Surviving Bad Days in the Cloud
In this episode, host Raghu Nandakumara chats with Shawn Kirk, Worldwide Leader for Security Go to Market at Amazon Web Services. The two of them discuss the shared responsibility model, making incremental Zero Trust improvements in the cloud, and cloud economics and ROI.
00:03 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation company. Today, I'm joined by Shawn Kirk, Worldwide Leader for Security Go to Market at Amazon Web Services. At AWS, Shawn is responsible for leading the global security and compliance specialist team. Prior to his current role, Shawn spent 20 years in the security industry across networking and startup companies, in various business development and sales positions. Today, Shawn is joining us to discuss the shared responsibility model, making incremental Zero Trust improvements in the cloud, and understanding cloud economics and ROI. Hey Shawn, thank you so much for joining us on The Segment. It's a pleasure to have you.
00:52 Shawn Kirk: Absolutely, Raghu, I appreciate you having me on.
00:54 Raghu Nandakumara: I know that you've been in the security industry for about 20 years now. Give us your journey to where you are today at AWS.
01:02 Shawn Kirk: If we go back to the early 2000s, I was just getting out of the Air Force where I was a survival instructor of all things. So teaching people which bugs to eat and which bugs not to eat, and that sort of thing. And I realized I wasn't going to probably be doing 20 years and retire in the military, and that I had to think about a career, and there wasn't much of a demand at least at that time for folks with skills in survival.
01:23 Shawn Kirk: So I had to start thinking about alternatives and for whatever reason, I also found myself as a resident expert in MS-DOS in our fighter squadron that I reported to. And so I put two and two together and thought, "Well, if I get out, maybe I'll do something in tech." I ended up separating, getting out, and I moved into tech procurement. I was a purchasing manager for a while and then that really whet my appetite for tech. So I moved into a net admin job, I moved into a sysadmin job. Eventually, I got picked up by Cisco as a solutions architect or some folks call it a systems engineer. So I did that for quite a while. While doing that, again, very early security days relatively speaking, security was still pretty nascent, got pulled into some really interesting customer projects working on, if you can remember, Cisco PIXs and LocalDirectors.
02:09 Raghu Nandakumara: Yep, yep.
02:10 Shawn Kirk: So I was working on those and then ta-da, overnight I found myself as a security subject matter expert as again, sometimes that happens. So from there, I shifted from systems engineering into sales and go to market, for which I got endless amounts of crap from my SE peers, constantly asking me why I would do something like that. And it's funny, invariably my response would be: You remember there was a bank robber back in the 1950s. It was a guy named Willie Sutton. And when they finally caught Willie Sutton and they sat him down and they said, "Hey, why is it that you rob banks?" And Willie replies, "Because that's where they keep the money." Right? So that's usually my answer for why I shifted from being an SE into sales.
02:51 Shawn Kirk: And anyway, to wrap it up, long story short, four years ago I got the call from the AWS recruiter saying, "Hey, we're doing some new stuff here. Do you want to come lead our go-to-market activities in security?" And so the rest is history.
03:03 Raghu Nandakumara: Love the story. And I'm just going back to something at the beginning. You became the resident MS-DOS expert. That must be quite a niche title to hold, particularly in the early 2000s. I have to wonder what you are still doing, poking around MS-DOS in the early 2000s?
03:16 Shawn Kirk: Yeah. Had a lot to do with Edlin, my Edlin skills, if you remember that.
03:22 Raghu Nandakumara: Yeah. And it's funny, the story also about how you said your SE counterparts, when you moved over onto more the go to market side, were like, "What are you doing?" And I associate with that because when I moved from being a customer to being on the vendor side, the feedback I got from my colleagues was, "Are you going over to the dark side?" And I said, it's the same reason. I just want to go back to what you said about being that MS-DOS resident expert. And so from there, just where beyond now today and your role at the world's largest hyperscaler driving GTM for security. What has been your observation about how that change in what we consume from a technology perspective, how we consume it, the trends that have shaped that and where we are today?
