Surviving Your Worst Days in the Cloud
Season One · Episode 7

In this episode, host Raghu Nandakumara chats with Shawn Kirk, former Worldwide Leader for Security Go to Market at Amazon Web Services. The two of them discuss the shared responsibility model, making incremental Zero Trust improvements in the cloud, and cloud economics and ROI. 


Transcript

00:03 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation company. Today, I'm joined by Shawn Kirk, Worldwide Leader for Security Go to Market at Amazon Web Services. At AWS, Shawn is responsible for leading the global security and compliance specialist team. Prior to his current role, Shawn spent 20 years in the security industry across networking and startup companies, in various business development and sales positions. Today, Shawn is joining us to discuss the shared responsibility model, making incremental Zero Trust improvements in the cloud, and understanding cloud economics and ROI. Hey Shawn, thank you so much for joining us on The Segment, it's a pleasure to have you.

00:52 Shawn Kirk: Absolutely, Raghu, I appreciate you having me on.

00:54 Raghu Nandakumara: I know that you've been in the security industry for about 20 years now. Give us your journey to where you are today at AWS.

01:02 Shawn Kirk: If we go back to the early 2000s, I was just getting out of the Air Force where I was a survival instructor of all things. So teaching people which bugs to eat and which bugs not to eat, and that sort of thing. And I realized I wasn't going to probably be doing 20 years and retire in the military, and that I had to think about a career, and there wasn't much of a demand at least at that time for folks with skills in survival.

01:23 Shawn Kirk: So I had to start thinking about alternatives and for whatever reason, I also found myself as a resident expert in MS-DOS in our fighter squadron that I reported to. And so I put two and two together and thought, "Well, if I get out, maybe I'll do something in tech." I ended up separating, getting out, and I moved into tech procurement. I was a purchasing manager for a while and then that really whet my appetite for tech. So I moved into a net admin job, I moved into a sysadmin job. Eventually, I got picked up by Cisco as a solutions architect or some folks call it a systems engineer. So I did that for quite a while. While doing that, again, very early security days relatively speaking, security was still pretty nascent, got pulled into some really interesting customer projects working on, if you can remember, Cisco PIXes and LocalDirectors.

02:09 Raghu Nandakumara: Yep, yep.

02:10 Shawn Kirk: So I was working on those and then ta-da, overnight I found myself as a security subject matter expert as again, sometimes that happens. So from there, I shifted from systems engineering into sales and go to market, for which I got endless amounts of crap from my SE peers, constantly asking me why I would do something like that. And it's funny, invariably my response would be – You remember there was a bank robber back in the 1950s. It was a guy named Willie Sutton. And when they finally caught Willie Sutton and they sat him down and they said, "Hey, why is it that you rob banks?" And Willie replies, "Because that's where they keep the money." Right? So that's usually my answer for why I shifted from being an SE into sales.

02:51 Shawn Kirk: And anyway, to wrap it up, long story short, four years ago I got the call from the AWS recruiter saying, "Hey, we're doing some new stuff here. Do you want to come lead our go-to-market activities in security?" And so the rest is history.

03:03 Raghu Nandakumara: Love the story. And I'm just going back to something at the beginning. You became the resident MS-DOS expert. That must be quite a niche title to hold, particularly in the early 2000s. I have to wonder what you are still doing, poking around MS-DOS in the early 2000s?

03:16 Shawn Kirk: Yeah. Had a lot to do with Edlin, my Edlin skills, if you remember that.

03:22 Raghu Nandakumara: Yeah. And it's funny, the story also about how you said your SE counterparts when you moved over onto more the go to market side, like, "What you doing?" And I associate with that because when I moved from being a customer to being on the vendor side, the feedback I got from my colleagues, "Are you going over to the dark side?" And I said, it's the same reason. I just want to go back to what you said about being that MS-DOS resident expert. And so from there, just where beyond now today and your role at the world's largest hyperscaler driving GTM for security. What has been your observation about how that change in what we consume from a technology perspective, how we consume it, the trends that have shaped that and where we are today?

