The Relevancy of Backups with Nancy Wang

Episode Summary

“Nobody cares about backups” might ring true in certain circles, and Corey has uttered that line a few times, but there are some who do. Nancy Wang, GM of AWS Backup and AWS Cryo at AWS, does care. A lot. And naturally she had to come on the show and tell Corey about it! Nancy and Corey bat around some back up reasoning. Nancy kindly goes into the nuances of her own work, of which her title actually indicates what she does, and the importance that she sees in back ups. Nancy’s work doesn’t end there—she is also the founder and CEO of Advancing Women in Tech. A 501c non-profit, “Advancing Women” is an education platform designed to help women move into higher positions in their organizations. Check out the conversation for more!

Episode Show Notes & Transcript

About Nancy
Nancy Wang is a global product and technical leader at Amazon Web Services, where she leads P&L, product, engineering, and design for its data protection and governance businesses. Prior to Amazon, she led SaaS product development at Rubrik, the fastest-growing enterprise software unicorn and built for the U.S. Department of Health and Human Services. Passionate about advancing more women into technical roles, Nancy is the founder & CEO of Advancing Women in Tech, a global 501(c)(3) nonprofit with 16,000+ members worldwide.

Nancy is an angel investor in data security and compliance companies, and an LP with several seed- and growth-stage funds such as Operator Collective and IVP. She earned a degree in computer science from the University of Pennsylvania.

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig is the solution for securing DevOps. They have a blog post that went up recently about how an insecure AWS Lambda function could be used as a pivot point to get access into your environment. They’ve also gone deep in-depth with a bunch of other approaches to how DevOps and security are inextricably linked. To learn more, visit and tell them I sent you. That’s S-Y-S-D-I-G dot com. My thanks to them for their continued support of this ridiculous nonsense.

Corey: This episode is sponsored in part by our friends at Rising Cloud, which I hadn’t heard of before, but they’re doing something vaguely interesting here. They are using AI, which is usually where my eyes glaze over and I lose attention, but they’re using it to help developers be more efficient by reducing repetitive tasks. So, the idea being that you can run stateless things without having to worry about scaling, placement, et cetera, and the rest. They claim significant cost savings, and they’re able to wind up taking what you’re running as it is, in AWS, with no changes, and run it inside of their data centers that span multiple regions. I’m somewhat skeptical, but their customers seem to really like them, so that’s one of those areas where I really have a hard time being too snarky about it because when you solve a customer’s problem, and they get out there in public and say, “We’re solving a problem,” it’s very hard to snark about that. Multus Medical,, and Stax have seen significant results by using them, and it’s worth exploring. So, if you’re looking for a smarter, faster, cheaper alternative to EC2, Lambda, or batch, consider checking them out. Visit That’s, and be sure to tell them that I said you because watching people wince when you mention my name is one of the guilty pleasures of listening to this podcast.

Corey: Welcome to Screaming in the Cloud. I’m Corey Quinn. I’ve said repeatedly on this show—and I stand by it—that absolutely nobody cares about backups. Because they don’t. They do care tremendously about restores, usually right after they really should have been caring about backups.

My guest today has more informed opinions on these things than I do, just because I’m bad at computers. But Nancy Wang is someone else entirely. She is AWS’s general manager of the AWS Backup service, and heads the Data Protection Team. Nancy, thank you for tolerating me, I appreciate it.

Nancy: Hey, no worries because you know, when I heard you say I don’t care about backups, I knew I had to come on the show and correct you. [laugh].

Corey: It’s the sort of thing where there’s no one is fanatical as a convert. And every grumpy old sysadmin that is in my cohort either cares a lot about backups or just doesn’t even think about it at all. And the question is—the only thing that separates those two groups is have you lost data yet? And once you’ve lost data and you feel like a heel, you realize, “Wow, this was eminently preventable. What can I do differently to fix this?”

And that’s when people start preaching the virtues of backups, and you know, this novel ridiculous idea of testing the backups you’ve made to make sure that it isn’t just—yeah, it says it’s completing correctly, but if you haven’t restored it, you don’t really know.

