Okay, welcome back everyone. theCUBE's coverage here in Boston, Massachusetts. AWS re:Inforce 22, the security conference. It's AWS's big security conference. Of course theCUBE's here. All the re:Invent, re:Mars, re:Inforce. We cover them all now and the summits. I'm John Furrier. My host, Dave Vellante. With IDC weighing in here with their analysis. Got some great guests here. Jay Bretzmann, Research VP at IDC, and Philip Bues, Research Manager for Cloud Security. Gentlemen, thanks for coming on. Appreciate it.

Great to be here. I appreciate the opportunity.

That's so cool, right? Security's more interesting than storage, isn't it? Dave and Jay worked together. This is a great segment. I'm psyched that you guys are here. We had Crawford and Matt Eastwood on at HPE Discover a while back. And really the data you guys are getting and the insights are fantastic. So congratulations to IDC. You guys are doing great work. We appreciate your time. I want to get your reaction to the event and the keynotes. AWS has got some posture and they're very aggressive on some tones. Some things that we didn't hear. What's your reaction to the keynotes? Share your assessment.

So, you know, I manage two different research services at IDC right now. They are both cloud security and identity and digital security, right? And what was really interesting is the intersection between the two this morning. Because every one of those speakers that came on had something to say about identity or least privilege access. Or, you know, enable MFA or make sure that you control who gets access to what and deny explicitly, right? And it's always been a challenge a little bit in the identity world because a lot of people don't use MFA. And in RSA, that was another big theme at the RSA conference, right? MFA everywhere. Why don't they use it? Because it introduces friction and all of a sudden people can't get their jobs done, right?
And the whole point of a network is letting people on to get that data that they want to get to. So that was kind of interesting. But, you know, as we have in the industry this shared responsibility model for cloud computing, we've got shared responsibility between Philip and I. I have done in the past more security of the cloud and Philip, there, was more security in the cloud.

And now with cloud operations or super cloud, as we call it, you have on-premises private cloud coming back, or it hasn't really gone anywhere, all that on-premises cloud operations, public cloud, and now edge is exploding with new requirements. It's really an ops challenge right now. Not so much dev. So the sec and ops side is hot right now.

Yeah, well we've made this move from monolithic to microservices-based applications. And so during the keynote this morning, the announcement around the GuardDuty malware protection component, and that being built into the pricing of current GuardDuty, I thought was really key. And there was also a lot of talk about partnering and security certifications. Which is also so very important. So we're seeing this move towards filling in that talent gap which I think we're all aware of in the security industry.

So Jay, square the circle for me. So Kurt Kufeld talked about Amazon AWS identity. Where does AWS leave off and companies like Okta or Ping Identity or CyberArk pick up? How are they working together? Does it just create more confusion and more tools for customers? We know the overused word of seamless. It's never seamless. How should we think about that?

So identity has been around for 35 years or something like that. It started with the mainframes and all that. And if you understand the history of it, you make more sense of the current market. You have to know where people came from and the baggage they're carrying because they're still carrying a lot of that baggage.
Now when it comes to the cloud service providers, they're more in a combination from the identity standpoint. Let's make it easy inside of AWS to let you single sign on to anything in the cloud that they have. Let's also introduce an additional MFA capability to keep people safer whenever we can and provide people with tools to get into those applications somewhat easily while leveraging identities that may live somewhere else. So there's a whole lot of the world that is still Active Directory centered. There's another portion of companies that were born in the cloud that were able to jump on things like Okta and some of the other providers of these universal identities in the cloud. So like I said, if you understand where people came from in the beginning you start to say, yeah, this makes sense.

It's interesting, you talk about mainframe. I always think about RACF and it's, okay, who did what, when, where? And you hear about a lot of those themes. So what's the best practice for MFA that's non-SMS based? Is it you got to wear something around your neck? Is it to have sort of a third party authenticator? What are people doing that you guys would recommend?