04:08 Shawn Kirk: We've just seen so much evolution, particularly in the security space in terms of how we think about security mental models, and we'll get into some of that, I think, hopefully a little bit later around security that have just been absolutely turned completely upside down. And then of course the advent of hyperscaling and private cloud and public cloud has just been completely transformational in terms of allowing companies to be transformative in driving their business and how they think about their go-to-market strategies. But it's also at the same time, created great opportunities for the ne'er-do-wells who would want to take advantage of the tech sprawl and technologies like work from home and just the ever expanding edge and the footprint of the network.

04:52 Raghu Nandakumara: I was just watching your intro video about your role, something that you mentioned is you're helping secure your customers' cloud migrations, and what you find is that customers are often very familiar with how they secure on-prem but have lots of questions of how they secure in cloud. So can you explain how you articulate the key similarities and key differences and ensure that they're focused on the right things when they're securing cloud?

05:19 Shawn Kirk: I would say that again, the best thing about my job or the best part of my job is the fact that we do get to help customers avoid what we call “having a bad day in the cloud”. In really everything, every program, every initiative, everything that we do, whether it's training and education, or certification, or helping customers understand best practices, introducing the technologies, either ours or partner technologies, really revolves around this idea of just helping customers not have a bad day.

05:48 Shawn Kirk: But to answer your question more specifically, one of the areas that we spend a lot of time with customers on almost invariably is this notion of a shared responsibility model. And while conceptually, a lot of our customers get it and understand the idea that it's a partnership between the cloud service provider and the entity that's running on that platform, there's a lot of nuance to that model. And oftentimes, a lot of that nuance is lost with the customer. They don't know exactly where that line is, where you've got this notion of security of the cloud, which is again, the responsibility of the hyperscaler or the cloud security provider, which is to provide physical security, network security, platform security, but then it becomes the responsibility of the customer or the person running on the cloud to provide data security and application security.

06:35 Shawn Kirk: But as you begin to break those down even a little bit further, that's where it starts to get a little bit murky for our customers where we got to come in and explain where those lines are. And then if you overlay that with managed services, it becomes yet even more murky. And so we spend a lot of time, like I said, helping our customers with understanding the nuance of that concept and familiarizing them again, with all the best practices, controls and those sorts of things that are available to them to make their environments a little bit more resilient.

07:04 Raghu Nandakumara: I'm glad you brought up the shared responsibility model because in one of my previous roles as a cloud security engineering lead, I remember presenting that shared security responsibility model a number of times, and I was actually just looking at an ESG report of the state of security in 2022. And to reflect what you just said, four out of five organizations that they surveyed reported that they still found confusion in the shared security model. And then you alluded to some of those nuances, about how they weren't clear particularly on those boundaries about where those responsibilities lay. Now, if I again think back, I know AWS, for example, have been talking about the shared responsibility model in your best practices for the best part of almost a decade now. So why is there still a lack of clarity and a lack of understanding in customers?

07:55 Shawn Kirk: Full understanding requires that the customer fully shifts their mental model around on-prem controls versus cloud-based controls. And we frequently get into these discussions with customers that immediately go deep into the controls. And so what they want to try to understand or to better rationalize is, this is the environment that I'm coming from and I need to understand the environment that I'm going to. And they immediately want to gravitate towards analogs of their current on-prem security controls and want to understand immediately, "Okay, well what is the analog for the cloud and is it like for like, and can I just simply lift and shift my firewall or my proxy or my endpoint or whatever it might be from a control standpoint?" And frankly, AWS, like other hyperscalers, offers their own native security services, and that's a big part of my team's job, is to help customers understand what those are and how to use them. And again, rationalize on-prem controls with now cloud native controls. And so again, it gets nuanced and it can get complex, but the customer just needs to make that shift and understand and rationalize the differences between those controls.

09:14 Raghu Nandakumara: Cloud security is such a vast and continuously evolving subject in its own right. Going back to what you said is essentially your mission is to ensure your customers don't have a bad day. From your perspective, what role does Zero Trust have to play in cloud security? Is that something that you regularly discuss with your prospects and your customers?

09:36 Shawn Kirk: Yes.

09:37 Raghu Nandakumara: Thank God.