Nancy: Yeah. I mean, that’s so true, right? And that’s why when we’re thinking about our holistic data protection strategy, it’s less so about, “Hey, make sure that you take backups”—which is albeit a very important part of the data protection hygiene—but is making sure that you can regularly test the things that you’re backing up to make sure that, frankly, when you happen to be in a disaster scenario, or someone fat fingers a restore process, that you have good known bits to restore from.

Corey: So, people will be forgiven for not, potentially, understanding what AWS Backup is, where it starts and where it stops. I mean, let’s be clear, this is sort of the price you as a company get to pay for having 300-some-odd services; not everyone is conversant with every single one of them. I know, I’m as offended as anyone at that fact, but apparently other people have lives. So, what is AWS Backup?

Nancy: So, on that note, Corey, I do have to say that I’m probably at a more of an advantage in terms of my name being very descriptive and what it does versus, maybe, Athena or Redshift where it’s very clear, hey, we do backups. But actually, if you parse apart the product—and this is why the team itself is called data protection—there are various axes to think about what we do, right? So, to help illustrate, perhaps if you think about axes one as in, what are the different types of application data that we protect, right? There’s obviously database data, there’s going to be file system data, there’s various storage platform data, right? And those are comprised by AWS services that I’m sure you all are very familiar with, love dearly, like RDS, EBS, with EC2, VMs, et cetera, but also, more recently, we added S3, which we’ll get to that in just a bit, but because I’d love to talk about, you know, how folks think about S3 and why you might want to back it up, right? So, that’s axis number 

Now, if we turn to axis number two, it’s about the different platforms where these application data might reside. So there’s, of course, in-cloud, and that’s the place where most people are familiar with and why they might choose to seek out a first party native data protection provider like AWS Backup. And by the way, we just extended our support to on-premises as well, starting with VMware, which is a thing that a lot of backup admins were super excited to hear about, and all those vExperts out there.

And of course, the final axis is we think about how we make sure that we not just protect your data, but we are also able to give you tools like compliance reporting, which we announced in August at re:Inforce, via our CISO, Stephen Schmidt, about, “Hey, once you take your backups, are you monitoring continuously the resource configurations of the application data that you’re protecting?” Are your backup plans architected to meet RPO requirements that your organization needs to meet? Are they being, for example, retained for the right amount of times? Is it seven years or is it a month? Many different organizations have widely varying RPO requirements, so making sure that all of that is captured, monitored, and also reportable so when, hey, those, that auditor decides to knock on your door, you have a report ready to say, “Hey, I’m in compliance. And by the way, I’m proactively thinking about how my organization can meet evolving regulations.”

Corey: Please tell me you’re familiar with AWS Audit Manager, which is, to my understanding, aimed at solving exactly this problem. If the answer is no, this would admittedly not be the first time there I found, “Oh, wow. We have a complete service duplicate hanging out somewhere at AWS.” “Oh, good. How do we make it run in containers?” Being the next obvious question there.

Nancy: Sure. Which is actually a great lead-in to, again, another descriptive name of an AWS service, which is AWS Backup Audit Manager. So, if you recall from the re:Inforce keynote, it was one of the slides that was highlighted. The reason being, I’m a firm believer of a managed solution. Because look, we all know that AWS is great at building, I would say, tools or building blocks, or primitives to design end-to-end solutions.

Corey: It’s the Lego approach to cloud services. “What can I build with this?” “You’re only constrained by your imagination.” “Okay, but what can I build?” “Here to talk about that is someone from Netflix.”

Great. I want to build Twitter for Pets, which I guess now has to stream video? Yeah, it becomes a very different story. The higher-level service offerings are generally not a common area that AWS has excelled in, but this seems to be a notable exception.

Nancy: That’s actually where my background is, right? So, previous to AWS, I worked at a not-so-small startup anymore, called Rubrik, down in Silicon Valley, where we spent a lot of time thinking about what is the end-to-end solution for customers. How can customers simply deploy with one click, make sure that they can create policies that are repeatable, that are automated, and go off when you want them to, and make sure that you have reporting, at the end of the day. So, that’s really what we focused on, right?