04:08 Shawn Kirk: We've just seen so much evolution, particularly in the security space in terms of how we think about security mental models, and we'll get into some of that, I think, hopefully a little bit later around security that have just been absolutely turned completely upside down. And then of course the advent of hyperscaling and private cloud and public cloud has just been completely transformational in terms of allowing companies to be transformative in driving their business and how they think about their go-to-market strategies. But it's also at the same time, created great opportunities for the ne'er-do-wells who would want to take advantage of the tech sprawl and technologies like work from home and just the ever expanding edge and the footprint of the network.
04:52 Raghu Nandakumara: I was just watching your intro video about your role, something that you mentioned is you're helping secure your customers' cloud migrations, and what you find is that customers are often very familiar with how they secure on-prem but have lots of questions of how they secure in cloud. So can you explain how you articulate the key similarities and key differences and ensure that they're focused on the right things when they're securing cloud?
05:19 Shawn Kirk: I would say that again, the best thing about my job or the best part of my job is the fact that we do get to help customers avoid what we call "having a bad day in the cloud". In really everything, every program, every initiative, everything that we do, whether it's training and education, or certification, or helping customers understand best practices, introducing the technologies, either ours or partner technologies, really revolves around this idea of just helping customers not have a bad day.
05:48 Shawn Kirk: But to answer your question more specifically, one of the areas that we spend a lot of time with customers on almost invariably is this notion of a shared responsibility model. And while conceptually, a lot of our customers get it and understand the idea that it's a partnership between the cloud service provider and the entity that's running on that platform, there's a lot of nuance to that model. And oftentimes, a lot of that nuance is lost with the customer. They don't know exactly where that line is, where you've got this notion of security of the cloud, which is again, the responsibility of the hyperscaler or the cloud security provider, which is to provide physical security, network security, platform security, but then it becomes the responsibility of the customer or the person running on the cloud to provide data security and application security.
06:35 Shawn Kirk: But as you begin to break those down even a little bit further, that's where it starts to get a little bit murky for our customers where we got to come in and explain where those lines are. And then if you overlay that with managed services, it becomes yet even more murky. And so we spend a lot of time, like I said, helping our customers with understanding the nuance of that concept and familiarizing them again, with all the best practices, controls and those sorts of things that are available to them to make their environments a little bit more resilient.
07:04 Raghu Nandakumara: I'm glad you brought up the shared responsibility model because in one of my previous roles as a cloud security engineering lead, I remember presenting that shared security responsibility model a number of times, and I was actually just looking at an ESG report of the state of security in 2022. And to reflect what you just said, four out of five organizations that they surveyed reported that they still found confusion in the shared security model. And then you alluded to some of those nuances, about how they weren't clear particularly on those boundaries about where those responsibilities lay. Now, if I again think back, I know AWS, for example, have been talking about the shared responsibility model in your best practices for the best part of almost a decade now. So why is there still a lack of clarity and a lack of understanding in customers?
07:55 Shawn Kirk: Full understanding requires that the customer fully shifts their mental model around on-prem controls versus cloud-based controls. And we frequently get into these discussions with customers that immediately go deep into the controls. And so what they want to try to understand or to better rationalize is this is the environment that I'm coming from and I need to understand the environment that I'm going to. And they immediately want to gravitate towards analogs of their current on-prem security controls and want to understand immediately, "Okay, well what is the analog for the cloud and is it like for like, and can I just simply lift and shift my firewall or my proxy or my endpoint or whatever it might be from a control standpoint?" And frankly, AWS, like other hyperscalers, offers its own native security services and that's a big part of my team's job, is to help customers understand what those are and how to use them. And again, rationalize on-prem controls with now cloud native controls. And so again, it gets nuanced and it can get complex, but the customer just needs to make that shift and understand and rationalize the differences between those controls.
09:14 Raghu Nandakumara: Cloud security is such a vast and continuously evolving subject in its own right. Going back to what you said is essentially your mission is to ensure your customers don't have a bad day. From your perspective, what role does Zero Trust have to play in cloud security? Is that something that you regularly discuss with your prospects and your customers?
09:36 Shawn Kirk: Yes.
09:37 Raghu Nandakumara: Thank God.