09:38 Shawn Kirk: Yeah, unambiguously, yes. It's in every conversation we have and customers are really trying to understand what to do about it. And it's a different thing in different contexts, which is why I think there's still a lot of ongoing confusion because of the diversity of use cases that it can be applied to. And vendors would like you to believe it's just this turnkey off the shelf thing you can just buy and then you can just buy Zero Trust and you're good. And that's not really the case, at least not yet. You've got to think deeply about the use cases. Is it a machine to machine? Is it a humint application? Is it a transformative control IoT connected vehicle thing, which is completely off your network? It starts to get really esoteric, but those are the kinds of discussions we're having every day. And then how do you think about it from an on-prem, private cloud, public cloud standpoint and how do you bring that all together?

10:33 Raghu Nandakumara: Like what you said about really focusing on use cases and saying, "Okay, this is the best way to deliver security for this use case." And then tying that back into an approach like Zero Trust, and I guess it's a bit of a chicken and egg question. With your customers, how does the question of Zero Trust come up? Is it a customer saying, "Oh, well hey, we want to adopt AWS and by the way, the security must fall into a Zero Trust approach," or is it more the case of you lead with the use case and then you ultimately show them how to build security around it that follows a least privileged model that then obviously lines up to Zero Trust?

11:11 Shawn Kirk: I think it's pretty safe to say that when we're having conversations like that with customers, which again is every day, we are very reluctant to put the actual technology or the feature or the control at the beginning of the conversation. Because particularly with something as nuanced as Zero Trust, you really have to have a much more in-depth understanding of the problem that they're trying to solve. That's really the key thing. What is the problem that they're trying to solve and what are the very specific use cases? And so once you understand, and that's the Amazon way of viewing things just generally is to work back from the customer and the customer problem and what they're trying to solve, these types of conversations are no different.

11:56 Shawn Kirk: And then once we get through that and we understand the problems that they're trying to solve, then we're still not ready for a technology conversation. What we should be then thinking about is, particularly in this environment with the macroeconomic conditions and customers looking very closely at their spend, what existing technologies, whether on-prem networking technologies or cloud service provider technologies like VPCs and that sort of thing, are in place that can then be leveraged with the simple augmentation of more granular identity control capabilities. And that's where we start. And we don't want the customer to think about solving for 100% of the problem right out of the gate because it's just too big. Let's shoot for 80% and then let's make constant but steady incremental improvements as we go. That's how we think about it.

12:49 Raghu Nandakumara: I think that's a really great approach and it's such a practical approach, and I feel that the more we hear that, and a lot of my other guests have echoed the same thing, the more we hope that customers actually approach their adoption in that same way, rather than be massively transformative from the get-go: make those small steps. When I first started looking at AWS specifically, I looked at the identity access management approach that you had wrapped around all your services. And essentially every service was almost built least privilege from the get-go. And I thought... it's instilling real security best practice from the moment you adopt. So given that, and given all the best practice etc. that you've published that's available, why is it that we still see examples of open world-readable S3 buckets or world-writable S3 buckets? Because it just feels like customers are not leveraging the tools that they have at their disposal to do better.

13:53 Shawn Kirk: I think philosophically, AWS is headed down the right path, meaning this notion of least privileged, this notion of security by default is a path that we're going to continue to go down because whatever the reason that customers sometimes don't adhere to the best practices or what have you, CSPs should be doing absolutely as much as they possibly can to make these capabilities more intrinsic, to make them secure by default, which doesn't obviate the need for a shared responsibility model, that's not what I'm saying. But we should be doing everything we possibly can to reduce the tax that our customers have to pay on security and building these capabilities into the fabric of the architecture. That's how we think about it intrinsically.

14:37 Shawn Kirk: Will customers sometimes still make mistakes? Sure. But we should be able to help them with those mistakes by quickly identifying the impact and then help them quickly remediate and get back to the business that they want to do. As an industry, I believe we put too much undifferentiated heavy lifting on the shoulders of the customer to go off and try to run their IT and secure their environment. And again, we as an industry ought to be doing more to take that undifferentiated heavy lifting off their shoulders and just build a lot of these capabilities in by default.

15:07 Raghu Nandakumara: Absolutely. That, I think, is a really interesting thing about making it easier for customers to adopt these capabilities rather than trying to necessarily be it about differentiating. So, how much of that responsibility do you think it's about on the cloud service providers to provide those capabilities natively so that customers can do as much as possible through... I'm going to say that single platform that they're interfacing with vs. how much of this is on third-party vendors to develop value add services? Where do you see the balance between that?

