Live from Boston, Massachusetts, it's theCUBE. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners.

Well, welcome back everyone. Day two of live coverage here in Boston, Massachusetts for AWS Amazon Web Services. An inaugural conference called re:Inforce. This is a cloud security conference, the first of its kind. It's the beginning of what we see as a new generational shift in now a new category called cloud security. Obviously, cloud has been growing. The security equation is changing and evolving. We've got a great guest here, Colby Allen, who's the platform architect at ZipWhip based in Seattle, great for joining us. Thanks for coming on.

Yeah, thanks for having me.

So we were chatting before we came on about your journey and your DevOps chops you guys have built over there. I want to get into that. Just quickly explain what you guys do real quick, set the context.

Yeah, so ZipWhip is an SMS text messaging provider. We specialize in toll-free messaging. We also text enable landline phone numbers. Our business is kind of really split into two parts. We have your traditional SaaS application that runs like a SaaS. And that's where you can have the UI to interface your landline phone number, 800 number with text messaging. Now, on top of that, we run a carrier grade network. So we have direct binds into all the major carriers in the US, bringing online some Canadian carriers. That's really where the power of our platform in is we own the network. And so we started in the Colo and over the last year which has been nine months, moving all that into Amazon and bringing it up.

Let's talk about that. So explain the architecture. You guys move, you had some Colos, get the network, you move to Amazon with three people. Just classic DevOps, a lot of hard work I'm sure. Take us through what happened, what was the old environment and now what does it look like now?

Yeah, so when I started at ZipWhip, they were an interesting place.
They were just starting huge growth. At that point they existed in a few data centers in the US and running VMware workloads on, or bare metal databases. And the problem was there was just a scaling problem, right? I mean, we couldn't, we were looking at the type of scale we needed and trying to procure hardware and we just couldn't physically get it fast enough with the right amount of budget. And so I'd come from a previous place doing AWS. I mean, that's kind of what I've done for a lot of years. And so I convinced my boss, say here, let's try the SaaS app in AWS. So we built that, ran it, launched our new version of our SaaS application in Amazon. And at that point, our traffic skyrocketed. I think last year we had somewhere 280% growth. And our core infrastructure just wasn't surviving as outages and problems. And so we took it and we went to Amazon with it and we rebuilt it all. And it was a really interesting thing because Amazon was literally releasing features and we were consuming them, right? The five series and Nitro came out and we're like, finally we can get performance on the networking interfaces. Then they released the D instances with the NVMes. We're like, finally our databases will survive and they can go fast enough. And then we're leveraging huge Aurora instances to be able to power the back end of this thing.

So you guys really tapped really at the right time. You guys were growing. You saw the scale potentially bursting. You saw the scale coming in, you had growth coming in the company. You could almost see, okay, look, we got a plan. So you go to Amazon, new services. What's the impact been on the staff? You guys been adding more people? What's been the impact on the DevOps?

I think the big thing is the initial move, we did it for three of us. I mean, it was a lot of work. We spent a lot of time doing it. A lot of sleepless nights, a lot of long weekends.
But now we've got a really stable platform and we were able to really continue processing. Our message growth has increased and we haven't had to totally re-architect things again. The architecture's worked because it's grown and expanded. The scalability has been fantastic for us. The performance, of course, is some of the best.

The walking commercial for AWS, of course. The people have that same experience. But what's interesting is you guys essentially are, in my opinion, representative of the trend that we're seeing, which is certainly in security as they catch up the DevOps. That's a big story here. Security now can level up with the speed of the DevOps kind of engineering philosophy and deploying. But it's the trend of building your own. And a lot of companies are reinvesting in teams of people because they're close to the action and they can actually codify, quickly, use cases that they know are bona fide, whether it's a low level platform service primitive or right up into the app using machine learning and using data. So you have now that now you add security in there. This is where the action is. And so companies, I mean, I see the successful ones like you guys coming in saying, hey, you know what? Let's not boil the ocean over. Let's just solve the one problem scale and then let's look at the services that we can leverage to do more. Take us through these philosophies. I think you guys are a great example of that.

So I mean, if we touch on the security aspect, I think that that was a big thing is, we don't run a dedicated security team. My team is the security team, right? And that was a big thing that both me and my director is we wanted the people building it to be doing the security. And that was what was really easy with AWS is we could turn on all these fancy features and it was just a flag in Terraform and all of a sudden we have encryption at rest is something we've never had before. And so there's that.
And then to the builder methodology, because we came from such a scrappy, like we got to go fast, like we didn't have time to evaluate software, bring in consultants. And so we've kind of just kind of adopted that. It's better for us a lot of times to kind of roll our own thing. And then there are times where there's software that's a good fit for it. I mean, we do use some external vendors on things, you know. And-

But that's really more of a decision on the platform side as you look at the platform engineer, you go, okay, we got a build here. Let's, we know we don't release, not maybe not be a core competency. Let's go look at some vendors for this, this and that. But ultimately, if you look at something that's really core you can dig into it. And certainly with Kubernetes and with a lot of the services coming out, the SaaS apps are taking advantage of these cloud native. Take us through your piece there.

