Bill Mann, Styra | CUBE Conversation, July 2020
(upbeat music)

>> Narrator: From the Cube Studios in Palo Alto and Boston, connecting with thought leaders all around the world. This is the Cube Conversation.

>> Welcome to this Cube Conversation. I'm Lisa Martin, excited to talk to the CEO of Styra, Bill Mann, today. Bill, welcome to the Cube.

>> Hi Lisa, how are you doing?

>> I'm doing well. I should say welcome back. You've been on the Cube at a previous company, but we're excited to talk to you today about Styra. What's going on? So let's go ahead and start by informing our audience who Styra is and what you do.

>> Sure, so who Styra is and what do we do? So Styra is a company that's focused on reinventing policy and authorization in the cloud native stack. We're the company that created an open source project called Open Policy Agent; it's part of CNCF. And on top of Open Policy Agent, we built a control plane, a management plane, to help organizations really put OPA into production and operationalize OPA.

>> And OPA is Open Policy Agent. That's what the company actually developed with CNCF, correct?

>> So, we actually founded Open Policy Agent and then we contributed Open Policy Agent to CNCF. And the real goal of contributing the Open Policy Agent to CNCF was, we believe that we want to get authorization de facto in the market, right? And the only way to get something out there that everybody uses is to put it into the open source and have an entity like the CNCF supporting the project. So, really it's about getting everybody, all enterprises and vendors, to use Open Policy Agent as a way of solving authorization for the cloud native environment.

>> So you say Styra is reinventing policy and authorization for cloud native applications. Your target audience, security folks, developer folks: what changes has cloud native brought to security and development teams?

>> Sure, so what changes has cloud native brought to security and development teams? So fundamentally there have been three changes in the marketplace. One, as you know, we're shifting from this monolithic architecture of building applications to now these new distributed architectures of Kubernetes, microservices and decoupled architecture. So fundamentally the way we build applications has changed, because everybody wants to have scale up and scale down and so forth. Second, the way we actually develop software: we've moved now to a DevOps model where we're doing more things earlier on in the cycle so we can innovate faster, and we're producing code on an hourly basis versus when I joined the industry, which was probably three releases a year. And then thirdly, which is kind of a major topic that all of us kind of understand, is our focus on privacy and security is higher than it's been before. And if these applications are going to be way more complex and more distributed and we're going to innovate faster, then the way we focus on security and privacy has to be done differently as well. And if we don't do it differently, then we're going to have all the breaches that we had in the previous generation of the app stack.

>> And we don't want that, but you're right, privacy and security are increasing concerns in any environment. How do you help address those, also with the thought that privacy and security are going to be concerns for quite a long time?

>> Yeah, so let me take a step back. So how do we address privacy and security? So, at a fundamental level, authorization is a foundational part of security, and authorization has never really been solved or re-imagined ever for the last 50 years or so. Every application developer or security vendor has built authorization into their own stack and done it in a very proprietary way. And it's been locked away within these applications and these stacks and so forth. So what happens now when you've got a highly distributed environment is that you've got so many moving parts, and you still need to apply authorization. So, the way we've tackled it is by building Open Policy Agent. And there's three fundamental kind of tenets around Open Policy Agent that make it really ideal for this cloud native environment. Number one, it's policy as code, and everything in the market now, everything is as code. You buy infrastructure as code. So this is now policy as code. So you can describe in a declarative model how you want the policy for a system to be developed, and you can use the language called Rego to do that. Second is the fact that all the cloud native projects out there, which are all developed based upon open source technologies, Kubernetes, microservices, Envoy, Istio, Kafka, all these kinds of buzzwords you hear in the marketplace, they all integrate with Open Policy Agent already. And then thirdly, the architecture of Open Policy Agent is that it's distributed, which means that it's ideally suited for this distributed architecture for cloud native. And those are the three kind of characteristics of Open Policy Agent leading to developers loving it. And when I say they love it, we've got hundreds and thousands of users of Open Policy Agent. When you go to the CNCF shows, KubeCon earlier this year, and there's two more coming this year, there's many, many talks on it. You've got cloud vendors like Google and Microsoft adopting Open Policy Agent, got a lot of enterprises adopting Open Policy Agent. So, that's really fundamentally what we've built: we've built an authorization architecture for this new world to really address the security and privacy concerns, which have always existed and are going to be more exponential in this new world.

>> And I think you've also built a community around OPA. Can you share a little bit of information about that and how they help with the co-development and even some of the other things that you're commercializing?

>> Sure, yeah. So, now what have we done from a community point of view with Open Policy Agent? So yeah, the community is an integral part of any open source project and we're lucky to have a great community. We've got a great community of enterprise users of Open Policy Agent and vendors as well, vendors like Microsoft and Google who are now contributing to OPA and building it up. And for me, the most important part of a community is that you learn how enterprises are using your software, and they share ideas and they share use cases and you're able to innovate really, really fast. And what we've learned from that is the use cases that they use Open Policy Agent for. For instance, one of the major use cases for Open Policy Agent is for Kubernetes admission control. So, essentially we can test the configuration of an application, which is described in a file called YAML, before it goes into production. So, think of it as pre-production tests, but companies are using it for microservices and applications and data and so forth. So, it helps us understand what they're using it for, but also we use it to help us develop our commercial product, which is the management control plane for OPA. So, we learn about what they're missing in the open source project that we can use to build our commercial product, which is ready for enterprise use.

>> So you've had a lot of success with OPA. Talk to me about Styra DAS and why the need for that?

>> Sure, so why do we need Styra DAS, recognizing that OPA is very, very successful? So, the fundamental difference is OPA is very focused on developers and it's very focused on an environment for an individual node or cluster, but it doesn't have all the enterprise features necessary for a real enterprise to go into production. So what we notice is companies use OPA for pre-production, but when they want to go into production, they need a user interface. They need a way to author policies, distribute policies, monitor policies, do impact analysis and a whole bunch of other features and capabilities that are needed for enterprise deployments and so forth. So that's a fundamental difference between OPA and the commercial product. The commercial product is really operationalizing OPA for an enterprise deployment.

>> So the relationship between Styra and OPA seems very collaborative to me, in that what you just described with the commercial product of Styra DAS is really one that was developed based on what the OPA community and Styra have learned together?

>> Correct, yes. So, OPA was created by the CTO. The founders of the company, when the team was actually part of Nicira (and they left Nicira, which got acquired by VMware), saw early on, several years ago, the need for distributed architectures and the need for unified policy, so they left and created OPA. And from day one they wanted to get OPA into everybody's hands. That's why they contributed it to open source as part of CNCF. And then the next kind of strategy is to focus on the control plane aspects, the enterprise aspect. So yes, the same team that created OPA is the same team that's creating the Styra DAS commercial offering as well.

>> So from the enterprise perspective, talk to me about some of the companies that you're talking to. I imagine any organization that's focused on cloud native, but any industry in particular that you see is really kind of leading edge right now?

>> Yeah, so which industries are we talking to in terms of using Styra DAS and OPA? What we've actually found is it's across the board. And we've seen in the early days that financial services and high tech were using OPA, but now it's really across the board. So it's all verticals really. And what we've noticed is any organization which is going through a cloud transformation project, where they're either building new applications based upon cloud native app stacks like Kubernetes and microservices and so forth or shifting to the cloud, are the companies that are also adopting OPA and the Styra DAS product, right? Because it's all part of the same solution set. And what we're noticing now, and this is a fundamental difference, is platform architects and developers are kind of primed to use these technologies. They learn about these technologies by going to the conferences, and unlike the past, which was very much top-down selling from the C-level down, this is very much bottom-up. So developers learn about OPA from going to the conferences. They use it within their own environment and then they tell their management that, "Look, we're using OPA already. We're missing these capabilities," or they come to us and we educate them about the Styra DAS product and so forth. So it's a very different sales model as well, and that's why it's very important for ourselves and any open source company to really keep developers happy and provide a solution that's meeting their requirements.

>> On that side, with so many of us, developers included, working from home for the past nearly four months, we now are doing things like these virtual conversations, virtual events. How is Styra helping to continue to feed and educate those developers so that they can understand how you can impact their job functions and how they can then elevate you guys up the stack?

>> Sure, so what's changed over the last three months or so in the market as a consequence of COVID-19, and from an educational point of view? So, what we've seen is, fundamentally, in the early days of COVID-19 everybody was kind of getting their head around how to work from home and so forth, but what we've seen across all verticals is developers have now really focused on educating themselves, and just as a data point, the audience that we get to the OPA website is as high as it's ever been for the last three months. And what we're doing as a company is a lot of training sessions, video content, write-ups, blogs and so forth, right? And really helping the community learn about OPA and how to solve these kind of fundamental problems around policy and authorization within the environment. We've also been helped by the community as well. So there's been talks from a number of companies, Microsoft, Google, Palo Alto had a talk, and many, many companies are talking about OPA now, and I love it because ultimately, being an open source company and building a project which we want to become de facto, we want to raise the bar for security across the world, right? And if we can do that then it's going to be an achievement for us, and it's very gratifying knowing that we're really fixing security problems for organizations, because ultimately we always want to be able to use an application or a banking service and not worry about privacy and security concerns, and that's ultimately what we're all after. But this is such a fundamental component that we want to have developers learn this now, because if they can incorporate this into the DevOps app stack then in future years when these applications are built and they're exposed, they'll be more secure.

>> And so it sounds like maybe there's even more engagement now during COVID when everybody is at home. Tell me about some of the things that are coming down the pipe for Styra in light of all of this exciting collaboration with the community.

>> Sure, yeah. There's definitely been way more collaboration as a consequence of COVID-19. People are at home and they're focusing and they're going through learning sessions and browsing the website, going through the video content and so forth. So we're engaging as much as we have ever been; in fact I would argue that we're engaging even more so now, because it's just a different environment to work in. And what we're focused on now is really adding more features to the Styra DAS product. Just to step back for a second, Open Policy Agent works across the cloud native stack, and Styra DAS has been focused first on the Kubernetes use case, and now it also supports microservices as well. And then what we're continuing to do is add more of those enterprise features into Styra DAS and move up and up across the stack. But it is all driven by developers that we're talking to on a daily basis, and that's leading to where the project is moving forward and the development for the roadmap and so forth.

>> And Styra DAS was only launched in 2019, is that correct?

>> 2019, yes, that's correct. That's correct. Yes, time flies, right? So, yes.

>> A lot of change and a lot of development in a short period of time.

>> That's right, and 2019 was a big year for us, right? We started 2019 with a soft launch at the RSA conference and we finished 2019 with Series A funding led by Accel. And yeah, it's great to see how the commercial product has been gaining traction in the marketplace as well as OPA, and I think it's a combination of events. One, the fact that cloud native is now really well understood. Second, the fact that Kubernetes at the beginning of 2019, it was still, "What does Kubernetes mean, is it going into production?" Now Kubernetes is absolutely going into production, and there's such a desire for organizations to make sure that security and policy and compliance are resolved before applications go into production, otherwise we're going to have the same kind of challenges we had with previous app stacks.

>> Well, the momentum is certainly with you. I can definitely hear that in your voice, Bill. Thank you so much for joining me talking about Styra, how you're reinventing policy and authorization for cloud native applications.

>> Thank you, Lisa.

