Reasonably Accurate Transcript
Hey, everybody. How are you doing today? Uh Mark here. Good to see you, smiling faces. It's been a little while. Um And the reason for that is last week was AWS re:Invent 2018 in Las Vegas. It was the biggest conference in cloud. It's the biggest re:Invent yet. Over 50,000 builders descended on Las Vegas for a week of learning of announcement um of networking just uh of generally fantastic time.
Um Now I've been sort of processing since re:Invent um because there was a record number of uh announcements again, features functionality, new services that AWS just kind of dumps on the community. And it's wonderful. It's absolutely fantastic, but it's a lot to take in. Um And that's what I wanted to talk to you about today, not the re:Invent announcements if you want to follow those um go uh to my Medium page.
So uh just look for marknca on medium.com um and you see a bunch of summaries there and of course you can follow me on Twitter and I'll, I'll tweet all those out as they get published um throughout the week. Um What I wanted to talk to you about was actually um the perspectives on those information.
So what's interesting is as a community hero, as a longtime cloud builder, as a security um professional. I sit and listen to these announcements and I hear a certain angle on it right by default, this is sort of my, my perspective and I go, oh OK, you can use it in this manner, in this manner, in this manner.
Um But I talked to other people throughout the week and they had completely different interpretations of some of the things now, not of the technologies, but of how they're going to be using those technologies. And it was a real reminder um that communicating a message and communicating intent can be really tricky and as a follow up to that, not just communicating intent, but how people take something you've built, especially if you're building a set of uh primitives or building blocks like AWS does and what they do with that is a completely different cause.
And I think that happens all the time in security. Um mainly because people lack the context um to make a proper decision or to understand what's happening or why it's happening. Um But I think it is the, the point is, is relevant is that we have this challenge. So if you roll out something like multi factor authentication, normally you're gonna say, hey, this is gonna make you more secure.
Um Please take the time to um complete the enrollment and start using multi factor authentication for all of your key passwords. Maybe you mandate it so they can't log in without it. Um You know, something like that and that'll probably be relatively successful. But I would ask the key question is after that effort, after you have multi factor rolled out to all your uh team members to your organization, do they understand why you said it was to make things more secure?
Sure they can gar you know, regurgitate that back to you and say, oh, it, it makes things more secure. But do they understand how or why it does that? Um And I think that's a great uh example of, you know, an opportunity to inform, to educate and to teach and to help expand people's security perspective.
And the challenge I saw last week at re:Invent was because these announcements were just coming, coming, coming, coming, coming super, super fast and you know, all of them were crazy and amazing and you kept going like, oh wow squirrel, squirrel squirrel. Um It made it really hard to kind of uh push a perspective or to push um some guidance.
And it was interesting because one of those announcements was a Well-Architected Tool which is designed exactly to do that, to help people understand how to build within AWS. And if you're at the point where you need to build a tool to help people understand how to build with their other tools.
I think that talks to a community issue that talks to an audience fracturing and at AWS scale that's totally understandable and it's totally normal. Um The problem is I see that in much smaller organizations, um so much smaller organizations have that same fracturing problem and that same communications problem because they're not teaching context.
So if we go back to that MFA um example, if you're gonna roll out MFA to your organization, you absolutely should. It's a critical thing. Um But let users know, just say, look, there's a risk of password reuse. You know, we don't recommend you reuse passwords and we really hope you're pushing towards passphrases.
Um But adding this multi factor authentication um adds about a second or two to your login experience. But what it does for the attackers is it puts a significant barrier to entry for them. So in case they did hack your password and they've got your user name, adding multi factor for that extra second or two, it takes you in the morning to log in, makes a significant barrier for uh the criminals because now they need to hack every individual user multi factor, they need to time that multi factor because it refreshes every 30 seconds or 60 seconds.
Um It really sets uh a huge in the way of attackers. That's why we ask you to sacrifice a second or two in the morning to log in using this additional factor, communicating it in that manner, I think is far more effective and people go, oh, that's the context. Ok.
So yeah, it's a little bump for me in the morning, but look at how much harder it makes uh attackers' jobs, right? Attackers' attempts to, to hack our company. Um So I think that's a really key point is if you're communicating something, communicating in context, communicating in a relatable way um and helping people align with the perspective that you intend as the deployment or as the builder um as the person setting up that system, I think that's critical and that's uh how I'm continuing to approach uh my re:Invent coverage.
Um Looking back at the announcements around machine learning around contain um Lambda and serverless. Um the lack of container announcements around security around all this stuff. I'm trying to help that perspective and provide my viewpoint and share that out with the audience. So look for more from me uh on Medium uh at marknca um from re:Invent.
But also, um you know, take that thought away if you're setting up something, especially as you're leading into the New Year or if you have a holiday, push around security, try to add that context. Take that extra moment to explain to people because it really does make a world of difference.
What do you think? Uh let me know, hit me up online at marknca and for those of you in the vlogs, in the comments down below. Um and as always by email me at markn.ca, I hope you have a fantastic day. I hope you have had a fantastic past week and a half.
I'm glad to be back on the air with you. I look forward to talking to you online and on the show tomorrow.