a16z Podcast - a16z Podcast: The Cloud and The Public Sector
Episode Date: May 17, 2016It almost seems like gospel -- or at least a given -- today for startups to embrace the cloud. Services like AWS have powered an entire generation of startups that can now spin up new applications, ne...w businesses, and new experiments with very little investment in new infrastructure. But what about governments -- both in the U.S. and around the world -- trying to adopt the cloud? How do they approach this widely known (yet still nebulous) concept of THE CLOUD? Especially given sometimes competing considerations around security and compliance with the desire to innovate? Teresa Carlson, Vice President of Worldwide Public Sector for Amazon Web Services, shares tales from the field in this episode of the a16z Podcast -- continuing our on-the-road series from Washington, D.C. Adopting a cloud-based approach is one of the ways to democratize entrepreneurship, but how do countries and governments, not just companies and entrepreneurs, think about this, especially given the tendency towards "balkanization" of the cloud? All this and more in this episode...
Transcript
Discussion (0)
Hi everyone. Welcome to the A16Z podcast. I'm Sonal and I'm honored today to have as our guest, Teresa Carlson, who's a vice president of the worldwide public sector for AWS or Amazon Web Services. And what that means is she basically covers everything related to government, education, and the not-for-profit sector. So let's just say that's pretty much everything. Welcome, Teresa. Thank you. It's great to be here today. Thank you. And by the way, this is another one of our podcast live from D.C., actually not live. We're just in D.C.
So, Trees, let's just get started by talking about what you do.
So I think a lot of companies are embracing the cloud.
But for something that we take as gospel, like, oh, this is amazing.
It enables all these startups and companies in, you know, AWS, the private.
How is it different in the public sector?
Like, do you see a lot of people wanting, I mean, what are some of the misconceptions that you have to work with when people are trying to think about adopting the cloud?
Because the public sector is so different than the private sector.
It is a little bit different.
You know, it's interesting because I tell everyone, we started this business with,
AWS about five and a half years ago now. And when we first came in to public sector, and we did
originally start out here in U.S. federal government because we felt like we're a U.S.-based
company. And if we can't get the U.S. government on board, it would be hard to go around the
world and get other governments on board. And, you know, what we found was in the very beginning,
we could not even get through two sentences without people saying you're not secure. Like,
it was the early days. It was all about security. I mean, even private companies.
he still have that concern. They're standing at private clouds.
Absolutely. How did you kind of overcome that?
We said, we've said the whole time that we were going to meet and or exceed security and
compliance requirements of our customers. And that's not only been for public sector.
It's been for every market, financial health. And as a result of that, we did get very aggressive.
And we got, we rolled our sleeves up and we got in the game with not only helping government
define what actual cloud computing was, but we also worked with GSA and the FedRAM,
the General Services Administration, who was in charge of at the time and OMB, the Office of Management
Budget, on, number one, what is cloud, but also what is the right security and compliance model.
And in fact, they had a really, they had sort of an outdated security and compliance model called
FISMA, which was a paper-based model, which was a law and mandate for how they looked at
security compliance. And then they moved to this model for cloud called FedRamp. And FedRamp is really
a model that takes in controls. They look at security compliance controls. And it's a model
that also is set up to be more continuously monitored. So it's less of the paper-based, which is
really good because you think about a paper-based security model.
Yeah, what is that exactly?
Well, you look at your controls, you print them out, and you show them to someone.
Well, the minute you print it out, it's outdated.
You want to look at security and compliance in a continuous manner, right?
You want that's automation, the mechanisms are doing that.
And that's what cloud is.
That's what cloud's all about.
So that's what's so interesting about, you know, your anecdote here is that you took the very
native property of the cloud and were able to adapt it to their needs, as opposed to just
translating their paper needs into digital, which is, I think, a mistake a lot of people make.
And they go on this path.
You said something really interesting, though, and I just realized we've never actually done this on the podcast.
If you take a step back, how did you, with them, define the cloud?
Because people all have the same definition of that.
Well, you know, cloud itself was not an unknown principle here, obviously.
And you do have a lot of innovators in government.
