Cloud · · 32 min read

#LetsTalkCloud: AWS re:Invent 2019 Kick-Off

S01E05 - Host, Mark Nunnikhoven, interviews Head of Security, Cloud One Conformity at Trend Micro, Paul Hortop. Together they kick off the biggest conference in cloud at what is sure to be a crazy week in Las Vegas.


An icon representing a document where the bottom half of it has been drawn with a dotted outline, implying a copy This post was originally written for Trend Micro .

Reasonably Accurate 🤖🧠 Transcript

Mark: We are going, uh, live. We're gonna try to come to you live here from AWS Reinvent 2019. We are in the expo hall before it opens, one of the perks of being a sponsor, um, though it is absolutely chaotically loud, as you guys can here, uh, but hopefully not too much.

We're just gonna double check the audio and, uh, see how we're doin' for bandwidth because that is always a challenge when it comes to, uh, driving, uh, these streams on cell connections because lord help me if you try to connect to the conference wifi to upload. It is optimized for down. Um, but it seems like we're good.

Lemme just double check with Joy. We haven't popped up on there. I'm seeing it live on LinkedIn. Uh, already got people jumpin' on board, which is nice.

[00:00:50] Um, as you can see, uh, to, uh, my right, uh, we have Paul Hortop from our Cloud Conformity, uh, um, team. Um, let me just give you a quick rundown before Paul and I get to chattin' here. Uh, my name's Mark, I'm the VP of Cloud Research here at Trend Micro. I'm also an AWS community hero. Uh, we are in Las Vegas right now.

Uh, you can tell a bit from the unusual background. This is the back of the Trend Micro booth. Uh, 2820 if you're in the expo hall when it opens up at 4:00. Um, but you can probably hear a lot of background noise. And we are mic'd up and hopefully that'll cut down on it. Um, but there's chaos going on.

We've got 90 minutes before this opens up so everyone's sort of in that last mad scramble. Cranes are goin' by, forklifts goin' by, boxes, all that kinda stuff.

[00:01:31] Um, we're streaming live on LinkedIn, we're streaming live on Twitter and YouTube. Hashtag is #letstalkcloud. Um, Paul and I are going to be talking about the show this week because we are here, obviously, and we're gonna be active on the show floor but also attending it. Um, and that's, that's the deal.

If you have questions, hit us up, uh, live, um, on LinkedIn, um, or on Twitter or on YouTube. Um, Joy is, uh, just outta the shot but she has volunteered wonderfully to kinda collect those and, uh, give us the a, uh, what's what so we can answer your questions live. Um, thank you. Uh, so with that, Paul; welcome back.

[00:02:06] Paul: Thank you very much.

[00:02:06] Mark: Our-

[00:02:06] Paul: Good to be back.

[00:02:07] Mark: Our first second-time guest-

[00:02:08] Paul: [laughs].

[00:02:08] Mark: ...uh, on the show, which is great. Um, but, you know, you've... So you've flown all the way in from Australia. Um, you're awake-

[00:02:14] Paul: [laughs].

[00:02:15] Mark: job well done already. Uh, this is not your first AWS-

[00:02:19] Paul: No, this is my second. But it's bigger already.

[00:02:23] Mark: So last year was your first.

[00:02:24] Paul: Yes, it was.

[00:02:24] Mark: So last year capped out around 45, 50,000 people.

[00:02:27] Paul: Yep.

[00:02:27] Mark: This year we're saying 60, 65,000. Um, and yeah, you can see, you know, we're-

[00:02:31] Paul: You can see it's bigger.

[00:02:32] Mark: We're day one. Uh, even just to get here, to walk through the hall, uh, was insane. Like, it was just bumper to bumper, like, you couldn't barely move and you're hoping you're migrating in the, in the same level. And the show really, this is the day one. Right? People are still arriving, I know. So Joy just came in today, um, a lot of people local in the States are, are flying in.

[00:02:51] Um, you know, we've got people on, online already from Austin, from Brazil. Um, you know, thanks for jumping on. Um, we're... While you're, you're watchin' this, if you guys have questions about the show, let us know 'cause we can probably answer those or point you in the right direction.

[00:03:04] But let's start with, with a real easy one, Paul. This is your second event. You're all, obviously steeped in AWSness.

[00:03:08] Paul: [laughs].

[00:03:09] Mark: Um, because, you know, that's you're, you're head of security for Cloud Conformity, um, you work with AWS every single day-

[00:03:14] Paul: Yeah.

[00:03:15] Mark:, you work a lot with AWS behind the scenes as well, uh, helping spearhead new features and things like that around, uh, serverless and various, uh, security features. So what... You know, knowing you have to, to be careful what you say, what are you most hoping for from the show this week?

[00:03:32] Paul: I'm hoping that there'll be some big security announcements. Uh, there's definitely a lot coming down the line. Uh, I'm hoping I... I don't know that it'll be at this AWS but I'm hoping for, uh, some consolidation in the main security services that AWS offers.

So bringing some of those to, together and en, and enhancing them. There's a really good ecosystem there, whether it is Guard Duty, Security Hub, uh, a web application Firewall. And we're seeing all of these being improved on a almost daily basis.

[00:04:04] Mark: Mm-hmm [affirmative].

[00:04:04] Paul: So the web application Firewall has just had some brilliant improvements. AWS are now doing, uh, a set of manage rules for that.

[00:04:12] Mark: Yeah.

