>>Welcome back to the Cube, as a continued coverage here from AWS Reinvent 22. It's day three of our coverage here at the Venetian in Las Vegas, and we're part of the AWS Global Startup Showcase. With me to talk about what Kong's to in that regard is Marco Palladino, who's the, the CTO and the co-founder of Con Marco. Good >>To see you. Well, thanks for having me >>Here. Yeah, I was gonna say, by the way, I, I, you've got a beautiful exhibit down on the show floor. How's the week been for you so far as an exhibitor here? >>It's been very busy. You know, to this year we made a big investment at the WS reinvent. You know, I think this is one of the best conferences in the industry. There is technology developers, but it's also business oriented. So you can learn about all the business outcomes that our, you know, customers or, you know, people are trying to make when, when adopting these new technologies. So it's very good so far. >>Good, good, good to hear. Alright, so in your world, the API world, you know, it used to be we had this, you know, giant elephant. Now we're cutting down the little pieces, right? That's right. We're all going micro now these days. That's right. Talk about that trend a little bit, what you're seeing, and we'll jump in a little deeper as to how you're addressing that. >>Well, I think the industry learned a long time ago that running large code bases is actually quite problematic when it comes to scaling the organization and capturing new opportunities. And so, you know, we're transitioning to microservices because we want to get more opportunities in our business. We want to be able to create new products, fasters, we want to be able to leverage existing services or data that we have built, like an assembly line of software, you know, picking up APIs that other developers are building, and then assemble them together to create new experiences or new products, enter new markets. And so microservices are fantastic for that, except microservices. They also introduce significant concerns on the networking layer, on the API layer. And so this is where Kong specializes by providing API infrastructure to our customers. >>Right. So more about the problems, more about the challenges there, because you're right, it, opportunities always create, you know, big upside and, and I, I don't wanna say downside, but they do introduce new complexities. >>That's right. And introducing new complexity. It's a little bit the biggest enemy of any large organization, right? We want to reduce complexity, we want to move faster, we want to be more agile, and, and we need an API vision to be able to do that. Our teams, you know, I'm speaking with customers here at Reinvent, they're telling me that in the next five years, the organization is going to be creating more APIs than all the APIs they've created up until now. Right? So how do you >>Support, that's a mind boggling number, right? >>It's mind boggling. Yeah, exactly. How do you support that type of growth? And things have been moving so fast. I feel like there is a big dilemma in, you know, with certain organizations where, you know, we have not taught a long term strategy for APIs, whereas we do have a long term strategy for our business, but APIs are running the business. We must have a long term strategy for our APIs, otherwise we're not gonna be able to execute. And that's a big dilemma right now. Yeah. >>So, so how do we get the horse back in front of the cart then? Because it's like you said, it's almost as if we've, we're, we're reprioritizing, you know, incorrectly or inaccurately, right? You're, you're getting a little bit ahead of ourselves. >>Well, so, you know, whenever we have a long-term strategy for pretty much anything in the organization, right? We know what we want to do. We know the outcome that we want to achieve. We work backwards to, you know, determine what are the steps that are gonna bring us there. And, and the responsibility for thinking long term in, in every organization, including for APIs at the end of the day, always falls on the leaders and the should on the shoulders of the leadership and, and to see executives of the organization, right? And so we're seeing, you know, look at aws by the way. Look at Amazon. This conference would not have been possible without a very strong API vision from Amazon. And the CEO himself, Jeff Bezos, everybody talks about wanting to become an API first organization. And Amazon did that with the famous Jeff Bezos mandate today, aws, it's a hundred billion revenue for Amazon. You see, Amazon was not the first organization with, with an e-commerce, but if it was the first one that married a very strong e-commerce business execution with a very strong API vision, and here we are. >>So yeah, here we are putting you squarely in, in, in a pretty good position, right? In terms of what you're offering to the marketplace who has this high demand, you see this trend starting to explode. The hockey sticks headed up a little bit, right? You know, how are you answering that call specifically at how, how are you looking at your client's needs and, and trying to address what they need and when they need it, and how they need it. Because everybody's in a kind of a different place right now. >>Right? That's exactly right. And so you have multiple teams at different stages of their journey, right? With technology, some of them are still working on legacy, some of them are moving to the cloud. Yep. Some of them are working in containers and in microservices and Kubernetes. And so how do you, how do we