And as an example, NIST, which is the National Institute for Standards and Technology, has always been a group that has been
looking at what's going on in the market, right? And so because Vivette Kundra, who was the
CIO of the U.S. government at the time, he came in and started saying, why are we spending all this
money on wasted projects and buying all this IT and we can't account for actually the success
of what we've spent? And he said, look, there's these new technologies out there called cloud.
And Amazon Web Services is one of them. So because of him, it actually paved the way for us to get
super aggressive. And we went in and we worked with NIST. They were very open to it on sharing with
them how AWS works and the principles. We had these basic principles. What were some of those
basic principles? Well, some of them is some of those principles and still today is the utility
based. You only pay for what you use. You have zero upfront cost to get going. You can scale
up and down so you can turn these things on and off and you can go global in seconds. So some
of these kind of basic principles of cloud, we brought in, we talked them about, and then
they set up, and they defined what, at the time, they defined what they called a public and
then a private. So that's really how we got going. And then as a result of that definition
and the security and compliance regime that was set up, FedRamp, we were the first large cloud
provider to pass that. And again, we rolled our sleeves up, and we were in there with
it. We were in the game with them every day passing that. And there were a lot of
goodness in that, there was a lot of goodness in that because there were so many lessons learned
on both sides, right? Because if they had a control that had generally been an old data center
kind of model, we would sit and have the dialogue about why cloud was a different, more progressive
model. So those dialogues in the early days were very important setting the stage. I can totally imagine
that. I mean, what were some of the other major misconceptions in those early days, not just on
your clients or the federal government side, but on your side as well?
your team side, like what were some of the big, other big lessons learned?
Once we got in the door, we felt maybe the customers would scale faster than they actually
did. Now, fast forward five and a half years, I'm very pleased with where our customers have
gone. But I think we probably didn't realize how much sort of work we would have to do
hand and glove with them to get them there. We did believe, which is probably a good thing.
It sounds like a lot of handholding, like your book to explain to each other things. And it's
because of a lot of culture things, too.
Like when you have been in a world of the more traditional, older-based kind of technologies,
and somebody brings to this idea of cloud, I would see some of our customers come in to do the
training, and we would actually spend that we would go to our site, and we would go to the
portal where you actually procure our tools, and I would see people's eyes pop.
It was like, what, you can build a data center in seconds.
Of course, startups do it every day.
We do it so for granted that it's shocking that it's like eye-opening.
Actually, that brings me to an interesting question.
Are you seeing government, you know, their government clients do startup like things now because of this?
We are.
We are.
And it's really cool.
So a couple examples I'll say is like 18F, which is a new group that started out of GSA.
18F is based on the street.
It's on 18F.
There's sort of this little internal SWAT team of techies that are going in and they're helping government with their projects, number one, projects that weren't doing as well or new projects they're trying to get off the ground.
And they're trying to use innovative technologies.
And AWS, of course, is core to what they go to because they're like, okay, let's get your infrastructure up.
Let's get going.
Let's move fast.
And then also the Digital Services Office.
I think they're a really great example.
Those kind of things are happening.
And I see that around the world.
Liam Maxwell, who's the CTO of the UK government, sort of started the same kind of trend in the UK where he said,
we are spending way too much money on tech and not getting the benefits.
They've created their own digital service, and they're starting to put also policies and mandates in place.
It says, wait a minute, don't go out and buy like a bunch of servers when you can go to cloud.
Show me why you can't use cloud.
New procurements have to go through this group to say, why not cloud?
So now the model is flipped. Instead of saying, like, why you need to make a case for why I need the cloud, it's sort of like, wait a minute, why can't you use cloud, which is a big difference. I'm glad you brought up the international example, actually, because when you were mentioning, you know, the early days, when the form of Vivek, Kundra, it sounds like you had a champion who was helping, you know, say like, why are you guys doing this? And that's critical to these kinds of engagements. How do you navigate that around the world? Do you have those same kind of champions internationally? And what are some of the differences, but some of the
similarities and differences you've seen play out? Well, you know, you find the world is actually
a really small place. Really? So it's actually very similar. It is. I mean, of course there are
unique differences. And you have to understand the culture wherever you go around the world.
But additionally, what I'm finding is on a global basis, companies now, because of the ability
to use it as long as you have a computer and you have an internet connection or a mobile device,
you can get going. So that is really exciting alone, by the way, just to hear
people say, we love that you've provided us access to this on-demand technology to help us get a
company going.