[00:04:12] Paul: Uh, Guard Duty was recently improved, some new rules put in there, uh, following a, a major breach, uh, with a, a banking company in the US. So all the time, these services are, are being improved and reinvented as that focus for, for the year.

If you're gonna see the biggest, largest announcements, this is the place to see them, hear them, and being here it's incredibly exciting. There's always that, that keynote excitement. You know there's gonna be some, something big. And every year there's always stuff that surprises us.

[00:04:42] Mark: Yeah, yeah, yeah, yeah, I totally agree. And it's interesting now; since we had the initial Reinforce, which is the security only conference, um, in June or July, and the next one's coming up. And now there's sort of that twice a year cadence for security-

[00:04:55] Paul: Yeah.

[00:04:55] Mark: ...which is great. Um, and you mentioned the, the WAF rules, um, which has been a long time coming. So for the longest time when you had WAF, it was literally just a framework and you had to insert your own rules.

So I know for Trend we launched two rule sets, um, through the marketplace about a year and a half again, um, but from AWS themselves, up until last week you had to go to the AWS labs GitHub account-

[00:05:14] Paul: Yep.

[00:05:15] Mark: ...if you knew that account existed to get a bunch of rules-

[00:05:19] Paul: Yep.

[00:05:19] Mark: ...and now they've got this manage set, which, uh, from what I read and digging into the docs, there are gonna be-

[00:05:23] Paul: They're so much better.

[00:05:24] Mark: And they're gonna be updating regularly, right?

[00:05:26] Paul: Yeah, they've got, they've got-

[00:05:26] Mark: So you don't have to do anything.

[00:05:27] Paul: They've got a threat research team behind them now.

[00:05:29] Mark: Yes.

[00:05:29] Paul: That's the first time I've seen, seen that mentioned. So, you know, AWS Guard Duty, that takes in information from the third party threat service. But this is an actual AWS team, so clearly they're going to be focused on whenever there is any kind of security issue on the AWS platform, who's going to have the best information about that?

It's gonna be an AWS team. They've got access to information on the control playing DNS look-ups, VVC flow logs. All of this really rich information. And they're able to see across the whole of the AWS customer base.

[00:05:59] Mark: Yeah.

[00:06:00] Paul: Who is in the best protection... Oh, best position to be able to protect AWS customers? And it's gonna be at AWS. And there's a real richness in those rules. You can do a pick and mix, and that's, that's a re, really good step forward. Uh, I'm hoping to see if that's an announcement pre-Reinvent-

[00:06:17] Mark: Yeah [laughs].

[00:06:17] Paul: ...what are we gonna see here? So, so that gets me really excited when I, when I see stuff like that.

[00:06:21] Mark: Yeah I, I agree and that's a... So as Reinvent, this is the eighth already, which is insane. Um, as the Reinvent is involved, there's been more and more announcement beforehand and that now is my own biggest personal challenge is the two, three weeks leading up to Reinvent.

It's crazy enough with, you know, gettin' the, the team reading, talkin' to other AWS heroes, gettin' coor, everything coordinated to try to keep up with the announcements. So there was some really great serverless stuff too, which we'll dig into in a minute.

[00:06:47] Um, but yeah the WAF rules were fantastic and, you know, your point about them being in the best position, um, is really, really a, a solid one. Um, 'cause for me the easy example there is all of the work with, um, AWS Shield.

[00:07:00] Paul: Yeah.

[00:07:00] Mark: Right? The, the distributed denial

of service, uh, um, system that nobody ever knows that they're using.

[00:07:05] Paul: We never, we never see why they-

[00:07:06] Mark: I know.

[00:07:06] Paul: We never see why they're-

[00:07:07] Mark: And I always ask that. When I give talks to, to people I always go, "Oh, whose heard of Shield before?" And everyone's like, "Uh," and I'm like, "Who uses Shield?" And nobody raises their hand. I'm like, "It's a trick question. You all use Shield.

[00:07:16] Paul: Yeah.

[00:07:16] Mark: It's on automatically. But again-

[00:07:18] Paul: But you don't see the results of it. It's there, it's on by default.

[00:07:20] Mark: Yeah.

[00:07:21] Paul: And they may be helping you, they may not. So again, more rich-

[00:07:24] Mark: Mm-hmm [affirmative].

[00:07:25] Paul: ...information that can be put into this. I'd like to say, I think in a couple of years time, that all of these individual AWS services will be in one central capability.

[00:07:36] Mark: Yeah.

[00:07:36] Paul: And I think at the same time... And I really hope that AWS tackles this issue. It's very easy to turn something on in a single region, but then when you have to turn it on in multiple regions and-

[00:07:45] Mark: Mmm.

[00:07:45] Paul: ...they're always adding new regions.

[00:07:47] Mark: Yeah, yeah, yeah.

[00:07:48] Paul: And who has one account? Who has 10 accounts? How do you manage that multi-region multi-account thing when you've got 500 accounts?

[00:07:55] Mark: Yep.

[00:07:55] Paul: And we've seen some chipping away at this who have Firewall manager that allows you to manage the web application-

[00:08:01] Mark: Yeah, yeah.

[00:08:01] Paul: ...Firewall from one place. But you really need this across all of the security capabilities-

[00:08:05] Mark: Yeah.

[00:08:05] Paul: ...and bring it all into one place.

[00:08:07] Mark: Well, it's not just security capabilities, right? So they've tried that with Control Tower-

[00:08:11] Paul: Yep.

