>>Hey guys and girls, welcome back to Motor City, Lisa Martin here with John Furrier on the Cube's third day of coverage of Coon Cloud Native Con North America. John, we've had some great conversations over the last two and a half days. We've been talking about identity and security management as a critical need for enterprises within the cloud native space. We're gonna have another quick conversation >>On that. Yeah, we got a great segment coming up from someone who's been in the industry, a long time expert, running a great company. Now it's gonna be one of those pieces that fits into what we call super cloud. Others are calling cloud operating system. Some are calling just Cloud 2.0, 3.0. But there's definitely a major trend happening around how cloud is going Next generation. We've been covering it. So this segment should be >>Great. Let's unpack those trends. One of our alumni is back with us, O Rika Zi, co-founder and CEO of Aerio. Omri. Great to have you back on the >>Cube. Thank you. Great to be here. >>So identity move to the cloud, Access authorization did not talk to us about why you found it assertive, what you guys are doing and how you're flipping that script. >>Yeah, so back 15 years ago, I helped start Azure at Microsoft. You know, one of the first few folks that you know, really focused on enterprise services within the Azure family. And at the time I was working for the guy who ran all of Windows server and you know, active directory. He called it the linchpin workload for the Windows Server franchise, like big words. But what he meant was we had 95% market share and all of these new SAS applications like ServiceNow and you know, Workday and salesforce.com, they had to invent login and they had to invent access control. And so we were like, well, we're gonna lose it unless we figure out how to replace active directory. And that's how Azure Active Directory was born. And the first thing that we had to do as an industry was fix identity, right? Yeah. So, you know, we worked on things like oof Two and Open, Id Connect and SAML and Jot as an industry and now 15 years later, no one has to go build login if you don't want to, right? You have companies like Odd Zero and Okta and one login Ping ID that solve that problem solve single sign-on, on the web. But access Control hasn't really moved forward at all in the last 15 years. And so my co-founder and I who were both involved in the early beginnings of Azure Active directory, wanted to go back to that problem. And that problem is even bigger than identity and it's far from >>Solved. Yeah, this is huge. I think, you know, self-service has been a developer thing that's, everyone knows developer productivity, we've all experienced click sign in with your LinkedIn or Twitter or Google or Apple handle. So that's single sign on check. Now the security conversation kicks in. If you look at with this no perimeter and cloud, now you've got multi-cloud or super cloud on the horizon. You've got all kinds of opportunities to innovate on the security paradigm. I think this is kind of where I'm hearing the most conversation around access control as well as operationally eliminating a lot of potential problems. So there's one clean up the siloed or fragmented access and two streamlined for security. What's your reaction to that? Do you agree? And if not, where, where am I missing that? >>Yeah, absolutely. If you look at the life of an IT pro, you know, back in the two thousands they had, you know, l d or active directory, they add in one place to configure groups and they'd map users to groups. And groups typically corresponded to roles and business applications. And it was clunky, but life was pretty simple. And now they live in dozens or hundreds of different admin consoles. So misconfigurations are rampant and over provisioning is a real problem. If you look at zero trust and the principle of lease privilege, you know, all these applications have these course grained permissions. And so when you have a breach, and it's not a matter of if, it's a matter of when you wanna limit the blast radius of you know what happened, and you can't do that unless you have fine grained access control. So all those, you know, all those reasons together are forcing us as an industry to come to terms with the fact that we really need to revisit access control and bring it to the age of cloud. >>You guys recently, just this week I saw the blog on Topaz. Congratulations. Thank you. Talk to us about what that is and some of the gaps that's gonna help sarto to fill for what's out there in the marketplace. >>Yeah, so right now there really isn't a way to go build fine grains policy based real time access control based on open source, right? We have the open policy agent, which is a great decision engine, but really optimized for infrastructure scenarios like Kubernetes admission control. And then on the other hand, you have this new, you know, generation of access control ideas. This model called relationship based access control that was popularized by Google Zanzibar system. So Zanzibar is how they do access control for Google Docs and Google Drive. If you've ever kind of looked at a Google Doc and you know you're a viewer or an owner or a commenter, Zanzibar is the system behind it. And so what we've done is we've married these two things together. We have a policy based system, OPPA based system, and at the same time we've brought together a directory, an embedded directory in Topaz that allows you to answer questions like, does this user have this permission on this object? And bringing it all together, making it open sources a real game changer from our perspective, real >>Game changer. That's good to hear. What are some of the key use cases that it's gonna help your customers address? >>So a lot of our customers really like the idea of policy based access management, but they don't know how to bring data to that decision engine. And so we basically have a, you know, a, a very opinionated way of how to model that data. So you import data out of your identity