Yeah, one quick comment about adoption of MFA. If you ask different suppliers what percent of your base that does SSO also does MFA, one of the biggest suppliers out there, Microsoft, will tell you it's under 25%. That's pretty shocking, right? All the messaging that's come out about it. So another big player in the market was called Duo. Cisco bought them, right? And because they provide networks, a lot of people buy their MFA. They have probably the most prevalent type of MFA. It's called push, right? And push can be a red X and a green check mark to your phone. It can be a QR code somewhere. It can be an email push as well. So that is the next easiest thing to adopt after SMS. And as you know, SMS has been denigrated by NIST and others saying, you know, it's susceptible to man-in-the-middle attacks.
It's built on a telephony protocol called SS7.

Yep.

You know, predates anything. There's no certification either side. The other real dynamic in identity is the whole adoption of PKI infrastructure. As you know, certificates are used for all kinds of things. Network sessions, data encryption, well, identity increasingly. And a lot of the, you know, consumers and especially the work-from-anywhere people these days have access through smart devices, right? And what you can do there is you can have an agent on that smart device generate your private key, and then push out a public key. And so the private key never leaves your device. That's one of the most secure ways to access it.

So if your SIM card gets hacked, you're not going to be vulnerable?

Yeah, well, the SIM card is another, you know, challenge associated with the older ways. But yeah.

So what do you guys think about the open source connection? And they mentioned it up top, don't bolt on security, implying shift left, which is embedding it in, like Snyk, companies like Snyk do that. Very container-oriented, a lot of Kubernetes, kind of cloud-native services. So I want to get your reaction to that. And then also this reasoning angle they brought up. Kind of a higher level AI of reasoning decisions. So open source and this notion of AI reasoning.

And you see more open source discussion happening, right? So, you know, you have your building, maintaining and embedding of the upstream open source code, which is critical. And so I think AWS talking about that today, they're certainly hitting on a nerve as, you know, open source continues to proliferate. Around the automated reasoning, I think that makes sense. You want to provide guide rails and you want to provide road maps and you want to have sort of that guidance as to, okay, what's the correlation analysis of different tools and products? And so I think that's going to go over really well.
One of the other key points about open source is everybody's in a multi-cloud world, right? And so they're worried about vendor lock-in. They want an open source code base so that they don't experience that.

Yeah, and they can move the code around and make sure it works well on each system. Dave and I were just talking about some of the dynamics around data control planes. So they mentioned encrypt everything, which is a great message, by the way, I love that one. But, oh, and he mentioned data at rest. I'm like, what about data in flight? And you hear that one. So one of the things we're seeing with super cloud, and now multi-cloud kind of as destination to that, is that in digital transformation, customers are leaning into owning their data flows. Yeah. Independent of, say, the control plane aspects of what could come in. This has huge implications for security. We're sharing data, it's huge. Even Schmidt on stage said, we have billions and billions of things happening that we see, things that no one else sees. So that implies they're sharing.

One trillion.

One trillion, 15 zeros.

15 zeros.

15 zeros, yeah. So that implies they're sharing that or using that, pushing that into something. So sharing is huge with cyber security. So that implies open data, data flows. How do you guys see this evolving? I know it's kind of emerging, but it's becoming a nuanced point that's critical to the architecture.

Well, yeah, I think another way to look at that is the sharing of intelligence and some of the recent directives from the executive branch, making it easier for private companies to share data and intelligence, which I think strengthens the cyber community overall. Depending upon the supplier, right, it's either an aggregate level of intelligence that has been anonymized or it's specific intelligence for your environment. Everybody's got a threat feed, maybe two or three, right?
But back to the encryption point, I was working for an encryption startup for a little while, right, after I left IBM. And the thing is that people are scared of it, right? They're scared of key management and rotation. And so when you provide-

Because they may lose the key.

Exactly. It's like shooting yourself in the foot, right? So that's when you have things like, you know, KMS services from Amazon and stuff that really help out a lot and help people understand, okay, I'm not alone in this.