[00:08:11] Mark: ...with Orgs, with the Firewall manager, and there's, uh, two or three more that are trying to tackle the problem in different ways.

[00:08:19] Paul: Yeah.

[00:08:19] Mark: So I would love also... And I mean, unfortunately that's sort of the weakest point for AWS is they're really good with those teams, but when I have a team and you have a team and we need to work together, that's where things start to break down.

And I think that's the biggest challenge because, yeah, the same thing. I for personal demo reasons and, like, my own projects have more than a dozen AWS accounts.

[00:08:38] Paul: Yeah.

[00:08:39] Mark: Let alone if I was in an organization or an enterprise, like, yeah, you've got hundreds and hundreds. And to remember, like, oh, account 382-

[00:08:46] Paul: Uh.

[00:08:46] Mark: ...doesn't have that on today.

[00:08:48] Paul: How, how do you keep up with it? And it's great because AWS is so well set up for people building things, that's really great but then sometimes when you say I want to be able to deploy this feature-

[00:08:59] Mark: Mm-hmm [affirmative].

[00:08:59] Paul: ...across 2,000 lambdas, they go, "Well, you can add it on one lambda at a time." It's like, no-

[00:09:05] Mark: [laughs].

[00:09:05] Paul: ...I don't have... That's not the problem that I have and I can't hand roll it for everything.

[00:09:09] Mark: Yep.

[00:09:09] Paul: And they're like, "Well, you're an engineer. Get on with it."

[00:09:12] Mark: Yes.

[00:09:12] Paul: So it's kind of in, in some ways it brings a lot of features because AWS, if you're a builder it's fantastic. You, you can stitch so many different bits and pieces together and you can go and grab someone else's lambda code and run that-

[00:09:24] Mark: Mm-hmm [affirmative]. Yeah.

[00:09:24] Paul: ...and just link it up through SNS or, or whatever it happens to be. But then sometimes it's also the achilles heel in that you have to go and build everything. And so often there is, there is a promise of just being able to roll this out, just do a tick box and do this.

[00:09:40] Mark: Yep.

[00:09:40] Paul: But then inevitably, to really get the most benefit from it you've got to build some of it yourself.

[00:09:45] Mark: Yeah. And, and hopefully, you know... I, I see that quite often and I'm hoping at some point, they boil it all down to what they did for Cloud Trail to finally... You know, it was on by default, but just before they turned it on my default they had that one magical checkbox-

[00:10:00] Paul: For all regions.

[00:10:00] Mark: ...that you could turn it on for all regions.

[00:10:00] Paul: Yeah.

[00:10:01] Mark: We need that for all accounts.

[00:10:03] Paul: Yeah.

[00:10:03] Mark: So all accounts, a ideal world, this is me just spit-ballin', ideal world would be for me to log in to a master, you know, the master member pattern where there's one account that's a master, um, for consolidated billing and say anything under consolidated billing I want to look like this.

[00:10:18] Paul: Yes. Yeah, yeah.

[00:10:19] Mark: And that would be, like, oh. Could you imagine just one checkbox and now your WAF is configured everywhere? And Shield's configured. All this stuff would be... AWS, if you're listening-

[00:10:28] Paul: [laughs].

[00:10:29] Mark:, Steve get on it. I know you're prepping for your talk but, like, come on. Um, so, you know, you mentioned the, the on, influx of announcements, um, this week. You know, we had a bunch leading up to it, uh, in pre-event, uh, and now we've got, uh, more coming which is great.

Um, the, uh, biggest thing, um, or a couple things that people need to be aware of, especially if you're not here in Vegas; uh, tonight, uh, Vegas time, 7:30 is Monday Night, uh, Live with Peter Desantis. Uh, two years ago Steve Schmidt did eight minutes in that keynote of just wonderful, like, security nirvana-

[00:11:03] Paul: Yep.

[00:11:03] Mark: ...or how AWS did security, so you can live stream that at home right now. Um, well tonight when it's on. You can live stream that. Um, there's also a reinvent session security 201-L, which is a leadership session. Now, it's unfortunately it's labeled as a 200, um, but it's not actually a 200.

There's, uh, these across all the, um, tracks. They're leadership sessions. So the security one's actually Steve Schmidt coming out, and from what I've heard unofficially, those leadership sessions, there is a very good opportunity that they will be announcing new services or features there that don't make it to, uh, either Monday Night Live, Andy's Keynote Tuesday or Verner's Keynote on Thursday. So the big four keynotes, uh, including the global partner are live streamed.

[00:11:43] If you're tuning in online you can absolutely, um, uh, do that. You just go to reinvent. ... Uh, go to the main Reinvent site and sign up, um, and, uh, for the sec 201 you have to wait until YouTube, but, uh, I'm sure one of us will be live tweeting it, um, and a bunch of people will.

[00:11:58] Um, I see on the stream here, um, Ahmad's got a question. Absolutely Ahmad, just fire away and, uh, we'll tackle it. Um, I should double check, uh, to make sure that we don't have anything, uh, there. But yeah, just fire up the questions, uh, we will answer they in, uh, in the flow. Um, and we got, uh, a fellow Australian joined from Brisbane-

[00:12:15] Paul: Excellent.

[00:12:15] Mark: ...uh, which I'm sure I said wrong 'cause when-

[00:12:17] Paul: [laughs].

[00:12:17] Mark: ...I did visit Australia, I pronounced too many syllables-

[00:12:20] Paul: [laughs].

