>>Hey, everyone. Welcome back to accelerating analytics, maturity. I'm your host. Lisa Martin, Alan Jacobson joins me next. The chief data and analytics officer at Altrix Ellen. It's great to have you on the program. >>Thanks Lisa. >>So Ellen, as we know, everyone knows that being data driven is very important. It's a household term these days, but 93% of organizations are not utilizing the analytics skills of their employees, which is creating a widening analytics gap. What's your advice, your recommendations for organizations who are just starting out with analytics >>And you're spot on many organizations really aren't leveraging the, the full capability of their knowledge workers. And really the first step is probably assessing where you are on the journey, whether that's you personally, or your organization as a whole, we just launched an assessment tool on our website that we built with the international Institute of analytics, that in a very short period of time, in about 15 minutes, you can go on and answer some questions and understand where you sit versus your peer set versus competitors and kind of where you are on the journey. >>So when people talk about data analytics, they often think, ah, this is for data science experts like people like you. So why should people in the lines of business like the finance folks, the marketing folks, why should they learn analytics? >>So domain experts are really in the best position. They, they know where the gold is buried in their companies. They know where the inefficiencies are, and it is so much easier and faster to teach a domain expert a bit about how to automate a process or how to use analytics than it is to take a data scientist and try to teach them to have the knowledge of a 20 year accounting professional or a, or a logistics expert of your company. It much harder to do that. And really, if you think about it, the world has changed dramatically in a very short period of time. If, if you were a marketing professional 30 years ago, you likely didn't need to know anything about the internet, but today, do you know what you would call that marketing professional? If they didn't know anything about the internet, probably unemployed or retired. And so knowledge workers are having to learn more and more skills to really keep up with their professions. And analytics is really no exception. Pretty much in every profession, people are needing to learn analytics, to stay current and, and be capable for their companies. And companies need people who can do that. >>Absolutely. It seems like it's table stakes. These days, let's look at different industries. Now, are there differences in how you see analytics in automation being employed in different industries? I know Altrix is being used across a lot of different types of organizations from government to retail. I also see you're now with some of the leading sports teams, any differences in industries. >>Yeah. There's an incredible actually commonality between domains industry to industry. So if you look at what an HR professional is doing, maybe attrition analysis, it's probably quite similar, whether they're in oil and gas or in a high tech software company. And so really the similarities are, are much larger than you might think. And even on the, on, on the, on the sports front, we see many of the analytics that sports teams perform are very similar. So McLaren is one of the great partners that we work with and they use TRICS across many areas of their business from finance to production, extreme sports, logistics, wind tunnel engineering, the marketing team analyzes social media data, all using Altrics. And if I take as an example, the finance team, the finance team is trying to optimize the budget to make sure that they can hit the very stringent targets that F1 sports has. And I don't see a ton of difference between the optimization that they're doing to hit their budget numbers and what I see fortune 500 finance departments doing to optimize their budget. And so really the, the commonality is very high. Even across industries. >>I bet every F fortune 500 or even every company would love to be compared to the same department within McLaren F1, just to know that wow, what they're doing is so in incre incredibly important as is what we are doing. Absolutely. So talk about lessons learned, what lessons can business leaders take from those organizations like McLaren, who are the most analytically mature >>Probably first and foremost, is that the ROI with analytics and automation is incredibly high. Companies are having a ton of success. It's becoming an existential threat to some degree, if, if your company isn't going on this journey and your competition is it, it can be a, a huge problem. IDC just did a recent study about how companies are unlocking the ROI using analytics. And the data was really clear organizations that have a higher percentage of their workforce using analytics are enjoying a much higher return from their analytic investment. And so it's not about hiring two double PhD statisticians from Oxford. It really is how widely you can bring your workforce on this journey. Can they all get 10% more capable? And that's having incredible results at businesses all over the world. An another key finding that they had is that the majority of them said that when they had many folks using analytics, they were going on the journey faster than companies they didn't. And so picking technologies, that'll help everyone do this and, and do this fast and do it easily. Having an approachable piece of software that everyone can use is really a key, >>So faster able to move faster, higher ROI. I also imagine analytics across the organization is a big competitive advantage for organizations in any industry. >>Absolutely the IDC or not. The IDC, the international Institute of analytics showed huge correlation between companies that were more analytically mature versus ones that were not. They showed correlation to growth of the company. They showed correlation to revenue and they showed correlation to shareholder values. So across really all of the, the, the key measures of business, the more analytically mature companies simply outperformed their competition. >>And that's key these days is to be able to outperform your competition. You know, one of the things that we hear so often, Alan, is people talking about democratizing data and analytics. You talked about the line of business workers, but I gotta ask you, is it really that easy for the line of business workers who aren't trained in data science, to be able to jump in, look at data, uncover and extract business insights to make decisions. >>So in, in many ways, it really is that easy. I have a 14 and 16 year old kid. Both of them have learned Altrics they're, Altrics certified. And, and it was quite easy. It took 'em about 20 hours and they were, they, they were off to the races, but there can be some hard parts. The hard parts have more to do with change management. I mean, if you're an accountant, that's been doing the best accounting work in your company for the last 20 years. And all you happen to know is a spreadsheet for those 20 years. Are you ready to learn some new skills? And, and I would suggest you probably need to, if you want, keep up with your profession. The, the big four accounting firms have trained over a hundred thousand people in Altrix just one firm has trained over a hundred thousand. >>You, you can't be an accountant or an auditor at some of these places with, without knowing Altrix. And so the hard part, really in the end, isn't the technology and learning analytics and data science. The harder part is this change management change is hard. I should probably eat better and exercise more, but it's, it's hard to always do that. And