I mean, it democratizes entrepreneurship.
Completely, completely.
And oh, by the way, can I also just say hashtag smart is beautiful, which is helping women
around the world create companies?
Really?
I didn't know about this.
Oh, my gosh.
We started trying to get more women, entrepreneurs and young girls excited about tech.
The idea that a woman from anywhere can start it from home and can do part-time or full-time.
So we like this idea of sort of the on-demand entrepreneur as well, which cloud really really
I love that.
I love what we're doing on a global basis, and I would have never dreamed how much progress
we would have made.
But there's a couple of areas I'll point out.
One is in South Korea with the city of Busan.
They came to us and wanted us to help them with an innovation center to bring startups
and new companies into South Korea to get this area really flowing because they have media
and entertainment and shipping.
We're working with them on this innovation.
Center. By Innovation Center, you mean like a physical space? It's a physical space where we will
staff and they will staff. It'll be very cool like an AWS pop up where we'll bring people in.
You know, we'll be able to talk about, you know, new technology trends, support these startups and
the way they get going, new entrepreneurs, do training and education, special guest speaking.
Maybe you can come over and be one of our guest podcast gurus.
I'm talking about them to funding that trip.
The other group that's really exciting is in Bahrain with the Economic Development Group
and C5 Capital, which is a great partner of ours that's in Europe and the Middle East.
And we have an innovation center there that's been creative in partnership with the three of us.
And that facility is getting ready to open soon.
And that's for across all of the GCC.
So now we're creating these partners from a public-private perspective on a worldwide basis.
One of the things we talk about a lot on this podcast is this notion of innovation clusters and what makes a cluster succeed or not.
And some of the things we've seen over and over and over again is that top-down efforts alone do not work.
Like if a government says, I want to be an innovation hub, you know, and they suddenly say like, you know, we're going to build this wonderful smart city or whatever they're trying to build.
On the flip side, bottom-up communities alone do not work either because you need certain policy and regulatory things in place.
We talk about this recipe mix of, you know, you need government to get out of the way sometimes or just set up.
conditions that are supportive. You need the bottom-up entrepreneurial community. And now we can actually
add to the mix, sort of this notion of education around the cloud. That's right. Because it sort of
creates new businesses. It's completely true. You had asked me a question earlier that did I see
differences around the world? And the one thing I didn't say, which I should have, the Middle East,
I think, is a really good example of what we had to do there was a little bit different. We actually
had to create a model for mentoring in terms of business mentoring because they have some businesses
that are really startupy there,
but we met with a lot of them
and said, okay, what do you need?
What's your goals?
And what we found is they were truly missing
that business mentoring.
So we've not only set up
sort of the startup ecosystem model of tech
and bringing them into a space
that they can learn and crowdsource,
but now we've brought mentors
to mentor these companies
on their business plan, ideas, thoughts.
You know, how do they break through
a lot of barriers that startups
in Silicon Valley do every day?
In other countries, though,
like the Middle East. Besides like, you know, entrepreneurs in those countries, do those governments
really trust the idea of being on the U.S. cloud? Is there such a, I mean, at the end of the day,
like does cloud have geography? And I think we have to talk about this because a common trend, as you
know, especially in Europe, is this so-called boccanization of a cloud where people are, you know,
so I would love your views on that. Well, we've always said that in the fullness of time, well,
we're going to have our clouds everywhere. We just launched a region in South Korea this year.
We announced India and more on the horizon.
So, you know, we'll continue to move fast and build clouds around the world.
And what you find is that commercial companies really don't care.
We find, believe it or not, companies in the Middle East are using our regions here in northern Virginia or a region in Ireland.
So they really, you know, they sort of go with, they'll look at pricing or, but governments still do worry.
They are very concerned.
I mean, it's political for them.
political, they have data sovereignty issues. So, yes, it does matter to government. So we're trying
to go to places where that does really matter. Also, we feel that in the fullness of time,
also as these countries really do understand how they set up their security models, that they
will sort of crowdsourcing groups, if that makes sense.
No way do you mean about that? Well, we believe that certain groups of countries will probably
come together and say, yeah, we'll use this cloud. So if you think about the Nordics as an example,
the Benelects, or you think about the GCC countries.