>> For my guest Bill Mann, I'm Lisa Martin. You're watching the Cube Conversation. Thanks for your time. (upbeat music)
SUMMARY :
This is the Cube Conversation. the CEO of Styra, Bill Mann today. You've been on the Cube in the cloud native stack. An OPA is Open Policy Agent. and having an entity like the Second, the way we actually and also with the thought and everything in the market and even some of the other things And for me, the most and why the need for that? and the commercial product. the founders of the company and the need for unified policy So from the enterprise perspective, and the Styra DAS product, right? for the past nearly four months. and the audience that we that are coming down the pipe for Styra and browsing the website So, yes. a lot of development at the RSA conference and we finished 2019 Well, the momentum Thanks for your time.
SENTIMENT ANALYSIS :
ENTITIES
Entity | Category | Confidence |
---|---|---|
ORGANIZATION | 0.99+ | |
Microsoft | ORGANIZATION | 0.99+ |
Lisa Martin | PERSON | 0.99+ |
Bill Mann | PERSON | 0.99+ |
Lisa | PERSON | 0.99+ |
CNCF | ORGANIZATION | 0.99+ |
2019 | DATE | 0.99+ |
July 2020 | DATE | 0.99+ |
Bill Mann | PERSON | 0.99+ |
hundreds | QUANTITY | 0.99+ |
Palo Alto | LOCATION | 0.99+ |
Styra | ORGANIZATION | 0.99+ |
Bill | PERSON | 0.99+ |
Second | QUANTITY | 0.99+ |
OPA | TITLE | 0.99+ |
today | DATE | 0.99+ |
Palo Alto | ORGANIZATION | 0.99+ |
Open Policy Agent | TITLE | 0.99+ |
two | QUANTITY | 0.99+ |
Xcel | ORGANIZATION | 0.99+ |
three changes | QUANTITY | 0.99+ |
Boston | LOCATION | 0.98+ |
DevOps | TITLE | 0.98+ |
One | QUANTITY | 0.98+ |
this year | DATE | 0.98+ |
Styra DAS | TITLE | 0.97+ |
one | QUANTITY | 0.97+ |
Cube Studios | ORGANIZATION | 0.97+ |
Styra DAS | ORGANIZATION | 0.96+ |
first | QUANTITY | 0.96+ |
Rego | TITLE | 0.96+ |
thousands | QUANTITY | 0.94+ |
Styra | PERSON | 0.93+ |
COVID-19 | OTHER | 0.92+ |
Cube Conversation | TITLE | 0.92+ |
earlier this year | DATE | 0.92+ |
three releases a year | QUANTITY | 0.92+ |
Cube | ORGANIZATION | 0.91+ |
several years ago | DATE | 0.9+ |
Open Policy Agents | TITLE | 0.89+ |
three kind | QUANTITY | 0.87+ |
COVID-19 | TITLE | 0.86+ |
last three months | DATE | 0.85+ |
COVID | TITLE | 0.84+ |
second | QUANTITY | 0.84+ |
last 50 years | DATE | 0.83+ |
thirdly | QUANTITY | 0.82+ |
Bill Mann, Styra | CUBE Conversation, July 2020
(upbeat music) >> Narrator: From the Cube Studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is the Cube Conversation. >> Welcome to this Cube Conversation. I'm Lisa Martin, excited to talk to the CEO of Styra, Bill Mann today. Bill, welcome to the Cube. >> Hi Lisa, how are you doing? >> I'm doing well. I should say welcome back. You've been on the Cube at a previous company, but we're excited to talk to you today about Styra, what's going on? So let's go ahead and start informing our audience who Styra is and what you do? >> Sure, so who Styra is and what do we do? So Styra is a company that's focused on reinventing policy and authorization in the cloud native stack. We're the company that created an open source project called Open Policy Agent, it's part of CNCF. And on top of Open Policy Agent, we built a control flame, a management plane to help organizations really put OPA into production and operationalized OPA. >> An OPA is Open Policy Agent. That's what the company actually developed with CNCF, correct? >> So, we actually founded Open Policy Agent and then we contributed Open Policy Agent to CNCF. And the real goal of contributing the Open Policy Agent to CNCF was we believe that we want to get authorization defacto in the market, right? And the only way to get something out there that everybody uses is to put it into the open source and having an entity like the CNCF supporting the project. So, really it's about getting everybody, all enterprises and vendors to use Open Policy Agent as a way of solving authorization for the cloud native environment. >> So you say Styra is reinventing policy and authorization for cloud native applications, your target audience, security folks, developer folks, what changes has cloud native brought to security and development teams? >> Sure, so what changes has cloud native brought to security and development teams? So fundamentally there've been three changes in the marketplace. 
One, as you know we're shifting from this monolithic architecture of building applications to now this new distributed architectures of kubernetes, microservices and Deep-coupled architecture. So fundamentally the way we build applications is fundamentally changed because everybody wants to have scale up and scale down and so forth. Second, the way we actually developed software, we've moved now to a DevOps model where we're doing more things earlier on in the cycle so we can innovate faster and we're producing code on an hourly basis versus when I joined the industry which was probably three releases a year. And then thirdly which is kind of a major topic that all of us kind of understand is our focus on privacy and security is higher than it's been before. And if these applications are going to be way more complex and more distributed and we're going to innovate faster than the way we focus on security and privacy has to be done differently as well. And if we don't do it differently, then we're going to have to all the breaches that we had in the previous generation of the app stack. >> And we don't want that, but you're right privacy and security are increasing concerns in any environment. How do you help address those and also with the thought of privacy and security are going to be concerned for quite a long time? >> Yeah, so let me take a step back. So how do we address privacy and security? So, at a fundamental level, authorization is a foundational part of security and authorization has never really been solved or re-imagined ever for the last 50 years or so. Every application developer or security vendor has built authorization into their own stack and done it in a very proprietary way. And it's been locked away within these applications and these stacks and so forth. So what happens now when you've got a highly distributed environment is that you've got so many moving parts, you still need to apply authorization. 
So, the way we've tackled it is by building Open Policy Agent. And there's three fundamental kind of tenants around Open Policy Agent that make it really ideal for this cloud native environment. Number one, it's policy as code and everything in the market now, everything is as code. You buy infrastructure as code. So this is now policy as code. So you can describe in a declarative model, how you want the policy for a system to be developed and you can use the language called Rego to do that. Second is the fact that all the cloud native projects out there which are all developed based upon open source technologies, kubernetes, microservices, envoy, SDO, cafco, all these kinds of buzzwords you hear in the marketplace, they all integrate with Open Policy Agent already. And then thirdly the architecture of Open Policy Agent is that it's distributed, which means that it's ideally suited for this distributed architecture for cloud native. And those are the three kind of characteristics of Open Policy Agent leading to developers loving it. And when I say they love it, we've got hundreds and thousands of users of Open Policy Agent. When you go to the CNCF shows co op con earlier this year and there's two more coming this year. There's many, many talks on it. You've got cloud vendors like Google and Microsoft adopting Open Policy Agent, got a lot of enterprises adopting Open Policy Agent. So, that's really fundamentally what we've built is we've built an authorization architecture for this new world to really address the security and privacy concerns, which have always existed and I'm going to be more exponential in this new world. >> And I think you've also built a community around OPA. Can you share a little bit of information about that and how they help with the co-development and even some of the other things that you're commercializing? >> Sure, yeah. So, now what have we done in from a community point of view with Open Policy Agents? 
So yeah, the community is a integral part of any open source project and we're lucky to have a great community. We've got a great community of enterprise users of Open Policy Agents and vendors as well, vendors like Microsoft and Google who are now contributing to OPA and building it up. And for me, the most important part of a community is that you learn how enterprises are using your software and they share ideas and they share use cases and you're able to innovate really, really fast. And what we've learned from that is the use cases that they use Open Policy Agent for, for instance, one of the major use cases for Open Policy Agent is for kubernetes Admission Control. So, essentially we can test the configuration of an application which is described in a file called Yammer before it goes into production. So, think of it as pre-production tests, but companies are using it for microservices and applications and data and so forth. So, it helps us understand what they're using it for, but also we use it to help us develop our commercial product, which is the management control plane for OPA. So, we learn about what they're missing in the open source project that we can use to build our commercial product which is ready for enterprise use. >> So you've had a lot of success with OPA. Talk to me about Styra DAS and why the need for that? >> Sure, so why do we need Styra DAS recognizing that OPA is very, very successful. So, the fundamental difference is OPA is a very focused on developers and it's very focused on an environment for an individual node or cluster, but it doesn't have all the enterprise features necessary for a real enterprise to go into production. So what we notice is companies use OPA for pre-production, but when they want to go into production, they need a user interface. 
They need a way to author policies, distribute policies, monitor policies, do impact analysis and a whole bunch of other features and capabilities that are needed for enterprise deployments and so forth. So that's a fundamental difference between OPA and the commercial product. The commercial product is really operationalizing in OPA for an enterprise deployment. >> So the relationship between Styra and OPA seems very collaborative to me that what you just described with the commercial product of Styra DAS is really one that was developed based on what the OPA community and Styra have learned together? >> Correct, Yes. So, OPA was created by the CTO, the founders of the company when the team was actually part of Nicira and they left Nicira which got acquired by VMware and so on early on several years ago, the need for distributed architectures and the need for unified policy so they left and created OPA. And from day one they wanted to get over into everybody's hands. That's why they contributed it to open source as part of CNCF. And then the next kind of strategy is to focus on the control apps aspects, the enterprise aspect. So yes, the same team that created OPA is the same team that's creating the Styra DAS commercial offering as well. >> So from the enterprise perspective, talk to me about some of the companies that you're talking to. I imagine any organization that's focused on cloud native, but any industry in particular that you see is really kind of leading edge right now? >> Yeah, so which industries are we talking to in terms of using Styra DAS and OPA? What we've actually found it's across the board. And we've seen in the early days that financial services and high tech were using OPA, but now it's really across the board. So it's all verticals really. 
And what we've noticed is any organization which is going through a cloud transformation project where they're either building new applications based upon cloud native app stacks like kubernetes and microservices and so forth or shift to the cloud are the companies that are also adopting OPA and the Styra DAS product, right? Because it's all part of the same solution set. And what we're noticing now and this is a fundamental difference is platform architects and developers are kind of prime to use these technologies. They learn about these technologies by going to the conferences and unlike the past which was very much top down selling from the sea level down, this is very much bottomed up. So developers learn about OPA from going to the conferences. They use it within their own environment and then they tell their management that, "Look, we're using OPA already. "We're missing these capabilities," or they come to us and we educate them about the Styra DAS product and so forth. So it's a very different sales model as well and that's why it's very important for ourselves and any open source company to really keep developers happy and provide a solution, that's meeting their requirements. >> On that side with so many of us and developers included working from home for the past nearly four months. We now are doing things like this virtual conversations, virtual events, how is Styra helping to continue to feed and educate those developers so that they can understand how you can impact their job functions and how they can then elevate you guys up the stack. >> Sure, so what's changed over the last three months or so in the market as a consequence of COVID-19 and from an educational point of view. 
So, what we've seen is, fundamentally, in the early days of COVID-19 everybody was kind of getting their head around how to work from home and so forth, but what we've seen across all verticals is developers have now really focused on educating themselves, and just as a data point, the audience that we get to the OPA website is as high as it's ever been for the last three months. And what we're doing as a company is a lot of training sessions, video content, write-ups, blogs and so forth, right? And really helping the community learn about OPA and how to solve these kind of fundamental problems around policy and authorization within the environment. We've also been helped by the community as well. So there have been talks by a number of companies, Microsoft, Google, Palo Alto had a talk, and many, many companies are talking about OPA now, and I love it because ultimately, being an open source company and building a project which we want to become de facto, we want to raise the bar for security across the world, right? And if we can do that then it's going to be an achievement for us, and it's very gratifying knowing that we're really fixing security problems for organizations, because ultimately we always want to be able to use an application or a banking service and not worry about privacy and security concerns, and that's ultimately what we're all after. But this is such a fundamental component that we want to have developers learn this now, because if they can incorporate this into the DevOps app stack, then in future years when these applications are built and they're exposed they'll be more secure.