[00:12:20] Mark: ...and too many consonants.

[00:12:21] Paul: I'm English. I get them all wrong.

[00:12:22] Mark: Fair enough. So yeah, there's gonna be a ton of announcements this week. You know, the challenge is keeping up with them-

[00:12:27] Paul: Yeah.

[00:12:27] Mark: ...for sure, um, but, you know, besides obviously living in a security world, um, Cloud Conformity's serverless-

[00:12:33] Paul: Yes.

[00:12:33] Mark: Right? So that's very cutting edge itself because, I mean, Cloud Conformity was not built this week. Um, you've been living in it for a couple years now. Um, there was a couple really cool announcements around event routing for secure, uh, for serverless earlier.

[00:12:47] Paul: Yes.

[00:12:47] Mark: Um, is there anything on the serverless side you're hoping to see this, this week that would make your life easier, be it from the pure engineering and building or from the security perspective.

[00:12:54] Paul: Uh, it's more from the pure engineering, pure building side of things. So serverless has, has been, like, doing things like monitoring, um, can be a bit challenging-

[00:13:05] Mark: Mm-hmm [affirmative].

[00:13:06] Paul: ...but the full tool suite for serverless isn't there and there are bits and pieces that, that you have to build and manage yourself. But AWS is, um, creating new capabilities all the time so we've had some really good things in DynamoDB.

[00:13:20] Mark: Mm-hmm [affirmative].

[00:13:21] Paul: You're talking about the event routing stuff so that there is stuff come in all the time. And I envisage in a few years time that serverless will be even more center stage so-

[00:13:31] Mark: Yeah.

[00:13:31] Paul: the way that there was a virtualization revolution and all enterprises had to switch over to serverless. I'd see that as being the future and people will leap past containers-

[00:13:43] Mark: Mm-hmm [affirmative].

[00:13:43] Paul: ...and they will start, they will create engineering departments and any new capability that an enterprise is organized, is looking to launch, they will build that on serverless.

[00:13:52] Mark: Yeah.

[00:13:52] Paul: There will be a real move toward serverless first, and the rest of the serverless ecosystem needs to be fully beat, built out, and that's coming. So improvements in monitoring-

[00:14:03] Mark: Mm-hmm [affirmative].

[00:14:03] Paul: ...and that kind of thing and really understanding the whole of the serverless infrastructure and the, the serverless ecosystemf so, you know DynamoDB, obviously, uh, lambdas, fire gate, step functions-

[00:14:16] Mark: Yeah.

[00:14:16] Paul: ...all of those things working together, that bit more, um, more support in the CI/CD tool chain-

[00:14:22] Mark: Yeah.

[00:14:22] Paul: ...and still we see, um, a large number of serverless security companies.

[00:14:27] Mark: Mm-hmm [affirmative].

[00:14:28] Paul: So again, the initial promise, uh, around serverless which was there are no issues with security. It's all... There's nothing to see here. You know?

[00:14:37] Mark: Yeah.

[00:14:38] Paul: Move along. Uh, it was only last year there was maybe one or two companies that was specializing purely in serverless security. Now there's about 10, and pretty well everyone has, you know, all the large secure, cloud security companies, they've all gone onboard with serverless capability and added it to their product suite.

[00:14:55] Mark: Mm-hmm [affirmative].

[00:14:55] Paul: So I would see more of that coming again fro, from AWS as an in-built feature. And more enterprise capabilities that, from AWS that help you manage serverless scale. So there's a lot of organizations that'll be using serverless as a point solution here.

[00:15:14] Mark: Yeah.

[00:15:14] Paul: So for example, an insurance company that uses, uh, serverless to read forms and put that data into a database as opposed to building the whole of their application on serverless.

And it's when you go over to that that you see some of these scaling issues. And I don't mean scaling issues from the point of view of the stack scaling to the load. Does that fantastically, brilliantly.

[00:15:34] Mark: Yeah.

[00:15:34] Paul: That is just, that just-

[00:15:35] Mark: That's one of the huge advantages, right?

[00:15:36] Paul: Amazing. It's so cheap, it's so, um, sturdy, so r-robust, so easy to, to build a, a serverless architecture-

[00:15:44] Mark: Mmm.

[00:15:45] Paul: ...and scale that out and reuse and reuse and really go down that micro services architecture. But then the scaling of monitoring and working-

[00:15:54] Mark: Yeah.

[00:15:55] Paul: ...out what's happening in your environment and being able to manage thousands of lambdas at a time.

[00:16:00] Mark: Yep.

[00:16:00] Paul: And I'm sure there are organizations if they went fully serverless and the, the, that number of, uh, lambdas increasing more, they would have even more challenges than, than we face.

[00:16:09] Mark: Yeah.

[00:16:10] Paul: And we've found that we've had to engineer around some of those issues.

[00:16:14] Mark: And it's kind of a chicken and an egg, right? like, problem when you need more companies to get to that point-

[00:16:18] Paul: Yeah.

[00:16:18] Mark: ...where they start making the demands that they need better. Um, as you were saying that, what kept running through my head was, like, x-ray. AWS x-ray team-

[00:16:27] Paul: Ah.

[00:16:27] Mark: ...if you are listening, huge opportunity, right? That's the, the, the distributed tracing service. The promise of it is phenomenal. It is a long way from the, from where it should be, um, but that for me, I'm like, that's a great because just the main interface of the graph of showing where data's flowing between different functions to different services; that seems like a really good starting point if it supported the scale and a bunch of other things.

