Corey Quinn, The Duckbill Group | AWS re:Inforce 2019
Jun 11, 2021
From Boston, Massachusetts, it's theCUBE, covering AWS re:Inforce 2019, presented by Amazon Web Services and its ecosystem partners. Hello, welcome everyone to theCUBE's live coverage of AWS re:Inforce in Boston, Massachusetts. I'm John Furrier with Dave Vellante. This is re:Inforce, this is the inaugural conference for AWS in the security and cloud security market. A new category is forming from an event standpoint around cloud security. Our next guest is CUBE alumni guest analyst Corey Quinn, the cloud economist at the Duckbill
Group. I love that you come back, and because you're in the halls, you get all the data, you bring it in and you report it. But at this event, unlike the others, you had great feedback and analysis; you were mentioned on stage during the keynote speech of Stephen Smith. Congratulations. Thanks. I'm still not quite sure who's going to get fired for that, but somehow it happened, and I didn't know it was going to happen. It was incredibly flattering that it happened, but it was first, uh, amazing, does he know who I am, followed quickly by, oh boy, does he know who I am, and at this point I'm not quite sure what to make of that. Lucie, it's good news, it's good business, all press is good press, as they say. But let's get to the point. Obviously security is a security conference, this is the inaugural event. We always love going to inaugural events because in case there isn't a second event, we were there. Oh yeah, an event, so it's always been that way. Having been there since the beginning is usually a great bragging right, and if there isn't a second one, you don't need to mention it again. So if they've already announced that there will be another one in Houston next year, it will be entertaining. A lot of people were telling us that security event, re:Inforce,
some somewhat optimistic skepticism about the sector. Obviously the cloud is in fashion, but the comment was that no one will be there, it will be more of an educational event. So yes, it is more of an educational event, I'm sure they are talking about things, who may not have time to do it, but a lot of investments are being made there. There are players here from McAfee companies, name the renowned companies here, they are sitting on real people, many business developers are trying
to understand how to develop the sector. There are many technical technologists here and they also delve into some of the deep conversations. Do you agree? What is your opinion about the event? It surprises me that I expected it to be a bunch of people trying to sell things to other people who are trying to sell them things in return, and it's not like that. There are people who are using the cloud for interesting things, and that's fantastic. One thing that always bothers me, it's seemed kind of strange, and I guess I feel spiritually aligned here if nothing else has a cost, and security will always be behind the features. No company is excited about investing in those things until right after they really should have been investing in those things, and it was not the time to market them.
Speed is always going to be a much more valuable and strategically important thing for any company, but we're seeing people start to get ahead of the curve in some ways, and that's refreshing and frankly surprising. What is the main story in your mind? The three main stories to come out of re:Inforce
from an industry point of view or from a product point of view that you think needs to be said or amplified, or if they don't tell you, let them tell you. Well, there have been things that we have seen on stage and that it's fantastic, and I think I've probably repeated them a little bit with other guests. For me, what I'm seeing is that the story that resonates as I walk through the showroom here is that we're seeing a
group of companies that have deep roots in environments of data centers and now we are trying to come up with stories that resonate with the cloud, and if they don't, this is a transformative moment, they are probably indeed in decline. But they are not differentiating from each other particularly well. There are some very key things we're seeing people operate on, like with the new mirroring port coming out of VPC traffic.
You're right, you have a lot of companies that can consume them, or flow logs if you want to go back in time a little bit, and spit out some analysis on this, but you're not seeing differentiation around this. Or, well, we'll take all your security events and spit out the useful stuff. Okay, that's valuable, and you should be able to do it the way. How many vendors? Do they need a company to do exactly the same thing? You know, we had a lot of site CISOs here and professionals, and one of the comments on that point is, yeah, he says, look, I don't need any more alerts, I need things fixed.
Not just tell me what's going on, and fix it. So the automation story is pretty important too. The VPC traffic mirroring, I think it will be great for analysis, great just to get that data out, but what's the real impact and automation part of it? And okay, there's an alert: pay attention, or ignore it, or fix it seems to be kind of a next-level conversation. Your thoughts on that piece? I think as we take a look at this space and see that companies continue to look at things like autocorrect, automation is great until the first time it does something you didn't want it to do and deletes something, at which point no one trusts it again and that becomes too much to deal with.
I also think we're starting to see a new chapter as an alliance with this AWS thing and its relationship with partners. I mean, historically, you're looking at re:Invent and you're sitting in the exhibit hall and watching the keynote, and it feels like it's the AWS red wedding, where you're trying to see who's about to die for a feature that just came out. And now we are seeing that they have largely left aspects of the security space alone. They have had VPC flow logs for a long time, but they are classifying them, that was always like filtering sewage with your teeth. You had to find a partner solution or build something yourself from open source tools with saliva and duct tape. There has never been a great tool there, and it almost feels like they were abandoning that area, for example, alone and leaving that as an option for partners. How do you partner with something like AWS?