But I digress, Corey. To your question about AWS Audit Manager, the name of the service within AWS Backup that handles compliance reporting, and auditing is called AWS Audit Manager, and we certainly didn’t pick that name by fluke. The reason being, we wanted AWS Backup, from that managed solution point of view, to be the single central platform where customers come to create data protection policies, where they come to execute those data protection policies, in backup plans, store their backups in encrypted backup vaults, and have the ability to restore them when they want, and finally, report on them. So, it is that single platform.

Now, with that said, if, for example, you wanted that reporting to come from AWS Audit Manager, which is a service that does a lot of reporting across many AWS services, you also have that ability. So, depending on what user persona you might be, whether you’re from the central compliance office or you’re a member of the data protection team within an organization, you might choose to use that functionality separately. And that’s the flexibility that my team strived to provide.

Corey: One of the most interesting things about AWS Backup is that I did not affirmatively go out of my way to use your service. I did not—to my recollection—wind up saying, “Oh, time to learn about this new thing, and set it up, and be very diligent about it.” But sure enough, I find it showing up on the AWS inventory—which is of course, the bill. And I look at this in a random account I use for various, you know, shitposting extravaganzas, and sure enough, it’s last—so far, this month, it is—I’m recording this near the end of the month—it charged me $3.40 to backup 70 gigs of data.

Which is first, like on the one hand, there is an argument of, “Now, wait a minute. I didn’t opt into this. What gives?” The other side of it though, is how dare you make sure that my data isn’t going to be lost, not through your negligence, but through my own, when I get sloppy with an rm -rf. And because I’ve been using ZFS a fair bit, and it is integrated extraordinarily tightly with that service. It goes super well.

It works out when setting this up, unless you go out of your way to disable it, it will set up a backup plan. And first, that is not generally aligned with how AWS thinks about things, which you across the board, generally the philosophy I’ve gotten is, “Oh, you want to do this thing? That’s a different service team. Do it yourself.” But also, it’s one of those areas that is the least controversial. If you have to make a decision one way or 
another, yeah, it’s opt people into backups. Was that as hard to get approved as I would suspect it would be, or was that sort of a no-brainer?

Nancy: Hopefully you can let me know what your account number is, Corey, so I can make sure it doesn’t get marked for fraud—A—but B, going into, you know, our philosophy on protecting data: So, EFS actually was one of our first AWS services that was supported by the AWS Backup service, which is actually quite a fascinating story in itself because the service [AWS Backup] only launched in 2019. Now, AWS has been around for much, much longer than that—

Corey: And it feels even three times longer than that. But yes.

Nancy: [laugh]. Exactly, right. So, as a central data protection platform for the AWS overall cloud platform, it’s quite interesting that from a managed solution perspective, the service is not yet, you know, four years old. We’re barely embarking on our third year together. So, with that said, why we started with EFS and a few other services is we wanted to cover the most commonly used stateful data stores for AWS Cloud, EFS being one of them, as the first cloud-native—as Wayne Duso would say—Elastic File System in the cloud.

And so what we did is a deeper level integration, what we call our “data plane integration.” So, what does that mean? Customers protecting EFS file systems have the ability to not just restore their entire file system as a file system volume, but also have the ability to specify individual files, folders, that they want to restore from. And so, file level recovery, super, super important. And it’s something that we also want to bring for other file systems down the road as well.

And so, to your question, Corey, a common design principle that we think about is, how do we make sure that customers are protected? Obviously, in a world where we cannot yet use AI to transcribe every part of a customer’s intent when they’re looking to protect their data, the closest that we can get is, “Hey, you create a file system. We assume that you want it protected, unless you tell us you don’t want to.” And so for certain resources, like EFS, where we have a deeper level integration to our own data plane, we can then say, “Once you create a file system will opt you automatically into AWS Backup protection until you tell us to stop.” And from there, you have all the goodness that comes with AWS Backup, such as file-level restore, such as for example now, WORM [write-once-read-many] lock, which disables the ability to mutate backups from anyone, even someone with admin access.

Corey: So, a big announcement in your area at re:Invent, was AWS Backup support for S3. Allow me to set up an intentionally insulting straw man argument here. S3 has vaunted 11 nines of durability, which I think exceeds the likelihood the gravity is going to continue to function. So, are they lying by having AWS Backups supporting it now, or are you just basically selling us something we don’t need? Which is it?