[00:16:51] Paul: And, and the promise is there. So if, if you look at your serverless stack and tag it from beginning to end as an application all the way through, you should be able to turn on x-ray at every single-

[00:17:02] Mark: Yep, yep.

[00:17:02] Paul: along the way-

[00:17:03] Mark: Yeah, yeah, yeah.

[00:17:03] Paul: ...and then filter it on the tags for that application and then that light up, and then you're able to see the whole of your application and its performance from beginning to end. And again, my, my request there would be that, uh, it's simple to do. We run, uh, serverless in three regions and in multiple accounts.

[00:17:22] Mark: Yep.

[00:17:22] Paul: And it's very easy to where... Typically when these things come out, you can do it in one place here but then we have that issue of we've got 2,000 lambdas. How do I roll it out multi-region, multi-account-

[00:17:33] Mark: Yeah, yeah.

[00:17:33] Paul: ...and we're still on a small scale so those organizations that are running serverless much larger or in the future need to be able to do that, need the tooling to be able to really scale the administration management-

[00:17:44] Mark: Mm-hmm [affirmative].

[00:17:45] Paul: ...around serverless.

[00:17:46] Mark: Yeah, 'cause I think for me, so I give a talk at Serverless Conf in New York again this year and I was breaking serverless down at a really security wise to four major areas. So service selection, um, you know, make sure that there, there, the services meet the needs you have for your information management.

So if you're doing healthcare, is it supported by HIPAA, or PCI for finance? That kind of stuff. Um, code quality, which is, you know, dependencies, um, so that's what our friends at-

[00:18:08] Paul: Yeah, yeah, yep.

[00:18:09] Mark: a really good job.

[00:18:10] Paul: Yep.

[00:18:10] Mark: Um, you know, so, you know, are you writing high quality code? Not creating new security vulnerabilities.

[00:18:13] Paul: Yep.

[00:18:14] Mark: Um, the data flow and monitoring between all of your pieces, um, and then service configuration, right? Because people keep making mistakes, and simple mistakes-

[00:18:23] Paul: Aw, yeah.

[00:18:23] Mark: ...and blowing themselves up and going, "Oh, this is a problem." Well yeah, you made a simple mistake. Um, but the other thing besides monitoring that popped in, and not specifically to security, um, but with, um, like, debugging when you're writing your lambdas. So if you've ever done a in cloud nine, which is AWS's in browser IDE, it's a wonderful experience.

You've got this instant back and forth with a... 'Cause there's in the background there's a container running lambda locally and then you just push to lambda and you read cloud watch natively. But nobody programs in cloud nine [laughs].

[00:18:53] Paul: [laughs].

[00:18:54] Mark: We all have, you know, uh, either, um, a visual, uh, studio or, um, the baby version of that or Sublime or Eclipse or something like that and that experience for the developer is still a little bit clunky-

[00:19:06] Paul: Yeah.

[00:19:06] Mark: ...even with a localized container, I find that, you know. But I think this week we're gonna see lots of... Last year or the year before, uh, there was that keynote. I think it was two years ago. There was, uh, like, a 20 minute section. Um, Abby Fuller from AWS came on and was talking containers, containers, containers, containers. I think this is the serverless year where we're gonna see that; we're gonna have a huge chunk of talk just be like, "Serverless, serverless, serverless, serverless."

[00:19:30] Paul: Oh whenever you see the screens-

[00:19:32] Mark: Yep.

[00:19:32] Paul: ...and they're doing the, which of the top key words-

[00:19:34] Mark: Yep.

[00:19:34] Paul:'s always lambda, it's always serverless-

[00:19:36] Mark: Yes, yes it is, it is.

[00:19:37] Paul: ...way more than anything else. And, you know, with so many people here, that reflects, you know, everyone's a builder-

[00:19:42] Mark: Mmm.

[00:19:43] Paul: ...everyone's a developer, everyone's an engineer. That reflects where people's passion is and where-

[00:19:47] Mark: Yep.

[00:19:47] Paul: ...where the future is, uh, and I think that's where, where we're going.

[00:19:50] Mark: Yeah.

[00:19:50] Paul: And there is still, there's still so much more in that ecosystem to help with, so privileged management, again, when, you know, you're meant to have an individual role for every single lambda, how does that scale over that-

[00:20:01] Mark: Yep.

[00:20:01] Paul: ...that larger-

[00:20:02] Mark: Yeah.

[00:20:03] Paul: ...fleet of lambdas. It's really hard-

[00:20:05] Mark: It's tricky.

[00:20:05] Paul: ... managing all of that. Um, there is a regular change to, uh, the code that you're running your lambdas on. So for example, Javascript-

[00:20:12] Mark: Mm-hmm [affirmative].

[00:20:12] Paul: ... it's changing about every year, every year and a half.

[00:20:16] Mark: Yeah.

[00:20:16] Paul: And you're always running up again, oh, we've gotta re-engineer, we've gotta-

[00:20:19] Mark: Yes.

[00:20:19] Paul: And so then you've gotta change out 2,000 lambdas-

[00:20:22] Mark: Yeah.

[00:20:22] Paul: ... and that, right there.

[00:20:23] Mark: Which, you know, is a really interesting blue green deployment scenario. And then on permissions as well, if you guys haven't seen it, um, the, uh, new role based access control, um, based on tags-

[00:20:34] Paul: Yep, that's awesome.