so companies are finding that that's the hard part. They need to help people go on the journey, help people with the change management to, to help them become the digitally enabled accountant of the future. The, the logistics professional that is E enabled that that's the challenge. >>That's a huge challenge. Cultural, cultural shift is a challenge. As you said, change management. How, how do you advise customers? If you might be talking with someone who might be early in their analytics journey, but really need to get up to speed and mature to be competitive, how do you guide them or give them recommendations on being able to facilitate that change management? >>Yeah, that's a great question. So, so people entering into the workforce today, many of them are starting to have these skills Altrics is used in over 800 universities around the globe to teach finance and to teach marketing and to teach logistics. And so some of this is happening naturally as new workers are entering the workforce, but for all of those who are already in the workforce have already started their careers, learning in place becomes really important. And so we work with companies to put on programmatic approaches to help their workers do this. And so it's, again, not simply putting a box of tools in the corner and saying free, take one. We put on hackathons and analytic days, and it can, it can be great fun. We, we have a great time with, with many of the customers that we work with helping them, you know, do this, helping them go on the journey and the ROI, as I said, you know, is fantastic. And not only does it sometimes affect the bottom line, it can really make societal changes. We've seen companies have breakthroughs that really make great impact to society as a whole. >>Isn't that so fantastic to see the, the difference that that can make. It sounds like you're, you guys are doing a great job of democratizing access to alter X to everybody. We talked about the line of business folks and the incredible importance of enabling them and the, the ROI, the speed, the competitive advantage. Can you share some specific examples that you think of Alter's customers that really show data breakthroughs by the lines of business using the technology? >>Yeah, absolutely. So, so many to choose from I'll I'll, I'll give you two examples. Quickly. One is armor express. They manufacture life saving equipment, defensive equipments, like armor plated vests, and they were needing to optimize their supply chain, like many companies through the pandemic. We, we see how important the supply chain is. And so adjusting supply to, to match demand is, is really vital. And so they've used all tricks to model some of their supply and demand signals and built a predictive model to optimize the supply chain. And it certainly helped out from a, a dollar standpoint, they cut over a half a million dollars of inventory in the first year, but more importantly, by matching that demand and supply signal, you're able to better meet customer customer demand. And so when people have orders and are, are looking to pick up a vest, they don't wanna wait. >>And, and it becomes really important to, to get that right. Another great example is British telecom. They're, they're a company that services the public sector. They have very strict reporting regulations that they have to meet and they had, and, and this is crazy to think about over 140 legacy spreadsheet models that they had to run to comply with these regulatory processes and, and report, and obviously running 140 legacy models that had to be done in a certain order and linked incredibly challenging. It took them over four weeks, each time that they had to go through that process. And so to, to save time and have more efficiency in doing that, they trained 50 employees over just a two week period to start using Altrix and, and, and learn Altrix. And they implemented an all new reporting process that saw a 75% reduction in the number of man hours. >>It took to run in a 60% runtime performance. And so, again, a huge improvement. I can imagine it probably had better quality as well, because now that it was automated, you don't have people copying and past data into a spreadsheet. And that was just one project that this group of, of folks were able to accomplish that had huge ROI, but now those people are moving on and automating other processes and performing analytics in, in other areas, you can imagine the impact by the end of the year that they will have on their business, you know, potentially millions upon millions of dollars. This is what we see again. And again, company after company government agency, after government agency is how analytics are really transforming the way work is being done. >>That was the word that came to mind when you were describing the all three customer examples, the transformation, this is transformative. The ability to leverage alters to, to truly democratize data and analytics, give access to the lines of business is transformative for every organization. And, and also the business outcomes. You mentioned, those are substantial metrics based business outcomes. So the ROI and leveraging a technology like alri seems to be right there, sitting in front of you. >>That's right. And, and to be honest, it's not only important for these businesses. It's important for, for the knowledge workers themselves. I mean, we, we hear it from people that they discover Alrich, they automate a process. They finally get to get home for dinner with their families, which is fantastic, but, but it leads to new career paths. And so, you know, knowledge workers that have these added skills have so much larger opportunity. And I think it's great when the needs of businesses to become more analytics and analytic and automate processes actually matches the needs of the employees. And, you know, they too wanna learn these skills and become more advanced in their capabilities, >>Huge value there for the business, for the employees themselves to expand their skillset, to, to really open up so many opportunities for not only the business to meet the demands of the demanding customer, but the employees to be able to really have that breadth and depth in their field of service. Great opportunities there. Alan, is there anywhere that you wanna point the audience to go, to learn more about how they can get started? >>Yeah. So one of the things that we're really excited about is how fast and easy it is to learn these tools. So any of the listeners who wanna experience Altrix, they can go to the website, there's a free download on the website. You can take our analytic maturity assessment, as we talked about at the beginning and, and see where you are on the journey and just reach out. You know, we'd love to work with you and your organization to see how we can help you accelerate your journey on, on analytics and automation, >>Alan, it was a pleasure talking to you about democratizing data and analytics, the power in it for organizations across every industry. We appreciate your insights and your time. >>Thank you so much >>In a moment, Paula Hanson, who is the president and chief revenue officer of ultras and Jackie Vander lay graying. Who's the global head of tax technology at eBay will join me. You're watching the cube, the leader in high tech enterprise coverage.