15:45 Shawn Kirk: Yeah, I don't think it's one or the other, but because of the nature of this industry and just security more broadly, it changes daily. It's just a constantly and very rapidly evolving community. So for one either cloud service provider or one security vendor to assert that they've got all of the answers that the questions could have, it's a moment in time thing. Wait 10 minutes and the problem will be different or have evolved. So yes, what I'm saying is that while the CSP should own a big part of helping the customer secure their environment with native tools and capabilities, I think again as an industry, because it's a moving target, we should all be working more together in a collective. The cloud service provider is not going to be able to solve all the problems that address all the controls that a customer might need, and that's the case for us as well as others. We need partners that are able to come in, either to solve for a problem that we just are not solving for, or maybe to come in and solve a problem better than we're solving for it.

16:47 Shawn Kirk: And we are just as likely to recommend that a customer look at a third-party solution as we are to look at a native AWS solution, because the right answer is to solve the problem. Right? The right answer is not to solve the problem necessarily just with a tool that Amazon provides. It could well be with a tool that somebody else provides, but we have to solve the problem for the customer. While at the same time again, we are working to build more intrinsic capabilities internally and into the fabric of the platform.

17:18 Raghu Nandakumara: Yeah, absolutely. And I think that brings us nicely on another question: Really from a security perspective, how do you factor in the ROI benefits of cloud security? Is that a key part of the conversations that you have?

17:34 Shawn Kirk: Yeah, they are. And I think they're becoming increasingly more top of mind. Again, back to the macroeconomic conditions that we see today. We're increasingly seeing customers ask us to help them rationalize their costs. And it's not just security costs, it's all of their costs, at least on our platform, and I'm sure other platforms are seeing the same thing. Help us understand where we can optimize our spend. Do we have duplicate spend? Do we have redundant spend? And we're having the same conversations when it comes to security. Customers are saying, "Either I'm spending all of this money on third-party technologies and I want to reduce that. AWS, can you help me?"

18:17 Shawn Kirk: And again, that knife cuts both ways, meaning we also know that customers are looking to third parties and saying, "Hey listen, I'm spending, I think I'm spending a lot on my cloud service provider. Can you help me optimize those spends as well?" And that's great. We want at the end of the day, whatever's best for the customer, both in terms of effectiveness and risk reduction, spend as well. Like I said, it goes both ways. And again, we are increasingly seeing those customers asking about cost optimization and the derivative security cost optimization questions as well.

18:50 Raghu Nandakumara: Yeah. Absolutely, ultimately what is best for the customer and it's adopting security in a way that is also that they're able to show the returns on it just in the same way they're able to show the returns on migrating to cloud. Going back to that and going back to your day job, when you have those conversations with customers and you're helping them migrate to cloud, what are the top three security challenges that they bring up vs. the ones that you communicate to them or the ones that you observe across your customers?

19:25 Shawn Kirk: I think first and foremost is the idea now of the shared responsibility model. That's right out of the gate, whether they're using our MAP program to help with their assistance or whatever it is, the question of just security and how do we think about security now in this hybrid environment – on-prem, and then cloud and then maybe even hybrid and multi-cloud. They want to understand how they should be thinking about it and where the responsibility lies. That's the conversation we have right out of the gate. Second again, this notion of control portability: I've made all these investments in my on-prem security environment and the controls. How many of these can I bring with me? Can I bring all of them? Can I bring some of them? So we have to sit down and rationalize how they do that and how many of the controls they can bring and just there are cloud versions of, and that's a big one.

20:15 Shawn Kirk: And then finally, just what's available to me to visualize and understand, "Now I've got all my assets or a lot of my assets in the cloud, my controls have been rationalized. Now what do you have available to me that I can monitor in an ongoing way, and provide either to my SOC team or maybe they outsource to a third-party MSSP, to let them know if something's gone from green to red." Those are usually the three things that we hit right out of the gate.

20:42 Raghu Nandakumara: And then in terms of the threats that the customers are concerned about from that point about when they're starting their migration to when they are at a level of maturity, what are the threats they're concerned about and does the nature of those threats change as their cloud migration matures?