>> And so it sounds like maybe there's even more engagement now during COVID when everybody is at home. Tell me about some of the things that are coming down the pipe for Styra in light of all of this exciting collaboration with the community.
>> Sure, yeah. There's definitely been way more collaboration as a consequence of COVID-19. People are at home and they're focusing, and they're going through learning sessions and browsing the website, going through the video content and so forth. So we're engaging as much as we have ever been; in fact I would argue that we're engaging even more so now, because it's just a different environment to work in. And what we're focused on now is really adding more features to the Styra DAS product. Just to step back for a second, Open Policy Agent works across the cloud native stack, and Styra DAS has been focused first on the Kubernetes use case and now it also supports microservices as well. And then what we're continuing to do is add more of those enterprise features into Styra DAS and move up and up across the stack. But it is all driven by developers that we're talking to on a daily basis, and that's leading to where the project is moving forward and the development of the roadmap and so forth.
>> And Styra DAS was only launched in 2019, is that correct?
>> 2019, yes, that's correct. That's correct. Yes, time flies, right? So, yes.
>> A lot of change and a lot of development in a short period of time.
>> That's right, and 2019 was a big year for us, right? We started 2019 with a soft launch at the RSA Conference and we finished 2019 with Series A funding led by Accel. And yeah, it's great to see how the commercial product has been gaining traction in the marketplace as well as OPA, and I think it's a combination of events. One, the fact that cloud native is now really well understood. Second, the fact that Kubernetes at the beginning of 2019, it was still, "What does Kubernetes mean, is it going into production?" Now Kubernetes is absolutely going into production, and there's such a desire for organizations to make sure that security and policy and compliance are resolved before applications go into production, otherwise we're going to have the same kind of challenges we had with previous app stacks.
>> Well, the momentum is certainly with you. I can definitely hear that in your voice, Bill. Thank you so much for joining me, talking about Styra, how you're reinventing policy and authorization for cloud native applications.
>> Thank you, Lisa.
>> For my guest Bill Mann, I'm Lisa Martin. You're watching the Cube Conversation. Thanks for your time. (upbeat music)
Bill Mann, Centrify | RSA North America 2018
>> Narrator: From downtown San Francisco it's TheCUBE covering RSA North America 2018.
>> Hey, welcome back everybody. Jeff Frick from TheCUBE. We're on the floor at the RSA Conference 2018. 40,000 plus people packed in Moscone North, South, West, and we're excited to be here. It's a crazy conference, security's top of mind obviously and everybody is aware of this. And our next guest, he's Bill Mann, chief product officer from Centrify. Bill, great to see you.
>> Great to see you.
>> So you guys have a lot of stuff going on, but what I think is interesting to me is you guys have this kind of no trust as your starting foundation. Don't trust anybody, anything, any device. How do you work from there? Why is that the strategy?
>> Well, that strategy is because we've got a really new environment now. A new environment where we have to appreciate that the bad actors are already within our environment. And if you stop believing that bad actors are already in your environment, you have to start changing the way you think about security. So it's a really different way of thinking about security. So what we call this new way of thinking about security is zero trust security. And you might have heard this from Google with BeyondCorp and so forth. And with that as the overarching kind of way we are thinking about security, we're focusing on something called NextGenAccess. So how do you give people access to applications and services where they're remote? They're not on the network and they're not behind a firewall, because who cares about the firewall anymore, because it's not secure.
>> Right. So there's four tenets of NextGenAccess. One is verify the user, verify the device that they are coming from so they're not coming from a compromised device. Then give them limited access to what they are trying to access, or what we call Limit Privilege and Access. And that last one is learn and adapt, which is this kind of pragmatic viewpoint, which is we're never going to get security right day one, right? To learn and adapt, and what we're doing is look at audit logs and session logs to change your policy and adapt to get a better environment.
>> So are you doing that every time they access the system? As they go from app to app? I mean, how granular is it? Where you're consistently checking all these factors?
>> We're always checking the end factor, and where we use an actual machine learning to check what's happening in the environment, and that machine learning is able to give that user a better experience when they are logging in. Let's say Bill's logging into Salesforce.com from the same location, from the same laptop all the time. Let's not get in the way, right? But if Bill the IT worker is going from a different location and logging into a different server, that's prompting for another factor of authentication, because you want to make sure that this is really Bill. Because fundamentally you don't trust anybody in the network.
>> And that's really what you guys call this NextGenAccess, right?
>> Bill: That's right, that's right, that's right.
>> It's not just I got a VPN. You trust my VPN. I got my machine. Those days are long gone.
>> Well, VPNs, no no to VPNs as well, right? We do not trust VPNs either.
>> So a big topic ever since the election, right, has been people kind of infiltrating the election. Influencing, you know, how people think. And you guys are trying to do some proactive stuff even out here today for the 2018 election to try to minimize that. Tell us a little bit more about it.
>> Yeah, we call it Secure The Vote. And if the audience has looked at the recent 60 Minutes episode that came on, that did a really good job that walked everybody through what was really happening with the elections. The way, you know, the Russians really got onto the servers that are storing our databases for the registration systems and changed data and created chaos in the environment. But the fundamental problem was compromised credentials. I mean, 80% of all breaches, believe it or not, have to do with compromised credentials. They are not around all the things we think are the problem. So what we're doing here with Secure The Vote is giving our technology to state and local governments for eight months for free. And essentially they can then upgrade their systems, right? So they can secure the vote. So fundamentally securing who has access to what and why and when. And if you look at the people who are working on election boards, they're volunteers, there are a lot of temporary staff and so forth.
>> Right, right.
>> So you can imagine how the bad guys get into the environment. Now we've got a lot of experience on this. We sell to state and local governments. We've seen our technology being used in this kind of environment. So we're really making sure that we can do our part in terms of securing the election by providing our technology for free for eight months, so election boards can use our technology and secure the vote.
>> So how hard is it, though, for them to put it in for a temporary kind of situation like that? You made it pretty easy for them to put it in if they are not an existing customer?
>> Absolutely. I mean, one of the things, one of the fallacies around this whole NextGenAccess space is the fact that it's complicated. It's all SaaS-based, it's easy to use, and it's all in bite-sized chunks, right? So some customers can focus on the MFA aspects, right? Some customers can focus on making sure the privileged users who have access to the databases, right, are limiting their access, right? So there's aspects of this that you can implement based upon where you want to be able to, what problem you want to be able to solve. We do provide a very pragmatic best practices way of implementing zero trust. So we are really providing that zero trust platform for the election boards.
>> Jeff: Alright, well that's great work, Bill, and certainly appreciated by everybody. We don't want crazy stuff going on in the elections.
>> Absolutely.
>> Jeff: So we'll have to leave it there. We'll catch up back in the office. It's a little chaotic here, so thanks for taking a few minutes.
>> Thank you very much.
>> Alright, he's Bill Mann and I'm Jeff Frick. You're watching TheCUBE from RSA 2018. Thanks for watching. (bright music)
Bill Mann, Centrify | AWS re:Invent
>> Announcer: Live from Las Vegas, it's theCUBE covering AWS re:Invent 2017. Presented by AWS, Intel, and our ecosystem of partners. (techno music)
>> Welcome back here on theCUBE, of course the flagship broadcast for SiliconANGLE. Along with Justin Warren, I am John Walls, and we are live at re:Invent, AWS' annual shindig here in Las Vegas, and certainly with great success they have staged this year's event. We'll have more on that a little bit later on. Right now we're joined by Bill Mann, who's the Chief Product Officer at Centrify, the latest newcomer to the AWS Marketplace.
>> Yes.
>> John: Bill, good to see you, thanks for the time today.
>> Thanks for the time as well.
>> Big week for you, right?
>> Yup.
>> Joining the marketplace, tell us about the driver of that decision, and then what you're bringing, literally, to the marketplace?
>> Sure, sure. Well, we're bringing our products to the marketplace. We're very excited about getting our products on the marketplace, and what was really the driver for us was, we wanted to really be part of the Amazon ecosystem, and we wanted to reduce the friction of selling to enterprise and mid-market customers, and this was the way to get to those customers. We realized really early on that customers are already buying all the other services from Amazon already. They're buying their instances. They're buying their storage, and so forth. So, getting our products on the marketplace was just an important aspect of reaching those customers and removing the friction, and so forth. Also, with the move to the cloud, our customers were asking for how to secure servers in the cloud, and secure access to applications in the cloud, and then things just kind of lead, one thing leads to another, where you say, okay, let's put everything in one place as well. I kind of use the analogy of we buy our diapers from Amazon now, and everything else, but the IT shop is working the same way. They don't want to deal with multiple vendors, and if you can reduce that friction, at least my theory is, reducing that friction will mean we can sell more product to the customer.
>> That's an interesting image, diapers from... (laughter)
>> It's the everything store.
>> I didn't give a chance to talk about Centrify a little bit. Security firm with the tag "The breach stops here", so just tell, for those at home who might not be familiar with Centrify, a little bit more about your specific offers.
>> Sure, well, let's start with the breach stops here. The reason we have our tagline, "the breach stops here", is it really is a definition of what's happening in the marketplace. If you look at most of the breaches out there, 80% of most breaches are to do with compromised credentials, our passwords, and that is really an area that we focus on. We are really trying to solve the problem, how users have access to the applications, like Salesforce, or any home-grown applications, or how IT users have access to their servers, like a server on AWS, and using a password, and having too much privileges, is really the wrong way to do things, so we are solving that problem, and that's why we kinda start off with that line of the breach stops here, because we fundamentally believe that if you implement security based upon identity you're gonna be able to reduce your risk.
>> Security is such a hot market right at the moment. We're hearing constantly, we were talking earlier on theCUBE, where we're talking IoT, and it immediately went to security. It was being really, really top of mind for people, so the things that you're doing with Centrify, there's kind of two prongs to it, if I understand it. So, one is identity management. So, knowing who people are. So that credentials management. And the other one's to do with the access, is that right? We were talking before we went to air about the BeyondCorp concept, where instead of having this sort of inside protected crunchy layer, and then everything outside is bad, now it's just becoming everything everywhere should not be trusted, unless you are cleared by something like Centrify.
>> So, yes, so, for those of you who are familiar with the BeyondCorp model, the model really is about zero trust. So, if you think of these two things here, a user and, let's say, a server instance, the thing in between you can't trust, and in the past we've been trusting the firewall to stop the bad guys from coming into our network. So really the concept is around, assume the bad actors are everywhere, and now that you've assumed that, let's now focus on what you can do to actually gain security. So the concepts are, let's do identity assurance. Let's make sure this is really Bill. Let's make sure Bill's coming from a trusted device, yeah, like a known mobile phone that hasn't been jailbroken, has the right configuration policies, et cetera. Then let's do access control, or what we call least privilege, to the asset that they're trying to have access to. So, is Bill coming from this show, from his phone, allowed to access Salesforce.com? Or is Bill coming from this phone able to log in to a Unix instance on AWS now? And what can he do on that instance? Can he go to root and restart the Oracle database, or can he just run some lower-level privilege commands? So that's the scope of what we're doing. In fact, BeyondCorp is a great descriptor of what we do. If a company wants to implement BeyondCorp, that security paradigm, which I think a lot of modern companies are thinking that way, you can use the services that we provide on the Amazon Marketplace to implement that. We have a service called Application Service, which is all about securing your applications. We have a service called Endpoints Service, which is securing the endpoints, like the mobile phones and so forth, and we have a service called Infrastructure Service, which is securing instances in the cloud. Access to those instances, and all those services can be used together as well, because, as you know, I'm an IT user. One day I'm using Outlook to read my email, and in the next second I'm logging onto a Unix instance. So, for me, it's bringing all these components together, and that's provided throughout by the marketplace.