Yeah, so we're huge Kubernetes. We're 100% Kubernetes everywhere. And I think that that's really been another big thing for us is, it's brought our application up a level to be able to integrate and be more reliable. I mean, where you used to have this external service discovery piece and then you have your security piece, where Kubernetes, I can go deploy a container or an application and I describe it all at once. It's all in my code config. So I can audit it for our compliances. We can code review it for our compliances but at the same time I deploy the whole thing. I'm not, here's this team deploying the app. Here's this other team then coming by trying to secure the app, it's all together.

So the old way would have been kind of build it out, maybe use some software, have all these silo teams. And that's kind of all kind of built in.

Yeah, we've kind of just opened it out, right? I mean, from our SaaS teams leveraging a lot of the security features that are available to us to our core piece, which is a very different type of software.
You know, it's leveraging the same pieces and same type of monitoring principles.

It's interesting, you know, the keynote is some, people hanging around like the word DevSecOps. I mean, I love DevOps. We've been part of that since day one and it's been fun to be part of it. But we saw the benefits of it, clearly. You see no doubt, there's no debate. But when you start getting into some of the semantic definitions, when you go to security, I know and feel that by the way is fragmented like crazy. And now you got the growth of the cloud. You're starting to see cloud security become its own thing that's different than the on-premises side. So what's your take on that? Because a lot of people are wanting, they're going to the cloud anyway. So what's interesting on-premise security posturing and cloud security in your opinion?

Yeah, so I mean, it is drastically different. I think part of it's the tool set that's available, right? I mean, we ran data centers. I've automated data centers, but, you know, they're just not at the level of which I can do the automation and the auditing in the cloud. And so I feel like the cloud actually, in some respects, makes it easier, you know, for me to do security and run security and audit security, you know, versus the data center, you know, I had to run a lot of tooling and a lot of things to get all the views I needed. But there was a lot of really separate systems, you know. In the cloud, you have like this one nice fundamental API that I, as a person who has to build the infrastructure can use. But it's the same API that when I put my security hat on that like I used to manage security, right? Security groups, things of that sort. It's all the same, right? We're not having to learn five different applications.
It's been really important for our team, because, you know, my team comes from the vast majority of, you know, true DevOps to, you know, we've been upgraded from people in our NOC, you know, and to have them really just learn the one ecosystem is.

You don't want to fragment the team.

Yeah.

You don't want to have five different skill sets kind of fragment.

Well, and our big thing is we just don't, we didn't want to have tools that only one person knew how to do, right? We wanted people to take vacations, right? And like, we don't want to have a tool that's like, oh, well, only, you know, only that person knows how to run it. Nobody else does. And so that was the big thing for us.

Colby, what do you think about the show here? re:Inforce, obviously it's not an Amazon website for the summit. They do the summits, which is essentially a commercial version of re:Invent in regions. This is a branded show. It's obviously their cloud security going hard at it. What's your take so far this first event?

I've really enjoyed it. I mean, so I've gone to summits. I've been to re:Invent for a few years, spoken at re:Invent once, you know, but, you know, those things are fun, but they're so big and there's so much going on. You know, it's refreshing to be at this re:Inforce conference and like, focus on the security side, you know, to sit in talks where like, you have people getting into KMS and like, some of these really pivotal tools. And so it's been really, really exciting.

So you can get down and dirty here.

Yeah.

And people talk to you, you know, approachable.

Without like having to deal with all of Amazon, right? I can focus on like, this one little portion of it.

I mean, re:Invent, you can't even walk through the hallways. It's like, you know, sort of a screen.

Yeah, I mean, well, we're one hotel are you going to be at at that point now, right?

Yeah, yeah, yeah. Okay, so I got to ask you about the DevOps question.
We've been commenting yesterday, Dave Vellante, who's on his way in, you know, we're talking with a lot of CISOs and a lot of practitioners. And the conversation generally was security needs to catch up to DevOps. And depending who you talk to, they may or may not believe that. And we think that to be true. We think security now has to level up with the speed of DevOps and there's agility things that are highlighted through the examples you guys have. What's your take on that when someone says, hey, security's got to catch up to DevOps? Is it really catching up? Is it more transformation? What's your view on this?