20:59 Shawn Kirk: 私たちが行っている会話は全範囲に及びます。一般的には、移行プロセスのできるだけ早い段階で、お客様にリスクとリスク軽減について考えてもらうように努めます。さらに、率直に言って、それをDevSecOpsの会話に戻して、SDLCと安全なコーディング手法について考えてもらうことができれば、そのようなことを考えさせることができれば、それだけでもお客様に考えてもらうことができます。その後、私たちはNISTという非常によく似たフレームワーク概念に従います。クラウド移行のさまざまな段階でNISTを頻繁に使用し、NISTが適切な識別とID管理を実施していることを確認し、アクセス制御を検討します。脅威の検出、脅威からの保護、脅威への対応、脅威からの回復など、お客様が使い慣れたすべての標準フレームワークに対応できるか。

21:55 Shawn Kirk: Again, we try to help customers understand what the cloud analogs of these things are. And again, to do the best you possibly can, if you're in a hybrid environment, consolidate those controls. Many of our customers are what we call cloud native, born in the cloud, so they have no problem just using cloud services. But again, a lot of customers, in fact most customers, are still hybrid, and at a minimum they need to rationalize on-prem with AWS, but in many cases on-prem with multiple cloud providers. Yeah.

22:26 Raghu Nandakumara: Yeah, absolutely. So, actually, moving on to a more forward-looking question. When you look into the cloud crystal ball, what do you think are the evolving threats that could affect cloud consumers, and what do you think are the key security capabilities that will be developed to mitigate those threats?

22:46 Shawn Kirk: That's an interesting question, and it's what gets me excited about doing what I do every day. Again, our thinking about threats and the threat landscape is still just getting started. This is not a static industry; it's a never-ending game of cat and mouse, spy versus spy. And I don't think my answer will surprise anyone, especially since ChatGPT is everywhere these days. But the idea that these AIs are being built on these large language models is getting increasingly sophisticated. There's anecdotal evidence published of bad actors using these large-language-model-driven AIs to build everything from malware to more effective social engineering scripts. And out of necessity, I think the good guys are also going to start adopting this kind of technology to take countermeasures. So what's developing is this AI-versus-AI world.

23:52 Shawn Kirk: I don't know where this goes, but one statistic I read, I think, was that over 80% of companies will adopt AI-driven security controls in the next two years. I think that says a lot about how the industry is thinking about AI. So being in this industry, being on this side of the team, and helping protect customers is, for a variety of reasons, a really interesting future and a really exciting time.

24:27 Raghu Nandakumara: Absolutely. And with more advanced machine learning, and more general-purpose AI, being developed, I think it's very important to be an expert and to be able to communicate its real value to customers. Because with the whole AI/ML thing, I think people just hear the words and don't truly understand what the differentiator is or how they should be leveraging it. So being able to articulate that, and in particular being able to protect the environment, I think that's a fascinating place to be.

24:58 Raghu Nandakumara: I have one last question. When we talk about security, we equate it with cyber resilience, and with being able to keep functioning in the face of adversity. So I want to go back to your time in the military doing survival training. What are the best bugs to eat to ensure survival and resilience? And for the vegans and vegetarians, what vegan or vegetarian options are there?

25:24 Shawn Kirk: Yeah, that's a great question. The bug conversation is probably a lot longer than we have time for, but when I was doing that, there was land survival, water survival, arctic survival, and jungle survival. But if by chance you're stranded in a dinghy in the middle of the ocean and you're fishing for food, what I can tell you is: don't eat the fish with beaks. Don't eat fish with beaks. Fish with beaks eat all sorts of things like poisonous coral, and they'll make you terribly sick. That's one tip I can give you for your survival skills.

26:06 Raghu Nandakumara: That's great. Shawn, thank you so much. I was really glad to have you on the show today. Great conversation. Listeners, if you want to learn more about how AWS and Illumio are reducing risk and delivering resilience as organizations move to the cloud, go to Illumio.com and check out the AWS solutions there. Shawn, thank you so much for joining us today. I really appreciate it.

26:31 Shawn Kirk: Absolutely. Thanks for having me, Raghu.

26:33 Raghu Nandakumara: Thank you for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at Illumio.com. You can also find Illumio on the AWS Marketplace. And if you want to learn more about the Illumio and AWS partnership, stop by our booth at AWS re:Inforce later this year. I'm your host, Raghu Nandakumara, and we'll be back soon.