>>And welcome back to the cubes coverage of a, of us. Reinforc here in Boston, Massachusetts. I'm John furrier. We're here for a great interview on the next generation topic of state of industrial security. We have two great guests, Tim Jefferson, senior vice president data network and application security at Barracuda. And Cenon Aron vice president of zero trust engineering at Barracuda. Gentlemen. Thanks for coming on the queue. Talk about industrial security. >>Yeah, thanks for having us. >>So one of the, one of the big things that's going on, obviously you got zero trust. You've got trusted, trusted software supply chain challenges. You've got hardware mattering more than ever. You've got software driving everything, and all this is talking about industrial, you know, critical infrastructure. We saw the oil pipeline had a hack and ransomware attack, and that's just constant barrage of threats in the industrial area. And all the data is pointing to that. This area is gonna be fast growth machine learning's kicking in automation is coming in. You see a huge topic, huge growth trend. What is the big story going on here? >>Yeah, I think at a high level, you know, we did a survey and saw that, you know, over 95% of the organizations are experiencing, you know, security challenges in this space. So, you know, the blast radius in the, of the, the interface that this creates so many different devices and things and objects that are getting network connected now create a huge challenge for security teams to kind of get their arms around that. >>Yeah. And I can add that, you know, majority of these incidents that, that these organizations suffer lead to significant downtime, right? And we're talking about operational technology here, you know, lives depend on, on these technologies, right? Our, our wellbeing everyday wellbeing depend on those. So, so that is a key driver of initiatives and projects to secure industrial IOT and operational technologies in, in these businesses. >>Well, it's great to have both of you guys on, you know, Tim, you know, you had a background at AWS and sit on your startup, founder, soldier, coming to Barracuda, both very experienced, seeing the ways before in this industry. And I'd like to, if you don't mind talk about three areas, remote access, which we've seen in huge demand with, with the pandemic and the out, coming out with the hybrid and certainly industrial, that's a big part of it. And then secondly, that the trend of clear commitment from enterprises to have in a public cloud component, and then finally the secure access edge, you know, with SAS business models, securing these things, these are the three hot areas let's go into the first one, remote access. Why is this important? It seems that this is the top priority for having immediate attention on what's the big challenge here? Is it the most unsecure? Is it the most important? What, why is this relevant? >>So now I'll let you jump in there. >>Yeah, sure. Happy to. I mean, if you think about it, especially now, we've been through a, a pandemic shelter in place cycle for almost two years. It, it becomes essentially a business continuity matter, right? You do need remote access. We also seen a tremendous shift in hiring the best talent, wherever they are, right. Onboarding them and bringing the talent into, into, into, into businesses that have maybe a lot more distributed environments than traditionally. So you have to account for remote access in every part of everyday life, including industrial technologies, you need remote support, right? You need vendors that might be overseas providing you, you know, guidance and support for these technologies. So remote support is every part of life. Whether you work from home, you work on your, on the go, or you are getting support from a vendor that happens to be in Germany, you know, teleporting into your environment in Hawaii. You know, all these things are essentially critical parts of everyday life. Now >>Talk about ZT and a zero trust network access is a, this is a major component for companies. Obviously, you know, it's a position taking trust and verifies. One other approach, zero trust is saying, Hey, I don't trust you. Take us through why that's important. Why is zero trust network access important in this area? >>Yeah. I mean, I could say that traditionally remote access, if you think about infancy of the internet in the nineties, right? It was all about encryption in, in transit, right? You were all about internet was vastly clear text, right? We didn't have even SSL TLS, widely distributed and, and available. So when VPNs first came out, it was more about preventing sniffing, clear tech clear text information from, from, from the network, right? It was more about securing the, the transport, but now that kind of created a, a big security control gap, which implicitly trusted user users, once they are teleported into a remote network, right? That's the essence of having a remote access session you're brought from wherever you are into an internal network. They implicitly trust you that simply breakdown over time because you are able to compromise end points relatively easily using browser exploits. >>You know, so, so for supply chain issues, water hole attacks, and leverage the existing VPN tunnels to laterally move into the organization from within the network, you literally move in further and further and further down, you know, down the network, right? So the VPN needed a, a significant innovation. It was meant to be securing packets and transit. It was all about an encryption layer, but it had an implicit trust problem with zero trust. We turn it into an explicit trust problem, right? Explicit trust concept, ideally. Right? So you are, who do you say you are? And you are authorized to access only to things that you need to access to get the work done. >>So you're talking about granular levels versus the one time database look up you're in >>That's right. >>Tim, talk about the OT it side of this equation of industrial, because it, you know, is IP based, networking, OT have been purpose built, you know, maybe some proprietary technology yeah. That connects to the internet internet, but it's mainly been secure. Those have come together over the years and now with no perimeter security, how is this world evolving? Because there's gonna be more cloud there, be more machine learning, more hybrid on premise, that's going on almost a reset if you will. I mean, is it a reset? What's the, what's the situation. >>Yeah. I think, you know, in typical human behavior, you know, there's a lot of over rotation going on. You know, historically a lot of security controls are all concentrated in a data center. You know, a lot of enterprises had very large sophisticated well-established security stacks in a data center. And as those applications kind of broke down and, and got rearchitected for the cloud, they got more modular, they got more distributed that centralized security stack became an anti pattern. So now this kind of over rotation, Hey, let's take this stack and, and put it up in the cloud. You know, so there's lots of names for this secure access, service edge, you know, secure service edge. But in the end, you know, you're taking your controls and, and migrating them into the cloud. And, you know, I think ultimately this creates a great opportunity to embrace some of security, best practices that were difficult to do in some of the legacy architectures, which is being able to push your controls as far out to the edge as possible. >>And the interesting thing about OT and OT now is just how far out the edge is, right? So instead of being, you know, historically it was the branch or user edge, remote access edge, you know, Syon mentioned that you, you have technologies that can VPN or bring those identities into those networks, but now you have all these things, you know, partners, devices. So it's the thing, edge device edge, the user edge. So a lot more fidelity and awareness around who users are. Cause in parallel, a lot of the IDP and I IBM's platforms have really matured. So marrying those concepts of this, this lot of maturity around identity management yeah. With device in and behavior management into a common security framework is really exciting. But of course it's very nascent. So people are, it's a difficult time getting your arms around >>That. It's funny. We were joking about the edge. We just watching the web telescope photos come in the deep space, the deep edge. So the edge is continuing to be pushed out. Totally see that. And in fact, you know, one of the things we're gonna, we're gonna talk about this survey that you guys had done by an independent firm has a lot of great data. I want to unpack that, but one of the things that was mentioned in there, and I'll get, I wanna get your both reaction to this is that virtually all organizations are committing to the public cloud. Okay. I think it was like 96% or so was the stat. And if you combine in that, the fact that the edge is expanding, the cloud model is evolving at the edge. So for instance, a building, there's a lot behind it. You know, how far does it go? So we don't and, and what is the topology because the topology seem to change too. So there's this growth and change where we need cloud operations, DevOps at, at the edge and the security, but it's changing. It's not pure cloud, but it's cloud. It has to be compatible. What's your reaction to that, Tim? I mean, this is, this is a big part of the growth of industrial. >>Yeah. I think, you know, if you think about, there's kind of two exciting developments that I would think of, you know, obviously there's this increase to the surface area, the tax surface areas, people realize, you know, it's not just laptops and devices and, and people that you're trying to secure, but now they're, you know, refrigerators and, you know, robots and manufacturing floors that, you know, could be compromised, have their firmware updated or, you know, be ransomware. So this a huge kind of increase in surface area. But a lot of those, you know, industrial devices, weren't built around the concept with network security. So kind of bolting on, on thinking through how can you secure who and what ultimately has access to those, to those devices and things. And where is the control framework? So to your point, the control framework now is typically migrated now into public cloud. >>These are custom applications, highly distributed, highly available, very modular. And then, you know, so how do you, you know, collect the telemetry or control information from these things. And then, you know, it creates secure connections back into these, these control applications, which again, are now migrated to public cloud. So you have this challenge, you know, how do you secure? We were talking about this last time we discussed, right. So how do you secure the infrastructure that I've, I've built in deploying now, this control application and in public cloud, and then connect in with this, this physical presence that I have with these, you know, industrial devices and taking telemetry and control information from those devices and bringing it back into the management. And this kind marries again, back into the remote axis that Sunan was mentioning now with this increase awareness around the efficacy of ransomware, we are, you know, we're definitely seeing attackers going after the management frameworks, which become very vulnerable, you know, and they're, they're typically just unprotected web applications. So once you get control of the management framework, regardless of where it's hosted, you can start moving laterally and, and causing some damage. >>Yeah. That seems to be the common thread. So no talk about, what's your reaction to that because, you know, zero trust, if it's evolving and changing, you, you gotta have zero trust you. I didn't even know it's out there and then it gets connected. How