provide an API vision that can fulfill the needs of the entire organization in such a way that we reduce that type of fragmentation and we don't introduce too much complexity? Well, so at con, we do it by essentially splitting the API platform in three different components. Okay. One is API management. When, whenever we want to expose APIs internally or to an ecosystem of partners, right? Or to mobile, DRA is a service mesh. You know, as we're splitting these microservices into smaller parts, we have a lot of connectivity, all, you know, across all the services that the teams are building that we need to, to manage. >>You know, the network is unreliable. It's by default, not secure, not observable. There is nothing that that works in there. And so how do we make that network reliable without asking our teams to go and build these cross-cut concerns whenever they create a new service. And so we need a service match for that, right? And then finally, we could have the best AP infrastructure in the world, millions of APIs and millions of microservices. Everything is working great. And with no API consumption, all of that would be useless. The value of our APIs and the value of our infrastructure is being driven by the consumption that we're able to drive to all of these APIs. And so there is a whole area of API productivity and discovery and design and testing and mocking that enables the application teams to be successful with APIs, even when they do have a, the proper API infrastructure in place that's made of meshes and management products and so on and so forth. Right. >>Can you gimme some examples? I mean, at least with people that you've been working with in terms of addressing maybe unique needs. Cuz again, as you've addressed, journeys are in different stages now. Some people are on level one, some people are on level five. So maybe just a couple of examples Yeah. Of clients with whom you've been working. Yeah, >>So listen, I I was talking with many organizations here at AWS Reinvent that are of course trying to migrate to the cloud. That's a very common common transformation that pretty much everybody's doing in the world. And, and how do you transition to the cloud by de-risking the migration while at the same time being able to get all the benefits of, of running in the cloud? Well, we think that, you know, we can do that in two, two ways. One, by containerizing our workloads so that we can make them portable. But then we also need to lift and shift the API connectivity in such a way that we can determine how much traffic goes to the legacy and how much traffic goes to the new cloud infrastructure. And by doing that, we're able to deal with some of these transformations that can be quite complex. And then finally, API infrastructure must support every team in the organization. >>And so being able to run on a single cloud, multi-cloud, single cluster, multi cluster VMs containers, that's important and essential because we want the entire organization to be on board. Because whenever we do not do that, then the developers will make short term decisions that are not going to be fitting into the organizational outcomes that we want to achieve. And we look at any outcome that your organization wants to achieve the cloud transformation, improving customer retention, creating new products, being more agile. At the end of the day, there is an API that's powering that outcome. >>Right? Right. Well, and, and there's always a security component, right? That you have to be concerned about. So how are you raising that specter with your clients to make them aware? Because sometimes it, I wouldn't say it's an afterthought, but sometimes it's not the first thought. And, and obviously with APIs and with their integral place, you know, in, in the system now security's gotta be included in that, right? >>API security is perhaps the biggest, biggest request that we're hearing from customers. You know, 83% of the world's internet traffic at the end of the day runs on APIs, right? That's a lot of traffic. As a matter of fact, APIs are the first attack vector for any, you know, malicious store party. Whenever there is a breach, APIs must be secured. And we can secure APIs on different layers of our infrastructure. We can secure APIs at the L four mesh layer by implementing zero trust security, for example, encrypting all the traffic, assigning an identity to every service, removing the concept of trust from our systems because trust is exploitable, right? And so we need to remove the cut zero trust, remove the concept of trust, and then once we have that underlying networking that's being secure and encrypted, we want to secure access to our APIs. >>And so this is the typical authentication, authorization concerns. You know, we can use patterns like op, op or opa open policy agent to create a security layer that does not rely on the team's writing code every time they're creating a new service. But the infrastructure is enforcing the type of layer. So for example, last week I was in Sweden, as a matter of fact speaking with the largest bank in Sweden while our customers, and they were telling us that they are implementing GDPR validation in the service mesh on the OPPA layer across every service that anybody's building. Why? Well, because you can embed the GDPR settings of the consumer into a claim in a gel token, and then you can use OPPA to validate in a blanket way that Jo Token across every service in the mesh, developers don't have to do that. It just comes out of the box like that. And then finally, so