Nancy: Well, you know, Corey, judging by the hundreds of customers who have been filling up my inbox—and that’s why I actually ended up creating a special email alias for the S3 preview—so what we launched at re:Invent was a public preview of the ability to start baking in S3 backup protection—or bucket protection—into their existing data protection workflows, right? And so judging by the hundreds of customers, many of them in highly regulated industries, and FinServ, in healthcare, as well as in the US government, I would say that I think they find it pretty important, and we’re not just peddling things they don’t need. So, I’m getting ahead of myself. We’re actually—we should probably start the conversation—is a deeper dive into how we think about data protection on AWS.

And so there’s two really core schools of thought, right? One is, you know, focused on data durability, which in itself is a function of technology. So, to your point of 11 nines, right? That is very much true, and that’s why S3 increasingly becomes the platform of choice, now, for all of customer’s, you know, analytics information, and other stateful stores that they want to keep an S3 buckets for applications, right? But second of all—and this is a part where AWS Backup wants to focus on—is that concept of data resiliency, which itself is a function of external factors. Because, for example, human errors, such as fat-fingering, or miscellaneous entries, could impact for example, how you can access information that’s stored in your S3 bucket, or unfortunately, sometimes what we’ve heard is accidentally deleting an S3 bucket or certain objects in your S3 bucket.

Corey: This speaks to the idea of that RAID is not a backup. Sure, you want to make sure a drive failure doesn’t lose your data, but you also want to make sure that you overwriting a file that was super important doesn’t happen either and RAID, nor data durability and S3, are going to save you from that.

Nancy: Yeah. Because for example, we have built in—and this is actually very core to not just AWS Backup, but really how we think about data protection on AWS—is again, that separation of control. So, I encourage you to try to delete, let’s say, an EBS volume that is protected by AWS Backup, from the EBS console. You’ll likely find a very glaring error in your face that says, “You do not have sufficient privileges to do so.” And the reason we actually make such a separation of control, or our role-based access control—RBAC—so core to our product design is so that, for example, whoever creates that primary volume should not be the same person that deletes it, unless they do happen to be the same person with two different roles.

And that prevents, for example, unintended mutations. That also enables the data protection administrator to have the ability to, let’s say, do cross-region copies: Having your S3 bucket or objects stored in another region, in another account, that can be completely locked down to anyone, even those with administrator access, right? So, like I said, before, all the platform goodness, AWS Backup, such as version control, WORM locks, having multiple copies of those backups, as well as different protection domains, that’s what customers look for when they come to this service.

And to your point, especially even with highly durable platforms like S3, there’s still external factors that you simply can’t control for all the time, right? And having that peace of mind, having that protection that you know is on 24/7, hey, that keeps businesses up, right? And that keeps consumers like you and me able to enjoy all the goodness that those businesses offer.

Corey: This episode is sponsored by our friends at Oracle HeatWave is a new high-performance query accelerator for the Oracle MySQL Database Service, although I insist on calling it “my squirrel.” While MySQL has long been the worlds most popular open source database, shifting from transacting to analytics required way too much overhead and, ya know, work. With HeatWave you can run your OLAP and OLTP—don’t ask me to pronounce those acronyms again—workloads directly from your MySQL database and eliminate the time-consuming data movement and integration work, while also performing 1100X faster than Amazon Aurora and 2.5X faster than Amazon Redshift, at a third of the cost. My thanks again to Oracle Cloud for sponsoring this ridiculous nonsense.

Corey: I agree wholeheartedly with everything that you’re saying. I had a consulting client where it’s coming in optimize the AWS bill, and, “Wow, that sure is a lot of petabytes over in that S3 infrequent access bucket. How about you change the Infrequent Access-One Zone?” “Oh, no, no, no. We lose this data, it basically ends a division of the company.” “Cool. Do you have multi-factor delete turned on?” “No.” “Do you have versioning turned on?” “No.” “Okay. This is why I call it cost optimization, not cost cutting. You should be backing that up somewhere because there is far likelier—by several orders of magnitude—that you or someone on your team intentionally—unlikely—or by accident—very likely, as someone who’s extremely accident prone with computers, from my own perspective because I am—is going to accidentally cause data loss there. So yeah, spend more money and back that up.”