So, you know, over time, I think they're, they have close relationships.
And today, while it's not widely known, there are countries that already put their data
in other countries as a safety net.
So there are reasons that happens today, right, because of, you know, they have bilateral
agreements and things ship up.
So some of these will take big policy changes, but that's okay.
we're in this for the long term, and we are also working with our policymakers around the world
to educate them, because this is very new, not to startups, but it is very new to, you know, large
government around the world. How do they take advantage of technology for this economic
development and jobs creation opportunity that they can have at their fingertips?
So, you know, you started off saying how the world is small and clearly some of the issues
are actually pretty universal and similar. What are some of the differences besides data sovereignty
and some of the policy-related.
Are there any other cultural differences
or other observations you've had
from your reps on the ground
and your own experiences abroad?
Obviously, everywhere we go,
we do try to really understand
what is the most important things to the customer.
And we talk about beginning
sort of with the end in mind
or the working backwards process
where we say, if we wrote a press release today,
what would that look like?
And we think about that for every country,
every customer, what would we want it to say?
And I think you always find, yes, there are some unique things to each organization or country that you go into.
But at the end of the day, when you get down to the actual technology and the processes, they are very similar.
The issues are very similar.
The words may be a little different, but they're actually very, very similar.
And in fact, just a point on that, we are working very hard when we go into these countries to explain to them what's already been put in place with,
security and compliance regimes, like SOC 1, SOC 2.
What SOC 1, what SOC 2?
You know, the security models that are set up or the FedRamp, things that are there,
CGIS, which is the criminal information justice standard here in the U.S., which is very
similar to things that are across the world.
But we're trying to show them what's already been done on the security and compliance
scope so they're not recreating a bunch of stuff because we,
do worry sometimes that if you put too many standards in place, it stagnates both innovation
and you're not allowing startup companies to get into that innovative cycle because it sheds
them out because their costs get so high on trying to meet a bunch of standards.
So one of the big things that AWS brings to the table is our infrastructure allow
startups to jump on that and inherit all those security and compliance controls.
so their cost goes down and their speed goes up to get to market.
Compliance is one of the number one reasons.
Cloud isn't as simple as saying, hey, you know,
I mean, it is as simple as turning a button, you know,
being able to set something up within minutes, not just days and hours.
But there is the social side of it, like the selling and the explanation
and meeting these regulations.
So are you finding that you're offering different versions
and different packages, so to speak,
that are like on a spectrum of degrees of compliance,
Like, here's the most compliant version, the least, simply because some of these folks do not necessarily need as much compliance to say this.
I mean, at the end of the day, it probably doesn't make a big difference because is the security underneath all the same?
Well, here's the interesting thing about the way we launch.
And this is what we have to explain to people a lot.
When we create a security and compliance control, if we launch it in one region, the others inherit it.
So that's what you mean by the inheriting.
So it's hard for us because we operate on a global scale, massive infrastructure.
So we're not going to do a bunch of one-offs, if that makes sense.
It makes perfect sense.
We just launch it across our fleet.
Inately, customers inherit the security models that we put on the cloud.
And then, of course, what we also share with them is the ability to use architecture and design in new ways,
like encryption tools that they can use.
So what we always like to talk to them about, and I think you pointed out rightly,
is what kind of security model are you looking for with this application?
And then once they say, okay, it's at this level.
And then places around the world, it's very defined.
So like here, if somebody says, I want to Fed ramp low, okay, well, you can use any region around the world anywhere.
You know, moderate, then, okay, here's the controls.
So that helps us.
So you do have degrees of compliance.
I really did not know that.
I was just trying to understand it.
And it's, and a lot of that, once you get to a certain level, then it's their architecture
and design.
It's tools they choose then, right, to utilize.
based on their need.
Also, it could be about backing up to different regions
around the world as an example.
So they might build a solution in one region
and say, I want to take it and completely move.
I want to have one on the East Coast
and one on the West Coast because I don't ever want to lose.
I want zero, zero, zero, zero, zero, zero, zero degrees
that I could lose anything ever, you know.
So there's like, there's all kinds of models,
but that's the beauty of the cloud,
that you have all these choices and options
on how you create,
you can do it very, very fast. It doesn't take you forever to do this.