>> Yeah, and really, providing that security in context, as you mentioned. It could be the same person. Like, I'm at work, and I'm doing some things, and I've got access to all these great, all of this information inside the company, but when I go home, should I still have access to that? Probably not. So, if I'm sitting home and I'm using my device, as many of us do, I have children, and they sometimes put games on your phone, or load stuff on your computer. So, if I've got my work computer at home with me, and I suddenly start deciding, hmm, I think I'll log in and download all of the sales information, that shouldn't happen.
>> That's absolutely right. So, the context is that core part of it, and that's what Endpoints Service does for us. So going back to an Amazon use case, if I'm at home and I'm logging on to my Amazon console, yeah? From my home machine, let's say, and I'm kicking off an instance, should I be able to do that? I'm not using, maybe, an endpoint that is authorized, but I could authorize an endpoint and say this is a known endpoint, like a lot of IT workers do. And you could also do things like, I'm in Vegas now, and I'm using my Mac, and I'm trying to go to the Amazon console, should I be able to, because that's outside of my normal behavior, in which case we would up-level your multi-factor authentication, it would re-prompt me to re-authenticate. So, all of that is built into our environment. So, our services are not just for Amazon. It's for on-premises, and for cloud apps, cause it's the whole gamut of what an enterprise has. As companies are moving, or migrating from on-premises to the cloud, we can protect the applications and servers on premises, as well as servers in cloud, and applications on premises, as well as SaaS apps, like Salesforce, or Concur, et cetera, et cetera. So, it's that gamut of giving a user access to applications and infrastructure that we're doing with this BeyondCorp model in mind. Which is, I think, the cool and the interesting thing about what we're doing, because we are connecting these components together, and that's the only way we're going to raise security, cause if you go back to the stat I gave you earlier about the 80%, that is the problem, right? A firewall will not protect you from these breaches, and we could have an argument about it, but if it was, then we wouldn't see the breaches, right? That's kind of the high level.
>> John: Yeah.
>> There's only so much that you as, like, Amazon can do so much about securing their environment, but ultimately you as the customer need to spend a bunch of time, and...
>> Just like they did, shared responsibility, right?
>> Absolutely right. I mean, Amazon does an awesome job in defining the shared responsibility model, and we are relying on them to do their part of the responsibility, and we're providing the technology for the customers to worry about their aspect, right? So, Amazon does not worry about Bill coming from this device, having access to an instance, we're worrying about those things. So, absolutely, we're part of the shared responsibility model for Amazon.
>> We're not going to worry about Bill coming in either. I think you're okay. I think it'll be alright. How do you guys, in the big picture, put on your bad guy hat? How do you look for, if you offer a product, this is our latest security offering, now let's go look for holes? Now let's, I mean, you're trying to beat it up all the time, right? You're always, you're looking for vulnerabilities? So, how do you switch gears like that, and go to the other side of the fence to think about what the next problem is going to be, or what the next vulnerability is going to be?
>> Well, you know, I think we, like most other security, modern security companies, we are thinking, one side of our brain is thinking like the bad guys all the time. We have to, and honestly, they are always multiple steps ahead of us, and one of the things I like to really make sure customers understand is, some customers get really wound up about zero risk, right? They want it to be perfect before they implement a solution, and really the reality is, most companies don't even have multi-factor authentication implemented for all of their employees, and if companies just implemented multi-factor authentication for all their users, for all their access, you would have a significant reduction in risk. So, the types of security we're focused on is not about reducing risk to zero, or finding every single vulnerability out there. It's really trying to attack the problem that hasn't been attacked already. Let me give you another analogy. As we all know, patching is a basic security model that we all need to know. Yeah, but how many vulnerabilities have there been in the news where patching was not done? We're like patching. You know, understanding the user is authenticating in an environment without a password, and instead using multi-factor authentication, is the best precaution against the bad guys. It won't eliminate risk, right, but it's going to drastically reduce it. Now, as part of the services we're offering on Amazon, we have multi-factor authentication as a service, right? By definition, as it's a service, means it can be implemented extremely fast for enterprise. It's a SaaS service, right? It's pay by use, right? By definition. So, gone are the days where the technology was the reason you couldn't implement these sets of capabilities, cause they're easy to procure, they're in the cloud, they're mobile friendly, they're modern, et cetera, et cetera. So that's how we really deal with the aspect of the bad guys, right? They're going to be there all the time, but honestly speaking, companies have spent so much time, and energy, and dollars on the wrong security products, right? Or focusing on the wrong stuff, and it was fine when you had a legacy, closed environment with no cloud and no SaaS, but that's not the environment anybody lives in, especially a show like this. Everybody's using the cloud, it's like the obvious thing, right? So, it should be obvious that these kind of controls need to be implemented.
>> I agree. Just do the simple things. If you can do one or two simple things, multi-factor, absolutely. Just do these basic things. You will eliminate 80% of your risk. Do that first, then worry about the esoteric problems that are going to cost millions and millions of dollars to solve. Just, you know, brush your teeth. Go for a walk. (John laughing)
>> We define a maturity model of going towards BeyondCorp slash zero trust, and the first thing on that maturity chart is identity assurance, i.e. multi-factor authentication, and that's the first thing that organizations need to implement, and the issue is companies haven't implemented these products in the past because they've been too expensive on-premise, hard to implement, not mobile friendly. So we're hoping once we're on Amazon's marketplace, with the reach we've got with Amazon, we're going to see a lot of customers adopting those. So, it's good for us as a business, but ultimately it's good for enterprises. They're going to get safer, and our data is gonna be safeguarded, and so forth, which is the primary responsibility.
>> I'm not sure. I think Justin just told you to take some time off. (laughing) I'm not sure. Bill, thanks for being with us.
>> Bill: Thank you very much.
>> Thanks for the time, and congratulations on joining the marketplace, and we wish you continued success at Centrify.
>> Cheers. Thank you.
>> Thank you, sir. Bill Mann, Chief Product Officer at Centrify. Back with more here, live at AWS. We're at re:Invent. Live at Las Vegas. Back with more on theCUBE, just in a bit. (techno music)
Bill Mann, Centrify | CyberConnect 2017
>> Narrator: Live from New York City, it's the CUBE covering CyberConnect 2017 brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> Okay welcome back everyone. This is the CUBE's live coverage in New York City exclusively with the CyberConnect 2017, it's an inaugural event presented by Centrify. It's not a Centrify event. Centrify one of the fastest growing security startups in Silicon Valley and around the world. It is underwriting this great event bringing industry, government and practitioners together to add value on top of the great security conversations. I'm John Furrier, your host with Dave Vellante, my co-host, my next guest is Bill Mann who's the Chief Product Officer with Centrify. Welcome back to the CUBE, great to see you. >> Hey, great to be here. >> Thanks and congratulations for you guys doing what I think is a great community thing, underwriting an event, not just trying to take the event, make it about Centrify, it's really an organically driven event with the team of customers you have, and industry consultants and practitioners, really, really great job, congratulations. >> Bill: Thank you. >> Alright so now let's get down to the meat of the conversation here at the show in the hallways is general's conversation, General Alexander talking about his experience at the NSA and the Fiber Command Center. Really kind of teasing out the future of what cyber will be like for an enterprise whether it's a slow moving enterprise or a fast moving bank or whatever, the realities are this is the biggest complexity and challenge of our generation. Identity's at the heart of it. You guys were called the foundational element of a new solution that has people have to coming together in a community model sharing data, talking to each other, why did he call you guys foundational? 
>> I think he's calling us foundational because I think he's realizing that having strong identity in an environment is kind of the keys to getting yourself in a better state of mind and a better security posture. If we look at the kind of the foundational principles of identity, it's really about making sure you know who the people are within your organization, by doing identity assurance so that's a foundational principle. The principle of giving people the least amount of access within an organization, that's a foundational principle. The principle of understanding what people did and then using that information and then adjusting policy, that's a foundational principle. I think that's the fundamental reason why he talks about it as a foundational principle and let's face it, most organizations are now connected to the Cloud, they've got mobile user, they've got outsourced IT so something's got to change, right. I mean the way we've been running security up until now. If it was that great, we wouldn't have had all the threats, right? >> And all kinds of silver bullets have been rolling out, Dave and I were commenting and Dave made a point on our intro today that there's no silver bullet in security, there's a lot of opportunities to solve problems but there's no, you can't buy one product. Now identity is a foundational element. Another interesting thing I want to get your reaction to was on stage was Jim from Aetna, the Chief Security Officer and he was kind of making fun with himself by saying I'm not a big computer science, I was a history major and he made a comment about his observation that when civilizations crumble, it's because of trust is lost. And kind of inferring that you can always connect the dots that trust in fundamental and that email security and most of the solutions are really killing the trust model rather than enhancing it and making it more secure so a holistic view of trust stability and enhancement can work in security. 
What's your reaction to that? >> So it's a complicated area. Trust is complicated let me just kind of baseline that for the moment. I think that we unfortunately, need to have better trust but the way we're approaching trust at the moment is the wrong way so let me give you a simple example. When we go, when we're at home and we're sleeping in our homes and the doors and windows are closed, we inherently trust the security of our environment because the doors and windows are closed but reality is the doors and windows can be really easily opened right, so we shouldn't be trusting that environment at all but we do so what we need to instead do is get to a place where we trust the known things in our environment very, very well and understand what are the unknown things in our environment so the known things in our environment can be people right, the identity of people, can be objects like knowing that this is really Bill's phone, it's a registered phone and it's got a device ID is better than having any phone being used for access so like I said, trust, it's complicated. >> John: But we don't know it has malware on there though. You could have malware. >> You could have malware on there but look, then you've got different levels of trust, right. You've got zero trust when you don't know anything about it. You've got higher levels of trust when you know it's got no malware. >> So known information is critical. 
>> Known information is critical and known information can then be used to make trust decisions but it's when we make decisions on trust without any information and where we infer that things are trustworthy when they shouldn't be like the home example where you think the doors are closed but it's so easy to break through them, that's when we infer trust so trust is something that we need to build within the environment with information about all the objects in the environment and that's where I think we can start building trust and that's I think how we have to approach the whole conversation about trust. Going back to your example, when you receive an email from somebody, you don't know if it came from that person right. Yet I'm talking to you, I trust that I'm talking to you, right, so that's where the breakdown happens and once we have that breakdown, society can break down as well. >> But going back to your device example so there are situations today. I mean you try to log on to your bank from your mobile device and it says do you want to remember this device, do you want to trust this device? Is that an example of what you're talking about and it might hit me a text with a two factor authentication. >> That's an example, that's absolutely an example of trust and then so there's a model in security called the zero trust model and I spoke about it earlier on today and that model of security is the foundational principles of that is understanding who the user is, understanding what endpoint or device they're coming from and that's exactly what you've described which is understanding the context of that device, the trustworthiness of the device, you know the location of that device, the posture of that device. 