[00:20:35] Mark: ... uh, fantastic. Uh-

[00:20:36] Paul: [crosstalk 00:20:37] But there's still so much more, though, out there.

[00:20:37] Mark: There is, there is, but this week, uh, Security 316 by Bridgette Johnson is covering just that, um, and that should be really, really good. Uh, but yeah, it's, again, it's, it's [inaudible 00:20:46] and there's a lot more that you can do from that that's gonna be really, really cool.

[00:20:50] Um, one thing I wanted to call out was, yes, I removed the paper from our water bottle.

[00:20:53] Paul: [laughs].

[00:20:53] Mark: If you've been following me on Twitter, Chris, thank you. Uh, didn't make the same mistake this year. Um, but Ahmad followed up with this question, and he was saying, and I think this is relevant to your experience directly; was he was saying what steps can an information security team take to implement this capability?

So you're cutting... You know, you're running security for, for Cloud Conformity, um, without it, you know, you're serverless. You know, I think you started serverless, right? So you-

[00:21:15] Paul: Aw, yeah we were born in the cloud but it-

[00:21:17] Mark: You, so you had the advantage of [crosstalk 00:21:18] starting with Greenspace.

[00:21:18] Paul: Yeah.

[00:21:19] Mark: But based on your experience, and I mean, you've been in the industry a long time. This is not your first rodeo. What would you say is maybe your top one or two things that people would do from a security perspective when you're dealing with serverless and with new stuff in the cloud?

How do you, how do you keep a handle on it? Or how do you get, start to understand it?

[00:21:36] Paul: Automate. So I'd say automate and get visibility. So the visibility allows you to see what your exposure is-

[00:21:44] Mark: Mm-hmm [affirmative].

[00:21:44] Paul: ... and then you can say I've got these... These are the top 10 issues in my infrastructure. Get your head of security, head of [inaudible 00:21:52] ops-

[00:21:52] Mark: Yep.

[00:21:53] Paul: ... it down together and then choose out of those 10 what are the things that we can do today to make our infrastructure better? And cherry pick from those and take the top three and implement them. And then when you go to implement them, make sure that it's automated. Make sure you're doing everything in cloud formation templates.

[00:22:09] Mark: Yep, yes.

[00:22:10] Paul: And that way you only have to fix it once. There is nothing more soul destroying than you sort out something and then it re, and you go and tell the developers, "Please don't do this," explain the security reason why, coach them around it and then it reappears next week.

[00:22:23] Mark: Yep.

[00:22:23] Paul: It's really hard. You're a developer, an engineer, you're fixing one point on a ticket. It's there, you're just fixing one thing, you go through it really quickly. There's a whole bunch of stuff happens in the background, you don't necessarily know the infrastructure that's running behind there and you've just reintroduced a whole bunch of that before.

[00:22:39] Mark: Yep.

[00:22:40] Paul: Whereas if you're taking a cloud formation template that the team has worked on collectively, then it's that much easy. You're fixing it once-

[00:22:46] Mark: Yep.

[00:22:46] Paul: ... so if you do that, get the visibility, see what's wrong in the infrastructure, prioritize on what is going to make a real difference? There are some things that really don't matter that much-

[00:22:57] Mark: Hmm.

[00:22:57] Paul: ... and other things that are really, really important. Make sure you're, that you hit those, but be fixing them once and then you come through, you come back through the next time and then you take the next three things. And if you get working in that cadence, you're only fixing things once, you're cherry picking the best things, you're nailing them every week, you are going to improve.

[00:23:13] Mark: Yep.

[00:23:14] Paul: And you've gotta be improving because there is so much more. We're gonna see a, 100 more features come out today.

[00:23:19] Mark: At least.

[00:23:20] Paul: We're all gonna try and implement them in, in our environment-

[00:23:23] Mark: Mm-hmm [affirmative].

[00:23:23] Paul: ... and if you're not automating that and choosing the best things for you then you're going to be way behind.

[00:23:30] Mark: Yep. And as you're taking those cloud formation templates, it's a very easy thing to check into version control and keep-

[00:23:35] Paul: Absolutely.

[00:23:35] Mark: ... track of, right?

[00:23:36] Paul: Aw.

[00:23:36] Mark: And, you know, as you're describing that I was just flashbacked to early, early days in my career, um, and I'm sure you've had a similar experience where, you know, it's the Saturday night change window and you've got, uh, you know, your checklist, your printed out checklist of steps you're gonna take on a firewall or on the IPS and you log into IPS-1, typie, typie, typie, typie, typie, typie.

You think you got it all right, you're good. 'Kay, log out, log into number two, go, go, go. Why would you ever want to do that again? I didn't wanna do it when I was [inaudible 00:24:06]-

[00:24:06] Paul: Yeah.

[00:24:06] Mark: ... why would you ever [inaudible 00:24:07]? So that, that advice of automate, that advice of, you know, you fix it once, um, is absolutely key because we can finally do it better, we just need to take advantage of, of the tools, right? Um, so let me ask you something completely off the wall, um, um, you know, like most of this event, so.

[00:24:22] Paul: Mm-hmm [affirmative].

[00:24:22] Mark: You're getting to know me well enough-

[00:24:23] Paul: [crosstalk 00:24:24] Yeah, you do this every time [laughs].