That's a tough question, so one of the other things we hear from practitioners is that they don't want incrementalism, they're a little fed up with it. They want tiered features that make Johnson remedy, yeah, so hey, you called the red wedding on the main stage, what does a partner have to do to remain viable in this ecosystem? Historically, the answer has always been to continue innovating ahead of the goal. The AWS wave is its own innovation, the problem is that you see that slide that they put at every event that everyone who doesn't work at AWS sees and that shows the geometric increase in the number of releases of functions and services and we all feel the sensation of sinking. not even on the partner side, but they're releasing so much stuff that I know some of it will fix things for my company, but I'll never listen to it because it's drowned out in the sheer volume of what they're releasing.
AWS is increasing rapidly. their pace of innovation to the point where companies that can't at least match it will find themselves in a bad time as they will be outpaced by the supplier they are partnering with and you heard Liberty Mutual say number one. The challenge was actually the pace of the cloud being able to absorb all these new features, yes, and you mentioned the partner ecosystem. I mean, it's not just the partners, but also the clients that that arc is coming faster than they can move at all. I can sit here now and talk very convincingly about services that don't exist and not be called out by an AWS employee who happens to be sitting here because no one can keep all of this in their head anymore, it's overtaken most people. ability to understand that and contextualize it so that people specialize, people focus and I think to some extent that might be one aspect of why we're seeing it bolster its own conference, so we talked to a lot of CISOs on this journey .
One on one, we had some interviews, some private meetings. I'm going to read you a list of key areas that they mentioned, as Ben said. I want to know your reaction to choose the ones that you think are very relevant. Safe speed. Ly is a pretty fast vendor lock in Japan, our native security service providers, cloud vendor relationship metrics, different integration of security, identity automation, workforce, talent, coding, security and the human equation, These are all key areas that seemed global and B categorically formed their thoughts on which Do you think it is obvious that there is something critical in the market?
I sure think right now people who talk about lock-in are basically wasting their time and going around in circles if, for example, you choose two cloud providers because you don't want to be one. stuck in a hole, now there is a proper partner ecosystem because translating things like me to another vendor environment is completely foreign, you have to build a whole new security model on top of things to be able to do it effectively, that's right, so that people and security we can We are seeing less aversion to lockdown than in other aspects of the business and I think that's probably the right answer again.
I'm not partisan on this path, it's a battle if someone wants to go with a cloud provider other than a great, awesome Dobis, make them choose the one that makes sense for your business. I don't think it necessarily matters, but pick one and do it all. This also came up and in a couple of ways, one was the general consensus on who. You wouldn't like multi-cloud if you could seamlessly move things between clouds without having to make modifications or all this code that needs to be developed. Who wouldn't love that, but the reality is that it doesn't exist.
Well see your point, this came up. again, as workforce talent in the workplace, you see, so I said I'm with AWS. I have Scylla from Google. I could probably go like you, maybe I bought a company that does a few things there, for the most part, all my talent peaks at AWS. Because? I'd like to have three separate security teams looking at different things, but I want everyone in our stack to be building their own stacks and then outsource using vendors where supported? Sheriff, the approach of building your own stacks, your own security coding. was critical and having a competition split into codebases just to make it multicore.
I think it was a non-starter. I think multi-cloud has been a symptom. I mean, it's more than a strategy. I think if it's largely a bit of a desperate attempt by multiple vendors that don't have their own cloud to say, hey, you need to have a multi-cloud strategy, but multi-cloud has actually been the result of multiple projects. , as you say, M&A forces for course business lines. So my question is: I think you just answered that multi-cloud is more complex, less secure, and probably more expensive, but is it a viable strategy for things other than locking down to some degree?
There are stories about durability. There are business reasons if you have a committee of a customer that doesn't want their data to live on a particular cloud provider, those are strategic reasons to move away from it and to be clear, I would love exactly the same thing that you just mentioned, where I could take what I built and run it smoothly on other providers, but I don't want it to be just a bunch of VMs and maybe some disk. I want them to be higher level services that take care of large amounts of my business and I want them to flow. no issues between vendors and there just isn't any history of it, for anything reasonable or modern, and history would say that there will never be any kind of open source movement, some of the other cloud providers that are talking broadly about multi-cloud. translates it through a slight filter: we think you should consider multi-cloud because if you go with a single provider there is no way in the world that it will be us and that is the challenge if you Take a look at multiple companies here, if anyone Go for a single supplier, you won't have much or anything to sell them of differentiated value and that becomes the general challenge for a large number of companies and I empathize with that.