09:38 Shawn Kirk: Yeah, unambiguously, yes. It's in every conversation we have and customers are really trying to understand what to do about it. And it's a different thing in different contexts, which is why I think there's still a lot of ongoing confusion because of the diversity of use cases that it can be applied to. And vendors would like you to believe it's just this turnkey off the shelf thing you can just buy and then you can just buy Zero Trust and you're good. And that's not really the case, at least not yet. You've got to think deeply about the use cases. Is it a machine to machine? Is it a humint application? Is it a transformative control IoT connected vehicle thing, which is completely off your network? It starts to get really esoteric, but those are the kinds of discussions we're having every day. And then how do you think about it from an on-prem, private cloud, public cloud standpoint and how do you bring that all together?
10:33 Raghu Nandakumara: I like what you said about really focusing on use cases and saying, "Okay, this is the best way to deliver security for this use case." And then tying that back into an approach like Zero Trust, and I guess it's a bit of a chicken and egg question. With your customers, how does the question of Zero Trust come up? Is it a customer saying, "Oh, well hey, we want to adopt AWS and by the way, the security must fall into a Zero Trust approach," or is it more the case of you lead with the use case and then you ultimately show them how to build security around it that follows a least-privilege model that then obviously lines up to Zero Trust?
11:11 Shawn Kirk: I think it's pretty safe to say that when we're having conversations like that with customers, which again is every day, we are very reluctant to put the actual technology or the feature or the control at the beginning of the conversation. Because particularly with something as nuanced as Zero Trust, you really have to have a much more in-depth understanding of the problem that they're trying to solve. That's really the key thing. What is the problem that they're trying to solve and what are the very specific use cases? And so once you understand, and that's the Amazon way of viewing things just generally is to work back from the customer and the customer problem and what they're trying to solve, these types of conversations are no different.
11:56 Shawn Kirk: And then once we get through that and we understand the problems that they're trying to solve, then we're still not ready for a technology conversation. What we should be then thinking about is particularly in this environment with the macroeconomic conditions and reserve looking very closely at their spend. And so what existing technologies, whether on-prem networking technologies or cloud service provider technologies like VPCs and that sort of thing, are in place that can be then leveraged with the simple augmentation of more granular identity control capabilities. And that's where we start. And we don't want the customer to think about solving for 100% of the problem right out of the gate because it's just too big. Let's shoot for 80% and then let's make constant but steady incremental improvements as we go. That's how we think about it.
12:49 Raghu Nandakumara: I think that's a really great approach and it's such a practical approach, and I feel that the more we hear that, and a lot of my other guests have echoed the same thing, the more we hope that customers actually approach their adoption in that same way, rather [than] be massively transformative from the get-go, make those small steps. When I first started looking at AWS specifically, and I looked at the identity access management approach that you had wrapped around all your services. And essentially every service was almost built least privilege from the get-go. And I thought... it's instilling real security best practice from the moment you adopt. So given that and given all the best practice and etc. that you've published that's available, why is it that we still see examples of open world-readable S3 buckets or world-writable S3 buckets, because it just feels like customers are not leveraging the tools that they have at their disposal to do better.
13:53 Shawn Kirk: I think philosophically, AWS is headed down the right path, meaning this notion of least privilege, this notion of security by default is a path that we're going to continue to go down because whatever the reason that customers sometimes don't adhere to the best practices or what have you, CSPs should be doing absolutely as much as they possibly can to make these capabilities more intrinsic, to make them secure by default, which doesn't obviate the need for a shared responsibility model, that's not what I'm saying. But we should be doing everything we possibly can to reduce the tax that our customers have to pay on security and building these capabilities into the fabric of the architecture. That's how we think about it intrinsically.
14:37 Shawn Kirk: Will customers sometimes still make mistakes? Sure. But we should be able to help them with those mistakes by quickly identifying the impact and then help them quickly remediate and get back to the business that they want to do. As an industry, I believe we put too much undifferentiated heavy lifting on the shoulders of the customer to go off and try to run their IT and secure their environment. And again, we as an industry ought to be doing more to take that undifferentiated heavy lifting off their shoulders and just build a lot of these capabilities in by default.
15:07 Raghu Nandakumara: Absolutely. That, I think, is a really interesting thing about making it easier for customers to adopt these capabilities rather than trying to necessarily be it about differentiating. So, how much of that responsibility do you think it's about on the cloud service providers to provide those capabilities natively so that customers can do as much as possible through... I'm going to say that single platform that they're interfacing with vs. how much of this is on third-party vendors to develop value add services? Where do you see the balance between that?