Yeah, crypto owners. They call it the hybrid key. They call it what they call the day, they call it the hybrid-

Key management service, yeah.

Oh, hybrid HSM, correct. What is that? What is that? I didn't get that. I don't understand what he meant by the hybrid post, hybrid post-quantum key agreement.

And that still notes that. Hybrid post-quantum key exchange.

You know, AWS never made a product name that didn't have four words in it. But he did reference the new NIST algos. And I think I inferred that they were quantum proof, or they claim to be, and AWS was testing those.

Correct, yeah.

So that was kind of interesting. But I want to come back to identity for a second.

Okay.

So this idea of bringing traditional IAM and privileged access management together, is that a pipe dream? Is that something that is actually going to happen? What's the timeframe? What's your take on that?

So, you know, there are aspects of privilege in every sort of identity. Back when, you know, it was only the back office that used computers for calculations, right? Then you were able to control how many people had access. There were two types of users. Admins and users, right? These days, everybody has some aspect of privilege. It's a real spectrum. Yeah. You've got the C-suite, the finance people, the DevOps people, even partners and whatever. They all need some sort of privileged access. And the term you hear so much is least privileged access, right? Shut it down. Control it.
So, you know, in some of my research, I've been saying that vendors who are in the PAM space, privileged access management space, will probably be growing their suites, playing a bigger role, building out a stack, because they have the expertise and the perspective that says we should control this better. How do we do that, right? And we've been seeing that recently.

Is that a combination of old, kind of antiquated systems meets proprietary hyperscale, or kind of like build your own? Because I mean, Amazon, these guys, they all build their own stuff.

Yes, they do.

And then enterprises buy services from general purpose identity management systems.

So, as we were talking about, you know, in the past and whatever, privileged access management used to be about compliance reporting, right? Just making sure that I knew who accessed what and could prove it so it didn't fail or not. Was it a critical infrastructure item? No. And now these days, what it's transitioning into is much more risk management, okay? I know what our risk is. I'm ahead of it. And the other thing in the PAM space was really session monitoring, right? Everybody wanted to watch every keystroke, every screen scrape, all that kind of stuff. A lot of the new privileged access management doesn't really require that. It's a nice-to-have feature. You kind of need it on the list, but is anybody really going to implement it? That's the question, right? And then, you know, if you do all that session monitoring, does anybody ever go back and look at it? There's only so many hours in the day.

How about passwordless access? You know, right? I've heard people talk about that.

Yeah. I mean, as a user, I can't wait, but, you know.

It's somewhere we want to all go, right? We all want identity security to just disappear and be recognized when we log in. So the thing with passwordless is there's always a password somewhere. And it's usually part of a registration, you know, action.
I'm going to register my device with a username password, and then beyond that, I can use my biometrics, right? I want to register my device and get a private key that I can put in my enclave, and I'll use that in the future. Maybe it's got a Touch ID, maybe it doesn't, right? So even though there's been a lot of progress made, it's not, quote, unquote, truly passwordless. There's a group, industry standards group, called FIDO, right, which is Fast Identity Online. And what they realized was these whole registration passwords, that's really a single point of failure. Because if I can't recover my device, I'm in trouble. So they just did a new extension to sort of what they were doing, which provides you with much more of a, like an iCloud vault, right? That you can register that device in and other devices associated with that same identity.

That you can get to it if you have to.

Exactly.

I'm all over the place here, but I want to ask about ransomware. It may not be your wheelhouse, but back in the day, Jay, you remember you used to cover tape, all the backup guys now are talking about ransomware. AWS mentioned it today and they showed a bunch of best practices and things you can do. Air gaps weren't one of them. I was really surprised, because that's all anybody ever talks about is air gaps. And a lot of times that air gaps, that air gap could be a guest to the cloud, I guess. I'm not sure, what are you guys seeing on ransomware and air gaps?