>>Hey everyone. Welcome back to the program. Lisa Martin here, I've got two guests joining me, please. Welcome back to the cube. Paula Hansen, the chief revenue officer and president at Al alters and Jackie Vander lake grayling joins us as well. The global head of tax technology at eBay. They're gonna share with you how an alter Ricks is helping eBay innovate with analytics. Ladies. Welcome. It's great to have you both on the program. >>Thank you, Lisa. It's great to be here. >>Yeah, Paula, we're gonna start with you in this program. We've heard from Jason Klein, we've heard from Alan Jacobson, they talked about the need to democratize analytics across any organization to really drive innovation with analytics. As they talked about at the forefront of software investments, how's alters helping its customers to develop roadmaps for success with analytics. >>Well, thank you, Lisa. It absolutely is about our customer's success. And we partner really closely with our customers to develop a holistic approach to their analytics success. And it starts of course, with our innovative technology and platform, but ultimately we help our customers to create a culture of data literacy and analytics from the top of the organization, starting with the C-suite. And we partner with our customers to build their roadmaps for scaling that culture of analytics through things like enablement programs, skills, assessments, hackathons, setting up centers of excellence to help their organizations scale and drive governance of this analytics capability across the enterprise. So at the end of the day, it's really about helping our customers to move up their analytics, maturity curve with proven technologies and best practices so they can make better business decisions and compete in their respective industries. >>Excellent. Sounds like a very strategic program. We're gonna unpack that Jackie, let's bring you into the conversation. Speaking of analytics maturity, one of the things that we talked about in this event is the IDC report that showed that 93% of organizations are not utilizing the analytics skills of their employees, but then there's eBay. How Jackie did eBay become one of the 7% of organizations who's really maturing and how are you using analytics across the organization at eBay? >>So I think the main thing for us is just when we started out was is that, you know, our, especially in finance, they became spreadsheet professionals instead of the things that we really want our employees to add value to. And we realized we had to address that. And we also knew we couldn't wait for all our data to be centralized until we actually start using the data or start automating and be more effective. So ultimately we really started very, very actively embedding analytics in our people and our data and our processes, >>Starting with people is really critical. Jackie, continuing with you, what were some of the roadblocks to analytics adoption that you faced and how did you overcome them? >>So I think, you know, eBay is a very data driven company. We have a lot of data. I think we are 27 years around this year, so we have the data, but it is everywhere. And how do you use that data? How do you use it efficiently? How do you get to the data? And I believe that that is definitely one of our biggest roadblocks when we started out and, and just finding those data sources and finding ways to connect to them to move forward. The other thing is, is that, you know, people were experiencing a lot of frustration. I mentioned before about the spreadsheet professionals, right? And we, there was no, we're not independent. You couldn't move forward. You would've opinion on somebody else's roadmap to get to data and to get the information you wanted. So really finding something that everybody could access analytics or access data. >>And finally we have to realize is that this is uncharted territory. This is not exactly something that everybody is used to working with every day. So how do you find something that is easy? And that is not so daunting on somebody who's brand new to the field. And I would, I would call those out as your, as your major roadblocks, because you always have not always, but most of the times you have support from the top in our case, we have, but in the end of the day, it's, it's our people that need to actually really embrace it and, and making that accessible for them, I would say is definitely not per se, a roadblock, but basically some, a block you wanna be able to move. >>It's really all about putting people. First question for both of you and Paula will start with you. And then Jackie will go to you. I think the message in this program that the audience is watching with us is very clear. Analytics is for everyone should be for everyone. Let's talk now about how both of your organizations are empowering people, those in the organization that may not have technical expertise to be able to leverage data so that they can actually be data driven Paula. >>Yes. Well, we leverage our platform across all of our business functions here at Altrix and just like Jackie explained it, eBay finances is probably one of the best examples of how we leverage our own platform to improve our business performance. So just like Jackie mentioned, we have this huge amount of data flowing through our enterprise and the opportunity to leverage that into insights and analytics is really endless. So our CFO, Kevin Rubin has been a, a key sponsor for using our own technology. We use Altrix for forecasting, all of our key performance metrics for business planning across our audit function, to help with compliance and regulatory requirements tax, and even to close our books at the end of each quarter. So it's really remain across our business. And at the end of the day, it comes to how do you train users? How do you engage users to lean into this analytic opportunity to discover use cases? >>And so one of the other things that we've seen many companies do is to gamify that process, to build a game that brings users into the experience for training and to work with each other, to problem solve and along the way, maybe earn badges depending on the capabilities and trainings that they take. And just have a little healthy competition as an employee base around who can become more sophisticated in their analytic capability. So I think there's a lot of different ways to do it. And as Jackie mentioned, it's really about ensuring that people feel comfortable, that they feel supported, that they have access to the training that they need. And ultimately that they are given both the skills and the confidence to be able to be a part of this great opportunity of analytics. >>That confidence is key. Jackie, talk about some of the ways that you're empowering folks without that technical expertise to really be data driven. >>Yeah, I think it means to what Paula has said in terms of, you know, you know, getting people excited about it, but it's also understanding that this is a journey and everybody's the different place in their journey. You have folks that's already really advanced who has done this every day. And then you have really some folks that this is brand new and, or maybe somewhere in between. And it's about how you put, get everybody in their different phases to get to the, the initial destination. I say initially, because I believe the journey is never really complete. What we have done is, is that we decided to invest in an Ebola group of concept. And we got our CFO to sponsor a hackathon. We opened it up to everybody in finance, in the middle of the pandemic. So everybody was on zoom and we had, and we told people, listen, we're gonna teach you this tool super easy. >>And let's just see what you can do. We ended up having 70 entries. We had only three weeks. So, and these are people that has N that do not have a background. They are not engineers, they're not data scientists. And we ended up with a 25,000 hour savings at the end of that hackathon from the 70 inches with people that have never, ever done anything like this before and there you had the result. And then it just went from there. It was, people had a proof of concept. They, they knew that it worked and they overcame the initial barrier