Amazon really began to develop the channel a lot. I will see your emphasis on helping people make some money. I'll see your suppliers or those ecosystems afraid, always afraid that there's a shared responsibility and a level of, like, well, we only have so much security. We make things and you make things, so obviously they're inherently shared, so I guess that's not really a surprise to me. The question is how to achieve successful monetization in the ecosystem, clearly defining the lines of the rules of interaction with the spaces in white and us. As for differentiation, your thoughts may come up about how that plays out. Yeah, and that's a great question, because I don't think you're ever going to get someone from Amazon to sit in a room and say it's okay if you build a tool that does this.
We are never ever going to build something that does that, I mean, they just launch the service on reinvent that talks to the satellites in orbit, if they are going to build that, I won't, there is nothing I will say, they will never do it. Getting involved with product strategy from the outside feels like a sticky note that says yes, there is and how do you end up successfully building and scaling a business around which I have no idea what Jesse is saying. the record here in the cola has been with me privately in my report saying never say never members never say never so that's absolutely explicit take your meetings at their word and I'm an independent consultant where my first language is sarcasm so basically I'm making fun of AWS in the newsletter and the podcast and that seems to be going reasonably well, but I'm never going to say that they're not going to move on to self-deprecation as a business model.
Look at some of the names of their services that they are clearly starting to do. There are advances in that space, so I have to continue to innovate before that bow wave and for now, okay, I can't imagine trying to build a business model with a 300-person company and being able to continue to innovate at that pace and avoid rapid changes. as AWS scouts you offer what I see from Wyatt, well we always agree on a dress but we are fans as you know but what I loved about 8fs is that they give their partners the opportunity and give them they experiment with a lot of caveats the rules compromises Never say never, but if you don't differentiate, that's your job, your job is to be better now, one thing Amazon does say is, hey, we may have a competing service, but we're always going to favor the customer, so the partner, if a customer wants an Amazon Cloud Trail, they want a cloud trail, a great example.
There have been requests for that, so why wouldn't they? But they also recognize Steve's business people in the ecosystem who do similar things. Yes, and they're not going to actively try to put them out of business per se. Oh yeah, a company that has done fantastically well partnering with everyone is PagerDuty, and even if AWS were to announce a service that wakes you up in the middle of the night when something breaks, that's cool, awesome. How about you first update your status page in a timely manner and then talk over the knee depending on the infrastructure you run to tell me when the infrastructure you run now is degraded?
The idea of being able to take some functions like that and outsourcing worked well enough that they could go, where are the safe spots in the ecosystem? So obviously a partner that has a strong local presence, yes, that Amazon wants to have access to, it's short-term and maybe even medium-term. strategy, okay, professional services, if you know Accenture, Ernie Young and Deloitte PwC, you're probably fine because that's not a business that Amazon really wants to be in right now, they might want to automate as much as possible. but the world is going to do that anyway, but what's your opinion?
Optimization cost for that or not from a technical capability basis and I think their current tools are disappointing. I would say the cost of Explorer and the rest of their billing system is the asterisk. In addition to the client's obsession with being perfectly honest, no, no, but there will always be some value in an external party coming from that space and the form that takes that is going to change, but it is not very defensible internally to say that our spending on The cloud is optimized because the vendor that we're writing those big checks to tells us that third-party validation will always be necessary and if that can be done through the software, what that business looks like, is a big question that we have right now.
We're seeing people spend over thirty billion dollars a year on AWS and it's going up. One thing we can say with certainty in almost all cases is that people's cloud bills are not reducing month to month, yes, so it is a growing market. one that people feel incredibly strongly about and when you give people a few drinks and they start complaining about various aspects of the cloud, one of the first most common points that arises is that the bill is not too high but rather inscrutably good , so just to flip the back of the napkin, Tim, how much optimization potential there is is a factor of 10% or more depends on the level of effort you're willing to invest.
I mean, there's a story for most environments where you can save 70% on your cloud bill, all you have to do, spend 18 months rewriting everything to use serverless primitives, six of those months you'll be depressed across the board and then wait, where did everyone go? because no one is going to do that, you might be out of business. Therefore, it is always a question of effort dedicated to optimization versus improving features, speeding up time to market, and offering something that generates much more revenue. The theoretical advantage of cost optimization is one hundred percent of your bill in the cloud.
Launching the right service or product can generate multiple benefits. of that in the revenue people, I think my theory on the differentiation for you is that I think Amazon is basically saying in so many words, not directly, that's my interpretation, hold on to the AWS rocket as long as you can if you can get a support stable. If you fall, it's your fault, so what that means to me is moving up the stack so that Amazon clearly continues to grow and create scale so that the benefits to companies by creating a value proposition can extract rents from the market from the value that they create in the growth of Amazon, which means that they joined Amazon in the growth and constantly pivot to where there is room and Amazon is just a steamroller, it will come on the rocket that goes so fast, whatever the metaphor, and the people who are I'm just saying we made a deal with Amazon that we're in and then we went dormant, we're probably going to end up getting spun off like some guy was taken away from Amazon, so we did that, you didn't differentiate it enough.