do you solve that problem? Cuz you know, there's a lot of surface area that's evolving all the OT stuff and the new, it, what's the, what's the perspective and posture that the clients your clients are having and customers. Well, >>I, I think they're having this conversation about further mobilizing identity, right? We did start with, you know, user identity that become kind of the first foundational building block for any kind of zero trust implementation. You work with, you know, some sort of SSO identity provider, you get your, you sync with your user directories, you have a single social truth for all your users. >>You authenticate them through an identity provider. However that didn't quite cut it for industrial OT and OT environments. So you see like we have the concept of hardware machines, machine identities now become an important construct, right? The, the legacy notion of being able to put controls and, and, and, and rules based on network constructs doesn't really scale anymore. Right? So you need to have this concept of another abstraction layer of identity that belongs to a service that belongs to an application that belongs to a user that belongs to a piece of hardware. Right. And then you can, yeah. And then you can build a lot more, of course, scalable controls that basically understand the, the trust relation between these identities and enforce that rather than trying to say this internal network can talk to this other internal network through a, through a network circuit. No, those things are really, are not scalable in this new distributed landscape that we live in today. So identity is basically going to operationalize zero trust and a lot more secure access going forward. >>And that's why we're seeing the sassy growth. Right. That's a main piece of it. Is that what you, what you're seeing too? I mean, that seems to be the, the approach >>I think like >>Go >>Ahead to, yeah. I think like, you know, sassy to me is really about, you know, migrating and moving your security infrastructure to the cloud edge, you know, as we talked to the cloud, you know, and then, you know, do you funnel all ingress and egress traffic through this, you know, which is potentially an anti pattern, right? You don't wanna create, you know, some brittle constraint around who and what has access. So again, a security best practices, instead of doing all your enforcement in one place, you can distribute and push your controls out as far to the edge. So a lot of SASI now is really around centralizing policy management, which is the big be one of the big benefits is instead of having all these separate management plans, which always difficult to be very federated policy, right? You can consolidate your policy and then decide mechanism wise how you're gonna instrument those controls at the edge. >>So I think that's the, the real promise of, of the, the sassy movement and the, I think the other big piece, which you kind of touched on earlier is around analytics, right? So it creates an opportunity to collect a whole bunch of telemetry from devices and things, behavior consumption, which is, which is a big, common, best practice around once you have SA based tools that you can instrument in a lot of visibility and how users and devices are behaving in being operated. And to Syon point, you can marry that in with their identity. Yeah. Right. And then you can start building models around what normal behavior is and, you know, with very fine grain control, you can, you know, these types of analytics can discover things that humans just can't discover, you know, anomalous behavior, any kind of indicators are compromised. And those can be, you know, dynamic policy blockers. >>And I think sun's point about what he was talking about, talks about the, the perimeters no longer secure. So you gotta go to the new way to do that. Totally, totally relevant. I love that point. Let me ask you guys a question on the, on the macro, if you don't mind, how concerned are you guys on the current threat landscape in the geopolitical situation in terms of the impact on industrial IOT in this area? >>So I'll let you go first. Yeah. >>I mean, it's, it's definitely significantly concerning, especially if now with the new sanctions, there's at least two more countries being, you know, let's say restricted to participate in the global economic, you know, Mar marketplace, right? So if you look at North Korea as a pattern, since they've been isolated, they've been sanctioned for a long time. They actually double down on rents somewhere to even fund state operations. Right? So now that you have, you know, BES be San Russia being heavily sanctioned due to due to their due, due to their activities, we can envision more increase in ransomware and, you know, sponsoring state activities through illegal gains, through compromising, you know, pipelines and, you know, industrial, you know, op operations and, and seeking large payouts. So, so I think the more they will, they're ized they're pushed out from the, from the global marketplace. There will be a lot more aggression towards critical infrastructure. >>Oh yeah. I think it's gonna ignite more action off the books, so to speak as we've seen. Yeah. We've >>Seen, you know, another point there is, you know, Barracuda also runs a, a backup, you know, product. We do a, a purpose built backup appliance and a cloud to cloud backup. And, you know, we've been running this service for over a decade. And historically the, the amount of ransomware escalations that we got were very slow, you know, is whenever we had a significant one, helping our customers recover from them, you know, you know, once a month, but over the last 18 months, this is routine now for us, this is something we deal with on a daily basis. And it's becoming very common. You know, it's, it's been a well established, you know, easily monetized route to market for the bad guys. And, and it's being very common now for people to compromise management planes, you know, they use account takeover. And the first thing they're doing is, is breaking into management planes, looking at control frameworks. And then first thing they'll do is delete, you know, of course the backups, which this sort of highlights the vulnerability that we try to talk to our customers about, you know, and this affects industrial too, is the first thing you have to do is among other things, is, is protect your management planes. Yeah. And putting really fine grain mechanisms like zero trust is, is a great, >>Yeah. How, how good is backup, Tim, if you gets deleted first is like no backup. There it is. So, yeah. Yeah. Air gaping. >>I mean, obviously that's kinda a best practice when you're bad guys, like go in and delete all the backups. So, >>And all the air gaps get in control of everything. Let me ask you about the, the survey pointed out that there's a lot of security incidents happening. You guys pointed that out and discussed a little bit of it. We also talked about in the survey, you know, the threat vectors and the threat landscape, the common ones, ransomware was one of them. The area that I liked, what that was interesting was the, the area that talked about how organizations are investing in security and particularly around this, can you guys share your thoughts on how you see the, the market, your customers and, and the industry investing? What are they investing in? What stage are they in when it comes to IOT and OT, industrial IOT and OT security, do they do audits? Are they too busy? I mean, what's the state of their investment thesis progress of, of, of how they're investing in industrial IOT? >>Yeah. Our, our view is, you know, we have a next generation product line. We call, you know, our next, our cloud chain firewalls. And we have a form factor that sports industrial use cases we call secure connectors. So it's interesting that if you, what we learned from that business is a tremendous amount of bespoke efforts at this point, which is sort of indicative of a, of a nascent market still, which is related to another piece of information I thought was really interested in the survey that I think it was 93% of the, the participants, the enterprises had a failed OT initiative, you know, that, you know, people tried to do these things and didn't get off the ground. And then once we see build, you know, strong momentum, you know, like we have a, a large luxury car manufacturer that uses our secure connectors on the, on the robots, on the floor. >>So well established manufacturing environments, you know, building very sophisticated control frameworks and, and security controls. And, but again, a very bespoke effort, you know, they have very specific set of controls and specific set of use cases around it. So it kind of reminds me of the late nineties, early two thousands of people trying to figure out, you know, networking and the blast radi and networking and, and customers, and now, and a lot of SI are, are invested in this building, you know, fast growing practices around helping their customers build more robust controls in, in helping them manage those environments. So, yeah, I, I think that the market is still fairly nascent >>From what we seeing, right. But there are some encouraging, you know, data that shows that at least helpful of the organizations are actively pursuing. There's an initiative in place for OT and a, you know, industrial IOT security projects in place, right. They're dedicating time and resources and budget for this. And, and in, in regards to industries, verticals and, and geographies oil and gas, you know, is, is ahead of the curve more than 50% responded to have the project completed, which I guess colonial pipeline was the, you know, the call to arms that, that, that was the big, big, you know, industrial, I guess, incident that triggered a lot of these projects to be accelerating and, and, you know, coming to the finish line as far as geographies go DACA, which is Germany, Austria, Switzerland, and of course, north America, which happens to be the industrial powerhouses of, of the world. Well, APAC, you know, also included, but they're a bit behind the curve, which is, you know, that part is a bit concerning, but encouragingly, you know, Western Europe and north America is ahead of these, you know, projects. A lot of them are near completion or, or they're in the middle of some sort of an, you know, industrial IOT security project right >>Now. I'm glad you brought the colonial pipeline one and, and oil and gas was the catalyst. Again, a lot of, Hey, scared that better than, than me kinda attitude, better invest. So I gotta ask you that, that supports Tim's point about the management plane. And I believe on that hack or ransomware, it wasn't actually control of the pipeline. It was control over the management billing, and then they shut down the pipeline cuz they were afraid it was gonna move over. So it wasn't actually the critical infrastructure itself to your point, Tim. >>Yeah. It's hardly over the critical infrastructure, by the way, you always go through the management plane, right. It's such an easier lying effort to compromise because it runs on an endpoint it's standard endpoint. Right? All this control software will, will be easier to get to rather than the industrial hardware itself. >>Yeah. It's it's, it's interesting. Just don't make a control software at the endpoint, put it zero trust. So down that was a great point. Oh guys. So really appreciate the time and the insight and, and the white paper's called NETEC it's on the Barracuda. Netex industrial security in 2022. It's on the barracuda.com website Barracuda network guys. So let's talk about the read force event hasn't been around for a while cuz of the pandemic we're back in person what's changed in 2019 a ton it's like security years is not dog years anymore. It's probably dog times too. Right. So, so a lot's gone on where are we right now as an industry relative