And they started doing that. So, it’s always nice when your recommendations get accepted. But yeah, if data is that important, you absolutely need to have a strategy around that. What I love so far about what I’ve seen from AWS Backup is—and please don’t take this in any way as criticism on it—is that it’s so brainless. It just works. Because people don’t think about backups until it’s too late to have thought about backups.

Nancy: Yeah, don’t worry, I don’t take that as offense, Corey, otherwise I wouldn’t be on the show. Absolutely, right? My motto is set it and forget it, right? Just as I want to make it super simple for our mission, for customers to understand our mission, as well as, frankly, the engineers who build the service to understand our mission, it is, “We protect our customers’ data on AWS. How? With set-it-and-forget-it data protection policies.”

And we try to configure these policies to be fairly comprehensive. You can set everything from, like I mentioned, warm lock, where you want your backup copies created to: Which regions? Which accounts, for example? Which user role do you want to use with these data protection policies? Which services do you want to protect?

And even recently, we created the selection ability—or as we call it, AWS Backup Select—so you can include, exclude different resources, even when you have the common union of tags specified on your backup plan. So, the reason we went this comprehensive is so that once you configure a data protection policy, you can really rest assured that, hey, I’ve done everything in my power to make sure that these resources, this application data that is so critical to my business, is being protected. And oh, by the way, I can see these backups—or as we call in our lexicon, Recovery Points—directly in my console, in my account.

Corey: And there’s tremendous value to doing that. That is the sort of thing that customers like to see. This is—if you have to move up the stack somewhere, this feels like the place to begin doing it, just because it’s so critical to the rest of it. We all have side projects as well. Like, for example, I wind up making insulting parody music videos for people’s birthdays when they’re not expecting it. You have 80 hours of training content on Coursera. What is that about? Because I don’t think it’s all about backups.

Nancy: No. Although at some point, we should probably get AWS Backup as one of the modules in AWS certification. But I digress. The reason why training is so important to me is one of the ways, actually, that folks find me online is through my presence in the nonprofit world. So, I’m
the founder and CEO of a 501(c)(3) organization that’s called Advancing Women in Technology, or AWIT, or A-W-I-T for short.

The mission of AWIT is really to get more women leaders into visible, into senior tech leadership roles, so frankly and from a selfish perspective, I’m not the only woman in a room many of the times when decisions are being made, right? And that’s not just, you know, I’m talking about my current role, but in various roles that I’ve had throughout the tech industry. So, where does that start? And there’s a lot of different amazing organizations that focus on the early career, beginning in the pipeline, which is super important because it is important to get women, underrepresented groups in the door so that they can advance and they can accelerate their careers to becoming leaders, but the areas where AWIT focus is actually in that mid-career.

Because once folks, and especially women and underrepresented groups are in the door 10 to 15 years, they’re maybe in their first managerial role, or they’re in their first leadership role, that’s the core time when you want to retain that population, where you want to advance that population, so that in the next, I would say, generation—or hopefully it doesn’t even take that long; next 5, 10 years—we see a much more representative leadership room, or board table, right? So, that’s really where that goal starts. And so, why do we have 80 hours of training content because part of advancing your career and accelerating your career is having the right skills. Of course having a right network is also very important, and that’s something else that we preach, but upskilling yourself, constantly learning about new technologies—I mean, the tech world changes by the minute, right, and so being familiar with new technologies, new frameworks, new ways of thinking about product problems, is really what we focus on. So, we were the first to create the Real-World Product Management Specialization, which you can check out on Coursera. You’ll see my mug shot in a lot of those videos.

But actually, also of those of some of the best and brightest underrepresented leaders in the industry, such as Sandy Carter, Mai-Lan Tomsen Bukovec, Sabrina Farmer, I mean, the list goes on and on. Including, you know, personal friend who created Coffee Meets Bagel. So hey, for all those connections made out there on that platform, you know, she’s also a woman CEO, and used to be a product manager at Amazon.

Corey: A dear friend met his partner on Coffee Meets Bagel. I hear good things.

Nancy: Oh, awesome.

Corey: Fortunately, I was married before it launched, so I’ve never used the service myself. If I were a reference customer now, that would raise questions.

