Armon Dadgar, HashiCorp | PagerDuty Summit 2018
(upbeat techno music)
>> From Union Square in downtown San Francisco, it's theCUBE, covering PagerDuty Summit '18. Now, here's Jeff Frick.
>> Hey, welcome back everybody, Jeff Frick here with theCUBE. We're at PagerDuty Summit in the Westin St. Francis, Union Square, San Francisco. We're excited to have our next guest, this guy likes to get into the weeds. We'll get some into the weeds, not too far in the weeds. Armon Dadgar, he's a co-founder and CTO of HashiCorp. Armon, great to see you.
>> Thanks so much for having me, Jeff.
>> Absolutely, so you're just coming off your session so how did the session go? What did you guys cover?
>> It's super good, I mean I think what we wanted to do was sort of take a broader look and not just talk too much just about monitoring and so the talk was really about zero trust networking. Sort of the what, the how, the why.
>> Right, right, so that's a very important topic. Did Bitcoin come up or blockchain? Or are you able to do zero trust with no blockchain?
>> We were able to get through with no blockchain, thankfully I suppose.
>> Right.
>> But I think kind of the gist of it when we talk about, I think that the challenge is it's still sort of at that nascent point where people are like, okay, zero trust networking I've heard of it, I don't really know what it is or what mental category to put it in. So I think what we tried to do was sort of not get too far in the weeds, as you know I tend to do but sort of start high level.
>> Right, right.
>> And say, what's the problem, right? And I think the problem is we live in this world today of traditional flat networks where, I have a castle and moat, right? I wrap my data center in four walls, all my traffic comes over a drawbridge, and you're either on the outside and you're bad and untrusted or you're on the inside and you're good and trusted. And so what happens when a bad guy gets in, right?
>> Right.
>> It's sort of this all or nothing model, right?
>> But now we know, the bad guys are going to get in, right? It's only a function of time, right?
>> Right, and I think you see it with the Target breach, the Neiman Marcus breach, the Google breach, right? The list sort of goes on, right? It's like, Equifax, right? It's a bad idea to assume they never get in. (laughing)
>> If you assume they get in, so then, if you know the bad guys are going to get in, you got to bake that security in all different levels of your applications, your data, all over the place.
>> Exactly.
>> So what are some of the things you guys covered in the session?
>> So I think the core of it is really saying how do we get to a point where we don't trust our network, where we assume the attacker will get on the network and then what? How do you design around that assumption, right? And what you really have to do is push identity everywhere, right? So every application has to say, I'm a web server and I'm connecting to a database, and is this allowed, right? Is a web server allowed to talk to the database? And that's really the crux of what Google calls BeyondCorp, what other people call sort of zero trust networking, is this idea of identity based where I'm saying it's not IP one talking to IP two, it's web server talking to database.
>> Right, right, because then you've got all the role and rules and everything associated at that identity level?
>> Bingo, exactly.
>> Yeah.
>> Exactly, and I think what's made that very hard historically is when we say, what do you have at the network? You have IPs and ports. So how do we get to a point where we know one thing is a web server and one thing's a database, right?
>> Right.
>> And I think the crux of the challenge there, is kind of three pieces, right? You need application identity. You have to say this is a web server, this is a database. You need to distribute certificates to them and say, you get a certificate that says you're a web server, you get a certificate that says you're a database and you have to enforce that access, right? So everyone can't just randomly talk to each other.
>> Right, well then what about context too, right? Because context is another piece that maybe somebody takes advantage of and has access to the identity but is using it in a way or there's an interaction that's kind of atypical to what's expected behavior, it just doesn't make sense. So context really matters quite a bit as well.
>> Yeah, you're super, super right and I think this is where it gets into not only do we need to assign identity to the applications but how do we tie that back into sort of rich access controls of who's allowed to do what, audit trails of, okay it seems odd, this web server that never connects to this database suddenly out of the blue doing so, why?
>> Right, right.
>> And do we need to react to it? Do we need to change the rule? Do we need to investigate what's going on?
>> Right.
>> But you're right. It's like, that context is important of what's expected versus what's unexpected.
>> Right, then you have this other X factor called shared infrastructure and hybrid cloud and I've got apps running on AWS, I've got apps running at Google, I've got apps running at Microsoft, I got apps running in the database, I've got some dev here, I've got some prod here. You know that adds another little X factor to the zero trust. (laughing)
>> Yeah, I think I aptly heard it called once, we have a service mess on our hands, right? (laughing)
>> Right, right.
>> We have this stuff so sort of sprawled everywhere now, how do we wrangle it? How do we get our hands around it? And so as much as I think service mess is a play on sort of the language, I think this is where that emerging category of service mesh does make sense.
>> Right.
>> It's really looking at that and saying, okay, I'm going to have stuff in private cloud, public cloud, maybe multiple public cloud providers, how do I treat all of that in a uniform way? I want to know what's running where. I want to have rules around who can talk to who.
>> Right.
>> And that's a big focus for us with Consul, in terms of, how do we have a consistent way of knowing what's running where, a consistent set of rules around who can talk to who.
>> Right.
>> And do it across all these hybrid environments, right?
>> Right, right, but wait, don't buy it yet, there's more. (laughing) Because then I've got all the APIs right? So now you've got all this application integration, many of which are with cloud based applications. So now you've got that complexity and you're pulling all these bits and connections from different infrastructures, different applications, some in house, some outside, so how do you bring some organization to that madness?
>> No, that's a super good question. If you ever want to role change, take a look at our marketing department, you've got this down. (laughing) You know, I would say what it comes down to a heterogeneity is going to be fundamental, right? You're going to have folks that are going to operate different tools, different technologies for whatever reasons, right? Might be a historical choice, might be just they have better relations with a particular vendor. So our view has been, how do you interop with all these things? Part of it is focus on open source. Part of it is focus on API driven. Part of it is focused on you have to do API integrations with all these systems because you're never going to get sort of the end user to standardize everything on a single platform.