All of those things make that device more trustworthy than knowing nothing about that device and those are the kind of fundamental constructs of building trust within the organization now as opposed to what we've got at the moment is we're implying trust without any information about really trust right. I mean most of us use passwords and most of us use password, password so there's no difference between both of you, right and so how can I trust-- >> I've never done that. >> I know but how can we trust each other if we're using you know, data like that to describe ourselves. >> Or using the data in your Linkedin profile that could be socially engineered. >> Bill: Exactly. >> So there's all kinds of ways to crack the passwords so you brought up the trust so this is a, spoofing used to be a common thing but that's been resolved that some, you know same calling some techniques and other things but now when you actually have certificates being compromised, account compromised, that's where you know, you think you know who that person is but that's not who it is so this is a new dynamic and was pointed out in one of the sessions that this account, real compromises of identity is a huge issue. What are you guys doing to solve that problem? Have you solved that problem? >> We're addressing parts of solving that problem and the part of the problem that we're trying to solve is increasing the posture of multi factor authentication of that user so you know more certainty that this is really who that person is. But the fact of the matter is like you said earlier on, trying to reduce the risk down to zero is almost impossible and I think that's what we have to be all clear about in this market, this is not about reducing risk to zero, it's about getting the risk down to something which is acceptable for the type of business you are trying to work on so implementing MFA is a big part of what Centrify advocates within organizations. >> Explain MFA real quick. 
>> Oh, multi factor authentication. >> Okay, got it. >> Something that we're all used to when we're using, doing online banking at the moment but unfortunately most enterprises don't implement MFA for all the use cases that they need to be able to implement before. So I usually describe it as MFA everywhere and the reason I say MFA everywhere, it should be for all users, not a subset of the users. >> Should be all users, yeah. >> And it should be for all the accesses when they're accessing salesforce.com or Concur so all the application, all the servers that they access, all the VPNs that they access, all the times that they request any kind of privilege command, you should reauthenticate them as well at different points in time. So implementing MFA like that can reduce the risk within the organization. >> So I buy that 100% and I love that direction, I'd ask you then a hard question. Anyone who's an Apple user these days knows how complicated MFA could be, I get this iCloud verification and it sends me a code to my phone which could be hacked potentially so you have all these kinds of complexities that could arise depending upon how complicated the apps are. So how should the industry think about simplifying and yet maintaining the security of the MFA across workloads so application one through n. >> So let me kind of separate the problems out so we focus on the enterprise use case so what you're describing is more the consumer use case but we have the same problem in the enterprise area as well but at least in the enterprise area I think that we're going to be able to address the problems sooner in the market. >> John: Because you have the identity baseline? >> One, we have the identity and there's less applications that the enterprise is using. >> It's not Apple. >> It's not like endpoints. >> But take Salesforce, that's as much of a pain, right. 
>> But with applications like Salesforce, and a lot of the top applications out there, the SaaS applications out there, they already support SAML as a mechanism for eliminating passwords altogether and a lot of the industry is moving towards using API mechanisms for authentication. Now your example for the consumer is a little bit more challenging because now you've got to get all these consumer applications to tie in and so forth right so that's going to be tougher to do but you know, we're focused on trying to solve the enterprise problem and even that is being a struggle in the industry. It's only now that you're seeing standards like SAML and OWASP getting implemented whereby we can make assertions about an identity and then an application can then consume that assertion and then move forward. >> Even in those situations if I may Bill, there's take the trust to another level which is there's a trusted third party involved in those situations. It might be Twitter, Linkedin, Facebook or Google, might be my bank, it might be RSA in some cases. Do you envision a day where we can eliminate the trusted third party with perhaps blockchain? >> Oh I actually do. Yeah, no, I do, I think the trusted third party model that we've got is broken fundamentally because if a break in to the bank, that's it, you know the third party trust but I'm a big fan of blockchain mainly because it's going to be a trusted end party right so there's going to be end parties that are vouching for Bill's identity on the blockchain so and it's going to be harder to get to all those end miners and convince them that they need to change their or break into them right. So yeah I'm a big fan of the trust model changing. I think that's going to be one of the biggest use cases for blockchain when it comes to trust and the way we kind of think about certificates and browsers and SSL certificates and so forth. 
>> I think you're right on the money and what I would add to that is looking at this conference, CyberConnect, one theme that I see coming out of this is I hear the word reimagining the future here, reimagining security, reimagining DNS, reimagining so a lot of the thought leaders that are here are talking about things like okay, here's what we have today. I'm not saying throwing it away but it's going to be completely different in the new world. >> Yeah and I think you know the important thing about the past is got to learn from the past and we got to apply some of the lessons to the future and things are just so different now. We know with microservices versus monolithic application architectures you know security used to be an afterthought before but you know, you talk to the average developer now, they want to add security in their applications, they realize that right so, and that's going to, I mean, maybe I'm being overly positive but I think that's going to take us to a better place. >> I think we're in a time. >> We need to be overly positive Bill. >> You're the chief officer, you have to have a 20 mouth stare and I think you know legacy always has been a thing we've heard in the enterprise but I just saw a quote on Twitter on the internet and it was probably, it's in quotes so it's probably right, it's motivating, a motivating quote. If you want to create the future, you've got to create a better version of the past and they kind of use taxis versus Uber obviously to answer of a shift in user behavior so that's happening in this industry. There's a shift of user experience, user expectations, changing internet infrastructure, you mentioned blockchain, a variety of other things so we're actually in a time where the better mouse trap actually will work. If you could come out with a great product that changes the economics and the paradigm or use case of an old legacy. So in a way by theory if you believe that, legacy shouldn't be a problem. 
>> You know and I certainly believe that. Having a kid who's in middle school at the moment, and the younger generation, to understand security way more than we ever used to and you know, this generation, this coming generation understands the difference between a password and a strong password and mobile be used as a second factor authentication so I think that the whole tide will rise here from a security perspective. I firmly believe that. >> Dave: You are an optimist. >> Well about government 'cause one thing that I liked about the talk here from the general was he was pretty straight talk and one of his points, I'm now generalizing and extrapolating out is that the HR side of government has to change in other words the organizational behavior of how people look at things but also the enterprise, we've heard that a lot in our Cloud coverage. Go back eight years when the Clouderati hit, oh DevOps is great but I can't get it through 'cause I've got to change my behavior of my existing staff. So the culture of the practitioners has to change. >> Bill: Yes, absolutely. >> 'Cause the new generation's coming. >> Oh absolutely, absolutely. I was speaking to a customer this morning who I won't mention and literally they told me that their whole staff has changed and they had to change their whole staff on this particular project around security because they found that the legacy thinking was there and they really wanted to move forward at a pace and they wanted to make changes that their legacy staff just wouldn't let 'em move forward with so basically, all of their staff had been changed and it was a memorable quote only because this company is a large organization and it's struggling with adopting new technologies and it was held back. It was not held back because of product or strategies, >> John: Or willingness. >> Or willingness. 
It was held back by people who were just concerned and wanted to stick to the old way of doing things and that has to change as well so I think you know, there's times will change and I think this is one of those times where security is one of those times where you got to push through change otherwise I mean I'm also a believer that security is a competitive advantage for an organization as well and if you stick with the past, you're not going to be able to compete in the future. >> Well, and bad user behavior will always trump good security. It was interesting to hear Jim Routh today talk about unconventional message and I was encouraged, he said, you know spoofing, we got DMARC, look alike domains, we got sink holes, display name deception, we've got, you know we can filter the incoming and then he talked about compromised accounts and he said user education and I went oh, but there's hope as an optimist so you've got technologies on the horizon to deal with that even right so you. >> I'm also concerned that the pace at which the consumer world is moving forward on security, online banking and even with Google and so forth that the new generation will come into the workforce and be just amazed how legacy the environments are right, 'cause the new generation is used to using you know, Google Cloud, Google Mail, Google everything and everything works, it's all integrated already and if they're coming to the workplace and that workplace is still using legacy technologies right, they're not going to be able to hire those people. >> Well I'll give you an example. When I went to college, I was the first generation, computer science major that didn't have to use punch cards and I was blown away like actually people did that like what, who the hell would ever do that? And so you know, I was the younger guy coming up, it was like, I was totally looking down. >> Dave: That's ridiculous. >> I would thank God I don't do that but they loved it 'cause they did it. 
>> I mean I've got the similar story, I was the first generation in the UK. We were the first Mac-Lab in the UK, our university had the first large Mac, Apple Macintosh Lab so when I got into the workplace and somebody put a PC in front of me, I was like hold on, where's the mouse, where's the windows, I couldn't handle it so I realized that right so I think we're at that kind of junction at the moment as well. >> We got two minutes left and I want to ask you kind of a question around the comment you just made a minute ago around security as a competitive advantage. This is really interesting, I mean you really can't say security is a profit center because you don't sell security products if you're deploying state of the art security practices but certainly it shouldn't be a cost center so we've seen on our CUBE interviews over the past year specifically, the trend amongst CCOs and practitioners is when pressed, they say kind of, I'm again generalizing the trend, we're unbundling the security department from IT and making it almost a profit center reporting to the board and or the highest levels, not like a profit center but in a way, that's the word they use because if we don't do that, our ability to make a profit is there so you've brought up competitive strategy, you have to have a security and it's not going to be underneath an IT umbrella. I'm not saying everyone's doing it but the trend was to highlight that they have to break out security as a direct report as if it was a profit center because their job is so critical, they don't want to be caught in an IT blanket. Do you see that trend and your comment and reaction to that statement? >> I see that trend but I see it from a perspective of transparency so I think that taking security out of the large umbrella of IT and given its own kind of foundation, own reporting structure is all about transparency and I think that modern organizations understand now the impact a breach can have to a company. 
>> John: Yeah, puts you out of business. >> Right, it puts you out of business right. You lose customers and so forth so I think having a security leader at the table to be able to describe what they're doing is giving the transparency for decision makers within the organization and you know, one of my other comments about it being a competitive advantage, I personally think let's take the banking arena, it's so easy to move from bank A to bank B and I personally think that people will stay with a certain bank if that bank has more security features and so forth. I mean you know, savings, interest rates going to be one thing and mortgage rates are going to be one thing but if all things are even. >> It's a product feature. >> It's a product feature and I think that again, the newer generation is looking for features like that, because they're so much more aware of the threat landscape. So I think that's one of the reasons why I think it's a competitive advantage but I agree with you, having more visibility for an organization is important. >> You can't make a profit unless the lights are on, the systems are running and if you have a security hack and you're not running, you can't make a profit so it's technically a profit center. Bill I believe you 100% on the competitive strategy. It certainly is going to be table stakes, it's part of the product and part of the organization's brand, everything's at stake. Big crisis, crisis of our generation, cyber security, cyber warfare for the government, for businesses as a buzz thing and business, this is the Centrify presented event underwritten by Centrify here in New York City. CyberConnect 2017, the CUBE's exclusive coverage. More after this short break. (electronic jingle)
Tim Hinrichs, Styra | CUBE Conversation, February 2021