of change. And that's where we are seeing things really, really picking up. Now >>That's fantastic. And the, the business outcome that you mentioned there, the business impact is massive helping folks get that confidence to be able to overcome. Sometimes the, the cultural barriers is key. I think another thing that this program has really highlighted is there is a clear demand for data literacy in the job market, regardless of organization. Can each of you share more about how you are empowering the next generation of data workers, Paula will start with you? >>Absolutely. And, and Jackie says it so well, which is that it really is a journey that organizations are on. And, and we, as people in society are on in terms of upskilling our capabilities. So one of the things that we're doing here at Altrix to help address this skillset gap on a global level is through a program that we call sparked, which is essentially a, no-cost a no cost analytics education program that we take to universities and colleges globally to help build the next generation of data workers. When we talk to our customers like eBay and many others, they say that it's difficult to find the skills that they want when they're hiring people into the job market. And so this program's really developed just to, to do just that, to close that gap and to work hand in hand with students and educators to improve data literacy for the next generation. So we're just getting started with sparked. We started last may, but we currently have over 850 educational institutions globally engaged across 47 countries. And we're gonna continue to invest here because there's so much opportunity for people, for society and for enterprises, when we close gap and empower more people within necessary analytics skills to solve all the problems that data can help solve. >>So spark has made a really big impact in such a short time period. And it's gonna be fun to watch the progress of that. Jackie, let's go over to you now talk about some of the things that eBay is doing to empower the next generation of data workers. >>So we basically wanted to make sure that we keep that momentum from the hackathon that we don't lose that excitement, right? So we just launched a program called Ebo masterminds. And what it basically is, it's an inclusive innovation initiative where we firmly believe that innovation is all up scaling for all analytics for. So it doesn't matter. Your background doesn't matter which function you are in, come and participate in, in this where we really focus on innovation, introducing new technologies and upskilling our people. We are apart from that, we also say, well, we should just keep it to inside eBay. We, we have to share this innovation with the community. So we are actually working on developing an analytics high school program, which we hope to pilot by the end of this year, where we will actually have high schoolers come in and teach them data essentials, the soft skills around analytics, but also how to use alter alter. And we're working with actually, we're working with spark and they're helping us develop that program. And we really hope that as a say, by the end of the year, have a pilot and then also make you, so we roll it out in multiple locations in multiple countries and really, really focus on, on that whole concept of analytics, role >>Analytics for all sounds like ultra and eBay have a great synergistic relationship there that is jointly aimed at, especially kind of going down the staff and getting people when they're younger, interested, and understanding how they can be empowered with data across any industry. Paula, let's go back to you. You were recently on the Cube's super cloud event just a couple of weeks ago. And you talked about the challenges the companies are facing as they're navigating. What is by default a multi-cloud world? How does the alters analytics cloud platform enable CIOs to democratize analytics across their organization? >>Yes, business leaders and CIOs across all industries are realizing that there just aren't enough data scientists in the world to be able to make sense of the massive amounts of data that are flowing through organizations. Last I check there was 2 million data scientists in the world. So that's woefully underrepresented in terms of the opportunity for people to be a part of the analytics solution. So what we're seeing now with CIOs with business leaders is that they're integrating data analysis and the skill of data analysis into virtually every job function. And that is what we think of when we think of analytics for all. And so our mission with Altrics analytics cloud is to empower all of those people in every job function, regardless of their skillset. As Jackie pointed out from people that would, you know, are just getting started all the way to the most sophisticated of technical users. Every worker across that spectrum can have a meaningful role in the opportunity to unlock the potential of the data for their company and their organizations. So that's our goal with Altrics analytics cloud, and it operates in a multi cloud world and really helps across all sizes of data sets to blend, cleanse, shape, analyze, and report out so that we can break down data silos across the enterprise and drive real business outcomes. As a result of unlocking the potential of data, >>As well as really re lessening that skill gap. As you were saying, there's only 2 million data scientists. You don't need to be a data scientist. That's the, the beauty of what Altrics is enabling. And, and eBay is a great example of that. Jackie, let's go ahead and wrap things with you. You talked a great deal about the analytics maturity that you have fostered at eBay. It obviously has the right culture to adapt to that. Can you talk a little bit and take us out here in terms of where alters fits in on as that analytics maturity journey continues and what are some of the things that you are most excited about as analytics truly gets democratized across eBay? >>When we start about getting excited about things, when it comes to analytics, I can go on all day, but I I'll keep it short and sweet for you. I do think we are on the topic full of, of, of data scientists. And I really feel that that is your next step for us anyways, is that, how do we get folks to not see data scientists as this big thing, like a rocket scientist, it's, it's something completely different. And it's something that, that is in everybody to a certain extent. So again, partner with three X would just released the AI ML solution, allowing, you know, folks to not have a data scientist program, but actually build models and be able to solve problems that way. So we have engaged with alters and we, we purchased a license, this quite a few. And right now through our mastermind program, we're actually running a four months program for all skill levels, teaching, teaching them AI ML and machine learning and how they can build their own models. >>We are really excited about that. We have over 50 participants without the background from all over the organization. We have members from our customer services. We have even some of our engineers are actually participating in the program. We just kicked it off. And I really believe that that is our next step. I wanna give you a quick example of, of the beauty of this is where we actually just allow people to go out and think about ideas and come up with things. And one of the people in our team who doesn't have a data scientist background at all, was able to develop a solution where, you know, there is a checkout feedback checkout functionality on the eBay site where sellers or buyers can verbatim add information. And she build a model to be able to determine what relates to tax specific, what is the type of