[00:24:25] Mark: Yeah, I know. I'm not gonna ask you... You're not gonna come out anymore, you're just gonna be like, "No, I'm not doing it." Um, no, so we're here at Reinvent and there's a ton of ridiculous things going on.

[00:24:32] Paul: Mm-hmm [affirmative].

[00:24:33] Mark: Um, do you, do you have a bunch of sessions booked?

[00:24:35] Paul: [crosstalk 00:24:37] Well no, no I don't. I'm... Because I can always catch up with it afterwards-

[00:24:42] Mark: Yep.

[00:24:42] Paul: ... I can dial into it live.

[00:24:44] Mark: Yes.

[00:24:44] Paul: Here it's meeting people.

[00:24:46] Mark: Yeah.

[00:24:46] Paul: Uh, I don't know what's going to happen during the week. Everyone is so busy so if I get a slot I'll typically get there is a chance to meet this person-

[00:24:55] Mark: Mm-hmm [affirmative].

[00:24:55] Paul: ... now-

[00:24:55] Mark: Yep.

[00:24:56] Paul: ... just go there and do it. That's the best thing. It's the people here, it's the teams it's the A, AWS engineers, it's meeting customers who are... We're based in Australia. This is one of the few times I get to meet our customers-

[00:25:07] Mark: Fair. Good point. Yeah, yeah.

[00:25:08] Paul: ... customers around the world so it's fantastic to be able to do that. I find that the time that I spend on the stand meeting up with customers, wh-whether they are new people coming to the stand and going, "So what's Cloud Conformity about?

[00:25:19] Mark: Mm-hmm [affirmative].

[00:25:19] Paul: How could we help you?" That kinda thing, then all of that is really, really good.

[00:25:23] Mark: Good.

[00:25:23] Paul: It's the people.

[00:25:23] Mark: Yeah.

[00:25:24] Paul: And there's a lot of them here.

[00:25:25] Mark: Yes, oh yes. And I mean, that lines up with the advice that I try to give people. So I was, um, at the kickoff dinner for, um, the we, we power tech grant. So, um, AWS turned [inaudible 00:25:35] have sponsored 102 people from around the world, um, from under represented, uh, areas of technology, uh, or, uh, under represented, uh, areas of the community to come and, uh, experience Reinvent for the first time.

And that was, uh, my advice to them was saying, "Okay, you can't take it all in. Try to take in two or three sessions a day if you can and then focus on talking to people.

[00:25:55] Paul: Yeah.

[00:25:56] Mark: Um, because if, you know, if you have a question about the cloud, this is probably the best place on earth you can have to get, you know, have it answered. Um, and you're never gonna take everything all in, right? So your point about they're all up on the YouTube channel afterwards for all-

[00:26:07] Paul: Yeah.

[00:26:08] Mark: ... the actual sessions, bunch of them are streamed live. Um, so I actually, this is, this is the first time in four Reinvents that I took in a talk this morning. I went to [inaudible 00:26:17] 12, um, which was about eight of US's vulnerability disclosure process.

[00:26:22] Paul: Oh, wow.

[00:26:23] Mark: So I went 'cause a friend of mine, Cory Quin, somehow connived his way onto the stage.

[00:26:27] Paul: Yeah.

[00:26:27] Mark: Um, with, uh, Zack from the eight of US security team and they were talking about 'cause Cory had reported a vulnerability in sage maker's permissions-

[00:26:34] Paul: Yeah.

[00:26:35] Mark: ... um, and they talk about how that process worked but on the eight of US side, how they had to build a vulnerability, uh, reporting-

[00:26:42] Paul: Yeah.

[00:26:42] Mark: ... feature from the outside and how to handle that. And the security team going, "Well, we don't own the, the actual issue, but we have to manage the issue and push it through." And it was really interesting and good, but that's a great one to check out. Uh, well I tweeted a bunch of, uh, quotes from that, um, but also check it out online after 'cause it's a glimpse at something you don't normally see-

[00:26:59] Paul: Yeah.

[00:26:59] Mark: ... if you're not in security, um, because it's, you know, who sets up a, a vulnerability disclosure process internally.

[00:27:05] Paul: We, we, we're just doing, we're just doing one now publicly on our, on our website-

[00:27:09] Mark: Yeah.

[00:27:09] Paul: ... to, to do exactly that thing because inevitably there's everyone out in the world and they're looking at your website, they might find an issue and-

[00:27:16] Mark: Yep.

[00:27:17] Paul: ... and if they try and report it to, I don't know, security at Cloud Conformity or whatever it is-

[00:27:21] Mark: Mm-hmm [affirmative].

[00:27:21] Paul: ... having a formal process in the background there that really deals with that can make things much, much easier and work slickly.

[00:27:27] Mark: Yeah.

[00:27:27] Paul: But how do you go about doing that? I'd love to see how AWS-

[00:27:29] Mark: [crosstalk 00:27:30] And, and this is interesting because it was the AWS side and Cory was saying, "This is what I felt coming from the outside and reporting it." So he was... You know, I like when they made a commitment and followed up on it and so there was, you know, that email address, uh, coming back in 24 hours from a human-

[00:27:44] Paul: Yeah.

[00:27:45] Mark: ... not an automated response saying, "Paul, I got your email. We've started the process. Here's what's gonna happen next." Um, and you know, there's a bunch of resources, uh, in the Trend family, so now that you're part of the bigger Trend family, um, ZEI or ZEI-

[00:27:57] Paul: Yeah.