>> From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE conversation. >> Hi, and welcome to another CUBE Conversation. I'm Stu Miniman coming to you from our Boston area office. We've been in the cloud native ecosystem for many years. We know many open source projects, really helping to drive innovation, help companies modernize what they're doing. And one of the companies that leads one of those initiatives, happy to welcome to the program, we're going to be talking to the co-founder and CTO of Styra, that is Tim Hinrichs. First time on theCUBE, of course, company behind OPA. Tim, thank you for joining us. Welcome to the program. >> Hi Stu, thanks for having me. >> All right, so we've had the CEO of Styra, Bill Mann, on the program before, he's many time CUBE alum, it's your first time, and I always love when I get the founder on the program. Of course the question is, give us the why Tim. There's no shortage of tools out there in the industry, but as we've seen in the ecosystem, there's always companies, I wish something could happen, I wish we had something there. Often they've built it for themselves, and then, create a project. So bring us back a little bit to that origin story and what you and the team, what was the inspiration? >> So when we... the first thing to know is that really at Styra what we're focused on is helping enterprises that are embracing cloud native technology, sort of enforce and control the authorization policies across all their different Cloud native software. So remember, authorization is the problem of which people and which machines can perform which actions on software. And so the way this all got started was we were at VMware, before we founded Styra, and we were talking to a number of our customers from finance and tech, and what they did was they had built one of these things. 
They had built a unified solution policy to manage their authorization needs across many different pieces of software. So at that point we knew that the problem was very real, 'cause people had to solve it themselves. And so when- >> I'm sorry Tim. Just one thing to make sure I understand this. So in the policy management you talk about there, help me understand how that fits into say identity management which is one of the top things we think about when I'm managing my IT, when I go to the Cloud. It seems related but different, yes? >> Absolutely, yeah. So identity management is really this problem of who are you? It's often solved, from a user's point of view, by providing a username and a password, or a thumbprint, or a multi-factor authentication. That's an important problem that needs to be solved. That's authentication or identity. And it's really about proving who you are. But authorization is the next step, it's about what actions can you perform once you've convinced the machine who you are. And so really that's the piece that we focus on. >> All right, yeah, once can we get people in we need... It's usually you want to give them the least amount of access possible. We understand that from a security standpoint, we need to do this. So you've said what the kind of problem was, and that this is there so how open source?... I mean we know often it's, there's many reasons why projects end up open source. So give us the journey here. >> So it started, we've really got two pieces of software, So one of which, as you say is completely open source, it's become the open policy agent project, we decided to open source it and then eventually donate it to the CNCF because its sort of mission in life is to make authorization decisions, make decisions about if an action that a user or machine is trying to take is safe or not. And, that project is really designed to be a decision maker across all the different kinds of software in the cloud native ecosystem. 
And so naturally, there's a need for a lot of expertise about a whole bunch of different areas, about a whole bunch of different pieces of software and the best way to sort of leverage all of the world's knowledge about all those different pieces of software is to put that project out into the open. And so for us, it was just an easy, very easy thing to do. Every single line of code that goes into OPA has been done. >> Well, absolutely it's a project I know I've seen the stickers, I've seen people talking about it in the breakout at KubeCon CloudNativeCon shows. Let's not leave everybody, waiting for the news though Tim, it had been an incubating project, believe you've got some news for us. >> Yeah, absolutely so OPA has now officially graduated, it's now moved from incubation into the graduation portion of the CNCF. And for us, it's really exciting because it really is a reflection of the maturity of the project. Right? There's so many people using OPA and using it to solve all kinds of different use cases. We're even seeing vendors pick it up and offer native integrations with their homegrown software. So it's really exciting to see the progress the project has made. >> Just for the audience that might not be familiar. What does this mean now that it's graduated as a maturity level? Is it production ready? What are those criteria that allowed it to go from that incubating stage to the graduation? >> Yeah, so there are a bunch of criteria, but I think the biggest one really is really users in production, right? It has been proven at scale for many different users all over the world, right? CNCF just did a survey recently there, a couple hundred different organizations all across the world who were using OPA in some way, shape or form. We see it all the time at KubeCon and CloudNativeCon talks, you can hear all about all the folks who were using it. 
>> Yeah, so maybe it would help if you've got a customer example or use case that you can walk us through as to how exactly that fits. >> For sure yeah. So the nice thing about OPA and more generally Styra is that you can apply it to all different kinds of use cases. So there are a couple of very popular ones using it for Kubernetes admission control or micro service authorization, those are the two most popular right now. And they both work roughly the same way but I'll give you a concrete example. For Kubernetes, anytime some end user's trying to spin up any resource, whether the pod or an Ingress or anything on the Kube cluster, you can integrate OPA with that Kube API server and allow OPA to make a decision, is this new resource safe to deploy on the cluster? Or is it not? Micro service authorization works almost exactly the same way, every time one of those micro services receives an API call, it can ask OPA is this API call safe for me to execute or not? And so both of those are going to work in basically the same way and that's true for all the other applications and use cases for OPA. >> Okay, and give us some of the stats if you would, how many people how many companies and people contribute to it? What does the customer base look like? >> So I think there are a bunch of interesting metrics, I think that the one that's most interesting to me is the number of downloads a week. Right now, we're at roughly a million downloads a week, which is super exciting. I remember those days when we hit that one million mark total and we were very excited. And so now we're at a point where it's every week, we're hitting a million downloads, all kinds of contributors as well and I think, another good metric there to think about are, talks I think we had nearly 50 talks, organic talks from end users on OPA that we ran across it last year. 
>> Well it's wonderful is the thing we love in that ecosystem there is it's not just using it contributing, to the code, sharing with the community. Tim, what are the challenges in this ecosystem? if you go to the CNCF website and you look at the landscape, it's a little bit scary and daunting just because there's so many different pieces. What I understand from OPA is, are there any dependencies there when you think about, the other services that it interacts with? Or does it just, kind of do its own thing enables customers? >> Yeah, so OPA is, wasn't designed to be a standalone project, right? It doesn't depend on really any other CNCF or really any other project. It was designed to make these policies of these authorization decisions and but at the same time, it's also designed to make it very easy to integrate with a wide range of software systems. And so, I think on the OPA website we've got over 25 different integrations that we or the community have built around OPA, to go ahead and give you and deliver on that vision of unified authorization. >> You mentioned that Styra has kind of two pieces help us understand, what is graduating mean for customers in general? And for Styra? Help us understand a little bit more of the business that goes along with it. >> So like I said, that first piece that we build that first piece of software we built was the policy agent project open source, the second piece of software that we built is a control plane for OPA. The idea architecturally behind OPA is that you don't have one copy of OPA running, typically, you might have 10, or 100, or thousand copies of OPA running. And you do that for availability and performance aid for decision making. And so Styra's second piece of software is what we call the declarative authorization service. It is a control plane and management plane, a single pane of glass that allows you to operationalize OPA at scale for the enterprise. 
So it really is designed to give you that ability to control and manage, distribute policy, write policy, log all the policy decisions for all those OPAs. And so that's really where we're, that's the second piece of software that we're putting a lot of effort energy into. >> All right, now that the great graduation is there, what does this mean? Give us a little bit of the roadmap, you're the CTO, we know, there's always, feedback and other updates coming. So what should we be expecting to be seeing going forward? >> So there are a couple of things I'll mention here, one of which is that with OPA we did a survey recently, just trying to get a sense as to what the community needs and how they're using OPA and so one of the things we found was that the fastest growing use case for OPA, it looks to be application authorization, right? So if you're building a custom application, maybe it's a banking application, that application needs to decide every time a user performs an action is this authorized or not? So if I'm trying to withdraw money from an account, is it safe or not? And so that's the fastest growing use case for OPA that we saw on that and so what I expect to see is more and more people talking about using OPA for that application level authorization. On the Styra side, I think what we're looking forward to is just continuing to chat with the community and understand what they need around operationalizing OPA and making that control plane, that management plane do all the things that enterprises need to operationalize OPA at scale. >> Tim, you've reached the graduation, which is a phenomenal milestone in the project there, there's so many other projects out there wonder what advice you would give to other people starting business, starting a project engaging with the open source community? What have you learned along the way? Any lessons learned? And what feedback would you give others? 
>> Absolutely, so if I'm talking to somebody else who's interested in starting an open source project, I'll give them a little bit of advice. So the first of which is that certainly the code matters a lot. The code's got to be technically sound, it's got to be solving real problems. Everybody understands that. I think what a lot of people understand less is that when you start a project, you need to put a lot of energy into growing that community, that communication. You need to focus a lot, you need to reach out to end users and actively engage with them. Help them understand what the project's good for. Help them be successful with it. And so I think that piece is what a lot of people don't really understand, and it's something that I think, if more people did, we'd see a lot more successful open source projects. >> Alright, Tim, I'll let you have the final word and any final things you want to feed back to the community or potential customers for Styra? >> Sure, so first of all, I'd like to say thank you to all of our community members, all the users who've worked with us, all the vendors who are doing integrations with OPA. We'd love to see it, we'd love to see more of it. And at the end of the day, I've got to say I'm super excited to be working both with OPA and our commercial declarative authorization service to really deliver on that vision of unified authorization and deliver that to the world at large. >> Tim, congratulations to you and the OPA team and Styra. Definitely looking forward to seeing you at the next gathering of the community, and we'll hear more updates in the future. >> Thanks so much for having me, Stu. This is great. >> All right, and be sure to check out cube.net for all the back catalog of interviews that we've done, including with the CEO of Styra, as well as upcoming events that we will be at including, of course, KubeCon CloudNativeCon North America happening later this year virtually.
I'm Stu Miniman, and thank you for watching theCUBE.
James Scott, ICIT | CyberConnect 2017
>> Narrator: New York City, it's the Cube covering CyberConnect 2017, brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> Welcome back, everyone. This is the Cube's live coverage in New York City's Grand Hyatt Ballroom for CyberConnect 2017, presented by Centrify. I'm John Furrier, the co-host of the Cube, and my co-host this week is Dave Vellante, my partner and co-founder and co-CEO with me in SiliconAngle Media and the Cube. Our next guest is James Scott, who is the co-founder and senior fellow at ICIT. Welcome to the Cube. >> Thanks for having me. >> You guys are putting on this event, really putting the content together. Centrify, just so everyone knows, is underwriting the event but this is not a Centrify event. You guys are the key content partner, developing the content agenda. It's been phenomenal. It's an inaugural event so it's the first of its kind, bringing in industry, government, and practitioners all together, kind of up-leveling from the normal and good events like Black Hat and other events like RSA which go into deep dives. Here it's a little bit different. Explain. >> Yeah, it is. We're growing. We're a newer think tank. We're less than five years old. The objective is to stay smaller. We have organizations, like Centrify, that came out of nowhere in D.C. so we deal, most of what we've done up until now has been purely federal and on the Hill, so what I do, I work in the intelligence community. I specialize in social engineering and then I advise in the Senate for the most part, some in the House. We're able to take these organizations into the Pentagon or wherever and when we get a good read on them and when senators are like, "hey, can you bring them back in to brief us?" That's when we know we have a winner, so we started really creating a relationship with Tom Kemp, who's the CEO and founder over there, and Greg Cranley, who heads the federal division.