to the security cybersecurity. Could you guys summarize kind of the, the high order bit on where we are today in 2022 versus 2019? >>Yeah, I think, you know, if you look at the awareness around how to secure infrastructure in applications that are built in public cloud in AWS, it's, you know, exponentially better than it was. I think I remember when you and I met in 2018 at one of these conferences, you know, there were still a lot of concerns, whether, you know, IAS was safe, you know, and I think the amount of innovation that's gone on and then the amount of education and awareness around how to consume, you know, public cloud resources is amazing. And you know, I think that's facilitated a lot of the fast growth we've seen, you know, the consistent, fast growth that we've seen across all these platforms >>Say that what's your reaction to the, >>I think the shared responsibility model is well understood, you know, and, and, and, and we can see a lot more implementation around, you know, CSBM, you know, continuously auditing the configurations in these cloud environments become a, a standard table stake, you know, investment from every stage of any business, right? Whether from early state startups, all the way to, you know, public companies. So I think it's very well understood and, and the, and the investment has been steady and robust when it comes to cloud security. We've been busy, you know, you know, helping our customers and AWS Azure environments and, and others. So I, I think it's well understood. And, and, and we are on a very optimistic note actually in a good place when it comes to public cloud. >>Yeah. A lot of great momentum, a lot of scale and data act out there. People sharing data, shared responsibility. Tim is in, thank you for sharing your insights here in this cube segment coverage of reinforce here in Boston. Appreciate it. >>All right. Thanks for having >>Us. Thank you. >>Okay, everyone. Thanks for watching the we're here at the reinforced conference. AWS, Amazon web services reinforced. It's a security focused conference. I'm John furier host of the cube. We'd right back with more coverage after the short break.

>>Hello, Ron. Welcome to AWS reinforce here. Live in Boston, Massachusetts. I'm John feer, host of the cube. We're here at Carl Matson. CSO at no name security. That's right, no name security, no name securities, also a featured partner at season two, episode four of our upcoming eightish startup showcase security themed event happening in the end of August. Look for that at this URL, AWS startups.com, but we're here at reinforc Carl. Thanks for joining me today. Good to see >>You. Thank you for having us, John. >>So this show security, it's not as packed as the eight of us summit was in New York. That just happened two weeks ago, 19,000 people here, more focused crowd. Lot at stake operations are under pressure. The security teams are under a lot of pressure as apps drive more and more cloud native goodness. As we say, the gen outta the bottle, people want more cloud native apps. Absolutely. That's put a lot of pressure on the ops teams and the security teams. That's the core theme here. How do you see it happening? How do you see this unfolding? Do you agree with that? And how would you describe today's event? >>Well, I think you're, you're spot on. I think the, the future of it is increasingly becoming the story of developers and APIs becoming the hero, the hero of digital transformation, the hero of public cloud adoption. And so this is really becoming much more of a developer-centric discussion about where we're moving our applications and, and where they're hosted, but also how they're designed. And so there's a lot of energy around that right now around focusing security capabilities that really appeal to the sensibilities and the needs of, of modern applications. >>I want to get to know name security a second, and let you explain what you guys do. Then I'll have a few good questions for you to kind of unpack that. But the thing about the structural change that's happened with cloud computing is kind of, and kind of in the past now, DevOps cloud scale, large scale data, the rise of the super cloud companies like snowflake capital, one there's examples of companies that don't even have CapEx investments building on the cloud. And in a way, our, the success of DevOps has created another sea of problems and opportunities that is more complexity as the benefits of DevOps and open source, continue to rise, agile applications that have value can be quantified. There's no doubt with the pandemic that's value there. Yeah. Now you have the collateral damage of success, a new opportunity to abstract away, more complexity to go to the next level. Yep. This is a big industry thing. What are the key opportunities and areas as this new environment, cuz that's the structural change happening now? Yep. What's the key dynamics right now. That's driving this new innovation and what are some of those problem areas that are gonna be abstracted away that you see? >>Well, the, the first thing I I'd suggest is is to, to lean into those structural changes and take advantage of them where they become an advantage for governance, security risk. A perfect example is automation. So what we have in microservices, applications and cloud infrastructures and new workloads like snowflake is we have workloads that want to talk, they want to be interoperated with. And because of that, we can develop new capabilities that take advantage of those of those capabilities. And, and so we want to have on our, on our security teams in particular is we wanna have the talent and the tools that are leaning into and capitalizing on exactly those strengths of, of the underlying capabilities that you're securing rather than to counter that trend, that the, the security professional needs to get ahead of it and, and be a part of that discussion with the developers and the infrastructure teams. >>And, and again, the tructure exchange could kill you too as well. I mean, some benefits, you know, data's the new oil, but end of the day it could be a problematic thing. Sure. All right. So let's get that. No names talk about the company. What you guys do, you have an interesting approach, heavily funded, good success, good buzz. What's going on with the company? Give the quick overview. >>Well, we're a company that's just under three years old and, and what APIs go back, of course, a, a decade or more. We've all been using APIs for a long time, but what's really shifted over the last couple of years is the, is the transition of, of applications and especially business critical processes to now writing on top of public facing APIs where API used to be the behind the scenes interconnection between systems. Now those APIs are exposed to their public facing. And so what we focus on as a company is looking at that API as a, as a software endpoint, just like any other endpoint in our environments that we're historically used to. That's an endpoint that needs full life cycle protection. It needs to be designed well secure coding standards for, for APIs and tested. Well, it also has to be deployed into production configured well and operated well. And when there's a misuse or an attack in progress, we have to be able to protect and identify the, the risks to that API in production. So when you add that up, we're looking at a full life cycle view of the API, and it's really it's about time because the API is not new yet. We're just starting to now to apply like actual discipline and, and practices that help keep that API secure. >>Yeah. It's interesting. It's like what I was saying earlier. They're not going anywhere. They're not going, they're the underpinning, the underlying benefit of cloud yes. Cloud native. So it's just more, more operational stability, scale growth. What are some of the challenges that, that are there and what do you guys do particularly to solve it? You're protecting it. Are you scaling it? What specifically are you guys addressing? >>But sure. So I think API security, even as a, as a discipline is not new, but I think the, the, the traditional look at API security looks only at, at the quality of the source code. Certainly quality of the source code of API is, is sort of step one. But what we see in, in practices is most of the publicly known API compromises, they weren't because of bad source code that they because of network misconfiguration or the misapplication of policy during runtime. So a great example of that would be developer designs, an API designs. It in such a way that Gar that, that enforces authentication to be well designed and strong. And then in production, those authentication policies are not applied at a gateway. So what we add to the, we add to the, to the conversation on API security is helping fill all those little gaps from design and testing through production. So we can see all of the moving parts in the, the context of the API to see how it can be exploited and, and how we can reduce risk in independent of. >>So this is really about hardening the infrastructure yep. Around cuz the developer did their job in that example. Yep. So academic API is well formed working, but something didn't happen on the network or gateway box or app, you know, some sort of network configuration or middleware configuration. >>Absolutely. So in our, in our platform, we, we essentially have sort of three functional areas. There's API code testing, and then we call next is posture management posture. Management's a real thing. If we're talking about a laptop we're talking about, is it up to date with patches? Is it configured? Well, is it secure network connectivity? The same is true with APIs. They have to be managed and cared for by somebody who's looking at their posture on the network. And then of course then there's threat defense and run time protection. So that posture management piece, that's really a new entrant into the discussion on API security. And that's really where we started as a company is focusing on that sort of acute gap of information, >>Posture, protection, >>Posture, and protection. Absolutely >>Define that. What does that, what does posture posture protection mean? How would you define that? >>Sure. I think it's a, it's identifying the inherent risk exposure of an API. Great example of that would be an API that is addressable by internal systems and external systems at the same time. Almost always. That is, that is an error. It's a mistake that's been made so well by, by identifying that misconfiguration of posture, then we can, we can protect that API by restricting the internet connectivity externally. That's just a great example of posture. We see almost every organization has that and it's never intended. >>Great, great, great call out. Thanks for sharing. All right, so I'm a customer. Yep. Okay. Look at, Hey, I already got an app firewall API gateway. Why do I need another tool? >>Well, first of all, web application firewalls are sort of essential parts of a security ecosystem. An API management gateway is usually the brain of an API economy. What we do is we, we augment those platforms with what they don't do well and also when they're not used. So for example, in, in any environment, we, we aspire to have all of our applications or APIs protected by web application firewall. First question is, are they even behind the web? Are they behind the w at all? We're gonna find that the WAFF doesn't know if it's not protecting something. And then secondary, there are attack types of business logic in particular of like authentication policy that a WAFF is not gonna be able to see. So the WAFF and the API management plan, those are the key control points and we can help make those better. >>You know what I think is cool, Carl, as you're bringing up a point that we're seeing here and we've seen before, but now it's kind of coming at the visibility. And it was mentioned in the keynote