networking, security, API security for access and, and management of those APIs. And then finally we have deep inspection of our API traffic. And here you will see more exotic solutions for API security, where we essentially take a subset of our API traffic and we try to inspect it to see if there is anybody doing anything that they shouldn't be doing and, and perhaps block them or, you know, raise, raise, raise the flag, so to speak. >>Well, the answer is probably yes, they are. Somebody's trying to, somebody's trying to, yeah, you're trying to block 'em out. Before I let you go, you've had some announcements leading up here to the show that's just to hit a few of those highlights, if you would. >>Well, you know, Kong is an organization that you know, is very proud of the technology that we create. Of course, we started with a, with the API gateway Con Gateway, which was our first product, the most adopted gateway in the world. But then we've expanded our platform with service mesh. We just announced D B P F support in the service mesh. For example, we made our con gateway, which was already one of the fastest gateway, if not the fastest gateway out there, 30% faster with Con Gateway 3.0. We have shipped an official con operator for Kubernetes, both community and enterprise. And then finally we're doubling down on insomnia, insomnia's, our API productivity application that essentially connects the developers with the APIs that are creating and allows them to create a discovery mechanism for testing, mocking the bagging, those APIs, all of this, we of course ship it OnPrem, but then also on the cloud. And you know, in a cloud conference right now, of course, cloud, right? Right. Is a very important part of our corporate strategy. And our customers are asking us that. Why? Because they don't wanna manage the software, they want the API platform, they don't, don't wanna manage it. >>Well, no, nobody does. And there are a few stragglers, >>A few, a few. And for them there is the on-prem >>Platform. Fine, let 'em go. Right? Exactly. But if you wanna make it a little quick and dirty, hand it off, right? Oh, >>That's exactly right. Yes. >>Let Con do the heavy lifting for you. Hey Marco, thanks for the time. Yeah, thank you so much. We appreciate, and again, congratulations on what appears to be a pretty good show for you guys. Yeah, thank you. Well done. All right, we continue our discussions here at aws. Reinvent 22. You're watching the Cube, the leader in high tech coverage. >>Okay.

well hello everybody John Wallace here on thecube he's continuing our segments here on the AWS Global startup showcase we are at day three of Reinventing irking Zhang is joining us now he is the CEO co-founder of Jupiter one um first off before we get going talking about you know security and big world for you guys I know what's your take on the show what's been going on out here at re invent yeah yeah ring event has been one of my favorite shows there's a lot of people here there's a lot of topics of course it's not just cyber security a lot of cloud infrastructure and just technology in general so you get a lot you know if you go walk the floor you see a lot of vendors you look at us go into sessions you can learn a lot but you're the Hot Topic right everybody's focused on Cyber yeah big time and with good reason right because as we know the Bad actors are getting even smarter and even faster and even more Nimble so just paint the landscape for me here in general right now as you see uh security Cloud Security in particular and and kind of where we are in that battle well we are clearly not winning so I think that in itself is a bit of a uh interesting problem right so as a it's not just Cloud security if you think about cyber security in general as an industry it has it has not been around for that long right but if you just look at the history of it uh we haven't done that while so uh pick another industry say medicine which has been around forever and if you look at the history of Medicine well I would argue you has done tremendously well because people live longer right when you get sick you get access to health care and yeah exactly you have Solutions and and you can see the trend even though there are problems in healthcare of course right but the trend is is good it's going well but not in cyber security more breaches more attacks more attackers we don't know what the hell we're doing with that many solutions and you know that's been one of my struggles as a former CSO and security practitioner for many years you know why is it that we're not getting better all right so I'm going to ask you the question yeah okay why aren't we getting better you know how come we can't stay ahead of the curve on this thing that for some reason it's like whack-a-mole times a hundred every time we think we solve one problem we have a hundred more that show up over here exactly and we have to address that and and our attention keeps floating around yeah I think you said it right so because we're taking this guacamole approach and we're looking for the painkiller of the day and you know we're looking for uh the Band-Aids right so and then we ended up well I I think to be fair to be fair to your industry the industry moves so quickly technology in general moves so quickly and security has been playing catch-up over time we're still playing catch-up so when you're playing catch-up you you can almost only uh look at you know what's the painkiller of what's the band name of the day so I can stop the bleeding right but I do think that we're we're to a