15:45 Shawn Kirk: Yeah, I don't think it's one or the other, but because of the nature of this industry and just security more broadly, it changes daily. It's just a constantly and very rapidly evolving community. So for either one cloud service provider or one security vendor to assert that they've got all of the answers that the questions could have, it's a moment in time thing. Wait 10 minutes and the problem will be different or have evolved. So yes, what I'm saying is that while the CSP should own a big part of helping the customer secure their environment with native tools and capabilities, I think again as an industry, because it's a moving target, we should all be working more together in a collective. The cloud service provider is not going to be able to solve all the problems that address all the controls that a customer might need, and that's the case for us as well as others. We need partners that are able to come in and either solve for a problem that we just are not solving for, or maybe it's to come in and solve a problem better than we're solving for it.
16:47 Shawn Kirk: And we are just as likely to recommend that a customer look at a third-party solution as they are to look at a native AWS solution, because the right answer is to solve the problem. Right? The right answer is not to solve the problem necessarily just with a tool that Amazon provides. It could well be with a tool that somebody else provides, but we have to solve the problem for the customer. While at the same time again, we are working to build more intrinsic capabilities internally and into the fabric of the platform.
17:18 Raghu Nandakumara: Yeah, absolutely. And I think that brings us nicely on another question: Really from a security perspective, how do you factor in the ROI benefits of cloud security? Is that a key part of the conversations that you have?
17:34 Shawn Kirk: Yeah, they are. And I think they're becoming increasingly more top of mind. Again, back to the macroeconomic conditions that we see today. We're increasingly seeing customers ask us to help them rationalize their costs. And it's not just security costs, it's all of their costs, at least on our platform, and I'm sure other platforms are seeing the same thing. Help us understand where we can optimize our spend. Do we have duplicate spend? Do we have redundant spend? And we're having the same conversations when it comes to security. Customers are saying, "Either I'm spending all of this money on third-party technologies and I want to reduce that. AWS, can you help me?"
18:17 Shawn Kirk: And again, that knife cuts both ways, meaning we also know that customers are looking to third parties and saying, "Hey listen, I'm spending, I think I'm spending a lot on my cloud service provider. Can you help me optimize those spends as well?" And that's great. We want at the end of the day, whatever's best for the customer, both in terms of effectiveness and risk reduction, spend as well. Like I said, it goes both ways. And again, we are increasingly seeing those customers asking about cost optimization and the derivative security cost optimization questions as well.
18:50 Raghu Nandakumara: Yeah. Absolutely, ultimately what is best for the customer and it's adopting security in a way that is also that they're able to show the returns on it just in the same way they're able to show the returns on migrating to cloud. Going back to that and going back to your day job, when you have those conversations with customers and you're helping them migrate to cloud, what are the top three security challenges that they bring up vs. the ones that you communicate to them or the ones that you observe across your customers?
19:25 Shawn Kirk: I think first and foremost is the idea now of the shared responsibility model. That's right out of the gate, whether they're using our MAP program to help with their assistance or whatever it is, the question of just security and how do we think about security now in this hybrid environment - on-prem, and then cloud and then maybe even hybrid and multi-cloud. They want to understand how they should be thinking about it and where the responsibility lies. That's the conversation we have right out of the gate. Second again, this notion of control portability and I've made all these investments in my on-prem security environment and the controls. How many of these can I bring with me? Can I bring all of them? Can I bring some of them? So we have to sit down and rationalize how they do that and how many of the controls they can bring and just there are cloud versions of, and that's a big one.
20:15 Shawn Kirk: And then finally, just what's available to me to visualize and understand, "Now I've got all my assets or a lot of my assets in the cloud, my controls have been rationalized. Now what do you have available to me that I can monitor in an ongoing way, and provide to either to my SOC team or maybe they outsource to third-party MSSP to let them know if something's gone from green to red." Those are usually the three things that we hit right out of the gate.
20:42 Raghu Nandakumara: And then in terms of the threats that the customers are concerned about from that point about when they're starting their migration to when they are at a level of maturity, what are the threats they're concerned about and does the nature of those threats change as their cloud migration matures?