problem, and even predict how that problem can be solved before we, as a human even step in, and now instead of us or somebody going to verbatim and try to figure out what's going on there, we can focus on fixing the error versus actually just reading through things and not adding any value. >>And it's a beautiful tool and very impressed. You saw the demo and they developing that further. >>That sounds fantastic. And I think just the one word that keeps coming to mind, and we've said this a number of times in the program today is empowerment. What you're actually really doing to truly empower people across the organization with, with varying degrees of skill level, going down to the high school level, really exciting, we'll have to stay tuned to see what some of the great things are that come from this continued partnership. Ladies, I wanna thank you so much for joining me on the program today and talking about how alters and eBay are really partnering together to democratize analytics and to facilitate its maturity. It's been great talking to you. >>Thank you. >>As you heard over the course of our program organizations, where more people are using analytics who have the deeper capabilities in each of the four E's, that's, everyone, everything everywhere and easy analytics, those organizations achieve more ROI from their respective investments in analytics and automation than those who don't. We also heard a great story from eBay, great example of an enterprise that is truly democratizing analytics across its organization. It's enabling an empowering line of business users to use analytics, not only focused on key aspects of their job, but develop new skills rather than doing the same repetitive tasks. We wanna thank you so much for watching the program today. Remember you can find all of the content on the cue.net. You can find all of the news from today on Silicon angle.com and of course, alter.com. We also wanna thank alt alters for making this program possible and for sponsored in the queue for all of my guests. I'm Lisa Martin. We wanna thank you for watching and bye for now.

>> Paige: Hello everybody and thank you for joining us today for the virtual Vertica BDC 2020. Today's breakout session is entitled End-to-End Security in Vertica. I'm Paige Roberts, Open Source Relations Manager at Vertica. I'll be your host for this session. Joining me is Vertica Software Engineers, Fenic Fawkes and Chris Morris. Before we begin, I encourage you to submit your questions or comments during the virtual session. You don't have to wait until the end. Just type your question or comment in the question box below the slide as it occurs to you and click submit. There will be a Q&A session at the end of the presentation and we'll answer as many questions as we're able to during that time. Any questions that we don't address, we'll do our best to answer offline. Also, you can visit Vertica forums to post your questions there after the session. Our team is planning to join the forums to keep the conversation going, so it'll be just like being at a conference and talking to the engineers after the presentation. Also, a reminder that you can maximize your screen by clicking the double arrow button in the lower right corner of the slide. And before you ask, yes, this whole session is being recorded and it will be available to view on-demand this week. We'll send you a notification as soon as it's ready. I think we're ready to get started. Over to you, Fen. >> Fenic: Hi, welcome everyone. My name is Fen. My pronouns are fae/faer and Chris will be presenting the second half, and his pronouns are he/him. So to get started, let's kind of go over what the goals of this presentation are. First off, no deployment is the same. So we can't give you an exact, like, here's the right way to secure Vertica because how it is to set up a deployment is a factor. But the biggest one is, what is your threat model? So, if you don't know what a threat model is, let's take an example. We're all working from home because of the coronavirus and that introduces certain new risks. Our source code is on our laptops at home, that kind of thing. But really our threat model isn't that people will read our code and copy it, like, over our shoulders. So we've encrypted our hard disks and that kind of thing to make sure that no one can get them. So basically, what we're going to give you are building blocks and you can pick and choose the pieces that you need to secure your Vertica deployment. We hope that this gives you a good foundation for how to secure Vertica. And now, what we're going to talk about. So we're going to start off by going over encryption, just how to secure your data from attackers. And then authentication, which is kind of how to log in. Identity, which is who are you? Authorization, which is now that we know who you are, what can you do? Delegation is about how Vertica talks to other systems. And then auditing and monitoring. So, how do you protect your data in transit? Vertica makes a lot of network connections. Here are the important ones basically. There are clients talk to Vertica cluster. Vertica cluster talks to itself. And it can also talk to other Vertica clusters and it can make connections to a bunch of external services. So first off, let's talk about client-server TLS. Securing data between, this is how you secure data between Vertica and clients. It prevents an attacker from sniffing network traffic and say, picking out sensitive data. Clients have a way to configure how strict the authentication is of the server cert. It's called the Client SSLMode and we'll talk about this more in a bit but authentication methods can disable non-TLS connections, which is a pretty cool feature. Okay, so Vertica also makes a lot of network connections within itself. So if Vertica is running behind a strict firewall, you have really good network, both physical and software security, then it's probably not super important that you encrypt all traffic between nodes. But if you're on a public cloud, you can set up AWS' firewall to prevent connections, but if there's a vulnerability in that, then your data's all totally vulnerable. So it's a good idea to set up inter-node encryption in less secure situations. Next, import/export is a good way to move data between clusters. So for instance, say you have an on-premises cluster and you're looking to move to AWS. Import/Export is a great way to move your data from your on-prem cluster to AWS, but that means that the data is going over the open internet. And that is another case where an attacker could try to sniff network traffic and pull out credit card numbers or whatever you have stored in Vertica that's sensitive. So it's a good idea to secure data in that case. And then we also connect to a lot of external services. Kafka, Hadoop, S3 are three of them. Voltage SecureData, which we'll talk about more in a sec, is another. And because of how each service deals with authentication, how to configure your authentication to them differs. So, see our docs. And then I'd like to talk a little bit about where we're going next. Our main goal at this point is making Vertica easier to use. Our first objective was security, was to make sure everything could be secure, so we built relatively low-level building blocks. Now that we've done that, we can identify common use cases and automate them. And that's where our attention is going. Okay, so we've talked about how to secure your data over the network, but what about when it's on disk? There are several different encryption approaches, each depends on kind of what your use case is. RAID controllers and disk encryption are mostly for on-prem clusters and they protect against media theft. They're invisible to Vertica. S3 and GCP are kind of the equivalent in