Screaming in the Cloud - Challenges of AI in Cloud Computing with Justin Brodley
Episode Date: May 16, 2024In this episode of Screaming in the Cloud, Corey Quinn reconnects with Justin Brodley, Senior Vice President of Cloud and Technology at Blackline and host of the CloudPod podcast, to discuss ...the ongoing changes within cloud computing, specifically the intense focus on artificial intelligence (AI) and its repercussions on traditional cloud infrastructure. Justin shares insights from his recent experience at Google Cloud Next, discussing how the AI hype is reshaping cloud service strategies. Additionally, their conversation explores the cultural and strategic shifts within Google and Microsoft, examining their impact on the broader cloud computing landscape.Show Highlights: (00:00) - Introduction (01:45) - Justin's take on Google Cloud Next (03:56) - The investor-focused nature of the recent Google Cloud Next conference(06:16) - How multi-cloud strategies are forming enterprise tech decisions(08:18) - Over-reliance on AI in critical business functions(15:08) - The lack of foundational cloud services and the risk of overemphasizing AI (19:36) - Leadership changes at Amazon and their impact on the company's direction(21:50) - Growth of Amazon's ad revenue(27:16) - The importance of cloud services in today’s tech world(30:51) - Concerns about security practices and responsiveness in cloud services(37:19) - The need for Security in user training and corporate policies(41:13) - Closing remarks and where to find JustinAbout Justin: Justin Brodley is the Senior Vice President of Cloud and Technology at Blackline and the host of the CloudPod podcast. With a strong background in building innovative DevOps teams and enhancing revenue growth through strategic compliance and innovation, Justin is adept at driving customer satisfaction and operational efficiency. He has extensive experience designing and deploying scalable systems, managing costs effectively, and implementing positive cultural changes across various sectors, including cloud computing, ITIL, infrastructure, and more. Justin is also an engaging mentor and a recognized voice in the cloud community through his podcast, found at www.thecloudpod.net. Links referenced: The CloudPod Podcast: https://www.thecloudpod.net/ Justin’s Twitter: https://twitter.com/jbrodleyJustin’s LinkedIn: https://www.linkedin.com/in/jbrodley/Sponsor Prowler: https://prowler.com
Transcript
Discussion (0)
You can't have a single role that uses a bunch of services.
You run out of ability to add that to the policy.
It just doesn't work.
Welcome to Screaming in the Cloud.
I'm Corey Quinn, and I am joined by a guest who it's been a while since I've spoken to.
Justin Brodley is now the SVP of Cloud and Technology at Blackline,
and also the host of The Cloud Pod. Justin,
it feels like it's been a month of Sundays since we've spoken formally. How are you?
I'm doing great. You know, I remember your early days of screaming in the cloud. I think
it was episode six or seven or maybe even eight. And you had me on and we talked about
being a corporate prisoner in the world of cloud, which was a fun conversation, but still
a corporate prisoner in the world of cloud, which was a fun conversation, but still a corporate prisoner in the world of cloud.
But now it's become normalized.
Yeah, now it's normal.
Now everyone's in the cloud and stuck there.
Meet Prowler Open Source.
Designed for the hands-on professional,
Prowler empowers you with an open, transparent platform
to conduct detailed security assessments
and compliance audits across AWS, Azure, GCP, and Kubernetes.
Say goodbye to black box solutions
and hello to a customizable security tool
that grows with your infrastructure.
Start with confidence,
knowing you're using the tool trusted by industry leaders.
Visit prowler.com to get your first security scan in minutes.
Now it's like, what's it like to be an ancient dinosaur
who runs physical computers?
Turns out that that is not,
strictly speaking, accurate.
But it is the Overton window,
the perceptual position has changed
from society on this thing.
Yeah, for sure.
And, you know, also,
if you're on the old dinosaur days in our world,
you're now paying extortionate prices to VMware,
who I think you rightfully called
the payday lender of technology for a long time.
And now it feels that way for sure with Broadcom.
Thank you for that. I'd forgotten I made that joke,
but you're absolutely right. My comment nowadays
is when we were younger and more foolish,
we all used to pirate VMware.
And then we all grew up and the pirates bought VMware.
Yeah, that's what happened.
For sure. But yeah, that's a
travesty in the making
for a lot of companies, I think, this year. They're all dealing dealing with macro climate and their VMware bills are about to go up in a dramatic way, unfortunately.
For a few years, I've been a fan of Google Cloud Next because, as I frequently say, it is a great place to go hang out with AWS customers.
And I got to hang out with you at Google Cloud Next in Las Vegas. This time, though, because you are an actual Google Cloud customer, which is probably why I haven't seen
you quite as much opining on AWS
things, which, oh my god, you must
feel so free and amazing. But
let's start with talking about Next. How was it?
This is my second year going to Next.
I did the one in San Francisco the year before
at Moscone, which, you know,
is all conferences now in San Francisco is terrible.
And so moving it to Vegas, you know,
you had to worry about, is it to Vegas, you know, you had to worry about,
is it reinvent part, you know, smaller cousin?
And it was surprisingly good.
It's, you know, for their first attempt at Mandalay Bay
and doing a conference in Vegas, they did a relatively good job.
They have, you know, the growing pains and teething pains
of the problems of that.
You know, they use an arena for their keynote,
which, you know, novel concept.
Amazon, could you please just book, you know, the Oracle Raider for their keynote, which, you know, novel concept. Amazon, could you please just book,
you know, the Oracle Raider Stadium,
Oracle and Raider Stadium,
and just use that for your keynote
instead of trying to shove everyone into a small room.