point or we have enough painkillers and Band-Aids and and we need to start looking at how can we do better fundamentally with the basics and do the basics well because a lot of times the basics that get you into trouble so fundamentally the foundation I if I hear you right what you're saying is um you know quick changing industry right things are moving rapidly but we're not blocking and tackling we're not doing the X's and O's and so forget changing and we we got to get back to the basis and do those things right exactly you can only seem so simple it seems so simple but it's so hard right so you can you can think about you know uh even in case of building a starter building a company and and in order at one point right so we're blocking uh blocking tackling and then when we grow to a certain size we have to scale we have to figure out how to scale the business this is the same problem that happens in security as an industry we've been blocking happening for so long you know we're the industry is so young but we're to a point that we got to figure out how to scale this scale this in a fundamentally different way and I'll give you some example right so so what when we say the basics now it's easy to to think that say users should have MFA enabled is one of the basics right or another Basics will be you have endpoint protection on your devices you know maybe it's Cloud strike or Sentinel one or carbon black or whatever but the question being how do you know it is working 100 of the time right how do you know that how do you know right you find out too exactly that's right and how do you know that you have 100 coverage on your endpoints those Solutions are not going to tell you because they don't know what they don't know right if it's not enabled if it's not you know what what's the negative that you are not seeing so that's one of the things that you know that's in the basic state that you're now covering so the fundamentals it really goes to these five questions that I think that nobody has a really good answer for until now so the five questions goes what do I have right is it important what's important out of all the things I have you have a lot right you could have millions of things what important now for those that are important does it have a problem and if it has a problem who can fix it because the reality is in most cases security teams are not the ones fixing the problems they're they're the ones identical they're very good at recognizing but not so good exactly identifying the owner who can fix it right right could be could be business owner could be Engineers so the the asset ownership identification right so so these four questions and and then over time you know whether it's over a week or a month or a quarter or a year am I getting better right and then you just keep asking these questions in different areas in different domains with a different lens right so maybe that's endpoints maybe that's Cloud maybe that's you know users maybe that's a product and applications right but it really boils down to these five questions that's the foundation for any good security program if you can do that well I think we cover a lot of bases and we're going to be in much better shape than we have been all right so where do you come in man Jupiter one in terms of what you're providing because obviously you've identified this kind of pyramid yes this hierarchy of addressing needs and I assume obviously knowing you as I do and knowing the company as I do you've got Solutions that's exactly right right and and we precisely answer those five questions right for uh any organization uh from a asset perspective right because all the the answers to all those these five questions are based in assets it starts with knowing what I have right right so the the overall challenge of cyber security being broke broken I I believe is fundamentally that people do not understand and cannot uh probably deal with the complexity that we have within our own environments so again like you know using uh medicine as an example right so in order to come up with the right medicine for either it's a vaccine for covid-19 or whether it is a treatment for cancer or whatever that case may be you have to start with the foundations of understanding both the pathogen and to the human body like DNA sequencing right without those you cannot effectively produce the right medicine in modern uh you know Medicine sure right so that is the same thing that's happening in cyber security you know we spend a lot of times you know putting band days in patches right and then we spend a lot of time doing attacker research from the outside but we don't fundamentally understand in a complete way what's the complexity within our own environment in terms of digital assets and that's that's almost like the DNA of your own work what is that kind of mind-blowing in a way that if again hearing you what you're talking about is saying that the first step is to identify what you have that's right so it seems just so basic that that I should know what I what's under my hood I should know what is valuable and what is not I should prioritize what I really need to protect and what maybe can go on the second shelf yeah it has been a tough problem since the beginning of I.T not just the beginning of cyber security right so in the history of I.T we have this thing called cmdb configuration management database it is supposed to capture the configurations of it assets now over time that has become a lot more complex and and there's a lot more than just it asset that we have