the cloud. They also invisible to Vertica. And then there's field-level encryption, which we accomplish using Voltage SecureData, which is format-preserving encryption. So how does Voltage work? Well, it, the, yeah. It encrypts values to things that look like the same format. So for instance, you can see date of birth encrypted to something that looks like a date of birth but it is not in fact the same thing. You could do cool stuff like with a credit card number, you can encrypt only the first 12 digits, allowing the user to, you know, validate the last four. The benefits of format-preserving encryption are that it doesn't increase database size, you don't need to alter your schema or anything. And because of referential integrity, it means that you can do analytics without unencrypting the data. So again, a little diagram of how you could work Voltage into your use case. And you could even work with Vertica's row and column access policies, which Chris will talk about a bit later, for even more customized access control. Depending on your use case and your Voltage integration. We are enhancing our Voltage integration in several ways in 10.0 and if you're interested in Voltage, you can go see their virtual BDC talk. And then again, talking about roadmap a little, we're working on in-database encryption at rest. What this means is kind of a Vertica solution to encryption at rest that doesn't depend on the platform that you're running on. Encryption at rest is hard. (laughs) Encrypting, say, 10 petabytes of data is a lot of work. And once again, the theme of this talk is everyone has a different key management strategy, a different threat model, so we're working on designing a solution that fits everyone. If you're interested, we'd love to hear from you. Contact us on the Vertica forums. All right, next up we're going to talk a little bit about access control. So first off is how do I prove who I am? How do I log in? So, Vertica has several authentication methods. Which one is best depends on your deployment size/use case. Again, theme of this talk is what you should use depends on your use case. You could order authentication methods by priority and origin. So for instance, you can only allow connections from within your internal network or you can enforce TLS on connections from external networks but relax that for connections from your internal network. That kind of thing. So we have a bunch of built-in authentication methods. They're all password-based. User profiles allow you to set complexity requirements of passwords and you can even reject non-TLS connections, say, or reject certain kinds of connections. Should only be used by small deployments because you probably have an LDAP server, where you manage users if you're a larger deployment and rather than duplicating passwords and users all in LDAP, you should use LDAP Auth, where Vertica still has to keep track of users, but each user can then use LDAP authentication. So Vertica doesn't store the password at all. The client gives Vertica a username and password and Vertica then asks the LDAP server is this a correct username or password. And the benefits of this are, well, manyfold, but if, say, you delete a user from LDAP, you don't need to remember to also delete their Vertica credentials. You can just, they won't be able to log in anymore because they're not in LDAP anymore. If you like LDAP but you want something a little bit more secure, Kerberos is a good idea. So similar to LDAP, Vertica doesn't keep track of who's allowed to log in, it just keeps track of the Kerberos credentials and it even, Vertica never touches the user's password. Users log in to Kerberos and then they pass Vertica a ticket that says "I can log in." It is more complex to set up, so if you're just getting started with security, LDAP is probably a better option. But Kerberos is, again, a little bit more secure. If you're looking for something that, you know, works well for applications, certificate auth is probably what you want. Rather than hardcoding a password, or storing a password in a script that you use to run an application, you can instead use a certificate. So, if you ever need to change it, you can just replace the certificate on disk and the next time the application starts, it just picks that up and logs in. Yeah. And then, multi-factor auth is a feature request we've gotten in the past and it's not built-in to Vertica but you can do it using Kerberos. So, security is a whole application concern and fitting MFA into your workflow is all about fitting it in at the right layer. And we believe that that layer is above Vertica. If you're interested in more about how MFA works and how to set it up, we wrote a blog on how to do it. And now, over to Chris, for more on identity and authorization. >> Chris: Thanks, Fen. Hi everyone, I'm Chris. So, we're a Vertica user and we've connected to Vertica but once we're in the database, who are we? What are we? So in Vertica, the answer to that questions is principals. Users and roles, which are like groups in other systems. Since roles can be enabled and disabled at will and multiple roles can be active, they're a flexible way to use only the privileges you need in the moment. For example here, you've got Alice who has Dbadmin as a role and those are some elevated privileges. She probably doesn't want them active all the time, so she can set the role and add them to her identity set. All of this information is stored in the catalog, which is basically Vertica's metadata storage. How do we manage these principals? Well, depends on your use case, right? So, if you're a small organization or maybe only some people or services need Vertica access, the solution is just to manage it with Vertica. You can see some commands here that will let you do that. But what if we're a big organization and we want Vertica to reflect what's in our centralized user management system? Sort of a similar motivating use case for LDAP authentication, right? We want to avoid duplication hassles, we just want to centralize our management. In that case, we can use Vertica's LDAPLink feature. So with LDAPLink, principals are mirrored from LDAP. They're synced in a considerable fashion from the LDAP into Vertica's catalog. What this does is it manages creating and dropping users and roles for you and then mapping the users to the roles. Once that's done, you can do any Vertica-specific configuration on the Vertica side. It's important to note that principals created in Vertica this way, support multiple forms of authentication, not just LDAP. This is a separate feature from LDAP authentication and if you created a user via LDAPLink, you could have them use a different form of authentication, Kerberos, for example. Up to you. Now of course this kind of system is pretty mission-critical, right? You want to make sure you get the right roles and the right users and the right mappings in Vertica. So you probably want to test it. And for that, we've got new and improved dry run functionality, from 9.3.1. And what this feature offers you is new metafunctions that let you test various parameters without breaking your real LDAPLink configuration. So you can mess around with parameters and the configuration as much as you want and you can be sure that all of that is strictly isolated from the live system. Everything's separated. And when you use this, you get some really nice output through a Data Collector table. You can see some example output here. It runs the same logic as the real LDAPLink and provides detailed information about what would happen. You can check the documentation for specifics. All right, so we've connected to the database, we know who we are, but now, what can we do? So for any given action, you want to control who can do that, right? So