So, you know, some things they did well,
some things they did poorly.
They'll make improvements.
Yeah, an example is that the arena staff
were very clearly used to working with drunk sports fans.
And my comment was, at one point,
I wondered if they wound up hiring specifically for
people who were surly or if they had a training program to get them there on the upfront.
They also had logistical challenges, like, huh, when the keynote lets out, suddenly it's going
to be impossible to get anywhere for 45 minutes. So the next session starting five minutes later
in the analyst summit wasn't the best attended thing as a result. But these are growing pains,
and it's easy to get through. My concern, I had a result. But it was a, but these are growing pains and it's easy
to get through. My concern, I had a suspicion this might be the case, in TK's keynote, he started
off talking about AI and I kept waiting for him to talk about other things and it never really
happened. So I started dressing myself with a clown nose and a clown wig and a clown vest and
a clown bow tie just because by the end, I didn't want him to feel unsupported as the only clown
in the room who wouldn't stop talking about AI. And the funny stories I heard after the fact are
that it was a security found out that, oh, this might be a challenge of, is this going to be
something that we have to worry about? No, no, no. I'm not going to rush the stage. I'm just
going to be unfortunately observant about a number of trends. And I was annoyed and confused by this until someone pointed out quite rightly that
these performances, and that's what they are, are increasingly for investors, not for customers.
Yeah. Well, and this is the second year that Google Next has been just overly focused on
the investors and making the investors happy from an AI perspective. I think last year was 160 some odd times he said AI on stage. This year was 111 times that he said
it. And so, you know, Google's very focused on where the investors care, which is not where I
care as a customer about what they're investing in as much. But, you know, I get those, you know,
you're right, their stage performance, it's all about investors making them happy. And that,
you know, Google's serious about cloud if you didn't know.
Yes, which is why they spent very little time
talking about cloud and a lot more talking about AI.
I mean, the concern that I have,
and maybe this is unfounded,
maybe I'm not giving customers enough credit
for sophistication,
but they had giant billboards everywhere
talking about the new way to cloud.
And my thought is,
well, if you're one of the large organizations
that has just signed one of the large organizations that has
just signed one of their highly publicized 10-year cloud deals, which is kind of built
definitionally on the old way to cloud, is this a concern? I mean, it's not like Google has a
track record of losing interest in things and dropping the thing that they're currently selling
in favor of the thing that they're building or anything. Is this an actual concern for you as a serious company doing serious things
on Google Cloud?
It comes up.
Customers will ask me about it when they
find out we're on Google Cloud.
Oh, aren't you worried they're going to cancel it?
They just had their earnings this last
week. They had $25 billion
in revenue from the Google Cloud business.
It's a $100 billion run rate business. It would be
surprising to me at this point in time
if they were to back away from it.
But you always want to have some contingencies.
We do have a bit of a multi-cloud strategy.
Through acquisitions, we've picked up Amazon Web Services.
We've picked up Azure.
And so we have our foot in all three clouds,
even though our majority of our spend
and majority of our workload runs on GCP.
We have options. And as we think about more multi-cloud, we're thinking more in the right way
to multi-cloud is pick the right cloud for the problem you're trying to solve
and use that one. And if you're using Google for big data and AI
and Kubernetes, you're probably having a pretty good time on Google Cloud.
If you're trying to do managed services, you're trying to do Microsoft licensing,
maybe less so.
The enterprise story functionally is regardless of the interesting experiments that you're doing in a cloud environment, in the overwhelmingly common case, you still have a giant mountain of EC2 and or VM equivalent and our database RDS and data transfer and S3 or object store and great.
And then there's a long tail of other stuff.
And I mean, AWS does the same thing.
Even before they got this AI addiction
to talking about things that they aren't shipping yet,
they did not give a whole lot of time to EC2
just because running VMs in a provider's environment
is no longer top of mind interesting to most people.
I mean, I find it fascinating.
One of my absolute favorite parts of reInvent every year is the Monday night live with Peter DeSantis, which is improperly named.
It should properly be named Surprise Late Night Computer Science Lecture with Professor DeSantis.
And I am totally there for it.
I come out of that thing three times smarter than I went in, which is odd because they often serve beer in it.
But that is the stuff I care about.
That is the stuff that is substantive and interesting
and I can learn wonderful new things.
But then the machine learning stuff
has always been a little on the strange side.
And don't get me wrong,
customers are using AI in a bunch of different ways.
They're just not necessarily going as all in on it
as the hype would have people believe.
Yeah, I think we're,
how often now can you recognize ad copy
that is clearly written by AI?
I actually do have trouble with that
because it turns out that I cannot,
it's like the park ranger story
where it's so hard to build bear-proof trash cans
because there's significant overlap
between the smartest bears and the dumbest tourists.
And I feel that same way with the best AI marketing
and the worst human marketing also have significant overlap.
Where, like, I don't know if it's because a computer wrote it
or it's just bad copy, but I don't like it regardless.
But if they're, frankly, I guess what that means,
if there are great things being written by AI,
it's sneaking past my filter and I'm not aware of it.
Yeah, I don't think it exists.
I think that's the problem.
I think the AI generated content
sticks out like a sore thumb.
I've been using it myself for the newsletter.
But when I say that, everyone gets very nervous
until I complete the thought,
which is I use it to generate the placeholder text
for any given event.
And sometimes it has a very funny turn of phrase
that I'll use either there or somewhere else.
Once or twice, it has come back
with something objectively horrifying.