Well, I think, I feel like when you say catching up, like it takes a negative connotation and you know, I don't want to be negative there. And so I feel like it's a transformation. I mean, it's the same thing of going from the data center as just as an operational engineer to Amazon. It wasn't catching up. It was, you just are changing everything you do and how you think. And I think, you know, that's the same thing that a lot of security people I've seen struggle with. The ones that are successful are the ones that have gotten it and understand that like.

What do you think is the most important story happening in this world, security, cloud security, security in general, that should be covered by media, that should be covered by the industry that is covered or should be amplified more or isn't covered and should be talked about? What are the most important stories that should be told?

Well, so again, you know, I'm a fundamental layer. So things to me that are always overshadowed are like, you know, just encryption, right? I mean, everybody's like, you know, turn encryption on, but, you know, a few of the talks I've gone to today are deeper dives into that. And I feel like, you know, the KMS product in Amazon, I feel like is a very powerful product that isn't super talked about. I mean, it's been nice here because they talked about it a ton.
But like you go to re:Invent, you don't really see a lot of like KMS type things or CloudHSM. And you know, I think it makes some of those very difficult products to run in a data center very easy. You know, what you hear on the security side is unsecured S3 buckets, or like security groups are configured incorrectly, and you know, right?

Everyone knows that. It's like the Geico commercial, everyone knows that.

You know, Elasticsearch has now turned into the new S3, right? You know, it compromises, you know, choose your database of choice to the public. But for me, I think it's like, the part that I feel is missing with Amazon is the ease of use of like clicking a button and now I have full Aurora encryption by default.

Yeah, and the services you can just turn on. What's next for you guys? Give us a peek into some of the things you're working on. What are you excited about?

So, I mean, we're making a big thing is, you know, so we spent a lot of time building and now we're kind of going back and really kind of wrapping a lot of our compliances. So, ZipWhip as a whole has been working towards a lot of SOC 2 type compliances and things like that. So, you know, we've been working through governance and deploying, you know, software that kind of is more actively watching our environments and alerting us or helping us make sure we're staying at CIS type benchmarks so that, you know, when my boss comes to me and says, show me that we're doing this, I can just say, oh, here's a dashboard.

Yeah, yeah, yeah, exactly, not a lot of heavy lifting.

So, we've been rolling out like VMware SecureState is the big product that we're working with right now. We've leveraged CloudHealth and those are kind of the two external vendors that we've really partnered with and so, you know, this year's been adapting those into the system. So, that's on the AWS side, you know, we still just run Kubernetes so there's a lot going on in the Kubernetes ecosystem that we're also working on.
So, you know, service mesh and things of that sort, like, you know, how can I take this idea of security groups and this least trust model infrastructurally up to Kubernetes, which by default is kind of flat and open. And so, you know, we've been exploring Envoy and Istio and Linkerd or write our own and, you know, and looking through those things and then again, making more robust CI/CD pipelines so container scanning, vulnerability, you know, protecting our edge. You know, we've been running CloudFront and WAF for a while but, you know, a lot of this year's going to be spent, you know, evaluating that. You know, we deployed OWASP Top 10 and got it turned on, right? Because it works but, you know, diving more deeply into like some of the auto remediation stuff.

Kind of a fun environment right now, isn't it? You can knock down some core business processes, scale them up and then you got the toys to play with on the open source front. You got Kubernetes, really a robust ecosystem there. It's just, it's a lot of fun.

Yeah, Kubernetes has definitely been exciting to play with.

Advice to fellow practitioners and platform engineers because, you know, you guys have been successful with the transformation of AWS. You got your hands in a lot of cool things. You got a good view of the landscape both on security side and the DevOps side. For the people out there who are like, they want to jump in with a parachute open, whatever, you know, they're nervous. Some people are aggressively going at it hardcore. Some have cultural change issues. What's your general advice to your fellow peers?

My advice is just jump in and do it, right? I mean, no, don't be afraid. I mean, we had a really fast transformation and we failed a lot very fast and we weren't afraid of it. I mean, you know, if we weren't failing, we weren't doing it right, you know, in my opinion, right? We had to fail a few times to figure out what was going to work.
And so I think, you know, don't be scared to jump in and just build, you know, write the automation, see what it does, run some tests against it, you know.

It's almost like knowing what not to do is the answer. Like, go get some testing out there, get your hands dirty.

Yeah, what's going to work for you, what's going to work for your business and the only way you're going to be able to do that is to actually do it.

Yeah, and then code up and specialize. Colby, thanks for coming on, sharing the great insight. Colby Allen, platform engineer for ZipWhip, great company here at theCUBE, bringing all the action, extracting the signal from the noise, great insights in here coming from re:Inforce here in Boston, AWS's first conference around cloud security. We'll be right back after this short break.