They're aggressively trying to be different as opposed to trying to be like everyone else, which makes it easy. If someone wants to do something, they have to be a fellow for us to do it, but if they want to do it, just like if they want to commission a paper, we just basically say, "okay, you can pay for it but we run it." Centrify has just been excellent. >> They get the community model. They get the relationship that you have with your constituents in the community. Trust matters, so you guys are happy to do this but more importantly, the content. You're held to a standard in your community. This is new, not to go in a different direction for a second but this is what the community marketing model is. Stay true to your audience and trust. You're relied upon so that's some balance that you guys have to do. >> The thing is we deal with cylance and others. Cylance, for example, was the first to introduce machine learning artificial intelligence to get passed that mutating hash for endpoint security. They fit in really well in the intelligence community. The great thing about working with Centrify is they let us take the lead and they're very flexible and we just make sure they come out on top each time. The content, it's very content driven. In D.C., we have at our cocktail receptions, they're CIA, NSA, DARPA, NASA. >> You guys are the poster child of be big, think small. >> Exactly. Intimate. >> You say Centrify is doing things differently. They're not falling in line like a lemming. What do you mean by that? What is everybody doing that these guys are doing differently? >> I think in the federal space, I think commercial too, but you have to be willing to take a big risk to be different so you have to be willing to pay a premium. If people work with us, they know they're going to pay a premium but we make sure they come out on top. What they do is, they'll tell us, Centrify will be like, "look, we're going to put x amount of dollars into a lunch. 
"Here are the types of pedigree individuals "that we need there." Maybe they're not executives. Maybe they're the actual practitioners at DHS or whatever. The one thing that they do different is they're aggressively trying to deviate from the prototype. That's what I mean. >> Like a vendor trying to sell stuff. >> Yeah and the thing is, that's why when someone goes to a Centrify event, I don't work for Centrify (mumbles). That's how they're able to attract. If you see, we have General Alexander. We've got major players here because of the content, because it's been different and then the other players want to be on the stage with other players, you know what I mean. It almost becomes a competition for "hey, I was asked to come to an ICIT thing" you know, that sort of thing. That's what I mean. >> It's reputation. You guys have a reputation and you stay true to that. That's what I was saying. To me, I think this is the future of how things get done. When you have a community model, you're held to a standard with your community. If you cross the line on that standard, you head fake your community, that's the algorithm that brings you a balance so you bring good stuff to the table and you vet everyone else on the other side so it's just more of a collaboration, if you will. >> The themes here, what you'll see is within critical infrastructure, we try to gear this a little more towards the financial sector. We brought, from Aetna, he set up the FS ISAC. Now he's with the health sector ISAC. For this particular geography in New York, we're trying to have it focus more around health sector and financial critical infrastructure. You'll see that. >> Alright, James, I've got to ask you. You're a senior fellow. 
You're on the front lines with a great Rolodex, great relationships in D.C., and you're advising and leaned upon by people making policy, looking at the world and the general layout in which, the reality is, shit's happening differently now so the world's got to change. Take us through a day in the life of some of the things you guys are seeing and what's the outlook? I mean, it's like a perfect storm of chaos, yet opportunity. >> It really depends. Each federal agency, we look at it from a Hill perspective, it comes down to really educating them. When I'm advising in the House, I know I'm going to be working with a different policy pedigree than a Senate committee policy expert, you know what I mean. You have to gauge the conversation depending on how new the office is, House, Senate, are they minority side, and then what we try to do is bring the issues that the private sector is having while simultaneously hitting the issues that the federal agency space has. Usually, we'll have a needs list from the CSWEP at the different federal agencies for a particular topic like the Chinese APTs or the Russian APTs. What we'll do is, we'll break down what the issue is. With Russia, for example, it's a combination of two types of exploits that are happening. You have the technical exploit, the malicious payload and vulnerability in a critical infrastructure network, and then profiling those actors. We also have another problem, the influence operations, which is why we started the Center for Cyber Influence Operations Studies. We've been asked repeatedly since the elections last year by the intelligence community to tell us, explain this new propaganda. The interesting thing is the synergies between the two sides are exploiting and weaponizing the same vectors. While on the technical side, you're exploiting a vulnerability in a network with a technical exploit, with a payload, a compiled payload with a bunch of tools.
On the influence operations side, they're weaponizing the same social media platforms that you would use to distribute a payload here but only the... >> Content payload. Either way you have critical infrastructure. The payload being content, fake content or whatever content, has an underpinning that gamification, call it virality, network effect and user psychology around, they don't really open up the Facebook post, they just read the headline and picture. There's a dissonance campaign, or whatever they're running, that might not be critical to national security at that time but it's also a post. >> It shifts the conversation in a way where they can use, for example, right now all the rage with nation states is to use metadata, put it into big data analytics, come up with a psychographic algorithm, and go after critical infrastructure executives with elevated privileges. You can do anything with those guys. You can spearphish them. The Russian modus operandi is to call and act like a recruiter, have that first touch of contact be the phone call, which they're not expecting. "Hey, I got this job. "Keep it on the down low. Don't tell anybody. "I'm going to send you the job description. "Here's the PDF." Take it from there. >> How should we think about the different nation state actors? You mentioned Russia, China, there's Iran, North Korea. Lay it out for us. >> Each geography has a different vibe to their hacking. With Russia you have this stealth and sophistication and their hacking is just like their espionage. It's like playing chess. They're really good at making pawns feel like they're kings on the chessboard so they're really good at recruiting insider threats. Bill Evanina is the head of counterintel. He's a bulldog. I know him personally. He's exactly what we need in that position. The Chinese hacking style is more smash and grab, very unsophisticated. They'll use a payload over and over again so forensically, it's easy to... >> Dave: Signatures.
>> Yeah, it is. >> More sharing on the tooling or whatever. >> They'll use code to the point of redundancy so it's like alright, the only reason they got in... Chinese get into a network, not because of sophistication, but because the network is not protected. Then you have the mercenary element which is where China really thrives. Chinese PLA will hack for the nation state during the day, but they'll moonlight at night to North Korea so North Korea, they have people who may consider themselves hackers but they're not code writers. They outsource. >> They're brokers, like general contractors. >> They're not sophisticated enough to carry out a real nation state attack. What they'll do is outsource to Chinese PLA members. Chinese PLA members will be like, "okay well, here's what I need for this job." Typically, what the Chinese will do, their loyalties are different than in the west, during the day they'll discover a vulnerability or a 0-day. They won't tell their boss right away. They'll capitalize off of it for a week. You do that, you go to jail over here. Russia, they'll kill you. China, somehow this is an accepted thing. They don't like it but it just happens. Then you have the eastern European nations and Russia still uses mercenary elements out of Moscow and St. Petersburg so what they'll do is they will freelance, as well. That's when you get the sophisticated, Carbanak-style hack where they'll go into the financial sector. They'll monitor the situation. Learn the ins and outs of everything having to do with that particular SWIFT or bank or whatever. They go in and those are the guys that are making millions of dollars on a breach. Hacking in general is a grind. It's a lot of vulnerabilities work, but few work for long. Everybody is always thinking there's this omega code that they have. >> It's just brute force. You just pound it all day long. >> That's it and it's a grind. You might have something that you worked on for six months.
You're ready to monetize. >> What about South America? What's the vibe down there? Anything happening in there? >> Not really. There is nothing of substance that really affects us here. Again, if an organization is completely unprotected. >> John: Russia? China? >> Russia and China. >> What about our allies? >> GCHQ. >> Israel? What's the collaboration, coordination, snooping? What's the dynamic like there? >> We deal, mostly, with NATO and Five Eyes. I actually had dinner with NATO last night. Five Eyes is important because we share signals intelligence and most of the communications will go through Five Eyes which is Canada, United States, Australia, New Zealand, and the UK. Those are our five most important allies and then NATO after that, as far as I'm concerned, for cyber. You have the whole weaponization of space going on with SATCOM interception. We're dealing with that with NASA, DARPA. Not a lot is happening down in South America. The next big thing that we have to look at is the cyber caliphate. You have the Muslim Brotherhood that funds it. Their influence operations domestically are extremely strong. They have a lot of contacts on the Hill which is a problem. You have ANTIFA. So there's two sides to this. You have the technical exploit but then the information warfare exploit. >> What about the bitcoin underbelly that started with the Silk Road and you've seen a lot of bitcoin. Money laundering is a big deal, know your customer. Now regulation is part of big ICOs going on. Are you seeing any activity from those? Are they pulling from previous mercenary groups or are they arbitraging just more free? >> For updating bitcoin? >> The whole bitcoin networks. There's been an effort to commercialize (mumbles) so there's been a legitimate track to bring that on but yet there's still a lot of actors.
>> I think bitcoin is important to keep and if you look at the more black ops type hacking or payment stuff, bitcoin is an important element just as Tor is an important element, just as encryption is an important element. >> John: It's fundamental, actually. >> It's a necessity so when I hear people on the Hill, I have my researcher, I'm like, "any time you hear somebody trying to have "weakened encryption, back door encryption" the first thing, we add them to the briefing schedule and I'm like, "look, here's what you're proposing. "You're proposing that you outlaw math. "So what? Two plus two doesn't equal four. "What is it? Three and a half? "Where's the logic?" When you break it down for them like that, on the Hill in particular, they begin to get it. They're like, "well how do we get the intelligence community "or the FBI, for example, to get into this iPhone?" Civil liberties, you've got to take that into consideration. >> I got to ask you a question. I interviewed a guy, I won't say his name. He actually commented off the record, but he said to me, "you won't believe how dumb some of these state actors are "when it comes to cyber. "There's some super smart ones. "Specifically Iran and the Middle East, "they're really not that bright." He used an example, I don't know if it's true or not, that Stuxnet, I forget which one it was, there was a test and it got out of control and they couldn't pull it back and it revealed their hand but it could've been something worse. His point was they actually screwed up their entire operation because they're doing some QA on their thing. >> I can't talk about Stuxnet but it's easy to get... >> In terms of how you test them, how do you QA your work? >> James: How do you review malware? (mumbles) >> You can't comment on the accuracy of Zero Days, the documentary? >> Next question. Here's what you find.
Some of these nation state actors, they saw what happened with our elections so they're like, "we have a really crappy offensive cyber program "but maybe we can thrive in influence operations "in propaganda and whatever." We're getting hit by everybody and 2020 is going to be, I don't even want to imagine. >> John: You think it's going to be out of control? >> It's going to be. >> I've got to ask this question, this came up. You're bringing up a really good point I think a lot of people aren't talking about but we've brought up a few times. I want to keep on getting it out there. In the old days, state on state actors used to do things, espionage, and everyone knew who they were and it was very important not to bring their queen out, if you will, too early, or reveal their moves. Now with Wikileaks and public domain, a lot of these tools are being democratized so that they can covertly put stuff out in the open for enemies of our country to just attack us at will. Is that happening? I hear about it, meaning that I might be Russia or I might be someone else. I don't want to reveal my hand but hey, you ISIS guys out there, all you guys in the Middle East might want to use this great hack and put it out in the open. >> I think yeah. The new world order, I guess. The order of things, the power positions are completely flipped, B side, counter, whatever. It's completely not what the establishment was thinking it would be. What's happening is Facebook is no more relevant, I mean Facebook is more relevant than the UN. Wikileaks has more information pulsating out of it than a CIA analyst, whatever. >> John: There's a democratization of the information? >> The thing is we're no longer a world that's divided by geographic lines in the sand that were drawn by these two guys that fought and lost a war 50 years ago. 