Like there was one AWS blog post about two months ago
where it mentioned a woman who was doing an interesting work
and its comment was,
and it took a while to get my prompt dialed in
so it mostly sounds like me,
but you want to talk million mile miss,
good news, the thing that's about to spike massively
are Google image searches for, and then they put the woman's name in there. And it's no,
no, no, no, no. We do not sexualize people because they happen to be a woman. This is a professional
space. No. Now, if that had gone out in the newsletter, I would not have a newsletter
anymore and probably not a company either, rightfully so. But it didn't, because I don't send AI output unfiltered to the outside
world, because I am not a fool. And that is, I think, where some of the worst expressions of AI
are getting it wrong. Yeah, I agree with you. I think people are overly confident in it. And
yeah, I think Amazon Q, they just had in their announcement, they were talking about
National Australian Bank, you know, accepting 50% of the recommendations from QDeveloper.
And I was like, well, that's a bank that I don't necessarily want to use business with right now.
Because if you're accepting 50% of the code suggestions that are being written by AI right now, I think you're in a lot of trouble.
Because the code that's generating is not great. And let's be very clear on something here, that their metric for accepting
of a suggestion from AI and what that actually looks like are not what people think they are.
Very often, I'll tell it, it'll automatically generate out an IAM role in the CDK when I'm
building something out. Great. It is hilariously and comically wrong. I mean, horribly so. Like,
there are things that there are condition keys that don't exist, for example.
But you know what it did get correct?
Bracket symmetry, parentheses symmetry.
The indentation is right there.
And yeah, then I can accept the dumb suggestion, but then change the actual words to be something
that isn't absurd.
That is, I think, a very different thing than, yeah, I'm just going to tab complete my way
through my job.
Exactly.
But, you know, again, take the time, build the personality into your AI like you're doing at the newsletter and then filter and edit and be a strong editor.
You know, you're probably one of the 1% people doing that.
Most people are taking AI at face value in the wrong way.
And they're resulting in, I think, where we're heading.
I think we're on a rocket ship to the trough
of disillusionment on a bunch of this AI stuff.
I live in the trough of disillusionment
about everything. I'm the guy
still waiting for the year of Linux
on the desktop. I'm still waiting for containers.
I'm still waiting for
cloud.
I'm still waiting for an AI.
This one is like AI and Linux containers
on Linux desktop in the cloud. It's going to be year 2025, I'm sure of it an AI. This one is like AI and Linux containers on the Linux desktop in the cloud.
It's going to be year 2025, I'm sure of it.
But it's, I'm used to being disappointed
because I am cynical.
That's what running, or I'm not disappointed
because I am cynical.
I expect the least.
So all my surprises are pleasant.
That comes from being an office person.
Yeah.
So I think it's going to be interesting to see
as these companies realize how limited what we have is.
I mean, ML's been around for 10, 15 years now at this point.
And my joke on the CloudPod all the time is AI is how ML makes money.
That's our running gag about this, is that it's the only way they've been able to make money on ML for years is by now rebranding it as AI and Gen AI.
But the same limitations are there.
The cool stuff that you can do, like recognizing cancer and images and those things, those are very strong
pattern recognition matches. But when you get into truly creating software,
truly creating words on a page and these things,
it's so limited in how it interprets it that you see the limitations in the transformer model
so quickly that I think people will see those issues.
And that's how I recognize AI generated content now
because it uses certain phrases and certain things
that no person uses in a common conversation.
You know, like, oh, you know,
the candor of the gentleman at the table
was amazingly bright.
Like, you know, it's just like,
no one talks that way.
Like, this doesn't make sense.
So unless you take the time like you're doing to tune it,
you're going to have people
who are constantly dealing with that.
Yeah, I'll use odd words here.
Someone said delve.
Like, I use the word delve periodically,
but it's not going to be three times in a paragraph.
Like, that is where it starts.
The wheels fall off.
It feels almost like it's a modified form of gal-man amnesia
with Gen AI across the board,
which, for those who are unaware,
is when you read a newspaper article about something you know well,
and you spot all the mistakes
and how little the journalist understands
about the area that you know a lot about,
but then you completely forget that
the next time you're reading
about international relations or the Middle East crisis,
and suddenly you're taking everything they say at face value.
AI is very good at filler and surface-level content,
but as soon as you start delving into it,
see, there I go,
you wind up with a, you wind up with a,
you wind up with a,
oh, this thing doesn't actually make sense
and know what it's talking about.
Now, a disturbing amount of the world
gets by on surface-level nonsense for things.
And that is,
that is the way the world works.
I'm not crapping on that.
I use it to give me templates for reports
and policies and things
that might not necessarily be the most important.
I somewhat recently, for a billing thing I was doing, had to come up with an example
of a DR policy.
Like, great, how would you do it for billing stuff?
Well, the data is originally sourced from Kerr, which lives in S3 buckets that Amazon
places there.
If that data goes away, the cloud has become free for you for that month.
So I think that there's a very different story going on then.
You don't actually need to back that up
to a third party.
But explaining that in a way
that makes sense for just a
basically check the box
for an insurance policy thing.
Great.
Here's the baseline thing.
I explained the constraints
and it put it into policy framework
because they like long documents
and not bullet points.
And we iterate on that going forward.
But I don't have it write the thing
and then email it on my behalf.
That is insane. Yeah, that's crazy
time. Don't do that.
I used it this year to help me write my
reviews, which then I then had to edit
quite heavily because you give
it a list of like, here's what the person does well, and here's what the person
does bad, and write me a review on that.