Nancy: [laugh]. Well, let’s just say I’m not on the platform, either, so I can’t verify or deny that you have a profile. Yeah. So, just having those underrepresented groups and individuals, really stellar rock stars, role models that we would all consider to be super inspirational, as speakers, as instructors on the courses have given so many folks the inspiration, the encouragement that they need to upskill themselves. And so yes, now educated over 20,000 learners worldwide using those courses.

And I still receive just amazing notes from them on a daily basis, all over LinkedIn about how they’ve managed to get promotions from taking these courses, or how they’ve managed to get jobs in FAANG tech companies as a result of taking these courses. And really, that’s the impact that I want to make is one to n, being able to impact a global audience, upskilling a global audience. And so again, in the future, and not so distant future, the leadership room gets so much more representative.

Corey: And to complete the trifecta of interesting things you do, you are also an early angel investor and a limited partner in a number of startups. Tell me a little bit about that. It’s odd to—at least in my experience—to see folks who are heavily involved in the nonprofit space, the corporate space at a giant tech company, and doing investment all at the same time. It seems like that is not a particularly common combination, at least in the circles in which I travel.

Nancy: You could also probably blame it on my extreme ADHD. That’s probably very true. Don’t worry, I try to control it, most of the time.

Corey: I’ve been struggling to control my own my entire life, which probably explains a lot about why I do the things that I do. I hear you.

Nancy: It makes sense, right? From one to another. It honestly makes me better at my job. And I’ll explain why. So, if you look at some of the new or joint marketing campaigns that AWS Backup or data protection team has done this past year with various startups—namely Open Raven; there’ll be others we’re working with in the new year—being able to just get some of that inspiration from founders, so thinking about how can we have a better together story?

You specialize in, let’s say with the case of Open Raven, in data visibility and let’s say scanning S3 buckets for vulnerabilities, for different content. And hey, we specialize in data recovery process, or then that data protection policy creation process. How do we come together to form a really awesome solution for our highly regulated customers, or compliance-minded customers? That’s the story that I love to tell, and frankly, I just get so inspired from talking to startup founders. The reason why I have also advised a few venture capitalists—namely Felicis Ventures—on, for example, their investment thesis is I just see so much potential in this environment, right?

And there’s really that adage, where it’s big enough sandbox for a lot of players. Just like, for example, how Snowflake and Redshift have managed to coexist together on the AWS platform, there’s a lot of just goodness, too, that exists between the data security world, how they customers think about securing their data, to the data protection world because, hey, you can’t protect what you can’t see, so you need to be make sure that you have that data visibility angle, along with that protection angle, along with that recovery angle. And hey, all of this needs to be within your data perimeter, within a secure zone, right? How do you securitize your data? So, all of that really comes together in this melding world.

And of course, there’s also adjacent themes such as, well, once you protect your data, how can you also make sure that the quality of your data is high? And that’s where pretty interesting startups in the data observability space, such as Monte Carlo, have come up. Which is, “Hey, I need to rely on my business data to make important decisions that affect my customers, so how can I make sure that what’s ever coming out of my data lake or data warehouse is correct, it truly reflects the state of the business?” So, all of that is converging, and that’s why, you know, it’s just super exciting to be a part of this space, to not only create net new, I would say greenfield opportunities on the AWS platform, but also use this as an opportunity to partner with startup CEOs and various startups in the data space, data infrastructure space, to create more use cases, more solutions for customers who otherwise we’d have to rely on either custom scripts, or simply not having any solutions in this space at all.

Corey: There’s something to be said for doing the—how do I frame this?—the boring work that’s always behind the scenes, that is never top of mind. People don’t get excited about things like data protection, about compliance, about cost optimization, about making sure that the fire insurance is paid up on the building before you wind up insulting execs at big companies, et cetera, et cetera. And that—but it is incredibly important—in my case, especially that last one—just because if you don’t get that done, there’s massive risk, and managing that risk is important. It’s nice to see that it’s not just the shiny features that are getting the attention. It’s the stuff of, “Okay, how do we do this safely and securely?” That is the area that I think is not being particularly well served these days, so it’s honestly refreshing to see someone focusing on 
that as an area of active investment.