Right. So you mentioned encryption. Are you seeing, you know, given recent political news
and the context that the discussions and debates are playing out, are you seeing people
ask more questions or yes, people see people ask different questions? How are you guys
tackling this one? Well, you know, it's interesting because I'd like to see them sometimes
even ask more questions. Like some do, but I think we even, I was just on a panel last week
and I was surprised about cyber and I was shocked encryption didn't come up. And I actually
brought it up because now encryption to me should just be a standard.
Like encryption should just be a standard for customers who have sensitive data and they
should manage the keys and we provide all that for them so they can set it up, have their
own keys and access and have analytics around that.
So I, we believe it will be a standard and we always recommend it.
We always recommend encryption.
It's not required.
It's not required.
But we do, you know, that's my.
Part of sort of the architecture and designing when we're getting in there with our customers one-on-one, we say, okay, let's talk about the application you're running, what do you want to do, and then we make recommendations, and their own security team makes recommendations.
But the types of tooling that is available around security has gotten better, but I will still say companies are really needed to continue to think about cybersecurity and the analytics, because this is not going to end.
We need to continue to innovate and evolve.
It's a beginning. Okay, so let's, you know, come full circle where we started, which is this notion of what is cloud.
You know, with all the customers you talk to, U.S., federal education, nonprofit, around the world, what's the moment when you see an aha light up, like when you're, you know, talking them about what it is and why it's useful to them?
Like, what's the moment where there's like this, like their eyes, they get it?
I mean, you see it in their eyes at Rianbimp, and they see the level of innovation. That is pretty mind-blowing.
I hear customers on stage like GE and Capital One and the intelligence community talking about what they've been able to achieve, NASA.
And I've had customers say to me, that was the moment for me when I saw how you were innovating.
Like they say, if they can do this, I can do this.
I think the moment they get it is not when they see it, but when they run their first like workload.
They see these instances spin up and how quickly they can build something.
something and try it and modify it, the lights just go on. And then once they dive in and they
understand the security and compliance, it is really like, okay, let's go. Let's get moving.
Are they really innovating those customers, or are they just so coming out of this bad,
you know, experience from before where they're just no longer have to worry about plumbing,
that they're just finally able to do their jobs? Is there really like, what's the kind of
spectrum of that to be really innovating? I think it's across all, but you did sort of hit the
now on the head, the average government agency is behind and the types of infrastructure and tools
they're running. So I think for them it is sort of, they see it as a path forward to getting
things done faster, quicker, having agility. But for others, I think there are a lot of new
missions. I think for them, it's like, wow, I can do this much faster. You know, I can really
run this. I can do this faster. And I can demonstrate the results. And in government, we have not
often talked about results delivered. Now, with Cloud, what we're seeing. That's kind of mind-blowing
because that's the whole point of every other enterprise. Why shouldn't government be the same?
Completely. Being held accountable to the tech you're buying and that it works. But with Cloud,
the big AHAs, you know what? We can do this in a small way and demonstrate it and then scale it fast
without spending. That's right. That's the same thing in startups, like the rapid,
billi a rapidly prototype without having wasted all these capital resources. And you're
using these precious resources of people and mindshare in building out infrastructure and
using time when you can put them to work on the skills that really matter to get that
mission completed or that workload that you really need. So really putting the resources
back at work that you've hired them to do originally. You essentially represent the private
cloud arm of AWS in general. I don't mean private in the sense of private sector, obviously,
but in the sense of the notion of a public versus a private cloud,
like clouds that are sort of cordoned off.
So I kind of want to hear your views on the definition of public versus private cloud
and then the so-called hybrid cloud and what you think of that.
Well, so it's so interesting because my team, when we respond,
when a customer acquires something in a big way from us,
even before there's any money transacted,
we have to go through what we call a procurement process and bid and proposals.
The government will put out an RFP, we respond, and then, you know, you win that, and then that's when you actually get going.
So in the beginning of doing all this, we saw a lot of procurements come out that said private cloud.
And my team, we would dig into this, we're like, okay, well, we can respond to this.
So it really depends on what the definition, because within a commercial cloud environment, you can build a model that seems very private.
Like, it seems, it seems cordoned off, but it may not actually be or it is.