And it produces a bunch
of filler content, which is fine,
but then you have to make it sound like you,
which is always sort of the fun part to make it sound like you, which is
always sort of the fun part. There are times where I want to write an email, but I don't want to be
bothered to write the eight paragraphs that it requires to do it right. For example, one of my
better prompts is respond to this email with the following sentiment in a tone that is either
wildly enthusiastic or witheringly sarcastic, but is difficult, if not impossible, to figure out
which. And it understands the assignment more often than not. I tweak it a littleastic, but is difficult, or if not impossible, to figure out which.
And it understands the assignment more often than not.
I tweak it a little bit,
but it's a,
but that's the sort of thing
where in certain circumstances,
where that's the effect
I want to get across.
It's terrific.
Well, you know,
going back to Google Next,
you know there was AI at Google Next,
but, you know,
there was other things
that matter to you
as a cloud practitioner.
Not in the keynote, there weren't.
Not in the keynote,
not in the developer conference, not in any of the things.
And I think this is the big problem that Google has in particular because they've got AI-itis.
And then you also have got Amazon trying to chase that as well.
Azure is a little bit more metered in this, although they have the same problem.
Well, Azure is partnering with OpenAI, who is clearly the industry leader.
So Microsoft's problem is stomping back from the wild, over-the-top
nonsense. Their GitHub division is
refounding the company on AI, which is
a scary thing to hear from the company that owns
all of your corporate IP, or holds your corporate IP
and think they own it.
This is going to change the nature of humanity.
Frankly, they're changing the keyboards.
The 104 keyboard is going to be
105 now, with a dedicated
co-pilot key.
And that doesn't bug me in the least because it turns out that everything can remap it.
Now I have one more button to tie to some meta function or whatnot through my keyboard remapping.
Great. I'll live with that.
Yeah. The key is just everything wrong with Microsoft's strategy on that. But my point, I think, is as you look at these cloud providers,
Google's got a lot of foundational pieces and fundamentals to rebuild still in their cloud.
They're so heavily partner-focused that they don't have some of the basic things.
If you want to go get CIFS file servers, for example, to support your Windows workload on GCP, your answer is partner with NetApp. Whereas, you know, those of us in the data center business who want
to get out of the data center business don't want to keep using
NetApp or Palo Alto or these
other vendors that they continue down this path with.
And so there's
this issue with Next, I think, where you had
to start talking about, like, it can't
all be AI because if it's only AI
and then AI falters or has
bigger major issues or we
run out of training data
or any of the other things that we hear about AI,
what else does Google have?
What else does Amazon have?
And right now, that's all they're doing.
That's not a lot of innovation beyond AI.
And I think that's a risk for the cloud market in general.
It is.
And the challenge is,
especially with the one that I deal with the most,
is obviously AWS.
And suddenly you have a chatbot
that pops up on its website that is LLM powered.
And if you ask it questions,
it gives answers that occasionally
are the sort of thing that if any AWS employee
were to say them to me,
Andy Jassy would personally drop out of a parachute
out of the helicopter to fire them on the spot
because that is so off brand and the rest.
It makes up, it hallucinates.
There's a polite way
of lying. And it just very convincingly talks about things that aren't real. And when you're
not conversant with a thing, you don't necessarily catch it. When I ask it for a list of regions and
it mentions the one in Greece, it's like, okay, that's interesting. I don't believe there is one
in Greece because most people don't have a visceral awareness of where all the AWS regions are.
31, I believe now.
Like, could I list them all off the top of my head?
No.
But when you tell me that there's going to be one in Duluth,
I'm, that sounds suspicious.
I don't recall there being one there.
Let me look it up.
And that is the stuff that can be dangerously misleading.
It's always weird too when you catch it in those lies.
I was dealing with it the other day, and I was trying to find out if
this annoyance I had with some software, there was a feature request to fix my
pain point. And so I asked, and it's like, yeah, there's a GitHub issue related to your
thing. And I'm like, cool, can you send me the link to that GitHub issue? And then it comes back and goes like, well,
actually, there's not a GitHub issue. But I'm like, but you just told me confidently that
there was. And, you know,
those little things like,
you know, you just lose confidence
so quickly in the AI
because of those type of
gotchas and the hallucinations.
And it's like,
how do I trust you ever
when it matters?
And I think that's
a risk for these companies.
You mentioned Andy Jassy,
and you're actually
probably the best person
I could ask about this.
You know,
it's now been a couple of years since he's
moved on from being the CEO of AWS to being
the CEO of Amazon and Adam Slipsky's come onto
board. I'm not sure that I would say that this isn't
the bomber of Amazon. I'm not seeing
the big picture for him about how he's going to drive
that company to the future. And then, you know, couple
that with Adam being kind of,
you know, less visible than Andy ever was.
It makes me wonder,
coupled with all the employee dissent there,
like, are they on the wrong side of a lot of stuff?
And are they going to be able to get out of this?
Or do they need their Satya Nadella moment?
A lot in there.
Let me begin by saying that
I don't know that there was any way to avoid Amazon going from where it
was when Andy took over to where it is now. Bezos is not a fool. I suspect he saw some of the writing
on the wall and decided that he would effectively, on some level, I don't mean to cast aspersions,
I've never met the man, but I wonder if it was, I'm going to toss my good buddy Andy of 20 years
under the bus to take the fall for this. The job of Amazon CEO is one of those jobs that is both impossible to do,
and to someone in Andy Jassy's position, impossible to turn down.
There is no way to win.
There are only different ways to lose.
One of the better examples was when they killed their Amazon Smile charity donation program.