by one of the presenters, Kurt, I think it was who runs the platform. This idea of reasoning is coming into security. So the idea of knowing the topology know that there's dynamic stuff going on. I mean, topes aren't static anymore. Yep. And now you have more microservices. Yep. More APIs being turned on and off this runtime is interesting. So you starting to see this holistic view of, Hey, the secret sauce is you gotta be smarter. Yep. And that's either machine learning or AI. So, so how does that relate to what you guys do? Does it, cuz it sounds like you've got something of that going on with the product. Is that fair or yeah. >>Yeah, absolutely. So we, yeah, we talked about posture, so that's, that's really the inherent quality or secure posture of a, of an API. And now let's talk about sending traffic through that API, the request and response. When we're talking about organizations that have more APIs than they have people, employees, or, or tens of thousands, we're seeing in some customers, the only way to identify anomalous traffic is through machine learning. So we apply a machine learning model to each and every API in independently for itself because we wanna learn how that API is supposed to be behave. Where is it supposed to be talking? What kind of data is it supposed to be trafficking in, in, in all its facets. So we can model that activity and then identify the anomaly where there's a misuse, there's an attacker event. There's an, an insider employee is doing something with that API that's different. And that's really key with APIs is, is that no, a no two APIs are alike. Yeah. They really do have to be modeled individually rather than I can't share my, my threat signatures for my API, with your organization, cuz your APIs are different. And so we have to have that machine learning approach in order to really identify that >>Anomaly and watch the credentials, permissions. Absolutely all those things. All right. Take me through the life cycle of an API. There's pre-production postproduction what do I need to know about those two, those two areas with respect to what you guys do? >>Sure. So the pre-production activities are really putting in the hands of a developer or an APSEC team. The ability to test that API during its development and, and source code testing is one piece, but also in pre-production are we modeling production variables enough to know what's gonna happen when I move it into production? So it's one thing to have secure source code, of course, but then it's also, do we know how that API's gonna interact with the world once it's sort of set free? So the testing capabilities early life cycle is really how we de-risk in the long term, but we all have API ecosystems that are existing. And so in production we're applying the, all of those same testing of posture and configuration issues in runtime, but really what it, it may sound cliche to say, we wanna shift security left, but in APIs that's, that's a hundred percent true. We want to keep moving our, our issue detection to the earliest possible point in the development of an API. And that gives us the greatest return in the API, which is what we're all looking for is to capitalize on it as an agent of transformation. >>All right, let's take the customer perspective. I'm the customer, Carl, Carl, why do I need you? And how are you different from the competition? And if I like it, how do I get started? >>Sure. So the, the, the first thing that we differentiate selves from the customer is, or from our competitors is really looking at the API as an entire life cycle of activities. So whether it's from the documentation and the design and the secure source code testing that we can provide, you know, pre-development, or pre-deployment through production posture, through runtime, the differentiator really for us is being a one-stop shop for an entire API security program. And that's very important. And as that one stop shop, the, the great thing about that when having a conversation with a customer is not every customer's at the same point in their journey. And so if, if a customer discussion really focuses on their perhaps lack of confidence in their code testing, maybe somebody else has a lack of confidence in their runtime detection. We can say yes to those conversations, deliver value, and then consider other things that we can do with that customer along a whole continuum of life cycle. And so it allows us to have a customer conversation where we don't need to say, no, we don't do that. If it's an API, the answer is, yes, we do do that. And that's really where we, you know, we have an advantage, I think, in, in looking at this space and, and, and being able to talk with pretty much any customer in any vertical and having a, having a solution that, that gives them something value right away. >>And how do I get started? I like it. You sold me on, on operationalizing it. I like the one stop shop. I, my APIs are super important. I know that could be potential exposure, maybe access, and then lateral movement to a workload, all kinds of stuff could happen. Sure. How do I get started? What do I do to solve >>This? Well, no name, security.com. Of course we, we have, you know, most customers do sandboxing POVs as part of a trial period for us, especially with, you know, being here at AWS is wonderful because these are customers who's with whom we can integrate with. In a matter of minutes, we're talking about literally updating an IAM role. Permission is the complexity of implementation because cloud friendly workloads really allow us to, to do proofs of concept and value in a matter of minutes to, to achieve that value. So whether it's a, a dedicated sandbox for one customer, whether it's a full blown POC for a complicated organization, you know, whether it's here at AWS conference or, or, or Nona security.com, we would love to do a, do a, like a free demo test drive and assessment. >>Awesome. And now you guys are part of the elite alumni of our startup showcase yep. Where we feature the hot startups, obviously it's the security focuses episodes about security. You guys have been recognized by the industry and AWS as, you know, making it, making it happen. What specifically is your relationship with AWS? Are you guys doing stuff together? Cuz they're, they're clearly integrating with their partners. Yeah. I mean, they're going to companies and saying, Hey, you know what, the more we're integrated, the better security everyone gets, what are you doing with Amazon? Can you share any tidbits? You don't have to share any confidential information, but can you give us a little taste of the relationship? >>Well, so I think we have the best case scenario with our relationship with AWSs is, is as a, as a very, very small company. Most of our first customers were AWS customers. And so to develop the, the, the initial integrations with AWS, what we were able to do is have our customers, oftentimes, which are large public corporations, go to AWS and say, we need, we need that company to be through your marketplace. We need you to be a partner. And so that partnership with, with AWS has really grown from, you know, gone from zero to 60 to, you know, miles per hour in a very short period of time. And now being part of the startup program, we have a variety of ways that a customer can, can work with us from a direct purchase through the APS marketplace, through channel partners and, and VA, we really have that footprint now in AWS because our customers are there and, and they brought our customers to AWS with us. >>It's it nice. The customers pulls you to AWS. Yes. Its pulls you more customers. Yep. You get kind of intermingled there, provide the value. And certainly they got, they, they hyperscale so >>Well, that creates depth of the relationship. So for example, as AWS itself is evolving and changing new services become available. We are a part of that inner circle. So to speak, to know that we can make sure that our technology is sort of calibrated in advance of that service offering, going out to the rest of the world. And so it's a really great vantage point to be in as a startup. >>Well, Carl, the CISO for no name security, you're here on the ground. You partner with AWS. What do you think of the show this year? What's the theme. What's the top story one or two stories that you think of the most important stories that people should know about happening here in the security world? >>Well, I don't think it's any surprise that almost every booth in the, in the exhibit hall has the words cloud native associated with it. But I also think that's, that's, that's the best thing about it, which is we're seeing companies and, and I think no name is, is a part of that trend who have designed capabilities and technologies to take advantage and lean into what the cloud has to offer rather than compensating. For example, five years ago, when we were all maybe wondering, will the cloud ever be as secure as my own data center, those days are over. And we now have companies that have built highly sophisticated capabilities here in the exhibit hall that are remarkably better improvements in, in securing the cloud applications in, in our environments. So it's a, it's a real win for the cloud. It's something of a victory lap. If, if you hadn't already been there, you should be there at this point. >>Yeah. And the structural change is happening now that's clear and I'd love to get your reaction if you agree with it, is that the ops on security teams are now being pulled up to the level that the developers are succeeding at, meaning that they have to be in the boat together. Yes. >>Oh, lines of, of reporting responsibility are becoming less and less meaningful and that's a good thing. So we're having just in many conversations with developers or API management center of excellence teams to cloud infrastructure teams as we are security teams. And that's a good thing because we're finally starting to have some degree of conversions around where our interests lie in securing cloud assets. >>So developers ops security all in the boat together, sync absolutely together or win together. >>We, we, we win together, but we don't win on day one. We have to practice like we as organizations we have to, we have to rethink our, we have to rethink our tech stack. Yeah. But we also have to, you have to rethink our organizational models, our processes to get there, to get >>That in, keep the straining boat in low waters. Carl, thanks for coming on. No name security. Why the name just curious, no name. I love that name. Cause the restaurant here in Boston that used to be of all the people that know that. No name security, why no name? >>Well, it was sort of accidental at, in the, in the company's first few weeks, the there's an advisory board of CISOs who provides feedback on, on seed to seed companies on their, on their concept of, of where they're gonna build platforms. And, and so in absence of a name, the founders and the original investor filled out a form, putting no name as the name of this company that was about to develop an API security solution. Well, amongst this board of CSOs, basically there was unanimous feedback that the, what they needed to do was keep the name. If nothing else, keep the name, no name, it's a brilliant name. And that was very much accidental, really just a circumstance of not having picked one, but you know, a few weeks passed and all of a sudden they were locked in because sort of by popular vote, no name was, >>Was formed. Yeah. And now the legacy, the origination story is now known here on the cube call. Thanks for coming on. Really appreciate it. Thank you, John. Okay. We're here. Live on the floor show floor of AWS reinforced in Boston, Massachusetts. I'm John with Dave ALO. Who's out and about getting the stories in the trenches in the analyst meeting. He'll be right back with me shortly day tuned for more cube coverage. After this short break.