Well, it's your own dedicated instances.
It's not physical separation.
But it is separate.
The guns, guards, fences, and dogs kind of conversation, it's not that because you don't need that anymore.
It is the logical, it's the virtual separation.
It's the software-defined separation.
It's the tools that make the difference.
So many times in the definition of an RFP coming out, we end up being able to respond to many, many
private clouds. The intelligence community is a cloud that we built. It's exactly like any cloud
that we built around the world. It's just on their own network. So by sense, it's their own
private cloud, but it is just like any other AWS region. It's just on a different network.
But in general, when we talk about this debate of public versus private cloud, and I mean, I guess,
more commercially as well than... Are they still benefiting then? Because one of the huge benefits
of cloud is, you know, the R&D and the multi-tenant architecture. Yeah. Exactly. That you're able to, like,
what you alone can't do, but together all those resources, everybody benefits?
That's right.
Do the people who have those private instances also benefit, then?
How does that play out?
They can't.
If they go and they say, I'm just going to build this private cloud,
which generally means putting servers in a data center,
that's not a scalable model.
But what we help them do when you combine,
and we work within these clouds,
we have a model called Direct Connect, as an example.
And that Direct Connect is where we take,
and we direct from our data centers into the customers.
And it doesn't go through the Internet.
So it's directly, you know, from one data center to another,
this allows them to scale what they're doing, do analytics.
So you can combine the two.
So it's not a one or the other, if that makes sense.
It makes perfect sense, and that brings me to my very last question,
which is, what's your view on this notion of hybrid cloud?
It's not so much one or the other, but are people really benefiting from one or the other?
Well, in terms of the hybrid cloud model,
We believe that's around for a long time because customers, you know, they're not going to transition overnight.
And they need to be able to take advantage of what they built over the years.
Now, we want to help them move and get progressive as fast as we can into AWS Cloud.
But at the same time, we've built tons of tooling now so that they can actually take advantage of what they have.
So this sense of a hybrid cloud, I think, you know, is there and can be utilized in,
many ways for many missions. And we want to be able to take advantage what the customers have
invested in. So the hybrid cloud is real. Sometimes I wonder if it's just like a word that we
pretend we believe in, but companies aren't really doing it. Well, I think, you know, what does that
really mean? I think all it really means is a customer has a set of tooling that they've done
already. They have a bunch of applications they've built and they've invested in. Now they're trying
to make this transitional shift to the cloud. This allows them in a very cost-effective way.
to be able to take advantage of both while they move over time.
Because they can't do it all overnight, they have to plan.
So what they have on-prem, we want to help them take advantage of it while they make
a move over to the cloud.
It's important, right?
You can't just sit there, have two things running.
You need to be able to take advantage of your entire enterprise.
That makes perfect sense.
And I'm glad to hear you say that because I think we tend to be a little dismissive of the
idea sometimes.
Although sometimes when I hear about some large companies' needs, I feel like they're just
delaying the inevitable.
And why don't they just pulled a Band-Aid off?
Right, yeah.
It's like, why are they even going through this?
There's a psychological aspect.
Right.
But sometimes I also wonder if the ones who will be ahead long-term
or the ones who got a head start in really adopting as a native mindset.
Definitely, they are.
There's no doubt.
But if you consider the true mission type of applications,
what government or large enterprises worry about is if they have their entire mission
running on something over here.
It is a scary value proposition, right?
You can't just shut it down if you're running Department of Homeland Security or Veterans.
So you have to have a model, and that's what we bring to the table, a thoughtful model
and a long-term view to help them feel really comfortable about their move.
And if they feel comfortable and they start moving things, again, it's that trying,
then they're like, oh, I see how this works.
Because, again, startups, they don't have this issue, right?
But in large enterprises that have been around for years and years and years,
and they're running these mission critical applications, a lot of legacy, then the move needs to be
made thoughtfully, but what we find is once they get going, get going, get moving.
So they move faster.
Yeah, because your costs are going to go down rapidly and your innovation, agility, you're going to go way up.
So they, you know, if you just start and stop, there's no value.
You've got to keep moving.
That's great.
Well, Teresa, that was wonderful.
And thank you for joining the A6 and Z podcast.
Thank you for having me.