Nancy: I mean, absolutely. Perhaps one data point I should also share, because I do get questions asked of, “What gets you so excited about compliance, about audit?” Well, I used to work for the US government. So, if that tells you anything—and I used to hold an active secret clearance—that hopefully explains some things about why I’m passionate about the areas I am. But, that’s really where, you know, back to your comment that you made on the core tenet or the ethos of the AWS Backup service, which is, “Set it, forget it, make it super simple,” is I want to design systems or solutions that enable customers to focus on developing applications, working on building business logic, whereas we will create the comprehensive data protection policies that protect your data.

And especially in the world of ever evolving cyber attacks where the attackers are getting more and more sophisticated, they have more backdoor methods that go undetected for many months, as was the case in attacks over the past recent years, or in the case of pesky ransomware attacks, where certain insurance companies have even stopped paying ransoms, right, and you’re wondering, “Well, how do I get my data back?” This is the world that we live in. And so, you know, yes, there might be ever-evolving more, I would say, sophisticated ways to detect vulnerabilities, or attacks, or do pattern matching between known attack patterns, but really what remains core and should be core to a lot of companies’ recovery strategies, as per the NIST cybersecurity framework, is actually having a good way to restore. And that goes back to something that you mentioned at the beginning of this recording, Corey, which is making sure that you’re regularly testing your backups because as you said, no one cares that you’re taking backups, but people do care about the ability to restore. So, having known good bits that exist in a secure vault, that exists maybe in some air gap account or region, where you know that it’s going to be there for you, that it’s restorable is going to be super key.

And we’re already seeing that trend in a lot of customers that I speak with. And by the way, these aren’t just customers in highly regulated industries. They’re really customers that now are increasingly relying on data to make business decisions. Just like, for example, there’s that adage that says, you know, “Software is eating the world,” well, now most businesses are data-driven businesses, and so data is core to their business mission. And so protecting that, it should also be core to their business mission.

Corey: I really wish that were the case a bit more than it is.

Nancy: True that. So, I would have to say, “Hear, hear.” And this is actually what makes my job so, just, fun frankly, is that I get to have these conversations with thought leaders at various different companies, who are my clients or customers of AWS. And these are different, I would say, leaders, ranging from IT leaders, to compliance leaders, to CISOs who I have these conversations with. And oftentimes it does start with this very, I would say, innocuous question, which is, “Well, why should I think about protecting my data?” And then we’re able to go into, “Well, this is how you think about tiering your data, this is how you think about different SLAs that you might have for your data, and then finally, this is how you would think about architecting a data protection solution into your environment.”

Corey: Nancy, I want to thank you for taking some time out of your day to speak with me. If people want to learn more about what you’re up to and how you’re viewing these things, where can they find you?

Nancy: Feel free to connect with me on LinkedIn, whether you have a service that you desperately want AWS Backup to protect—yes, I get a lot of those tweets or LinkedIn posts—absolutely happy to consider them and to prioritize them on the future roadmap. Or if you want to give me a feedback about your experience, more than happy to take those as well. Also, if you’re a startup founder and you have a brilliant new idea, and data infrastructure, always happy to grab coffee or drinks and hear about those ideas.

And lastly, if you’re looking to upskill yourself either product management or cloud tech skills, find us on Coursera at, or on LinkedIn as Advancing Women in Technology. Either way, whether you fit into one or more or all of these buckets, I’d love to hear from you.

Corey: And we will, of course, put links to that in the [show notes 00:32:36]. Thank you so much for speaking with me today. I really 
appreciate it.

Nancy: Well, thank you, Corey. It’s always a pleasure, and I’ll see you very soon in person in SF.

Corey: I look forward to it. Nancy Wang, General Manager of AWS Backup and AWS Data Protection. I’m Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you’ve enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you’ve hated this podcast, please leave a five-star review on your podcast platform of choice along with an insulting comment that I will then delete because it wasn’t backed up.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit to get started.

Announcer: This has been a HumblePod production. Stay humble.

Newsletter Footer

Get the Newsletter

Reach over 30,000 discerning engineers, managers, enthusiasts who actually care about the state of Amazon’s cloud ecosystems.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Sponsor Icon Footer

Sponsor an Episode

Get your message in front of people who care enough to keep current about the cloud phenomenon and its business impacts.