, so let's jump into it. Joining us is Andrew Rafla, principal and zero trust offering lead at Deloitte & Touche LLP. Andrew, great to see you.

Thanks for having me.

Absolutely. And joining him is Ravi Davle, the AWS cyber risk lead for Deloitte & Touche LLP. Ravi, good to see you as well.

Hey, Jeff, good to see you as well.

Absolutely. So let's jump into it. You guys are all about zero trust, and I know a little bit about zero trust. I've been going to RSA for a number of years, and I think one of the people you like to quote is the analyst Chase Cunningham from Forrester, who's been doing a lot of work around zero trust. But for folks that aren't really familiar with it, Andrew, why don't you give us the 101 on zero trust? What is it, what's it all about, and why is it important?

Sure thing. Zero trust is a conceptual framework that helps organizations deal with the ubiquitous nature of modern enterprise environments. At its core, zero trust commits to a risk-based approach to enforcing the concept of least privilege across five key pillars: users, workloads, data, networks, and devices. The reason we're seeing zero trust really come to the forefront is that modern enterprise environments have shifted dramatically. There's no longer a clearly defined perimeter where everything on the outside is inherently considered untrusted and everything on the inside can be considered inherently trusted.
There are a couple of what I call macro-level drivers that are changing the need for organizations to think about securing their enterprises in a more modern way. The first macro-level driver is really the evolving business model. As organizations push to the cloud, maybe expand into what they would consider high-risk geographies, deal with M&A transactions, and further rely on third and fourth parties to maintain some of their critical business operations, the data and the assets by which the organization transacts are no longer within the walls of the data center. So again, the perimeter has very much dissolved.

The second macro-level driver is the shifting and evolving workforce, especially given the pandemic and the need for organizations to support an almost entirely remote workforce nowadays. Organizations are starting to think about how they revamp their traditional VPN technologies in order to provide connectivity to their employees and to other third parties that need access to the enterprise. How do we do so in a secure, scalable, and reliable way?

The last macro-level driver is the complexity of the IT landscape. In legacy environments, organizations only had to support managed devices. Today you're seeing the proliferation of unmanaged devices, whether BYOD devices, Internet of Things devices, or other smart connected devices. Organizations now have the need to provide connectivity to some of these other types of devices, but how do you do so in a way that limits the risk of the expanding threat surface you might be exposing the organization to by supporting them? So those are three macro-level drivers that are really constituting the need to think about security in a different way.

Right. Well, you guys have a zero trust point-of-view document that I downloaded.
And I like the way you put real specificity around those five pillars: again, users, workloads, data, networks, and devices. As you said, you have to take an approach that's on a need-to-know basis, the minimum they need to know, but then do that across all five pillars. How hard is that to put in place? There are a lot of pieces to this puzzle, and we talk all the time about baking security in throughout the entire stack. How hard is it to go into a large enterprise and get them started, or get them down the road on this zero trust journey?

Yeah, so you mentioned the five key pillars. One thing we do in our framework is put data at the center, and we do that on purpose because at the end of the day, data is the center of all things. It's important for an organization to understand what data it has, what the criticality of that data is, how that data should be classified, and the governance around who and what should access it from a users, workloads, networks, and devices perspective. One misconception is that if an organization wants to go down the path of zero trust, it has to rip out and replace everything it has today. It's likely that most organizations are already doing something that fundamentally aligns to the concepts of least privilege as it relates to zero trust.
So it's important to step back, set a vision and strategy as far as what it is you're trying to protect, why you're trying to protect it, and what capabilities you have in place today, and take a more incremental and iterative approach towards adoption, starting with some of your lower-risk use cases or lower-risk parts of your environment and then implementing lessons learned along the journey before enforcing more of those robust controls around your critical assets, or your crown jewels, if you will.

Right, right. So Ravi, I want to follow up with you. Andrew just talked about a lot of the macro trends that are driving this, and clearly COVID and work-from-anywhere is a big one. But one that he didn't mention that's coming right around the pike is 5G and IoT. With 5G and IoT, we're going to see the scale and the volume and the mass of machine-generated data, which is really what 5G is all about, grow again exponentially. We've seen enough up-and-to-the-right curves on data growth, but we've barely scratched the surface of what's coming with 5G and IoT. How does that work into your plans, and how should people be thinking about security around this new paradigm?

Yeah, I think that's a great question, Jeff. As you said, IoT continues to accelerate, especially with the recent investments in 5G that are pushing more and more industries and companies to adopt IoT. Deloitte has been helping our customers leverage a combination of these technologies, cloud, IoT, ML, and AI, to solve their problems in their industries. For instance, we've been helping restaurants automate their operations. We've helped automate some of the food safety audit processes they have, which, especially given the COVID situation, has been helping them a lot.
We are currently working with companies to connect smart wearable devices that send patient vital information back to the cloud, and once it's in the cloud, it goes through further processing upstream through applications and data lakes, et cetera. The way we've been implementing these solutions is largely by leveraging a lot of the native services that AWS provides, like the device manager that helps you onboard hundreds of devices and group them into different categories. We leveraged Device Defender, a monitoring service for making sure that the devices are adhering to a particular security baseline. We also implemented AWS Greengrass on the edge, where the device actually resides, so that it acts as a central gateway and a secure gateway: all the devices are able to connect to this gateway and then ultimately connect to the cloud. One common problem we run into is that a lot of legacy IoT devices tend to communicate using insecure protocols and clear text. So we actually had to leverage an AWS Lambda function on the edge to convert these legacy protocols into a very secure MQTT protocol that ultimately sends data encrypted to the cloud. So the key thing to recognize, and the transformational shift here, is that the cloud has the ability today to impact the security of the device and the edge from the cloud, using cloud-native services. That continues to grow, and that's one of the key reasons we're seeing accelerated growth and adoption of IoT devices.

You brought up a point about 5G, and that's really interesting: a recent set of investments that AWS, for example, has been making. They launched AWS Wavelength Zones, which allow you to deploy compute and storage infrastructure at the 5G edge, so millions of devices can connect securely to the compute infrastructure without ever having to leave the 5G network or go over the internet, and securely talk to the cloud infrastructure.
That allows us to enable our customers to process large volumes of data in near real time, and it also increases the security of the architecture. I think truly this combination of 5G with IoT, cloud, and AI/ML are the technologies of the future that are collectively pushing us towards a future where we're going to see more smart cities come into play, driverless connected cars, et cetera.

That's great. Now I want to unpack that a little bit more, because we are here at AWS re:Invent, and I was just looking it up: we had Glenn Gore in 2015 introducing AWS's IoT cloud. It was a funny little demo; they had a little greenhouse and you could turn on the water and open up the windows. But it's a huge suite of services that you guys have at your disposal, leveraging AWS. I wonder, Andrew, if you could speak a little bit more to the suite of tools that you can now bring to bear when you're helping your customers go through this zero trust journey.

Yeah, sure thing. Obviously there's a significant partnership in place, and we work together pretty tremendously in the market. One of the solution offerings we've built out, which we dub Deloitte Fortress, is a concept that plays very nicely into our zero trust framework, more along the horizontal components of our framework, which are really the fabric that ties it all together. The two horizontals in our framework are telemetry and analytics, and automation and orchestration. If I peel back the automation and orchestration capability just a little bit, we built this Deloitte Fortress capability in order for organizations to streamline some of the vulnerability management aspects of the enterprise.
Through integration with AWS Lambda and other functions, we're able to quickly identify cloud configuration issues and drift, so that organizations can not only quickly identify some of those issues that open up risk to the enterprise but also, in real time, take some action to close down those vulnerabilities and ultimately remediate them. It's a way to have a more proactive approach to security rather than a reactive approach. Everyone knows that cloud configuration issues are likely the number one threat vector for attackers, and so we're able to not only help organizations identify those but then close them down in real time.

Yeah, it's interesting, because we hear that all the time when there's a breach: if AWS is involved, often it's a configuration issue, somebody left the door open, basically. It really drives something you were talking about, Ravi, the increasing importance of automation and using big data, and you talked about this horizontal of telemetry and analytics, because without automation these systems are just getting too big and crazy for people to manage by themselves. But more importantly, it's a signal-to-noise issue when you just have so much traffic, right? You really need help surfacing that signal, as you said, so that you're proactively going after the things that matter and not being drowned in the things that don't. Ravi, you're shaking your head up and down; I think you probably agree with this point.

Yeah, Jeff, I definitely agree with what you're saying. Truly, automation is a way of dealing with problems at scale.
When you have hundreds of accounts, spanning multiple cloud service providers, it truly becomes a challenge to establish a particular security baseline and continue to adhere to it, and you want to have some automation capabilities in place to be able to react and respond in real time, versus it going down to a ticketing system, some person having to do some triaging, and then somebody else bringing in a solution that they implement, and eventually, by that time, your systems could be compromised. So a good way of doing this is leveraging automation and orchestration, which is a capability that enhances your operational efficiency by streamlining some of the manual and repetitive tasks. There are numerous examples of what automation and orchestration can do, but from a security context some of the key examples are automated security operations, automated identity provisioning, automated incident response, et cetera.

One particular use case that Deloitte identified and built a solution around is the identification and also the automated remediation of cloud security misconfiguration. This is a common occurrence and use case we see across all our customers. The way we did this in the context of AWS is we built an event-driven architecture that leverages the AWS Config service, which monitors the baselines of these different services. As and when it detects a drift from the baseline, it fires off an alert that's picked up by the CloudWatch Events service, which ultimately feeds it upstream into our workflow that leverages an event-based service. From there, the workflow goes into our policy engine, which is a database that has a collection of hundreds of rules that we put together, compliance activities. It also maps back to a large set of control frameworks so that this is applicable to any industry, any customer.
Then, based on the violation that has occurred, or based on the misconfiguration and the service, the appropriate Lambda function is deployed, and that Lambda is actually performing the corrective actions or the remediation actions. While it might seem like a lot, all of this is happening in near real time because it's leveraging native services. Some of the key benefits our customers see are truly the ease of implementation, because it's all native services on AWS, and that it can scale and cover any additional AWS accounts as the organization continues to scale. One key benefit is that we also provide a dashboard that gives visibility into what the top violations occurring in your ecosystem are, and how many times a particular Lambda function was set off to go correct that situation. Ultimately, that kind of view informs the upfront processes of developing secure infrastructure as code, and also correcting the security guardrails that might have drifted over time. So that's how we've been helping our customers. This particular solution that we developed is called Deloitte Fortress, and it provides coverage across all the major cloud service providers.

Yeah, that's a great summary, and I'm sure you have huge demand for that, because these misconfiguration things, we hear about them all the time. Andrew, I want to give you the last word before we sign off. It's easy to sit on this side of the desk and say, yeah, you've got to bake security into everything, and you've got to be thinking about security from the time you're in development all the way through, obviously, deployment and production and ongoing maintenance. I wonder if you could share, you're on that side of the glass and you're out there doing this every day, just a couple of high-level thoughts about how people need to make sure they're thinking about security, not only in 2020 but really looking down the road.

Yeah, sure thing.
First and foremost, it's important to align any transformation initiative, including zero trust, to business objectives. Don't let this come off as another IT security project. Make sure that you're aligning to business priorities, whether it be pushing to the cloud for scalability and efficiency, a digital transformation initiative, or a new consumer identity and authorization capability you're trying to build. Make sure that you're aligning to those business objectives and baking in and aligning to those guiding principles of zero trust from the start, because that'll ultimately help drive consensus across the various stakeholder groups within the organization and build trust, if you will, in the zero trust journey.

One other thing I would say is focus on the fundamentals. Very often organizations struggle with what we call general cyber hygiene capabilities, that being IT asset management and data classification and data governance. To really fully appreciate the benefits of zero trust, it's important to get some of those table stakes right. You have to understand what assets you have, what the criticality of those assets is, what business processes are driven by those assets, what your data criticality is, and how it should be classified and tagged throughout the ecosystem so that you can really enforce tag-based policy decisions within the control stack.

Finally, in order to really push the needle on automation and orchestration, make sure that you're using technologies that integrate with each other. Take an API-driven approach so that you have the ability to integrate some of these heterogeneous security controls and drive some level of automation and orchestration in order to enhance your efficiency along the journey. So those are just some lessons learned, some of the things that we would tell our clients to keep in mind as they go down the adoption journey.

That's a great summary.
So we're going to have to leave it there, but Andrew, Ravi, thank you very much for sharing your insight, and again, for supporting this move to zero trust, because that's really the way it's got to be as we continue to go forward. So thanks again, and enjoy the rest of your re:Invent.

Yeah, absolutely, thanks for your time.

All righty. He's Andrew, he's Ravi. I'm Jeff. You're watching theCUBE from AWS re:Invent 2020. Thanks for watching, see you next time.
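The remediation pipeline Ravi describes in the interview (AWS Config detects drift from a baseline, an event fires, a policy engine maps the violation to a Lambda that performs the corrective action, and a dashboard tallies what fired) is the one concrete technical design on this page. The Python below is an added editorial example; it is not part of the interview and is not Deloitte Fortress or any AWS sample code. It keeps the shape of an EventBridge "Config Rules Compliance Change" notification but simulates account state in memory instead of calling the AWS API, and the resource state, sample events, remediation functions and control-framework references are all constructed for the example. Two caveats a practitioner would want are built in: a rule with no known-safe playbook is escalated rather than guessed at, and the handler checks the resource type before it touches anything.

```python
"""Event-driven remediation of cloud configuration drift, simulated locally.

Added editorial example (not from the interview, not Deloitte Fortress). Models:
AWS Config compliance change -> event -> policy engine -> remediation -> dashboard tally.
Account state, events and the control mapping below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for account state; a real handler would call the AWS API here.
RESOURCES: Dict[str, dict] = {
    "billing-exports": {"type": "AWS::S3::Bucket", "block_public_access": False},
    "sg-0123abcd": {
        "type": "AWS::EC2::SecurityGroup",
        "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "10.0.0.0/8"}],
    },
}


def fix_s3_public(res: dict) -> str:
    """Remediation for a publicly readable bucket; idempotent so re-delivery is harmless."""
    if res["block_public_access"]:
        return "block-public-access already enabled"
    res["block_public_access"] = True
    return "enabled block-public-access"


def fix_open_ssh(res: dict) -> str:
    """Remediation for a security group exposing SSH to the world; keeps every other rule."""
    def world_open_ssh(rule: dict) -> bool:
        return rule["port"] == 22 and rule["cidr"] == "0.0.0.0/0"
    kept = [r for r in res["ingress"] if not world_open_ssh(r)]
    revoked = len(res["ingress"]) - len(kept)
    res["ingress"] = kept
    return f"revoked {revoked} world-open SSH ingress rule(s)"


@dataclass(frozen=True)
class Policy:
    """One policy-engine row: Config rule name -> control references -> remediation."""
    rule_name: str
    controls: Tuple[str, ...]  # illustrative references only, not an authoritative framework mapping
    remediate: Callable[[dict], str]


POLICY_ENGINE: Dict[str, Policy] = {
    p.rule_name: p
    for p in (
        Policy("s3-bucket-public-read-prohibited", ("CIS-S3-public-access", "NIST-AC-3"), fix_s3_public),
        Policy("restricted-ssh", ("CIS-SG-ssh", "NIST-SC-7"), fix_open_ssh),
    )
}


def handle_compliance_event(event: dict) -> dict:
    """Lambda-style handler for an EventBridge 'Config Rules Compliance Change' event."""
    if event.get("source") != "aws.config" or event.get("detail-type") != "Config Rules Compliance Change":
        return {"action": "ignored", "reason": "not a Config compliance change"}
    detail = event["detail"]
    if detail["newEvaluationResult"]["complianceType"] != "NON_COMPLIANT":
        return {"action": "ignored", "reason": "resource evaluated compliant"}
    policy = POLICY_ENGINE.get(detail["configRuleName"])
    if policy is None:  # no known-safe playbook: hand off to a human instead of guessing
        return {"action": "escalated", "reason": f"no remediation for rule {detail['configRuleName']}"}
    res = RESOURCES.get(detail["resourceId"])
    if res is None or res["type"] != detail["resourceType"]:  # never act on the wrong resource
        return {"action": "escalated", "reason": "resource not found or type mismatch"}
    outcome = policy.remediate(res)
    return {"action": "remediated", "rule": policy.rule_name, "resource": detail["resourceId"],
            "controls": policy.controls, "outcome": outcome}


def run_pipeline(events: List[dict]) -> Tuple[List[dict], Dict[str, int]]:
    """Process events in order; return audit records and the per-rule dashboard tally."""
    records = [handle_compliance_event(e) for e in events]
    tally = Counter(r["rule"] for r in records if r["action"] == "remediated")
    return records, dict(tally)


def _event(rule: str, rtype: str, rid: str, compliance: str) -> dict:
    """Build a minimal Config compliance-change event (constructed sample data)."""
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
            "detail": {"awsAccountId": "123456789012", "configRuleName": rule,
                       "resourceType": rtype, "resourceId": rid,
                       "newEvaluationResult": {"complianceType": compliance}}}


# Constructed sample events: two auto-fixable violations, one with no playbook, one compliant.
SAMPLE_EVENTS = [
    _event("s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "billing-exports", "NON_COMPLIANT"),
    _event("restricted-ssh", "AWS::EC2::SecurityGroup", "sg-0123abcd", "NON_COMPLIANT"),
    _event("root-account-mfa-enabled", "AWS::::Account", "123456789012", "NON_COMPLIANT"),
    _event("s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "billing-exports", "COMPLIANT"),
]

if __name__ == "__main__":
    records, tally = run_pipeline(SAMPLE_EVENTS)
    for rec in records:
        print(rec)
    print("dashboard tally:", tally)
```

Running the module processes the four sample events: the bucket and security group are fixed, the root-MFA finding is escalated because no automatic fix is registered for it, and the compliant evaluation is ignored. The tally returned by `run_pipeline` is the data behind the dashboard view Ravi mentions; in production that count of repeat firings per rule is what tells you which guardrail to move upstream into infrastructure-as-code rather than keep fixing after the fact.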