providers. So you connect us to Okta or oze or Azure, Azure Active directory. And so now you have the user data, you can define groups and then you can define, you know, your object hierarchy, your domain model. So let's say you have an applicant tracking system, you have nouns like job, you know, know job descriptions or candidates. And so you wanna model these things and you want to be able to say who has access to, you know, the candidates for this job, for example. Those are the kinds of rules that people can express really easily in Topaz and in assertive. >>What are some of the challenges that are happening right now that dissolve? What, what are you looking at to solve? Is it complexity, sprawl, logic problems? What's the main problem set you guys >>See? Yeah, so as organizations grow and they have more and more microservices, each one of these microservices does authorization differently. And so it's impossible to reason about the full surface area of, you know, permissions in your application. And more and more of these organizations are saying, You know what, we need a standard layer for this. So it's not just Google with Zanzibar, it's Intuit with Oddy, it's Carta with their own oddy system, it's Netflix, you know, it's Airbnb with heed. All of them are now talking about how they solve access control extracted into its own service to basically manage complexity and regain agility. The other thing is all about, you know, time to market and, and tco. >>So, so how do you work with those services? Do you replace them, you unify them? What is the approach that you're taking? >>So basically these organizations are saying, you know what? We want one access control service. We want all of our microservices to call that thing instead of having to roll out our own. And so we, you know, give you the guts for that service, right? Topaz is basically the way that you're gonna go implement an access control service without having to go build it the same way that you know, large companies like Airbnb or Google or, or a car to >>Have. What's the competition look like for you guys? I'm not really seeing a lot of competition out there. Are there competitors? Are there different approaches? What makes you different? >>Yeah, so I would say that, you know, the biggest competitor is roll your own. So a lot of these companies that find us, they say, We're sick and tired of investing 2, 3, 4 engineers, five engineers on this thing. You know, it's the gift that keeps on giving. We have to maintain this thing and so we can, we can use your solution at a fraction of the cost a, a fifth, a 10th of what it would cost us to maintain it locally. There are others like Sty for example, you know, they are in the space, but more in on the infrastructure side. So they solve the problem of Kubernetes submission control or things like that. So >>Rolling your own, there's a couple problems there. One is do they get all the corner cases who built a they still, it's a company. Exactly. It's heavy lifting, it's undifferentiated, you just gotta check the box. So probably will be not optimized. >>That's right. As Bezo says, only focus on the things that make your beer taste better. And access control is one of those things. It's part of your security, you know, posture, it's a critical thing to get right, but you know, I wanna work on access control, said no developer ever, right? So it's kind of like this boring, you know, like back office thing that you need to do. And so we give you the mechanisms to be able to build it securely and robustly. >>Do you have a, a customer story example that is one of your go-tos that really highlights how you're improving developer productivity? >>Yeah, so we have a couple of them actually. So there's the largest third party B2B marketplace in the us. Free retail. Instead of building their own, they actually brought in aer. And what they wanted to do with AER was be the authorization layer for both their externally facing applications as well as their internal apps. So basically every one of their applications now hooks up to AER to do authorization. They define users and groups and roles and permissions in one place and then every application can actually plug into that instead of having to roll out their own. >>I'd like to switch gears if you don't mind. I get first of all, great update on the company and progress. I'd like to get your thoughts on the cloud computing market. Obviously you were your legendary position, Azure, I mean look at the, look at the progress over the past few years. Just been spectacular from Microsoft and you set the table there. Amazon web service is still, you know, thundering away even though earnings came out, the market's kind of soft still. You know, you see the cloud hyperscalers just continuing to differentiate from software to chips. Yep. Across the board. So the hyperscalers kicking ass taking names, doing great Microsoft right up there. What's the future? Cuz you now have the conversation where, okay, we're calling it super cloud, somebody calling multi-cloud, somebody calling it distributed computing, whatever you wanna call it. The old is now new again, it just looks different as cloud becomes now the next computer industry, >>You got an operating system, you got applications, you got hardware, I mean it's all kind of playing out just on a massive global scale, but you got regions, you got all kinds of connected systems edge. What's your vision on how this plays out? Because things are starting to fall into place. Web assembly to me just points to, you know, app servers are coming back, middleware, Kubernetes containers, VMs are gonna still be there. So you got the progression. What's your, what's your take on this? How would you share, share your thoughts to a friend or the industry, the audience? So what's going on? What's, what's happening right now? What's, what's going on? >>Yeah, it's funny because you know, I remember doing this quite a few years ago with you probably in, you know, 2015 and we were talking about, back then we called it hybrid