You know, we've done a lot of great research around ransomware as a service and ransomware. And you know, we just had some data come out recently that I think in terms of spending and spend, and as a result of the Ukraine-Russia war, that ransomware assessments rate number one.
And so it's something that we encourage, you know, when we talk to vendors and in our services, in our publications, that we write about taking advantage of those free strategic ransomware assessments, vulnerability assessments, right, as well, and then security and training rank very highly as well. So we want to make sure that all of these areas are being funded well to try and stay ahead of the curve.

Yeah, I was surprised to not see air gaps on the list. That's all everybody talks about.

You know, the old model for air gapping in the LAN days, the Novell days, you took your tapes home and put them in the sock drawer.

Well, it's a form of air gap. And then the internet came around and ruined it. Guys, final question I want to ask you as we kind of zoom out. Great commentary, by the way, I appreciate it. As we've seen this in many markets, a collection of tools emerge and then it's tool sprawl. So side where we're seeing a trend now where mom goes up on stage, of all the ecosystem, probably other vendors doing the same thing, where they're organizing a platform on top of AWS to be this super platform of super cloud capability by building more platform things. So we're saying there's a platform war going on because customers don't want the complexity. I got a tool, but it's actually making it more complex if I buy the other tool. So the tool sprawl becomes a problem. How do you guys see this? Do you guys see this platform emerging? I mean, tools won't go away, but they have to be easier.

Yeah, we do see a consolidation of functionality and services, and we've been seeing that, I think through a 2020 cloud security survey that we released, that was definitely a trend. And that certainly happened for many companies over the last six to 24 months, I would say. And then platformization absolutely is something we talk and write about all the time. So, yeah.

More M&A.
A couple of years ago, I called the Amazon tool set an Erector set because it really required assembly. And you see the emphasis on training here too, right? You definitely need to go to AWS University to be competent. It wasn't Lego blocks yet, it was an Erector set.

Very good distinction.

Lose, yeah. And then you lose a few.

It's still too many tools, right? You see, we need more consolidation. It's getting interesting because a lot of these companies have runway, and you look at SailPoint, that stock price has held up because of the Thoma Bravo acquisition, but all the rest of the cyber stocks have been crushed. Especially the high flyers like a SentinelOne or a CrowdStrike, but there are still M&A opportunities out there. So platform wars. Okay, final thoughts, what do you think's happening next? What's your outlook for the next year or so?

So, in the identity space, I'll talk about it and Philip can cover cloud for us. It really is more consolidation and more adoption of things that are beyond simple SSO, right? It was just getting on the systems and now we really need to control what you're able to get to and who you are, and do it as transparently as we possibly can, because otherwise people are going to lose productivity. They're not going to be able to get to what they want. And that's what causes the C-suite to say, wait a minute, DevOps, they want to update the product every day, make it better. Can they do that or did security get in the way? People every once in a while call security the department of no, right?

Yeah, well. They ditch it on stage. You want to be the department of yes.

Exactly. And the department that creates additional value. If you look at what's going on with B2C or CIAM, a consumer-oriented identity, that is all about opening up new direct channels and treating people like they're old friends, right? Not like you don't know them, you have to challenge them.

We always say, you want to be in the boat together. It sinks or not, right?

Yeah, exactly.
Philip, on cloud. Okay, what's your take? What's your outlook for the year?

Yeah, I think something that we've been seeing is consolidation and integration. And so companies looking at from build time to run time, investing in shift left, infrastructure as code. And then also in the runtime detection, it makes perfect sense to have both the agent and agentless so that you're covering any of the gaps that might exist.

Awesome. Jay, Philip, thanks for coming on theCUBE with IDC and sharing your perspective, commentaries, and insights and outlook. Appreciate it.

You bet.

Okay, we've got the great direction here from IDC analysts here on theCUBE. I'm John Furrier, Dave Vellante. We'll be back with more after this short break.