what's the question you have to ask? Sometimes the question is just who are you? It's a simple yes or no question. For example, if I want to upgrade a user, the question I have to ask is, am I the superuser? If I'm the superuser, I can do it, if I'm not, I can't. But sometimes the actions are more complex and the question you have to ask is more complex. Does the principal have the required privileges? If you're familiar with SQL privileges, there are things like SELECT, INSERT, and Vertica has a few of their own, but the key thing here is that an action can require specific and maybe even multiple privileges on multiple objects. So for example, when selecting from a table, you need USAGE on the schema and SELECT on the table. And there's some other examples here. So where do these privileges come from? Well, if the action requires a privilege, these are the only places privileges can come from. The first source is implicit privileges, which could come from owning the object or from special roles, which we'll talk about in a sec. Explicit privileges, it's basically a SQL standard GRANT system. So you can grant privileges to users or roles and optionally, those users and roles could grant them downstream. Discretionary access control. So those are explicit and they come from the user and the active roles. So the whole identity set. And then we've got Vertica-specific inherited privileges and those come from the schema, and we'll talk about that in a sec as well. So these are the special roles in Vertica. First role, DBADMIN. This isn't the Dbadmin user, it's a role. And it has specific elevated privileges. You can check the documentation for those exact privileges but it's less than the superuser. The PSEUDOSUPERUSER can do anything the real superuser can do and you can grant this role to whomever. The DBDUSER is actually a role, can run Database Designer functions. SYSMONITOR gives you some elevated auditing permissions and we'll talk about that later as well. And finally, PUBLIC is a role that everyone has all the time so anything you want to be allowed for everyone, attach to PUBLIC. Imagine this scenario. I've got a really big schema with lots of relations. Those relations might be changing all the time. But for each principal that uses this schema, I want the privileges for all the tables and views there to be roughly the same. Even though the tables and views come and go, for example, an analyst might need full access to all of them no matter how many there are or what there are at any given time. So to manage this, my first approach I could use is remember to run grants every time a new table or view is created. And not just you but everyone using this schema. Not only is it a pain, it's hard to enforce. The second approach is to use schema-inherited privileges. So in Vertica, schema grants can include relational privileges. For example, SELECT or INSERT, which normally don't mean anything for a schema, but they do for a table. If a relation's marked as inheriting, then the schema grants to a principal, for example, salespeople, also apply to the relation. And you can see on the diagram here how the usage applies to the schema and the SELECT technically but in Sales.foo table, SELECT also applies. So now, instead of lots of GRANT statements for multiple object owners, we only have to run one ALTER SCHEMA statement and three GRANT statements and from then on, any time that you grant some privileges or revoke privileges to or on the schema, to or from a principal, all your new tables and views will get them automatically. So it's dynamically calculated. Now of course, setting it up securely, is that you want to know what's happened here and what's going on. So to monitor the privileges, there are three system tables which you want to look at. The first is grants, which will show you privileges that are active for you. That is your user and active roles and theirs and so on down the chain. Grants will show you the explicit privileges and inherited_privileges will show you the inherited ones. And then there's one more inheriting_objects which will show all tables and views which inherit privileges so that's useful more for not seeing privileges themselves but managing inherited privileges in general. And finally, how do you see all privileges from all these sources, right? In one go, you want to see them together? Well, there's a metafunction added in 9.3.1. Get_privileges_description which will, given an object, it will sum up all the privileges for a current user on that object. I'll refer you to the documentation for usage and supported types. Now, the problem with SELECT. SELECT let's you see everything or nothing. You can either read the table or you can't. But what if you want some principals to see subset or a transformed version of the data. So for example, I have a table with personnel data and different principals, as you can see here, need different access levels to sensitive information. Social security numbers. Well, one thing I could do is I could make a view for each principal. But I could also use access policies and access policies can do this without introducing any new objects or dependencies. It centralizes your restriction logic and makes it easier to manage. So what do access policies do? Well, we've got row and column access policies. Rows will hide and column access policies will transform data in the row or column, depending on who's doing the SELECTing. So it transforms the data, as we saw on the previous slide, to look as requested. Now, if access policies let you see the raw data, you can still modify the data. And the implication of this is that when you're crafting access policies, you should only use them to refine access for principals that need read-only access. That is, if you want a principal to be able to modify it, the access policies you craft should let through the raw data for that principal. So in our previous example, the loader service should be able to see every row and it should be able to see untransformed data in every column. And as long as that's true, then they can continue to load into this table. All of this is of course monitorable by a system table, in this case access_policy. Check the docs for more information on how to implement these. All right, that's it for access control. Now on to delegation and impersonation. So what's the question here? Well, the question is who is Vertica? And that might seem like a silly question, but here's what I mean by that. When Vertica's connecting to a downstream service, for example, cloud storage, how should Vertica identify itself? Well, most of the time, we do the permissions check ourselves and then we connect as Vertica, like in this diagram here. But sometimes we can do better. And instead of connecting as Vertica, we connect with some kind of upstream user identity. And when we do that, we let the service decide who can do what, so Vertica isn't the only line of defense. And in addition to the defense in depth benefit, there are also benefits for auditing because the external system can see who is really doing something. It's no longer just Vertica showing up in that external service's logs, it's somebody like Alice or Bob, trying to do something. One system where this comes into play is with Voltage SecureData. So, let's look at a couple use cases. The first one, I'm just encrypting for compliance or anti-theft reasons. In this case, I'll just use one global identity to encrypt or decrypt with Voltage. But imagine another use case, I want to control which users can decrypt which data. Now I'm using Voltage for access control. So in this case, we want to delegate. The solution here is on the Voltage side, give Voltage users access to appropriate identities and these identities control encryption for sets