(upbeat music) >> Okay, welcome back everyone. CUBE's coverage here in Boston, Massachusetts, AWS re:inforce 22, security conference. It's AWS' big security conference. Of course, theCUBE's here, all the reinvent, reese, remars, reinforced. We cover 'em all now and the summits. I'm John Furrier, my host Dave Vellante. We have IDC weighing in here with their analysts. We've got some great guests here, Jay Bretzmann research VP at IDC and Philip Bues research manager for Cloud security. Gentlemen, thanks for coming on. >> Thank you. >> Appreciate it. Great to be here. >> Appreciate coming. >> Got a full circle, right? (all laughing) Security's more interesting than storage, isn't it? (all laughing) >> Dave and Jay worked together. This is a great segment. I'm psyched that you guys are here. We had Crawford and Matt Eastwood on at HPE Discover a while back and really the data you guys are getting and the insights are fantastic. So congratulations to IDC. You guys doing great work. We appreciate your time. I want to get your reaction to the event and the keynotes. AWS has got some posture and they're very aggressive on some tones. Some things that we didn't hear. What's your reaction to the keynote? Share your assessment. >> So, you know, I manage two different research services at IDC right now. They are both Cloud security and identity and digital security, right? And what was really interesting is the intersection between the two this morning, because every one of those speakers that came on had something to say about identity or least privileged access, or enable MFA, or make sure that you control who gets access to what and deny explicitly. And it's always been a challenge a little bit in the identity world because a lot of people don't use MFA. And in RSA, that was another big theme at the RSA conference, MFA everywhere. Why don't they use it? Because it introduces friction and all of a sudden people can't get their jobs done. And the whole point of a network is letting people on to get that data they want to get to. So that was kind of interesting, but as we have in the industry, this shared responsibility model for Cloud computing, we've got shared responsibility for between Philip and I. (Philip laughing) I have done in the past more security of the Cloud and Philip is more security in the Cloud. >> So yeah. >> And now with Cloud operation Super Cloud, as we call it, you have on premises, private Cloud coming back, or hasn't really gone anywhere, all that on premises, Cloud operations, public Cloud, and now edge exploding with new requirements. It's really an ops challenge right now. Not so much dev. So the sec and op side is hot right now. >> Yeah, well, we've made this move from monolithic to microservices based applications. And so during the keynote this morning, the announcement around the GuardDuty Malware Protection component, and that being built into the pricing of current GuardDuty, I thought was really key. And there was also a lot of talk about partnering in security certifications, which is also so very important. So we're seeing this move towards filling in that talent gap, which I think we're all aware of in the security industry. >> So Jake, square the circle for me. So Kirk Coofell talked about Amazon AWS identity, where does AWS leave off, and companies like Okta or Ping identity or Cybertruck pickup, how are they working together? Does it just create more confusion and more tools for customers? We know the overused word of seamless. >> Yeah, yeah. >> It's never seamless, so how should we think about that? >> So, identity has been around for 35 years or something like that. Started with the mainframes and all that. And if you understand the history of it, you make more sense to the current market. You have to know where people came from and the baggage they're carrying, 'cause they're still carrying a lot of that baggage. Now, when it comes to the Cloud Service providers, they're more an accommodation from the identity standpoint. Let's make it easy inside of AWS to let you single sign on to anything in the Cloud that they have, right? Let's also introduce an additional MFA capability to keep people safer whenever we can and provide people with tools, to get into those applications somewhat easily, while leveraging identities that may live somewhere else. So there's a whole lot of the world that is still active, directory-centric, right? There's another portion of companies that were born in the Cloud that were able to jump on things like Okta and some of the other providers of these universal identities in the Cloud. So, like I said, if you understand where people came from in the beginning, you start to say, "Yeah, this makes sense." >> It's interesting you talk about mainframe. I always think about Rack F, you know. And I say, "Okay, who did what, when, where?" And you hear about a lot of those themes. So what's the best practice for MFA, that's non-SMS-based? Is it you got to wear something around your neck, is it to have sort of a third party authenticator? What are people doing that you guys would recommend? >> Yeah, one quick comment about adoption of MFA. If you ask different suppliers, what percent of your base that does SSO also does MFA, one of the biggest suppliers out there, Microsoft will tell you it's under 25%. That's pretty shocking. All the messaging that's come out about it. So another big player in the market was called Duo, Cisco bought them. >> Yep. >> And because they provide networks, a lot of people buy their MFA. They have probably the most prevalent type of MFA, it's called Push. And Push can be a red X and a green check mark to your phone, it can be a QR code, somewhere, it can be an email push as well. So that is the next easiest thing to adopt after SMS. And as you know, SMS has been denigrated by NIST and others saying, it's susceptible to man and middle attacks. It's built on a telephony protocol called SS7. Predates anything, there's no certification either side. The other real dynamic and identity is the whole adoption of PKI infrastructure. As you know, certificates are used for all kinds of things, network sessions, data encryption, well, identity increasingly. And a lot of the consumers and especially the work from anywhere, people these days have access through smart devices. And what you can do there, is you can have an agent on that smart device, generate your private key and then push out a public key and so the private key never leaves your device. That's one of the most secure ways to- >> So if our SIM card gets hacked, you're not going to be as vulnerable? >> Yeah, well, the SIM card is another challenge associated with the older ways, but yeah. >> So what do you guys think about the open source connection and they mentioned it up top. Don't bolt on security, implying shift left, which is embedding it in like sneak companies, like sneak do that. Very container oriented, a lot of Kubernetes kind of Cloud native services. So I want to get your reaction to that. And then also this reasoning angle they brought up. Kind of a higher level AI reasoning decisions. So open source, and this notion of AI reasoning. or AI reason. >> And you see more open source discussion happening, so you have your building maintaining and vetting of the upstream open source code, which is critical. And so I think AWS talking about that today, they're certainly hitting on a nerve, as you know, open source continues to proliferate. Around the automated reasoning, I think that makes sense. You want to provide guide rails and you want to provide roadmaps and you want to have sort of that guidance as to, okay, what's a correlation analysis of different tools and products? And so I think that's going to go over really well, yeah. >> One of the other key points about open source is, everybody's in a multi-cloud world, right? >> Yeah. >> And so they're worried about vendor lock in. They want an open source code base, so that they don't experience that. >> Yeah, and they can move the code around, and make sure it works well on each system. Dave and I were just talking about some of the dynamics around data control planes. So they mentioned encrypt everything which is great and I message by the way, I love that one. But oh, and he mentioned data at rest. I'm like, "What about data in flight? "Didn't hear that one." So one of the things we're seeing with SuperCloud, and now multi-cloud kind of as destinations of that, is that in digital transformation, customers are leaning into owning their data flows. >> Yeah. >> Independent of say the control plane aspects of what could come in. This is huge implications for security, where sharing data is huge, even Schmidt on stage said, we have billions and billions of things happening that we see things that no one else sees. So that implies, they're sharing- >> Quad trillion. >> Trillion, 15 zeros. (Jay laughs) >> 15 zeros. >> So that implies they're sharing that or using that pushing that into something. So sharing is huge with cyber security. So that implies open data, data flows. How do you guys see this evolving? I know it's kind of emerging, but it's becoming a nuanced point, that's critical to the architecture. >> Well, yeah, I think another way to look at that is the sharing of intelligence and some of the recent directives, from the executive branch, making it easier for private companies to share data and intelligence, which I think strengthens the cyber community overall. >> Depending upon the supplier, it's either an aggregate level of intelligence that has been anonymized or it's specific intelligence for your environment that everybody's got a threat