>> Right, right. It's funny, we were at a show talking about RPA, robotic process automation, and they, they treat those processes as employees in the fact that they give them identities.
>> Right.
>> So they can manage them. You hire them, you turn 'em on, they work for you for a while and then you might want to turn them off after they're done whatever doing, that you've put them in place for. But literally they were treating them as an employee.
>> Right.
>> Treating them with like an employee lead identity that they could have all the assigned rules and restrictions to then let the RPA do what it was supposed to do. It's like interesting concept.
>> Yeah, and I think it mirrors I think what we see in a lot of different spaces which is what we were maybe managing before was the sort of very physical thing. Maybe it was we called it Robot 1234, right? Or in the same way we might say, this is server at IP 1234.
>> Right.
>> On our network. And so we're managing this really physical unit, whether it's an IP, a machine, a serial number. How do we take up the level of abstraction and instead say, you know actually all of these machines, whether IP one, IP two, IP three, they're a web server and whether it's robots one, two or three, they're a door attach, right?
>> Right, right.
>> And so now we start talking about identity and it gives us this more powerful abstraction to sort of talk about these underlying bits.
>> Right.
>> And I think it sort of follows the history of everything, right? Which is like how do we add new layers of abstraction that let us manage the complexity that we have?
>> Right, right, so it's interesting right in Ray Kurzweil's keynote earlier today, hopefully you saw that, he talked about, basically exponential curves and that's really what we're facing so the amount of data, the amount of complexity is only going to increase dramatically. We're trying to virtualize so much of this and abstract it away but then that adds a different layer of management. At the same time, you're going to have a lot more horsepower to work with on the compute side, so is it kind of like the old Wintel, I got a faster PC, it's getting eaten up by more windows? I mean, do you see the automation being able to keep up with kind of the increasing layers of abstraction?
>> Yeah, I mean I think there's a grain of that. Are we losing, just because we're getting access to more resources are we using it more efficiently? I think there's some fairness in, with each layer of abstraction we're sort of introducing additional performance cost, sort of to reduce that, but I think overall what we might be doing is increasing the amount of compute tenfold, but adding a 5% additional management fee, so it's still, I think it's still net and net we're able to do much more productive work, go to much bigger scale but only if you have the right abstractions, right? And I think that's where this kind of stuff comes in is, okay great, I'm going to have 10 times as many machines, how do I deal with the fact that my current security model barely works at my current scale? How do I go to 10x the scale? Or if I'm pointing and clicking to provision a machine, how does that work when I'm going to manage a thousand machines, right?
>> Yeah.
>> You have to bring in additional tooling and automation and sort of think about it at the next higher level.
>> Yeah.
>> And I think that's all, all part of this process of adopting cloud and sort of getting that leverage.
>> It's so interesting, just the whole scale discussion because at the end of the day, right, scale wins and there's a great interview with James Hamilton from AWS, and it's old, but he's talking about kind of scale and he talks about how many servers that were sold in this whatever calendar year it was, versus how many mobile phones were sold and it's many orders of magnitude different and the fact that he's thinking in terms of these types of scales as opposed to, you know, which was a big number in the service sales side, but really the scale challenge introduced by these giant clouds and Facebook and the like really changed the game fundamentally in how do you manage these things.
>> Totally, totally and I think that's been our view at HashiCorp, is that when you talk about kind of the tidal shift of infrastructure from on premise, relatively static VMware centric to AWS, plus Azure, plus Google, plus VMware, it's not just a change of, okay it's of one server here to one server there. It's like going from one server here to 50 servers that I'm changing at every other day rather than every other year, right?
>> Right, right.
>> And so it's this sort of order of magnitude of scale but also an order of magnitude in terms of sort of the rate of change as well.
>> Right, right.
>> And I think that puts downward pressure on how do I provision? How do I secure? How do I deploy applications? How do I secure all of this stuff, right?
>> Right.
>> I think every layer of the infrastructure gets hit by this change.
>> Right, right, alright so you're a smart guy. You're always looking forward. What are some of the things you're working on down the road? Big challenges that you're looking forward to tackling?
>> Oh, okay, that's fun. I mean I think the biggest challenge is how do we get this stuff to be simpler for people to use? Because I think what we're going through is you get this sort of see-saw effect, right? Which is okay, we're getting access to all this new hardware, all this new compute, all these new APIs, but it's not getting simpler, right?
>> Right, right.
>> It's getting exponentially more complicated.
>> Right, right.
>> And so I think part of it is how do we go back to sort of looking at what's the core of drivers here? It's like, okay well we want to make it easier for people to deliver and deploy their applications, let's go back to sort of, in some sense, the drawing board, say how do we abstract all of these new goodies that we've been given but make it consumable and easy to learn? Because otherwise, you know, what's the point? It's like, here's a catalog of 50,000 things and no one knows how to use any of it.
>> Right, right, right. (laughing) Yeah it's funny, I'm waiting for that next abstraction for AWS, instead of the big giant slide that Andy shows every year. (laughing) It's just that I just want to plug in and you figure out.
>> Right.
>> What connects on the backend. I can't even hardly read that stuff--
>> Maybe AI will save us.
>> Let's hope so. Alright Armon, well thanks for taking a few minutes out of your day and sitting down with us.
>> My pleasure, thanks so much, Jeff.
>> Alright, he's Armon, I'm Jeff, you're watching theCUBE, we're at PagerDuty Summit in downtown San Francisco, thanks for watching.
(upbeat techno music)