[00:27:59] Mark: ZEI, Canadian. Um, the zero data issue.

[00:28:01] Paul: Yeah. [crosstalk 00:28:01] Progress.

[00:28:02] Mark: Those, uh-

[00:28:02] Paul: Yep.

[00:28:03] Mark: ... disclosures for a bunch. There's a ton of things 'cause every company's different. Um, and, uh, I have to chuckle here because one of our team, Ingrid, um, she runs social media, uh, with, with Joy. Ingrid is defending us from, uh, people who are trying to set up free beer and free food, which I'm not sure if she's really defending us if she's between us and free beer and free food. I appreciate the initiative and the spirit 'cause she's trying to keep the stream-

[00:28:26] Paul: [laughs].

[00:28:27] Mark: ... going, but, I mean, maybe that's a good pole we should run next time to say if someone's preventing free beer and food from being set up-

[00:28:33] Paul: [laughs].

[00:28:33] Mark: ... next to you, is that truly helping or is that just stopping you from getting a free beer? But I'm sure it'll circle around. But that's, that's why we're chuckling 'cause it was just, you had to picture it.

[00:28:43] Paul: [laughs].

[00:28:43] Mark: It was amazing.

[00:28:44] Paul: The table nearly went [laughs].

[00:28:45] Mark: It, the table did almost go, but thankfully it didn't. So, um, yeah, but yeah, so ch-check out Sector 12 on that. Um, but yeah, that's, uh, the, the thing about Reinvent is, you know, is back to your point of meeting people, talking to people, um, there's a bunch of lounges set up around the campus with different themes.

Um, they're not, like, locking you into you must talk about manufacturing at this. Um, but again, they're trying to... Everything that, uh, Jill and Annie and the team at AWS set up for Reinvent is to try to encourage that interaction, even for relatively introverted people; board game night-

[00:29:14] Paul: Yeah.

[00:29:14] Mark: ... movie night. Um, they've kind of gotten away from the pub crawl because nobody really moved because you can't move.

[00:29:20] Paul: [laughs].

[00:29:21] Mark: And gone to a little more casual perceptions to try to encourage that.

[00:29:24] Paul: Yeah.

[00:29:24] Mark: Um, which I agree. It's the opportunity to catch up with people. Like, this is the first time we've been able to meet you in person, um, which is great, it's... You know, we had a great conversation on the, on the last episode and then afterwards, um, and now it's nice to, to meet you in person. Um, and yeah, that's a real big advantage and, you know, despite there being 65,000 people, you can find those people around.

[00:29:43] Um, so I think we're gonna, we're gonna start to wrap this up. We've been going, uh, you know, and Ingrid's gonna lose it if she has to defend another team, uh-

[00:29:50] Paul: [laughs].

[00:29:50] Mark: ... of free beer and food away from us. Um, but for those of you that have been following us online, we are here live all week. If you are, um, in the, in, uh, Reinvent, um, Trend Micro setup in the Venetian at 2820. Um, we’ll be kickin’ around. Cloud Conformity, do you know the booth number?

[00:30:06] Paul: Uh, I’ve got it.

[00:30:07] Mark: Let’s put him on the spot. It’s all good. If you come to 2820-

[00:30:09] Paul: [crosstalk 00:30:10] It’s really close to here.

[00:30:11] Mark: It’s a stone’s throw.

[00:30:12] Paul: Yeah.

[00:30:12] Mark: It’s really, really close. It’s in the main map. Um, if you are on site, download the mobile app. It is frustrating and annoying ‘cause it keeps kicking you out, but it is worth staying in there because, uh, all of the session guides, the evaluations, the maps to everything are there. Um, the opening reception starts in an hour here in the Venetian and in the [inaudible 00:30:30].

[00:30:30] Um, if Ingrid allows them to, there will be free food and beer, uh, which is always nice, uh, and drinks and non-alcoholic drinks which is good ‘cause the challenge of being on site is remembering to eat. That sounds really weird if you’re not here, but it is, the lines are long, it’s easy to get caught up of like, oh my first session’s at 8:00, and then my last session, you know, there’s dinner time sessions now that don’t serve dinner. So you’ve gotta try to, you know… At the end of the day you’re like, “Oh, I had a whole bunch of appetizers-

[00:30:55] Paul: Yeah, yeah.

[00:30:55] Mark: … but never an actual dinner or lunch or anything.” So, um, I have a bunch of tips for that on my Ultimate Guide to Reinvent, um, in my backpack. I follow my own advice. I’ve got a bunch of granola bars and all that kinda stuff. Uh, but Paul, thank you for joining us. Uh, welcome to the live.

[00:31:08] Paul: Thank you very much.

[00:31:08] Mark: This is fantastic. Um, swing by. If not, hit us up on social @trendmicro, uh, or on LinkedIn. I’m happy to answer any questions about security in general, cloud in general or what’s going on at the show. One of our goals this week here is to help, uh, you know, kind of bring you guys along with us. Uh, Trend’s been a long time sponsor, uh, all eight Reinvents I believe that we’ve sponsored. I know I’ve been here for all eight, this is your second.

[00:31:31] Paul: Yep.

[00:31:31] Mark: Um, we’ve figured out a lot of stuff about it but we’re still being surprised, uh, so let us help you kinda enjoy this experience. Um, thanks for joining us and, uh, we’ll see you on the next show. Thanks again, Paul.

[00:31:41] Paul: Thank you.

Read next