cloud, right? And it was a vision, but it is actually what's going on. It just took longer for it to get here, right? So back then, you know, the big debate was public cloud or private cloud and you know, back when we were, you know, talking about these ideas, you know, we said, well you know, some applications will always stay on-prem and some applications will move to the cloud. I was just talking to a big bank and they basically said, look, our stated objective now is to move everything we can to the public cloud and we still have a large private cloud investment that will never go away. And so now we have essentially this big operating system that can, you know, abstract all of this stuff. So we have developer platforms that can, you know, sit on top of all these different pieces of infrastructure and you know, kind of based on policy decide where these applications are gonna be scheduled. So, you know, the >>Operating schedule shows like an operating system function. >>Exactly. I mean like we now, we used to have schedulers for one CPU or you know, one box, then we had schedulers for, you know, kind of like a whole cluster and now we have schedulers across the world. >>Yeah. My final question before we kind of get run outta time is what's your thoughts on web assembly? Cuz that's getting a lot of hype here again to kind of look at this next evolution again that's lighter weight kind of feels like an app server kind of direction. What's your, what's your, it's hyped up now, what's your take on that? >>Yeah, it's interesting. I mean back, you know, what's, what's old is new again, right? So, you know, I remember back in the late nineties we got really excited about, you know, JVMs and you know, this notion of right once run anywhere and yeah, you know, I would say that web assembly provides a pretty exciting, you know, window into that where you can take the, you know, sandboxing technology from the JavaScript world, from the browser essentially. And you can, you know, compile an application down to web assembly and have it real, really truly portable. So, you know, we see for example, policies in our world, you know, with opa, one of the hottest things is to take these policies and can compile them to web assemblies so you can actually execute them at the edge, you know, wherever it is that you have a web assembly runtime. >>And so, you know, I was just talking to Scott over at Docker and you know, they're excited about kind of bringing Docker packaging, OCI packaging to web assemblies. So we're gonna see a convergence of all these technologies right now. They're kind of each, each of our, each of them are in a silo, but you know, like we'll see a lot of the patterns, like for example, OCI is gonna become the packaging format for web assemblies as it is becoming the packaging format for policies. So we did the same thing. We basically said, you know what, we want these policies to be packaged as OCI assembly so that you can sign them with cosign and bring the entire ecosystem of tools to bear on OCI packages. So convergence is I think what >>We're, and love, I love your attitude too because it's the open source community and the developers who are actually voting on the quote defacto standard. Yes. You know, if it doesn't work, right, know people know about it. Exactly. It's actually a great new production system. >>So great momentum going on to the press released earlier this week, clearly filling the gaps there that, that you and your, your co-founder saw a long time ago. What's next for the assertive business? Are you hiring? What's going on there? >>Yeah, we are really excited about launching commercially at the end of this year. So one of the things that we were, we wanted to do that we had a promise around and we delivered on our promise was open sourcing our edge authorizer. That was a huge thing for us. And we've now completed, you know, pretty much all the big pieces for AER and now it's time to commercially launch launch. We already have customers in production, you know, design partners, and you know, next year is gonna be the year to really drive commercialization. >>All right. We will be watching this space ery. Thank you so much for joining John and me on the keep. Great to have you back on the program. >>Thank you so much. It was a pleasure. >>Our pleasure as well For our guest and John Furrier, I'm Lisa Martin, you're watching The Cube Live. Michelle floor of Con Cloud Native Con 22. This is day three of our coverage. We will be back with more coverage after a short break. See that.

>> Narrator: theCUBE presents KubeCon, and CloudNativeCon Europe, 2022, brought to you by Red Hat, the Cloud Native Computing Foundation, and its ecosystem partners. >> Welcome to Valencia, Spain and KubeCon, CloudNativeCon Europe, 2022. I'm Keith Townsend, and we're continuing the conversation with builders, startups, large enterprise, customers, small customers, the whole community. Just got a interesting stat earlier in the day, 7.1 million community members in the CNCF foundation, and we're been interacting with 7,500 of them. But we're bringing the signal, separating the signal from the noise. We have a Kube alum who's been on both sides of the table, Omri Gazitt co-founder and CEO of Aserto. Welcome to the show. >> Thank you so much, Keith. >> So identity management, you know it's, it's critical need to the enterprise cloud native but there's plenty of solutions on the market, what unique problem are you solving you know how are you solving the problem in a unique way that we don't go to some of the big named vendors in this space? >> Yeah, we, my co-founder and I, were veterans of large clouds. We helped start Azure at Microsoft. We in fact helped build what became Azure Active Directory and those solutions entirely focus on one part, the "I" part, the identity part of the problem. They completely ignore the access management part and you could argue that is a larger problem and it is far from solved. So we completely agree. Identity management, a problem that's been solved over