feed, maybe two or three, right? (John laughs) But back to the encryption point, I mean, I was working for an encryption startup for a little while after I left IBM, and the thing is that people are scared of it. They're scared of key management and rotation. And so when you provide- >> Because they might lose the key. >> Exactly. >> Yeah. >> It's like shooting yourself in the foot, right? So that's when you have things like, KMS services from Amazon and stuff that really help out a lot. And help people understand, okay, I'm not alone in this. >> Yeah, crypto owners- >> They call that hybrid, the hybrid key, they don't know how they call the data, they call it the hybrid. What was that? >> Key management service? >> The hybrid- >> Oh, hybrid HSM, correct? >> Yeah, what is that? What is that? I didn't get that. I didn't understand what he meant by the hybrid post quantum key agreement. >> Hybrid post quantum key exchange. >> AWS never made a product name that didn't have four words in it. (John laughs) >> But he did reference the new NIST algos. And I think I inferred that they were quantum proof or they claim to be, and AWS was testing those. >> Correct, yeah. >> So that was kind of interesting, but I want to come back to identity for a second. So, this idea of bringing traditional IAM and Privileged Access Management together, is that a pipe dream, is that something that is actually going to happen? What's the timeframe, what's your take on that? >> So, there are aspects of privilege in every sort of identity. Back when it was only the back office that used computers for calculations, right? Then you were able to control how many people had access. There were two types of users, admins and users. These days, everybody has some aspect of- >> It's a real spectrum, really. >> Yeah. >> Granular. >> You got the C-suite, the finance people, the DevOps people, even partners and whatever. They all need some sort of privileged access, and the term you hear so much is least-privileged access, right? Shut it down, control it. So, in some of my research, I've been saying that vendors who are in the PAM space, Privilege Access Management space, will probably be growing their suites, playing a bigger role, building out a stack, because they have the expertise and the perspective that says, "We should control this better." How do we do that, right? And we've been seeing that recently. >> Is that a combination of old kind of antiquated systems meets for proprietary hyper scale, or kind of like build your own? 'Cause I mean, Amazon, these guys, Facebook, they all build their own stuff. >> Yes, they do. >> Then enterprises buy services from general purpose identity management systems. >> So as we were talking about knowing the past and whatever, Privileged Access Management used to be about compliance reporting. Just making sure that I knew who accessed what? And could prove it, so I didn't fail at all. >> It wasn't a critical infrastructure item. >> No, and now these days, what it's transitioning into, is much more risk management, okay. I know what our risk is, I'm ahead of it. And the other thing in the PAM space, was really session monitor. Everybody wanted to watch every keystroke, every screen's scrape, all that kind of stuff. A lot of the new Privileged Access Management, doesn't really require that. It's a nice to have feature. You kind of need it on the list, but is anybody really going to implement it? That's the question, right. And then if you do all that session monitoring, does anybody ever go back and look at it? There's only so many hours in the day. >> How about passwordless access? (Jay laughs) I've heard people talk about that. I mean, that's as a user, I can't wait but- >> Well, it's somewhere we want to all go. We all want identity security to just disappear and be recognized when we log in. So the thing with passwordless is, there's always a password somewhere. And it's usually part of a registration action. I'm going to register my device with a username password, and then beyond that I can use my biometrics, right? I want to register my device and get a private key, that I can put in my enclave, and I'll use that in the future. Maybe it's got to touch ID, maybe it doesn't, right? So even though there's been a lot of progress made, it's not quote, unquote, truly passwordless. There's a group, industry standards group called Fido. Which is Fast Identity Online. And what they realized was, these whole registration passwords, that's really a single point of failure. 'Cause if I can't recover my device, I'm in trouble. So they just did new extension to sort of what they were doing, which provides you with much more of like an iCloud vault that you can register that device in and other devices associated with that same identity. >> Get you to it if you have to. >> Exactly. >> I'm all over the place here, but I want to ask about ransomware. It may not be your wheelhouse. But back in the day, Jay, remember you used to cover tape. All the backup guys now are talking about ransomware. AWS mentioned it today and they showed a bunch of best practices and things you can do. Air gaps wasn't one of them. I was really surprised 'cause that's all every anybody ever talks about is air gaps and a lot of times that air gap could be a guess to the Cloud, I guess, I'm not sure. What are you guys seeing on ransomware apps? >> We've done a lot of great research around ransomware as a service and ransomware, and we just had some data come out recently, that I think in terms of spending and spend, and as a result of the Ukraine-Russia war, that ransomware assessments rate number one. And so it's something that we encourage, when we talk to vendors and in our services, in our publications that we write about taking advantage of those free strategic ransomware assessments, vulnerability assessments, as well and then security and training ranked very highly as well. So, we want to make sure that all of these areas are being funded well to try and stay ahead of the curve. >> Yeah, I was surprised to not see air gaps on the list, that's all everybody talks about. >> Well, the old model for air gaping in the land days, the novel days, you took your tapes home and put them in the sock drawer. (all laughing) >> Well, it's a form of air gap. (all laughing) >> Security and no one's going to go there and clean out. >> And then the internet came around and ruined it. >> Guys, final question we want to ask you, guys, we kind of zoom out, great commentary by the way. Appreciate it. We've seen this in many markets, a collection of tools emerge and then there's its tool sprawl. So cyber we're seeing the trend now where mon goes up on stage of all the ecosystems, probably other vendors doing the same thing where they're organizing a platform on top of AWS to be this super platform, for super Cloud capability by building a more platform thing. So we're saying there's a platform war going on, 'cause customers don't want the complexity. I got a tool but it's actually making it more complex if I buy the other tool. So the tool sprawl becomes a problem. How do you guys see this? Do you guys see this platform emerging? I mean tools won't go away, but they have to be easier. >> Yeah, we do see a consolidation of functionality and services. And we've been seeing that, I think through a 2020 Cloud security survey that we released that was definitely a trend. And that certainly happened for many companies over the last six to 24 months, I would say. And then platformization absolutely is something we talk and write about all the time so... >> Couple of years ago, I called the Amazon tool set an erector set because it really required assembly. And you see the emphasis on training here too, right? You definitely need to go to AWS University to be competent. >> It wasn't Lego blocks yet. >> No. >> It was erector set. >> Yeah. >> Very good distinction. >> Loose. >> And you lose a few. (chuckles) >> But still too many tools, right? You see, we need more consolidation. It's getting interesting because a lot of these companies have runway and you look at sale point at stock prices held up 'cause of the Thoma Bravo acquisition, but all the rest of the cyber stocks have been crushed especially the high flyers, like a Sentinel-1 one or a CrowdStrike, but just still M and A opportunity. >> So platform wars. Okay, final thoughts. What do you, think is happening next? What's your outlook for the next year or so? >> So, in the identity space, I'll talk about, Philip can cover Cloud for us. It really is more consolidation and more adoption of things that are beyond simple SSO. It was, just getting on the systems and now we really need to control what you're able to get to and who you are. And do it as transparently as we possibly can, because otherwise, people are going to lose productivity. They're not going to be able to get to what they want. And that's what causes the C-suite to say, "Wait a minute," DevOps, they want to update the product every day. Make it better. Can they do that or did security get in the way? People, every once in a while call security, the Department of No, right? >> They ditch it on stage. They want to be the Department of Yes. >> Exactly. >> Yeah. >> And the department that creates additional value. If you look at what's going on with B2C or CIAM, consumer oriented identity, that is all about opening up new direct channels and treating people like their old friends, not like you don't know them, you have to challenge them. >> We always say, you want to be in the boat together, it sinks or not. >> Yeah. Exactly. >> Philip I'm glad- >> Okay, what's your take? What's your outlook for the year? >> Yeah, I think, something that we've been seeing as consolidation and integration, and so companies looking at from built time to run time, investing in shift left infrastructure is code. And then also in the runtime detection, makes perfect sense to have both the agent and agent lists so that you're covering any of the gaps that might exist. >> Awesome, Jay Phillip, thanks for coming on "theCUBE" with IDC and sharing your- >> Oh, our pleasure- >> Perspective, commentary and insights and outlook. Appreciate it. >> You bet. >> Thank you. >> Okay, we've got the great direction here from IDC analyst here on the queue. I'm John Furrier, Dave Vellante. Be back more after this short break. (bright upbeat music)