We're now in a tribal chieftain digital society and we're separated by ideological variation and so you have tribe members here in the US who have fellow tribe members in Israel, Russia, whatever. Look at Anonymous. Anonymous, I think everyone understands that's the biggest law enforcement honeypot there is, but you look at the ideological variation and it's hashtags and it's keywords and it's forums. That's the Senate. That's Congress. >> John: This is a new reality. >> This is reality. >> How do you explain that to senators? I was watching that on TV where they're trying to grasp what Facebook is and Twitter. (mumbles) Certainly Facebook knew what was going on. They're trying to play policy and they're new. They're newbies when it comes to policy. They don't have any experience on the Hill, now it's ramping up and they've had some help but tech has never been an actor on the stage of policy formulation. >> We have a real problem. We're looking at outside threats as our national security threats, which is incorrect. You have dragnet surveillance capitalists. Here's the biggest threats we have. The weaponization of Facebook, Twitter, YouTube, Google, and search engines like Comcast. They all have a censorship algorithm, which is how they monetize your traffic. It's censorship. You're signing your rights away and your free will when you use Google. You're not getting the right answer, you're getting the answer that coincides with an algorithm that they're meant to monetize and capitalize on. It's complete censorship. What's happening is, we had something that just passed, S.J. Res. 34, with no resistance whatsoever, blew my mind. What that allows is for a new actor, the ISPs, to curate metadata on their users and charge them their monthly fee as well. It's completely corrupt. These dragnet surveillance capitalists have become dragnet surveillance censorists. Is that a word? Censorists? I'll make it one. Now they've become dragnet surveillance propagandists.
That's why 2020 is up for grabs. >> (mumbles) We come from the same school here on this one, but here's the question. The younger generation, I asked a gentleman in the hallway on his way out, I said, "where's the cyber West Point? "Where are the Navy SEALs in this new digital culture?" He said, "oh yeah, some things." We're talking about the younger generation, the kids playing Call of Duty, Destiny. These are the guys out there, young kids coming up that will probably end up having multiple disciplinary skills. Where are they going to come from? So the question is, are we going to have a counterculture? We're almost feeling like what the 60s were to the 50s. Vietnam. I kind of feel like maybe the security stuff doesn't get taken care of, a revolt is coming. You talk about dragnet censorship. You're talking about the lack of control and privacy. I don't mind giving Facebook my data to connect with my friends and see my Thanksgiving photos or whatever but now I don't want fake news jammed down my throat. Anti-Trump and Anti-Hillary spew. I didn't buy into that. I don't want that anymore. >> I think millennials, I have a 19-year-old son, my researchers, they're right out of grad school. >> John: What's the profile like? >> They have no trust whatsoever in the government and they laugh at legislation. They don't care any more about having their face on their Facebook page and all their most intimate details of last night's date and tomorrow's date with two different, whatever. They just don't... They loathe the traditional way of things. You got to talk to General Alexander today. We have a really good relationship with him, Hayden, Mike Rogers. There is a counterculture in the works but it's not going to happen overnight because we have a tech deficit here where we need foreign tech people just to make up for the deficit.
>> Bill Mann and I were talking, I heard the general basically, this is my interpretation, "if we don't get our shit together, "this is going to be an f'd up situation." That's what I heard him basically say. You guys don't come together, so what Bill talked about was two scenarios. If industry and government don't share and come together, they're going to have stuff mandated on them by the government. Do you agree? >> I do. >> What's going to happen? >> The argument for regulation on the Hill is they don't want to stifle innovation, which makes sense but then ISPs don't innovate at all. They're using 1980s technology, so why did you pass S.J. Res. 34? >> John: For access? >> I don't know because nation states just look at that as, "oh wow another treasure trove of metadata "that we can weaponize. "Let's start psychographically charging alt-left "and alt-right, you know what I mean?" >> Hacks are inevitable. That seems to be the trend. >> You talked before, James, about threats. You mentioned weaponization of social. >> James: Social media. >> You mentioned another in terms of ISPs I think. >> James: Dragnet. >> What are the big threats? Weaponization of social. ISP metadata, obviously. >> Metadata, it really depends and that's the thing. That's what makes the advisory so difficult because you have to go between influence operations and the exploit because the vectors are used for different things in different variations. >> John: Integrated model. >> It really is and so with a question like that I'm like okay so my biggest concern is the propaganda, political warfare, the information warfare. >> People are underestimating the value of how big that is, aren't they? They're oversimplifying the impact of info campaigns. >> Yeah because your reality is based off of... It's like this, influence operations. Traditional media, everybody is all about the narrative and controlling the narrative.
What Russia understands is to control the narrative, the most embryo state of the narrative is the meme. Control the meme, control the idea. If you control the idea, you control the belief system. Control the belief system, you control the narrative. Control the narrative, you control the population. No guns were fired, see what I'm saying? >> I was explaining to a friend on Facebook, I was getting into a rant on this. I used a very simple example. In the advertising world, they run millions of dollars of ad campaigns on car companies for post car purchase cognitive dissonance campaigns. Just to make you feel good about your purchase. In a way, that's what's going on and explains what's going on on Facebook. This constant reinforcement of these beliefs whether it's for Trump or Hillary, all this stuff was happening. I saw it firsthand. That's just one small nuance but it's across a spectrum of memes. >> You have all these people, you have nation states, you have mercenaries, but the most potent force in this space, the most hyperevolving in influence operations, is the special interest group. The well-funded special interests. That's going to be a problem. 2020, I keep hitting that because I was doing an interview earlier. 2020 is going to be a tug of war for the psychological core of the population and it's free game. Dragnet surveillance capitalists will absolutely be dragnet surveillance propagandists. They will have the candidates that they're going to push. Now that can also work against them because mainstream media, Twitter, Facebook were completely against Trump, for example, and that worked in his advantage. >> We've seen this before. I'm a little bit older, but we are the same generation. Remember when they were going to open up CLECs? Remember the last mile for connectivity? That battle was won before it was even fought. What you're saying, if I get this right, the war and tug of war going on now is a big game.
If it's not played in one now, this jerry-rigging, gerrymandering of stuff could happen so when people wake up and realize what's happened the game has already been won. >> Yeah, your universe as you know it, your belief systems, what you hold to be true and self evident. Again, the embryo. If you look back to the embryo introduction of that concept, whatever concept it is, to your mind it came from somewhere else. There are very few things that you believe that you came up with yourself. The digital space expedites that process and that's dangerous because now it's being weaponized. >> Back to the, who fixes this. Who's the watchdog on this? These ideas you're talking about, some of them, you're like, "man that guy has lost it, he's crazy." Actually, I don't think you're crazy at all. I think it's right on. Is there a media outlet watching it? Who's reporting on it? What even can grasp what you're saying? What's going on in D.C.? Can you share that perspective? >> Yeah, the people that get this are the intelligence community, okay? The problem is the way we advise is I will go in with one of the silos in the NSA and explain what's happening and how to do it. They'll turn around their computer and say, "show me how to do it. "How do you do a multi-vector campaign "with this meme and make it viral in 30 minutes." You have to be able to show them how to do it. >> John: We can do that. Actually we can't. >> That sort of thing, you have to be able to show them because there's not enough practitioners, we call them operators. When you're going in here, you're teaching them. >> The thing is if they have the metadata to your treasure trove, this is how they do it. I'll explain here. If they have the metadata, they know where the touch points are. It's a network effect model, just a distributive model. They can put content in certain subnetworks that they know have a reaction to the metadata so they have the knowledge going in. It's not like they're scanning the whole world.
They're monitoring pockets like a drone, right? Once they get over the territory, then they do the acquired deeper targets and then go viral. That's basically how fake news works. >> See the problem is, you look at something like alt-right and ANTIFA. ANTIFA, just like Black Lives Matter, the initiatives may have started out with righteous intentions just like take a knee. These initiatives, first stage is if it causes chaos, chaos is the op for a nation state in the US. That's the op. Chaos. That's the beginning and the end of an op. What happens is they will say, "oh okay look, this is ticking off all these other people "so let's fan the flame of this take a knee thing "hurt the NFL." Who cares? I don't watch football anyway but you know, take a knee. It's causing all this chaos. >> John: It's called trolling. >> What will happen is Russia and China, China has got their 13th five-year plan, Russia has their foreign influence operations. They will fan that flame to exhaustion. Now what happens to the ANTIFA guy when he's a self-radicalized wound collector with a mental disorder? Maybe he's bipolar. Now with ANTIFA, he's experienced a heightened, more extreme variation of that particular ideology so who steps in next? Cyber caliphate and Muslim Brotherhood. That's why we're going to have an epidemic. I can't believe, you know, ANTIFA is a domestic terrorist organization. It's shocking that the FBI is not taking this more seriously. What's happening now is Muslim Brotherhood funds basically the cyber caliphate. The whole point of cyber caliphate is to create awareness, instill the illusion of rampant xenophobia for recruiting. They have self-radicalized wound collectors with ANTIFA that are already extremists anyway. They're just looking for a reason to take that up a notch. That's when, cyber caliphate, they hook up with them with a hashtag. They respond and they create a relationship. >> John: They get the flywheel going.
>> They take them to a deep web forum, dark web forum, and start showing them how it works. You can do this. You can be part of something. This guy who was never even muslim now is going under the ISIS moniker and he acts. He drives people over in New York. >> They fossilized their belief system. >> The whole point to the cyber caliphate is to find actors that are already in the self-radicalization phase but what does it take psychologically and from a mentoring perspective, to get them to act? That's the cyber caliphate. >> This is the value of data and context in real time using the current events to use that data, refuel their operation. It's data driven terrorism. >> What's the prescription that you're advising? >> I'm not a regulations kind of guy, but any time you're curating metadata like we're just talking about right now. Any time you have organizations like google, like Facebook, that have become so big, they are like their own nation state. That's a dangerous thing. The metadata curation. >> John: The value of the data is very big. That's the point. >> It is because what's happening... >> John: There's always a vulnerability. >> There's always a vulnerability and it will be exploited and all that metadata, it's unscrubbed. I'm not worried about them selling metadata that's scrubbed. I'm worried about the nation state or the sophisticated actor that already has a remote access Trojan on the network and is exfiltrating in real time. That's the guy that I'm worried about because he can just say, "forget it, I'm going to target people that are at this phase." He knows how to write algorithms, comes up with a good psychographic algorithm, puts the data in there, and now he's like, "look I'm only going to promote this concept, "two people at this particular stage of self-radicalization "or sympathetic to the kremlin." 
We have a big problem on the college campuses with IP theft because of the Chinese Students Scholar Associations which are directly run by the Chinese communist party. >> I heard a rumor that Equifax's franchising strategy had partners on the VPN that were state sponsored. They weren't even hacking, they had full access. >> There's a reason that the Chinese are buying hotels. They bought the Waldorf Astoria. We do stuff with the UN and NATO, you can't even stay there anymore. I think it's still under construction but it's a no-no to stay there anymore. I mean western nations and allies because they'll have bugs in the rooms. The WiFi that you use... >> Has fake certificates. >> Or there's a vulnerability that's left in that network so the information for executives who have IP or PII or electronic health records, you know what I mean? You go to these places to stay overnight, as an executive, and you're compromised. >> Look what happened with Eugene Kaspersky. I don't know the real story. I don't know if you can comment, but someone sees that and says, "this guy used to have high level meetings "at the Pentagon weekly, monthly." Now he's persona non grata. >> He fell out of favor, I guess, right? It happens. >> James, great conversation. Thanks for coming on the Cube. Congratulations on the great work you guys are doing here at the event. I know the content has been well received. Certainly the key notes we saw were awesome. CSOs, view from the government, from industry, congratulations. James Scott who is the co founder and senior fellow of ICIT, Internet Critical Infrastructure Technology. >> James: Institute of Critical Infrastructure Technology. >> T is for tech. >> And the Center for Cyber Influence Operations Studies. >> Good stuff. A lot of stuff going on (mumbles), exploits, infrastructure, it's all mainstream. It's the crisis of our generation. 
There's a radical shift happening and the answers are all going to come from industry and government coming together. This is the Cube bringing the data, I'm John Furrier with Dave Vellante. Thanks for watching. More live coverage after this short break. (music)
SUMMARY :
The Cube covering CyberConnect 2017, with John Furrier, co-host of the Cube, in conversation with James Scott of ICIT.