I am certain there were reasons internal and good ones to do that.
And there is context that can be shared publicly
around that for a certainty.
But the world never sees that.
So to all the world, all it looks like is,
well, Andy's here now, so he's going to,
first thing he's going to do is stomp out
that pesky philanthropy, which is absurd
if you just accept that on its face.
Andy does a lot of philanthropic work.
I admire the man deeply
on a personal and professional level.
Let's be clear here.
I know I dunk on the thing he built an awful lot
that should not be misconstrued
as anything other than
more or less meet storytelling there.
I have, he is, he's admirable.
And the couple of times
I've gotten to ask him questions,
I have always come away
with my head spinning at the implications
of what he has said in response.
He's, he's. The man is brilliant.
There's no way around that.
He's brilliant on his own. I agree.
It feels like Amazon is
sort of in this...
They're in the middle of the ocean without a paddle in a lot of ways
on a bunch of areas, from employee engagement,
from Amazon, the store.
I mean, the revenue doesn't say the story,
but Microsoft's revenue never was bad either.
In the bomber era, their revenues were fine, the stock doesn't say the story, but Microsoft's revenue never was bad either. Like in the Balmer era, you know, their revenues were fine.
The stockholders were happy, but like they lost their identity between the Gates era and the Satya era.
And I feel like we're sort of going through that same process with Amazon at this moment.
And nothing against Andy, nothing against Adam.
They're both seem very smart, but they seem lost in a bigger picture of something,
other than we're chasing AI and hope AI
is going to be the future.
If you've ever felt boxed in by your security tools,
it's time to break free with Prowler
Open Source. Tailored for security
and cloud architects who demand control
and transparency, Prowler
delivers with a robust suite of security
checks and the flexibility to adjust
them as you see fit. From CIS benchmarks to GDPR compliance, handle it all with a robust suite of security checks and the flexibility to adjust them as you see fit.
From CIS benchmarks to GDPR compliance, handle it all with a tool that lets you see under the hood.
Join a community of experts making cloud security accessible and, as a bonus, understandable.
Don't just monitor your cloud environment. Master it now at Prowler.com.
At this scale, Amazon's market cap far exceeds the GDP of, I believe, majority of countries
now, which is ridiculous, but also true.
They are effectively heads of state.
And part of the challenge as well is that you know this probably better than I do, but
when you're at a certain level of executive seniority, You only really do two things. You hire people to run different orgs
who report to you, and then you set context. Everything else is done by power of that
delegation. And some people are spectacular at it. Some people are not. I, from my engineering
background, I just think, well, I write code all the time and I could just jump in and do that job
too by writing stuff. They don't write a lot themselves. They have things written for them.
They wind up weighing in and corresponding. They're literate, don't get me wrong. And they
write, yes, but that artifact output is not the core of what they do. And I don't know what it
takes to succeed in a role like that. I would never be in a position to be offered a job like
that, which is why I would never get so far as being able to turn it down. It wouldn't be
presented to me. And that's a good thing for everyone. But it's a, it's, I don't know what the
right, what the right thing to do is, but some of these things are inevitabilities. The market
demands growth at all size, at all costs. And at Amazon scale, there are precious few new worlds
left to conquer. You can do things
around the margins that I think are foolish. The fact that the Google search results have been
decimated by ads. The Amazon search list for products has completely gone the way of garbage
because of the way people game these things in Amazon themselves. And now we're starting to see
ad experiments run in the AWS marketplace, which I'm sure is going to simply be more of the same.
But it makes a lot of money to do it.
Advertising is, to big tech companies past a certain point,
a absolutely corrosive force.
And I don't know how we fix it.
Yeah, that was my big thing
from this month's earnings for Amazon was,
I think it was ad revenue grew to 18 billion, something like that in the quarter. I mean, it's a massive amount of growth for them. It's growing for Amazon was, I think it was ad revenue grew to 18 billion,
something like that in the court.
Like, I mean, it's a massive amount of growth for them.
It's growing faster than Amazon Web Services
for them at this point.
And that is fundamentally detrimental
to the long-term customer obsession
that they say is part of their leadership principles.
And so it's just sort of, again,
it's an interesting inflection point.
And I think we're going to look back
at this era of Amazon and Apple and maybe even some of the other companies out there and say they were really on the wrong side of a bunch of stuff.
If you were to spin off AWS as its own company and then ask me to reason about that company, there are a hell of a lot of worlds left to conquer.
I can come up with ideas for days, and I am not particularly creative in that particular way. I can think of a bunch of
things that they would do, that they could do that day, that would revolutionize the way that
they are perceived in a number of ways. But as part of Amazon, a lot of those doors are closed
to them. And as well as that, it doesn't move the needle on Amazon, the entity. Because AWS,
the business unit, is important and increasingly so,
but the earnings calls,
I mostly start ignoring
just because everyone instead
wants to focus on how many boxes
they're shipping and to where.
Yeah.
I was talking to a very large
Fortune 10 company the other day,
and we were talking about a project
they were talking about doing
with my day job.
And they were like,
well, this project will save us
about $8 million.
And you're like, oh, great. That's amazing. We should do that. This makes all the sense. they were like, well, this project will save us about $8 million. And you're like,
oh, great, that's amazing.
We should do that.
This makes all the sense.
We're like, yeah,
we won't even touch that
because at our scale and size,
$8 million doesn't do anything.
And it's a level of scale
you just don't understand
where at the day job,
if I saved $8 million,
I'd be a hero.