(upbeat music) >> Okay, welcome back everyone in live coverage here at theCUBE, Boston, Massachusetts, for AWS re:inforce 22 security conference for Amazon Web Services. Obviously reinvent the end of the years' the big celebration, "re:Mars" is the new show that we've covered as well. The res are here with theCUBE. I'm John Furrier, host with a great guest, Ameesh Divatia, co-founder, and CEO of a company called "Baffle." Ameesh, thanks for joining us on theCUBE today, congratulations. >> Thank you. It's good to be here. >> And we got the custom encrypted socks. >> Yup, limited edition >> 64 bitter 128. >> Base 64 encoding. >> Okay.(chuckles) >> Secret message in there. >> Okay.(chuckles) Secret message.(chuckles) We'll have to put a little meme on the internet, figure it out. Well, thanks for comin' on. You guys are goin' hot right now. You guys a hot startup, but you're in an area that's going to explode, we believe. >> Yeah. >> The SuperCloud is here, we've been covering that on theCUBE that people are building on top of the Amazon Hyperscalers. And without the capex, they're building platforms. The application tsunami has come and still coming, it's not stopping. Modern applications are faster, they're better, and they're driving a lot of change under the covers. >> Absolutely. Yeah. >> And you're seeing structural change happening in real time, in ops, the network. You guys got something going on in the encryption area. >> Yes >> Data. Talk about what you guys do. >> Yeah. So we believe very strongly that the next frontier in security is data. We've had multiple waves in security. The next one is data, because data is really where the threats will persist. If the data shows up in the wrong place, you get into a lot of trouble with compliance. So we believe in protecting the data all the way down at the field, or record level. That's what we do. >> And you guys doing all kinds of encryption, or other things? >> Yes. So we do data transformation, which encompasses three different things. It can be tokenization, which is format preserving. We do real encryption with counter mode, or we can do masked views. So tokenization, encryption, and masking, all with the same platform. >> So pretty wide ranging capabilities with respect to having that kind of safety. >> Yes. Because it all depends on how the data is used down the road. Data is created all the time. Data flows through pipelines all the time. You want to make sure that you protect the data, but don't lose the utility of the data. That's where we provide all that flexibility. >> So Kurt was on stage today on one of the keynotes. He's the VP of the platform at AWS. >> Yes. >> He was talking about encrypts, everything. He said it needs, we need to rethink encryption. Okay, okay, good job. We like that. But then he said, "We have encryption at rest." >> Yes. >> That's kind of been there, done that. >> Yes. >> And, in-flight? >> Yeah. That's been there. >> But what about in-use? >> So that's exactly what we plug. What happens right now is that data at rest is protected because of discs that are already self-encrypting, or you have transparent data encryption that comes native with the database. You have data in-flight that is protected because of SSL. But when the data is actually being processed, it's in the memory of the database or datastore, it is exposed. So the threat is, if the credentials of the database are compromised, as happened back then with Starwood, or if the cloud infrastructure is compromised with some sort of an insider threat like a Capital One, that data is exposed. That's precisely what we solve by making sure that the data is protected as soon as it's created. We use standard encryption algorithms, AES, and we either do format preserving, or true encryption with counter mode. And that data, it doesn't really matter where it ends up, >> Yeah. >> because it's always protected. >> Well, that's awesome. And I think this brings up the point that we want been covering on SiliconAngle in theCUBE, is that there's been structural change that's happened, >> Yes. >> called cloud computing, >> Yes. >> and then hybrid. Okay. Scale, role of data, higher level abstraction of services, developers are in charge, value creations, startups, and big companies. That success is causing now, a new structural change happening now. >> Yes. >> This is one of them. What areas do you see that are happening right now that are structurally changing, that's right in front of us? One is, more cloud native. So the success has become now the problem to solve - >> Yes. >> to get to the next level. >> Yeah. >> What are those, some of those? >> What we see is that instead of security being an afterthought, something that you use as a watchdog, you create ways of monitoring where data is being exposed, or data is being exfiltrated, you want to build security into the data pipeline itself. As soon as data is created, you identify what is sensitive data, and you encrypt it, or tokenize it as it flows into the pipeline using things like Kafka plugins, or what we are very clearly differentiating ourselves with is, proxy architectures so that it's completely transparent. You think you're writing to the datastore, but you're actually writing to the proxy, which in turn encrypts the data before its stored. >> Do you think that's an efficient way to do it, or is the only way to do it? >> It is a much more efficient way of doing it because of the fact that you don't need any app-dev resources. There are many other ways of doing it. In fact, the cloud vendors provide development kits where you can just go do it yourself. So that is actually something that we completely avoid. And what makes it really, really interesting is that once the data is encrypted in the data store, or database, we can do what is known as "Privacy Enhanced Computation." >> Mm. >> So we can actually process that data without decrypting it. >> Yeah. And so proxies then, with cloud computing, can be very fast, not a bottleneck that could be. >> In fact, the cloud makes it so. It's very hard to - >> You believe that? >> do these things in static infrastructure. In the cloud, there's infinite amount of processing available, and there's containerization. >> And you have good network. >> You have very good network, you have load balancers, you have ways of creating redundancy. >> Mm. So the cloud is actually enabling solutions like this. >> And the old way, proxies were seen as an architectural fail, in the old antiquated static web. >> And this is where startups don't have the baggage, right? We didn't have that baggage. (John laughs) We looked at the problem and said, of course we're going to use a proxy because this is the best way to do this in an efficient way. >> Well, you bring up something that's happening right now that I hear a lot of CSOs and CIOs and executives say, CXOs say all the time, "Our", I won't say the word, "Our stuff has gotten complicated." >> Yes. >> So now I have tool sprawl, >> Yeah. >> I have skill gaps, and on the rise, all these new managed services coming at me from the vendors who have never experienced my problem. And their reaction is, they don't get my problem, and they don't have the right solutions, it's more complexity. They solve the complexity by adding more complexity. >> Yes. I think we, again, the proxy approach is a very simple. >> That you're solving that with that approach. >> Exactly. It's very simple. And again, we don't get in the way. That's really the the biggest differentiator. The forcing function really here is compliance, right? Because compliance is forcing these CSOs to actually adopt these solutions. >> All right, so love the compliance angle, love the proxy as an ease of use, take the heavy lifting away, no operational problems, and deviations. Now let's talk about workloads. >> Yeah. >> 'Cause this is where the use is. So you got, or workloads being run large scale, lot a data moving around, computin' as well. What's the challenge there? >> I think it's the volume of the data. Traditional solutions that we're relying on legacy tokenizations, I think would replicate the entire storage because it would create a token wall, for example. You cannot do that at this scale. You have to do something that's a lot more efficient, which is where you have to do it with a cryptography approach. So the workloads are diverse, lots of large files in the workloads as well as structured workloads. What we have is a solution that actually goes across the board. We can do unstructured data with HTTP proxies, we can do structured data with SQL proxies. And that's how we are able to provide a complete solution for the pipeline. >> So, I mean, show about the on-premise versus the cloud workload dynamic right now. Hybrid is a steady state right now. >> Yeah. >> Multi-cloud is a consequence of having multiple vendors, not true multi-cloud but like, okay, they have Azure