20:59 Shawn Kirk: The conversations we have span the entire gamut. Just generally, we're going to try to get the customer to think about risk and risk mitigation as early in the migration process as we can. And even further, frankly, if we can get it back into a DevSecOps conversation and to get them thinking about SDLC and secure coding practices, those sorts of things, even that much the better that we can get them thinking about that. And then after that, we follow very similar framework concepts, NIST. We'll use NIST oftentimes at varying stages of the cloud migration journey, make sure they've got proper identification and identity controls in place and looking at access control. Do they have the ability to detect threats, protect against threats, respond to threats, recover from threats, all of the standard frameworks the customers are familiar with.
21:55 Shawn Kirk: Again, we work to help them understand what the cloud analog of those things are. And again, to try to as best we can, unify those controls if they're in a hybrid environment. Many of our customers are what we call cloud native and they're just born in the cloud, and so they're okay just using the traditional cloud services. But again, many customers, most customers in fact are still hybrid and they have to rationalize at a minimum, on-prem and AWS, but oftentimes on-prem and multiple cloud providers. Yep.
22:26 Raghu Nandakumara: Yeah, absolutely. So actually, that brings me on to a more forward looking question. When you look at your cloud crystal ball, what do you see as potentially the evolving threats that are going to affect consumers of cloud and what do you think are the key security capabilities that are going to develop to help mitigate against those?
22:46 Shawn Kirk: That's an interesting question and that's what makes me excited to get up and to do what I do every day is that again, the idea of threats and the threat landscape is so nascent. This is not a static industry, it's this constant cat and mouse game, this spy vs. spy thing. And I guess my answer is probably not going to surprise anybody, particularly with the prevalence of ChatGPT these days just being everywhere. But the idea of these AIs being built on these large language models, they're just becoming increasingly more and more sophisticated. Publicly, we see anecdotal evidence of the bad guys using these large language model driven AIs to build everything from malware to social engineering scripts that are more effective. And then I think as a necessity, you're going to begin to see the good guys begin to also adopt these sorts of technologies to mitigate against. So it's this AI vs. AI world that's developing.
23:52 Shawn Kirk: And I don't know where this goes, and I think that one of the stats I read is that more than 80% of enterprises will be adopting AI driven security controls over the next two years, which I think says a lot about how the industry is thinking about AI. So I think it's going to be a really interesting future and a really exciting time for a variety of reasons, to be in this industry, and on this side of the team and helping protect our customers.
24:27 Raghu Nandakumara: Absolutely, and I think just with the development of more sophisticated machine learning and then more general purpose AI that's being developed, being experts and being able to communicate the real value of those to the customers is so important because I think with the whole AI/ML thing, people just chuck that term in and don't truly understand what the differentiators are and how they should be leveraged. So being able to express that, and particularly to secure their environments, I think is a fascinating place to be.
24:58 Raghu Nandakumara: I have one last question. When we talk about security, we equate that with cyber resilience and being able to continue to function in the space of adversity. So I want to go back to your time in the armed forces as someone who's around survival training. What are the best bugs to eat to ensure survival and resilience? And what are the vegan and vegetarian options available, for the vegans and vegetarians?
25:24 Shawn Kirk: Yeah, that's an awesome question. The bug conversation is quite a bit longer than we probably have time for, but when I was doing that, we had land survival, water survival, arctic survival, jungle survival. But if you do happen to find yourself stranded somewhere in a dinghy out in the middle of the ocean and you're fishing for sustenance, what I can tell you is do not eat the fish with beaks. Do not eat the fish with beaks. The fish with the beaks are eating some of the poisonous corals, different things, and will make you violently ill. That's one tip I can give you relative to your survival abilities.
26:06 Raghu Nandakumara: That's fantastic. Shawn, thank you so much. It's been a real pleasure having you on today's show. It's a wonderful conversation. And for listeners, if you want to learn more about how AWS and Illumio are enabling organizations to reduce risk and achieve resilience as they migrate to cloud, go and visit Illumio.com and have a look at the AWS solutions on there. So Shawn, thank you again for your time today. Really appreciate it.
26:31 Shawn Kirk: You bet. Thanks for having me, Raghu.
26:33 Raghu Nandakumara: Thanks for tuning into this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at Illumio.com. You can also find Illumio on AWS Marketplace. And to learn more about Illumio and our partnership with AWS, be sure to stop by our booth at AWS re:Inforce later this year. I'm your host, Raghu Nandakumara, and we'll be back soon.