If you saved $8 million,
Duckville Group,
they'd be super happy with you
as well. Mike would love you. It's just a different scale. And it's hard to fathom that scale unless
you're at a company of that size where we're not even going to touch that unless it moves the
needle by $500 million. What's wild is I deal with my personal finances. I mean, I do okay,
don't get me wrong, but I still rent in San Francisco because if you want to buy a house
in the city, you need to exit a company twice.
When I'm dealing with the Dunk Bill Group's finances,
the numbers are a different order,
not order of magnitude necessarily,
but there's a significant difference there.
But then when I deal with customer AWS bills
and words like more revenue
than the Dunk Bill Group makes in a year
is what you're spending on that service,
so it might not make sense to optimize that yet is one of those weird things that like objectively, if you were to like optimize
that dollar figure and write it to me as a check, I could retire comfortably today. And that is just
a, you have to make sure you're not thinking about the wrong order of magnitude on these things.
And then I talked to my almost seven-year-old now about her allowance and whatnot, and I have to come down to a different order of magnitude, lest I inflict a
bunch of inflation-related problems solely on myself. Clean my room, that's $20. At this age,
there is functionally no difference between $20 and a quarter, but yeah, it keeps things interesting.
Yeah. As a thing in my 40s, I still cringe when I break a 20.
And now, you know,
that's what someone's dollar is these days.
When I was growing up,
my parents always had an emergency 20
tucked away in their wallet.
And now I have an emergency 100
tucked away in my wallet.
It's like, well, lots of places won't accept it.
It's like, no, no.
If I need to break into that for a problem,
keep the change is not a problem
because it's like either that
or I don't have gas to get home.
There's a, there's always, because it's like either that, or I don't have gas to get home. There's a,
there's always,
it's just nice having that,
that back pocket,
get out of jail free thing if I need it.
And I'm sure my kids will find a company at some point,
they're gonna have to have bigger bills than hundreds for that sort of plan to work.
Yeah.
That's a scary thought,
isn't it?
Something you mentioned a little while back was that Google cloud is now at a
$25 billion a quarter revenue side,
which is on par with AWS, just hitting $100 billion in annual run rate as well.
And that threw me for a second.
And then I realized, oh, wait, this is the same thing as what I saw on a sign
advertising at Google Cloud Next, that 90% of AI startups are on Google Cloud.
And that struck me as first as wildly high. And then I remembered,
oh, that is super interesting, but not because of the reason that they want me to think.
Instead, it's because I really want to talk to the 10% of companies that somehow are not using
Google Workspace. Who doesn't use Google Docs and Gmail for this stuff? What are they doing?
And a company founded today, I want to know what they see and how they get there. Because Google Workspace
is a behemoth. I used to say that that
wasn't really fair as being part of
cloud revenue, but I was wrong on that
because, as killed last
week, AWS has
work docs. Or this week,
or whenever it is. As the recording, it is
in the past. I just don't remember. Time is a flat circle.
But yeah, so Amazon had one.
They killed it. It's fair.
But what I care about is infrastructure, not
those business applications side of it.
Yeah. I mean, that's a very common path
where people get to Azure because they're a big Office 365
subscriber. And it's
a big path of how they get to Google as they were a Google
Workspace customer first. And in
both cases, Office 365
less so. But in Google Workspace, it's
tightly embedded into Google Cloud. If you want to be able to use it, you need to but in Google Workspace, it's tightly embedded into Google Cloud.
If you want to be able to use it, you need to have
a Google Workspace account to do
basic functions. And so
it does lead you
there directly because it's easy. Click the button, and now
I have Google Cloud resources tied to my workspaces
and I'm off to the races.
It's sort of interesting.
The BigQuery
component of GCP and then their support of interesting the the big query component of gcp and then their support
of kubernetes is the biggest driver for initial cloud workloads coming into gcp uh when you talk
to customers who are in the space from there you then jump into they stole the sage maker product
manager who basically created sage maker 2.0 andex, which fixed a lot of the deficiencies
of SageMaker that SageMaker still has not fixed.
Dangerous to steal that person because honestly, SageMaker started being shorthand or the parent
service for felt like 200 different subservices under it.
So clearly that person's an empire builder and effective at navigating the bureaucracy
to do it.
Like what's the difference between a feature and a product in AWS?
Oh, quite simply how charismatic the product owner is.
But Vertex itself
has got a lot of great things going
for it. And so I think it just naturally makes sense.
They're also investing a ton of money in startups
in the AI space as well.
Trying to copy
ChatGPT, etc. You mentioned earlier
GitHub co-pilot
a little bit on ChatGPT.
And it's interesting because I think both at Google Next and now with the new Amazon
Q developer announcement they just had this last week, they both have now
gone to the point where they're now indexing your entire code repository to then
give you insights into your code. So you can actually now like, oh, I need to call that other service
which is a different API and just call it by name and gives you basically the API
commands you need to make that call
and the web endpoints that are defined in your code.
Chat GPT and OpenAI and what they're doing with GitHub Copilot is actually behind right now, I think.
So I'm actually curious to see, you know, are they going to leapfrog at build,
which is happening, I think, in two or three weeks now?