to understand from a security and attack service perspective right so we have to understand I.T environments we have to understand Cloud environments and applications and users and access and data and as and all of those things then then we have to take a different approach of sort of a modern cmdb right so what is the way that we can understand all of those complexity within all of those assets but not just independently within those silos but rather in a connected way so we can not only understand the attack surface but only but also understand the attack path that connect the dots from one thing to another right because everything in the organization is actually connected if if there's any one thing that sits on an island right so if you say you have a a a a server or a device or a user that is on an island that is not connected to the rest of the organization then why have it right and it doesn't matter so it's the understanding of that connect connected tissue this entire map where this you know DNA sequencing equivalent of a digital organization is what Jupiter one provides right so that visibility of the fundamental you know very granular uh level of assets and resources to answer those five questions and how does that how do I get better at that then I mean I have you to help me but but internally within our organization um I mean I don't want to be rude but I mean do I have do I have the skill for that do I have um do I have the the internal horsepower for that or or is there some need to close that Gap and how do I do it you know I'll tell you two things right so so one you mentioned the worst skills right so let me start there so because this one is very interesting we also have a huge skills shortage in cyber security we will we've all heard that for years and and and and for a long time but if you dig deeper into it why is that why is that and you know we have a lot of you know talented people right so why do we still have a skills shortage now what's interesting is if you think about what we're asking security people to do is mind-boggling so if you if you get a security analyst to say hey I want to understand how to protect something or or how to deal with an incident and what you're asking the person to do is not only to understand the security concept and be a domain expert in security you're also asking the person to and understand at the same time AWS or other clouds or endpoints or code or applications so that you can properly do the analysis and the in the response it's it's impossible it's like you know if you have you have to have a person who's an expert in everything know everything about everything that's right it's impossible so so so that's that's one thing that we have to to resolve is how do we use technology like Jupiter one to provide an abstraction so that there's Automation in place to help the security teams be better at their jobs without having to be an expert in deep technology right just add the abstract level of understanding because you know we can we can model the data and and provide the analysis and visual visualization out of the box for them so they can focus on just the security practices so that's one and the second thing is we have to change the mindset like take vulnerability management as an example right so the mindset for vulnerability management has been how do I manage findings now we have to change it to the concept of more proactive and how to manage assets so let's think about uh you know say log4j right that that happened and uh you know when it happened everybody scrambles and said hey which which devices or which you know uh systems have log4j and you know it doesn't matter what's the impact we can fix it right going back to those questions that that I mentioned before right and then um and then they try to look for a solution at a time say well where's that silver bullet that can give me the answers now what what what we struggle with though is that you know I want to maybe ask the question where were you six months ago where were you six months ago where you could have done the due diligence and put something in place that help you understand all of these assets and connections so you can go to one place and just ask for that question when something like that you know hit the fan so so if we do not fundamentally change the mindset to say I have to look at things not from a reactive findings perspective but really starting from an asset-centric you know day one perspective to look at that and have this Foundation have this map build we can't get there right so it's like you know if I need direction I go to Google Maps right but the the reason that it works is because somebody has done the work of creating the map right right if you haven't if you don't have the map and you just at you know when the time you say I gotta go somewhere and you expect the map to magically happen to show you the direction it's not going to work right right I imagine there are a lot of people out there right now are listening to thinking oh boy you know and that's what Jupiter one's all about they're there to answer your oh boy thanks for the time of course I appreciate the insights as well it's nice to know that uh at least somebody is reminding us to keep the front door locked too that's just the back door the side doors keep that front door and that garage locked up too definitely um all right we'll continue our coverage here at AWS re invent 22 this is part of the AWS Global startup showcase and you're watching the cube the leader in high-tech coverage foreign