the last 15 years and solved well by great companies like Microsoft and Okta and Auth0. And we're best friends with them. We basically pick up where they leave off. We do the access management part. >> So the access management part, what specifically, what what am I getting when I engage with your team and your product? >> Yep. So basically I, authentication is all about proving that you are, who you say you are through a password or something else, you know, biometric. And that part is done. We basically pick up where that leaves off. So once you know who you are, once you've proven to a system that you are Keith. Now, what can Keith do? What roles, what permissions, , what operations can Keith perform on what resources? That's a harder problem. And that's the problem that we focus on. So for example, if you have a SaaS app - let's say you're building, you know an applicant tracking system and you Keith are an owner of some job descriptions and you have some candidates, but  somebody else has a different set of candidates and an admin, maybe has visibility at everything. How do you build that system? That actually is a pretty hard problem. And how do you build it to enterprise grade? That's where we come in. We basically have an end-to-end solution that gives you cloud native, end-to-end authorization that's built to enterprise grade. >> So when I think of this capability, I can't help but to think of AWS IAM and I'm in AWS IAM, I get my security role, and now I can assign to an EC2 instance, the ability to access some other AWS service or identity. So role based identity - are you giving me that type of capability? >> For everything else. So AWS IAM for AWS resources right? Google IAM for Google Resources. Azure has a similar system but they're all infrastructure focused. And what we're trying to do is bring that to your domain specific resources, right? So you, as an application builder, you have the things that correspond  you're not doing VMs, you're not doing storage arrays, you're not doing networks. You have higher level constructs, right. You know, like I said, if you're building Lever or Greenhouse, you have candidates and jobs and reports and things like that. So we basically allow you to create this fine grained access control, but for your own objects. >> So where's the boundaries? Let's say that I have a container or microservice that is a service and it has a role, it has an identity on my network. And there is a cloud based service, let's say a, a cloud SQL. And I want to do authentication across the two or can I only have the boundaries within my private infrastructure or does that boundary extend to the public cloud as well? >> It extends everywhere, right. So basically, you know, if you think about all the different hops here, you know, Zero Trust is the, the rage, right? And that encourages defense in depth. So you have an access proxy that does some type of authorization. Then you have an API Gateway that has a little bit more context, a little bit more authorization. For us we live inside of the application. So the application calls us, we give you a sidecar, you deploy it right next to your application. It gives you, you know, sub-millisecond response time, a hundred percent availability, all the authorization decisions are done with full context about who the user is and what resource they're trying to access. And so our sidecar will give you a response back, allow or deny, and then downstream from us, you could basically talk to another microservice. And at that point you're doing machine identities, right? So you may have a different authorization policy for those, only you know these particular services, are allowed to talk to these other services. And so we solve both the, you know authorization for machine identities as well as authorization for human identities. >> All right Omri are you ready for Q Clock? >> I sure am! >> Oh, I like the energy. >> Bring it on. >> You know, there have been many before you, they have failed the test. >> All right. I mean, they brought, they've brought the energy. You have the energy but do you have the ability to survive the clock? >> I'm going to do my best. >> So I'm going to say start the clock. I haven't said, said start cube clock yet, but when I say it, you have 60 seconds. There's no start overs. There's no repeats. The pressure's on, you ready? >> All right. I'm ready. >> Ready? Start Cube Clock. >> All right. If you are a VP of Engineering or a CTO or run a security or engineering organization what are you doing for roles and permissions? You're building it on your own, right? >> Tough times never last, tough people always do, and you're, you're delaying, you're letting me break you up. >> All right, I'm not going to let you break me up. Great. So you don't want to build it yourself. You don't want to build it yourself. Why would you spend engineering time? Why would you spend, you know, the- >> You deserve a seat at the table. >> No but look, why would you ever spend your time building something that is not differentiating your application? Instead use something like Aserto, just dear God use something, use a developer API. Don't build it yourself because what are you doing? You're reinventing the wheel, you know. You want to get out of the business of reinventing the wheel. >> Crawl before you walk. (Omri laughs) >> You think so? I think, I think you have to go you know, make sure that you spend your engineering resources on the things that matter and the things that matter are. >> Time up. >> Yep. >> You know what? You threw three great curve balls and struck me out. Great job. (Omri laughs) You, you, you just knocked it out the park. Great job Omri, I appreciate you coming in, stopping by, sharing your company's journey about authorization and authorization services and getting kind of this cloud capability, the cloud native. >> I appreciate your time as well Keith, always a pleasure. >> From Valencia Spain, I'm Keith Townsend, and you're watching theCUBE, the leader in high tech coverage. (soft instrumental music)