Yeah, I've been invited to it. I'm trying to figure out if I go. The honest problem I've got is this show, specifically
because I have beaten up Azure for a while on not necessarily their security issues as such,
but rather the lack of public response to them, because I think their customers deserve
better. What is going on? When Google or AWS have vulnerabilities, as they do from time to
time, their response is uniformly excellent and rapid. And the problem is, is I don't want, I
don't have a rule. I don't make people regret inviting me to things and helping give me a
platform to do it. But there's no way for me to have conversations with people there and not ask
that as the first question. I owe that to my own integrity, if nothing else. And if they're
just going to avoid the topic or give non-answers, then I don't care what they're doing with AI if I
can't trust the security of the data that feeds it and the response I get from it if it's critical
to me. Yeah. I mean, you mentioned Wiz, I think, at one point in the show. And every time they
write a blog post about an Azure vulnerability and you read through the details, it's just like,
how did you not think of this? It's totally secure unless you hit a packet against a high port or try another password.
And when Wiz talks about other things about finding exploits with Google or with AWS,
and I've talked to the researchers about it, midway through these explorations,
usually they get a phone call from those cloud security teams going,
so what's going on, buddy? Anything you want to talk to us about? Whereas with Microsoft,
they report the issue
and a month goes by with no response.
They report it again,
six weeks go by,
and then they begrudgingly acknowledge receipt.
It's, yeah.
I mean, because security is hard.
They are better than I would be at their scale.
I get it.
But I would not be doing security at their scale.
I would have a crack team of people,
not just who are good at it,
but who understand how to communicate about it,
how to drive it holistically.
Hiring Charlie Bell to run security
was on its face a great idea,
except for the part where I strongly suspect
his 27 or whatever it was years at Amazon
almost certainly taught him the Amazon way,
which is very much not the Microsoft way.
You cannot export culture
between giant companies like that, to my experience.
Well, and also you have to have enough security knowledge to be effective. You know, you talked
about SVP level hiring. And, you know, yeah, it's partly about him being able to set a strategy and
hire people who can execute it. But, you know, it's more than that. Like you have to have
fundamental strategic thinking in the space and thought leadership in that space to be effective at scale.
And I think reading through the CISA report that came out
on that exchange attack was pretty damning.
I mean, as bad as the SolarWinds attack in many ways
and the outcome of what happened there
and the supply chain breaches that happened,
they've got to change their way.
And I'm seeing it already.
Satya spent a lot of time at the earnings call
talking about security and how important it is.
It sounds like they're making it now part of OKRs
for every executive at the company to be security focused.
But it's upsetting to me when it's like,
well, the only reason why you're doing that
is because you got embarrassed by the CISA.
That's the wrong reason to do it.
That's a bad reaction versus
it should have been part of your culture.
The topic was fascinating to me.
They said that I was banging on about Azure security being scary
and bad two years ago.
And they thought I was being over-the-top, histrionic.
Sometimes, sure.
But then all this came out, and their big question for me was
how did I know?
And the simple answer was, look, when
things come to light, as they do, I look
at the response and how it was handled.
When there was a AWS glue, cross-ten as they do, I look at the response and how it was handled. When there was a AWS
glue, cross-tenant
vulnerability discovered,
may have been by Wiz, may have been by Orca, may have
been by Datadog Security.
Yeah, it was, the response
was simply,
they did analysis on this, they fixed
the issue and said, we have examined the audit
logs for the service dating back to its launch
seven years ago.
And as a result,
we've returned conclusively.
The only time this has ever been done was when the security researcher did it.
The Azure vulnerability,
we have no indication that this has been exploited.
That reads to me as what even are logs philosophically speaking.
Yeah,
it clearly there's a gap in their culture on that,
but you know,
the logs are just the being a piece of it. You need to have so much more threat intelligence now,
threat hunting activities, red teaming.
These are just things I don't really hear about a lot at Microsoft.
It's not part of, you know, I've hired lots of Microsoft developers in my career.
I've hired Microsoft executives.
Just security is not on the forefront of what they talk about
when they think about these things.
That's just a cultural change that they have to make to get there. Security is not the forefront of what they talk about when they think about these things. That's just a cultural change that they have to make to get there.
Security is not the forefront of
what AWS talks about either.
But it is the forefront of how they approach
these things, how they think about things, and how they
operate. I've been saying for a while they should talk
more about it because everyone runs their
mouth about security. They don't seem to
very much, but they have a better story
than almost anyone. The only
folks who are better at
it, in my experience, has been Google Cloud, which sounds controversial. But the actual
implementation of their security programs comes down to which one is better depends on who had
what for breakfast on any given day. For me, though, it's a simple change, which is that inside
of a Google Cloud project, to my understanding, and please correct me if I'm wrong on this,
by default, almost every resource can talk to almost every resource within the bounds of that project. Does that align with
your understanding as well? And then at some point, if you work in, I don't know, a regulated
industry like you, you can disable that and restrict that down further. But great. By the
time you want to do that, you generally have a security apparatus that does that for you.
Whereas by default, AWS is nothing can talk to anything
and must be explicitly allowed,
which leads to the very human problem of,
I'll try it, oh, it failed.
I'll broaden the role.
Try it, fail, broaden the role.
And after a few times of that, screw it, allow everything.
And I still have a load bearing to do from six years ago
in one of my lesser accounts with CodeBuild
saying go back and remove administrator access.
I haven't gotten around to it because it's annoying.
Yeah. I mean, one of the things GCP, when you think about that particular aspect,
is the difference between IAM in Amazon and GCP
is the equivalent of Novell, Groupware, directories, and AD directories.
It's a completely inverse thought process.
So from Amazon's perspective, you get very broad and you go narrow.
And from Google's perspective, you get very broad and you go narrow. And from Google's perspective, you go very narrow and you go broad.
And so that single decision on how you think about it really dramatically changes
the entire way you approach the security model for that because you can't
have a single role that uses a bunch of services. You run out of
ability to add that to the policy. It just doesn't work. You have to create more smaller
policies. You have to attach more policies to things
to make things work.
