UPDATED 12:04 EDT / JULY 02 2019

SECURITY

Grown-up cloud security is built in, lives all over the network

Cloud security is growing up. No longer must public-cloud customers bring an armful of their own security tools. The plug-ins and add-ons are giving way to baked-in security that’s live as soon as instances are up.

Cloud security proper — not just security in the cloud — is still pretty nascent, according to Jesse Rothstein, co-founder and chief technology officer of ExtraHop Networks Inc., an enterprise cyber analytics company. “We see a number of vendors that really are kind of on-prem security solutions that they’re trying to shoehorn into the cloud,” he said.

Their tools for vulnerability scanning and so forth are neither best in class nor easy to enable in the cloud. The best place for security in cloud and hybrid cloud is the network. “It is as close to ground truth as you can get; it’s very hard to tamper with, and it’s impossible to turn off,” Rothstein stated.

Amazon Web Services Inc. is the cloud provider leading the march toward specialized, network-driven security by and for cloud. Its just-announced virtual private cloud traffic mirroring is exactly what cloud’s been waiting for, according to Rothstein. ExtraHop and AWS have partnered to bring unified cloud security and monitoring to the enterprise.

Rothstein spoke with John Furrier (@furrier) and Dave Vellante (@dvellante), co-hosts of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the AWS re:Inforce event in Boston. They discussed the evolution of cloud security and AWS’ new announcements. (* Disclosure below.)

Friction-free first in cloud

VPC traffic mirroring is a network tap built into AWS’ EC2 networking. Users can configure a VPC traffic mirror for individual EC2 instances, down to the elastic network interface level. They can configure filters and send the mirrored traffic to targets for analysis, diagnostics and security. This provides the ability to analyze and respond to network traffic, including any suspicious behaviors or threats, in real time.

VPC traffic mirroring isn’t a bolt-on. It’s friction-free and exists right there inside AWS infrastructure with no performance penalty. “I think for the first time in cloud history you can now get extremely high quality network security analytics with practically the flip of a switch,” Rothstein said.

AWS is advocating a shared responsibility model for cloud security, which means customers still must pitch in. In other words, it’s not the end for audit logs and end-point agents. But these older methods don’t compare to newer network traffic analysis for cloud security, Rothstein concluded.

(* Disclosure: ExtraHop Networks Inc. sponsored this segment of theCUBE. Neither ExtraHop nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