of data. A Voltage user can access multiple identities like groups. Then on the Vertica side, a Vertica user can set their Voltage username and password in a session and Vertica will talk to Voltage as that Voltage user. So in the diagram here, you can see an example of how this is leverage so that Alice could decrypt something but Bob cannot. Another place the delegation paradigm shows up is with storage. So Vertica can store and interact with data on non-local file systems. For example, HGFS or S3. Sometimes Vertica's storing Vertica-managed data there. For example, in Eon mode, you might store your projections in communal storage in S3. But sometimes, Vertica is interacting with external data. For example, this usually maps to a user storage location in the Vertica side and it might, on the external storage side, be something like Parquet files on Hadoop. And in that case, it's not really Vertica's data and we don't want to give Vertica more power than it needs, so let's request the data on behalf of who needs it. Lets say I'm an analyst and I want to copy from or export to Parquet, using my own bucket. It's not Vertica's bucket, it's my data. But I want Vertica to manipulate data in it. So the first option I have is to give Vertica as a whole access to the bucket and that's problematic because in that case, Vertica becomes kind of an AWS god. It can see any bucket, any Vertica user might want to push or pull data to or from any time Vertica wants. So it's not good for the principals of least access and zero trust. And we can do better than that. So in the second option, use an ID and secret key pair for an AWS, IAM, if you're familiar, principal that does have access to the bucket. So I might use my, the analyst, credentials, or I might use credentials for an AWS role that has even fewer privileges than I do. Sort of a restricted subset of my privileges. And then I use that. I set it in Vertica at the session level and Vertica will use those credentials for the copy export commands. And it gives more isolation. Something that's in the works is support for keyless delegation, using assumable IAM roles. So similar benefits to option two here, but also not having to manage keys at the user level. We can do basically the same thing with Hadoop and HGFS with three different methods. So first option is Kerberos delegation. I think it's the most secure. It definitely, if access control is your primary concern here, this will give you the tightest access control. The downside is it requires the most configuration outside of Vertica with Kerberos and HGFS but with this, you can really determine which Vertica users can talk to which HGFS locations. Then, you've got secure impersonation. If you've got a highly trusted Vertica userbase, or at least some subset of it is, and you're not worried about them doing things wrong but you want to know about auditing on the HGFS side, that's your primary concern, you can use this option. This diagram here gives you a visual overview of how that works. But I'll refer you to the docs for details. And then finally, option three, this is bringing your own delegation token. It's similar to what we do with AWS. We set something in the session level, so it's very flexible. The user can do it at an ad hoc basis, but it is manual, so that's the third option. Now on to auditing and monitoring. So of course, we want to know, what's happening in our database? It's important in general and important for incident response, of course. So your first stop, to answer this question, should be system tables. And they're a collection of information about events, system state, performance, et cetera. They're SELECT-only tables, but they work in queries as usual. The data is just loaded differently. So there are two types generally. There's the metadata table, which stores persistent information or rather reflects persistent information stored in the catalog, for example, users or schemata. Then there are monitoring tables, which reflect more transient information, like events, system resources. Here you can see an example of output from the resource pool's storage table which, these are actually, despite that it looks like system statistics, they're actually configurable parameters for using that. If you're interested in resource pools, a way to handle users' resource allocation and various principal's resource allocation, again, check that out on the docs. Then of course, there's the followup question, who can see all of this? Well, some system information is sensitive and we should only show it to those who need it. Principal of least privilege, right? So of course the superuser can see everything, but what about non-superusers? How do we give access to people that might need additional information about the system without giving them too much power? One option's SYSMONITOR, as I mentioned before, it's a special role. And this role can always read system tables but not change things like a superuser would be able to. Just reading. And another option is the RESTRICT and RELEASE metafunctions. Those grant and revoke access to from a certain system table set, to and from the PUBLIC role. But the downside of those approaches is that they're inflexible. So they only give you, they're all or nothing. For a specific preset of tables. And you can't really configure it per table. So if you're willing to do a little more setup, then I'd recommend using your own grants and roles. System tables support GRANT and REVOKE statements just like any regular relations. And in that case, I wouldn't even bother with SYSMONITOR or the metafunctions. So to do this, just grant whatever privileges you see fit to roles that you create. Then go ahead and grant those roles to the users that you want. And revoke access to the system tables of your choice from PUBLIC. If you need even finer-grained access than this, you can create views on top of system tables. For example, you can create a view on top of the user system table which only shows the current user's information, uses a built-in function that you can use as part of the view definition. And then, you can actually grant this to PUBLIC, so that each user in Vertica could see their own user's information and never give access to the user system table as a whole, just that view. Now if you're a superuser or if you have direct access to nodes in the cluster, filesystem/OS, et cetera, then you have more ways to see events. Vertica supports various methods of logging. You can see a few methods here which are generally outside of running Vertica, you'd interact with them in a different way, with the exception of active events which is a system table. We've also got the data collector. And that sorts events by subjects. So what the data collector does, it extends the logging and system table functionality, by the component, is what it's called in the documentation. And it logs these events and information to rotating files. For example, AnalyzeStatistics is a function that could be of use by users and as a database administrator, you might want to monitor that so you can use the data collector for AnalyzeStatistics. And the files that these create can be exported into a monitoring database. One example of that is with the Management Console Extended Monitoring. So check out their virtual BDC talk. The one on the management console. And that's it for the key points of security in Vertica. Well, many of these slides could spawn a talk on their own, so we encourage you to check out our blog, check out the documentation and the forum for further investigation and collaboration. Hopefully the information we provided today will inform your choices in securing your deployment of Vertica. Thanks for your time today. That concludes our presentation. Now, we're ready for Q&A.