And it's just a different fundamental choice.
And they, you know, being a third mover,
they have the ability to see what Azure did wrong
and what Amazon did wrong.
And they made different mistakes.
Your usability is a security issue.
People miss that.
The, like, I hate the security awareness training
every year that, oh yeah, remember,
if you click the wrong link in an email,
you could destroy the company.
Great. If you're an accountant or a marketing person or an admin assistant, you click a wrong link and it takes the entire company down. Maybe that's not
your problem. Maybe that is a problem with the entire way that we, both as a company and
collectively as an industry, have addressed where the buck stops with regard to cybersecurity.
Yeah. I mean, it's got to be in a board level thing. It's got to be an executive level
thing on security.
It's part of your entire organization.
It might not be what you're talking about,
but it has to be part of the practices
that you see in the organization.
I'm curious to see how Microsoft
does evolve from here.
I mean, it was a little bit interesting
to see Amazon take the opportunity
to punch down on Azure,
which always annoys me
when vendors do that.
You know, they had a security blog post
directly responding to the CSRB report.
And then they wrote
a couple thousand words on
how the unique culture of security
at AWS makes it different
in direct response to Azure
getting just bludgeoned by the government.
Did they name check Azure
or Microsoft on that?
Or was it just the timing?
No, they call out the,
you know, a recent report
from the Cyber Safety Review Board
makes it clear that
deficient security culture
can be a root cause
for avoidable errors.
I mean, it just, you know,
yes, you didn't say it.
They said it without saying it.
Yeah.
Close to the edge.
It's a, they are,
it's strange because in other areas,
Azure could be punching down at them.
Easy, sensitive example of them, AI.
And Microsoft is doing a better job
with AI than Google. And then Google is doing a better job with AI than Google,
and Google is doing a better job than Amazon.
Amazon is horribly sensitive to the perception that they're behind,
so they're doing everything in their power to affirm that they are behind
by releasing things too early that aren't really fit for purpose,
and then discussing them in ways that do not align with what their customers want them to do.
But even giving you a cohesive vision of AI on Amazon
would be a big step.
Because I get lost between,
okay, you've got this Q thing,
you've got SageMaker,
you've got Bedrock,
and then you've got a bunch of other ML, AI capabilities
you've done as point solutions,
but none of it seems connected,
none of it is aligned.
And ultimately, it feels
like it's all just, you know, throw it
at the wall, see what sticks. And whatever sticks is what
we're going to talk about, reinvent. And
hope for the best in the future. But it's
super disconnected in its strategy.
It really is. And I hope for the best, but
we'll see. Reinvent, I
want to say, is nigh. It's not. Don't worry. It's
still in December this year.
First week of December, which, great.
Easy enough. We're recording now
and it's still April. Oh, no, it's
May. It's coming.
Will you be there this year
or are you going to make good choices?
I have not
been for the last couple of years and I think I'm going to continue to make
that choice.
It's too big. For years now, I've
said they need to break reInvent and to be regional. They should have a European reInvent.
They should have an Asia pack reInvent and make it smaller, make it more focused.
Until they do that, I don't know if I want to go back. I did go the first year post-pandemic
because I was just sort of curious. And it was nice because it was like going to reInvent
from six years prior, which was really great when it was 40,000 people
versus the hundred and some odd thousand people
that it is now and the craziness of buses
and transportation and all the problems.
So when it's all on YouTube a week or two
later, it doesn't catch what I want to watch on YouTube.
Yeah.
I wish I could make those choices.
Yeah.
The decisions you make and what you do
for a living drive these things.
So I'm hoping Google Next doesn't get too big too quickly.
But the next couple of years are supposed to be at Mandalay.
So I'm excited about that.
I think it was a good conference and excited to see what they do going forward.
But to go back to reInvent and to do all that mess
when not being my primary cloud provider,
I'm going to watch from afar.
I think that's the right answer.
Yeah, I keep forgetting sometimes that you can't love companies.
They'll never love you back.
I want to thank you for taking the time to speak
with me today. If people want to learn more, where's
the best place for them to find you these days?
Yeah, so we're dropping a weekly
episode of the CloudPod
at thecloudpod.net, where we cover
all three cloud providers. Plus, we make fun of Oracle
occasionally, because if anyone
deserves to be punched down at, it's Oracle all the time.
We talk about cloud providers
and Oracle is kind of
a great tagline.
Yeah, exactly.
So, yeah, we're there every week
talking about the news.
You know, we try to talk about
why you actually might want
to use this crap
they're announcing.
Getting more and more difficult
with some of the AI announcements
admittedly, but, you know,
that's what we're doing every week.
And then, of course,
I'm on Twitter and the Mastodons
and all the places at Jay Broadley.
You can find me pretty quickly with a simple search.
So I'd love to connect with the audience
and hear more about what you guys are doing in the cloud.
We will put a link to that in the show notes.
Thank you so much for taking the time to speak with me.
I appreciate it.
Yeah, thanks, Corey.
Justin Broly, SVP of Cloud Engineering and Operations
at Blackline.
I'm cloud economist Corey Quinn,
and this is Screaming in the Cloud.
If you enjoyed this podcast,
please leave a five-star review
on your podcast platform of choice.
Whereas if you hated this podcast,
please leave a five-star review
on your podcast platform of choice
and be sure to leave an angry, insulting comment
making sure whether it is AWS security
complaining about my Google reference
or Azure security complaining about how great the crayons are eating for lunch taste
and which one of those you are in that insulting comment.