You didn't innovate enough, but they're going to give everyone a chance to have a place in the growth, so the management strategy is to just push the envelope, that's implicit in Amazon's kind of stance, which is explicit in the Amazon positions. applications on our platform and you should be fine time and time again and many engineers get caught in the trap of building something and spending all their time making the quality of their code as good as possible but that won't lead to a business result one way or another. In another, we see stories of companies that achieved success with an infrastructure fire.
All the time Twitter used to be plagued by massive downtimes until they were big enough to justify the time and expense of a massive rewrite and now Twitter is effectively in full swing. Whether that is good or not is a separate argument, but they are there, so there will always be times when everything is excellent examples. They built it in Rails, yes, and put it in the Amazon cloud. It was just kind of a trick and then also. and people loved it and that to me is the benefit of the cloud once you get that escape velocity the investment to start Twitter was pretty low yeah and what was the success and then they had to rewrite because the scale was exploding , that's called prototyping, oh. yes that's what pricing has to do, this is the agility thing, start as a theme, just dig deeper, do a hackathon, but don't confuse that with scale, that's where the rubber meets the the right way and the oh.
The cloud is not for us because we are an exceptional case. There are very few companies for whom that statement is true in the modern era and they first do an honest analysis before deciding that we are going to build our own data centers because we can do it. It's cheaper if your Dropbox has excellent storage, otherwise you'll end up in this story where, well, now we have 20 instances, so we can do this cheaper somewhere in Iraq. I'll bet you a house you're wrong, but that's okay. people are telling it, okay, last question for you while you were wandering around and participating in the sessions, you have been on the analyst topic, what are some aspects of life, type of comments, stories that you came across and What did you find funny, intelligent, insulting or humorous? floor What are some of the conversations?
One of the best was a company I won't name, but the story they told was fantastic. They're primarily on Azure and they also have a strong secondary presence with AWS, and that's fascinating to me: how does that work internally? It turns out that their cloud of choice is Azure and they have to enforce that with guardrails in place, because if you give developers a choice, everyone will go and build on AWS, which is fascinating, and there are business reasons behind why they're doing what they're doing, but that story was really funny. I can't confirm or deny if it was true or not because it was someone who had had too much to drink telling an incredible story, but the thought of having to do it.
Forcibly drag your developers away from one thing in favor of something else, well that's like a bad party, it's much better to cover up that their friends are there, a commitment, right, they have a commitment to Microsoft software, yeah, so that's probably why they're not saying this is necessarily the wrong approach. Oh, my running meters might be the right business decision, but when you ask the developers, we see that all the time, Joe, you know, I mean, I had developers who were stars of the company from a long time ago, like look, we think about it.
It would be great to build on Azure, they were actually paying us, they were writing checks that incentivized us and I had a revolution. The engineers were rebelling because the reverse proxies for us were makeshift services and they weren't clean, primitive native services, so The engineers were rebelling, so they turned down Microsoft's cash and went back to Amazon. Surely it is much better now, but they have to leave behind that inherited shadow. It wasn't great at first and people tried something that was terrible once. Well, would you like to try it again now? Why do that?
It was terrible and it takes time to get over that knee-jerk reaction, but to your point about the business decision, it might make business sense to do that with Microsoft, it's maybe a little more predictable than Amazon as a partner. Oh, the way to optimize your bill. Another non-AWS cloud provider these days is to call your account rep and yell at them if you're willing to buy business at most. cases and that's not specific to any one vendor, most of them are a challenge to optimize for free, so we don't see the same level of expensive invoice issues in most companies there.
The good news is at Microsoft, and I was a big critic of Azure going backwards a few years ago, is that they have absolutely changed their philosophy from two, three years ago. In the last two years, particularly 24 months, they have really been accelerating it and pedaling as fast as they can. They are serious about committing, from the top to Nadella, so there is no doubt that they are doing it in house with the Kubernetes work that you are seeing with the one who has been there: it is phenomenal. There are great developers where they are. They are in the long-term game, they're not going to be a fad. Certainly not, and we won't see, for example, the Verizon public cloud or the HP public cloud, both of which were disabled, but the ones we're seeing today will largely be here to stay among the big three, including Alibaba, and I'm not worried about the long-term viability of any of them. It's just a matter of finding their niche, finding their market, its lanes. Corey, it's great to keep you up to date with some of the stories. Thanks for the comment. Thanks, as always. Excellent guest analyst, CUBE alumni, friend, analyst Corey Quinn here at theCUBE, bringing you all the main action from AWS re:Inforce, its first inaugural security conference. The start of security coverage of cloud security and theCUBE continues after this pause.