there, AWS here, I get that. But hybrid really is the steady state. >> Yes. >> Cloud operations. How are the workloads and the analytics the data being managed on-prem, and in the cloud, what's their relationship? What's the trend? What are you seeing happening there? >> I think the biggest trend we see is pipelining, right? The new ETL is streaming. You have these Kafka and Kinesis capabilities that are coming into the picture where data is being ingested all the time. It is not a one time migration. It's a stream. >> Yeah. >> So plugging into that stream is very important from an ingestion perspective. >> So it's not just a watchdog. >> No. >> It's the pipelining. >> It's built in. It's built-in, it's real time, that's where the streaming gets another diverse access to data. >> Exactly. >> Data lakes. You got data lakes, you have pipeline, you got streaming, you mentioned that. So talk about the old school OLTP, the old BI world. I think Power BI's like a $30 billion product. >> Yeah. >> And you got Tableau built on OLTP building cubes. Aren't we just building cubes in a new way, or, >> Well. >> is there any relevance to the old school? >> I think there, there is some relevance and in fact that's again, another place where the proxy architecture really helps, because it doesn't matter when your application was built. You can use Tableau, which nobody has any control over, and still process encrypted data. And so can with Power BI, any Sequel application can be used. And that's actually exactly what we like to. >> So we were, I was talking to your team, I knew you were coming on, and they gave me a sound bite that I'm going to read to the audience and I want to get your reaction to. >> Sure. >> 'Cause I love this. I fell out of my chair when I first read this. "Data is the new oil." In 2010 that was mentioned here on theCUBE, of course. "Data is the new oil, but we have to ensure that it does not become the next asbestos." Okay. That is really clever. So we all know about asbestos. I add to the Dave Vellante, "Lead paint too." Remember lead paint? (Ameesh laughs) You got to scrape it out and repaint the house. Asbestos obviously causes a lot of cancer. You know, joking aside, the point is, it's problematic. >> It's the asset. >> Explain why that sentence is relevant. >> Sure. It's the assets and liabilities argument, right? You have an asset which is data, but thanks to compliance regulations and Gartner says 75% of the world will be subject to privacy regulations by 2023. It's a liability. So if you don't store your data well, if you don't process your data responsibly, you are going to be liable. So while it might be the oil and you're going to get lots of value out of it, be careful about the, the flip side. >> And the point is, there could be the "Grim Reaper" waiting for you if you don't do it right, the consequences that are quantified would be being out of business. >> Yes. But here's something that we just discovered actually from our survey that we did. While 93% of respondents said that they have had lots of compliance related effects on their budgets. 75% actually thought that it makes them better. They can use the security postures as a competitive differentiator. That's very heartening to us. We don't like to sell the fear aspect of this. >> Yeah. We like to sell the fact that you look better compared to your neighbor, if you have better data hygiene, back to the. >> There's the fear of missing out, or as they say, "Keeping up with the Joneses", making sure that your yard looks better than the next one. I get the vanity of that, but you're solving real problems. And this is interesting. And I want to get your thoughts on this. I found, I read that you guys protect more than a 100 billion records across highly regulated industries. Financial services, healthcare, industrial IOT, retail, and government. Is that true? >> Absolutely. Because what we are doing is enabling SaaS vendors to actually allow their customers to control their data. So we've had the SaaS vendor who has been working with us for over three years now. They store confidential data from 30 different banks in the country. >> That's a lot of records. >> That's where the record, and. >> How many customers do you have? >> Well, I think. >> The next round of funding's (Ameesh laughs) probably they're linin' up to put money into you guys. >> Well, again, this is a very important problem, and there are, people's businesses are dependent on this. We're just happy to provide the best tool out there that can do this. >> Okay, so what's your business model behind? I love the success, by the way, I wanted to quote that stat to one verify it. What's the business model service, software? >> The business model is software. We don't want anybody to send us their confidential data. We embed our software into our customers environments. In case of SaaS, we are not even visible, we are completely embedded. We are doing other relationships like that right now. >> And they pay you how? >> They pay us based on the volume of the data that they're protecting. >> Got it. >> That in that case which is a large customers, large enterprise customers. >> Pay as you go. >> It is pay as you go, everything is annual licenses. Although, multi-year licenses are very common because once you adopt the solution, it is very sticky. And then for smaller customers, we do base our pricing also just on databases. >> Got it. >> The number of databases. >> And the technology just reviewed low-code, no-code implementation kind of thing, right? >> It is by definition, no code when it comes to proxy. >> Yeah. >> When it comes to API integration, it could be low code. Yeah, it's all cloud-friendly, cloud-native. >> No disruption to operations. >> Exactly. >> That's the culprit. >> Well, yeah. >> Well somethin' like non-disruptive operations.(laughs) >> No, actually I'll give an example of a migration, right? We can do live migrations. So while the databases are still alive, as you write your. >> Live secure migrations. >> Exactly. You're securing - >> That's the one that manifests. >> your data as it migrates. >> Awright, so how much funding have you guys raised so far? >> We raised 36 and a half, series A, and B now. We raised that late last year. >> Congratulations. >> Thank you. >> Who's the venture funders? >> True Ventures is our largest investor, followed by Celesta Capital, National Grid Partners is an investor, and so is Engineering Capital and Clear Vision Ventures. >> And the seed and it was from Engineering? >> Seed was from Engineering. >> Engineering Capital. >> And then True came in very early on. >> Okay. >> Greenspring is also an investor in us, so is Industrial Ventures. >> Well, privacy has a big concern, big application for you guys. Privacy, secure migrations. >> Very much so. So what we are believe very strongly in the security's personal, security is yours and my data. Privacy is what the data collector is responsible for. (John laughs) So the enterprise better be making sure that they've complied with privacy regulations because they don't tell you how to protect the data. They just fine you. >> Well, you're not, you're technically long, six year old start company. Six, seven years old. >> Yeah. >> Roughly. So yeah, startups can go on long like this, still startup, privately held, you're growing, got big records under management there, congratulations. What's next? >> I think scaling the business. We are seeing lots of applications for this particular solution. It's going beyond just regulated industries. Like I said, it's a differentiating factor now. >> Yeah >> So retail, and a lot of other IOT related industrial customers - >> Yeah. >> are also coming. >> Ameesh, talk about the show here. We're at re:inforce, actually we're live here on the ground, the show floor buzzing. What's your takeaway? What's the vibe this year? What if you had to share what your opinion the top story here at the show, what would be the two top things, or three things? >> I think it's two things. First of all, it feels like we are back. (both laugh) It's amazing to see people on the show floor. >> Yeah. >> People coming in and asking questions and getting to see the product. The second thing that I think is very gratifying is, people come in and say, "Oh, I've heard of you guys." So thanks to digital media, and digital marketing. >> They weren't baffled. They want baffled. >> Exactly. >> They use baffled. >> Looks like, our outreach has helped, >> Yeah. >> and has kept the continuity, which is a big deal. >> Yeah, and now you're a CUBE alumni, welcome to the fold. >> Thank you. >> Appreciate you coming on. And we're looking forward to profiling you some day in our startup showcase, and certainly, we'll see you in the Palo Alto studios. Love to have you come in for a deeper dive. >> Sounds great. Looking forward to it. >> Congratulations on all your success, and thanks for coming on theCUBE, here at re:inforce. >> Thank you, John. >> Okay, we're here in, on the ground live coverage, Boston, Massachusetts for AWS re:inforce 22. I'm John Furrier, your host of theCUBE with Dave Vellante, who's in an analyst session, right? He'll be right back with us on the next interview, coming up shortly. Thanks for watching. (gentle music)

(bright music) >> Welcome back everyone to the live Cube coverage here in Boston, Massachusetts for AWS re:Inforce 22, with a great guest here, Denise Hayman, CRO, Chief Revenue of Sonrai Security. Sonrai's a featured partner of Season Two, Episode Four of the upcoming AWS Startup Showcase, coming in late August, early September. Security themed startup focused event, check it out. awsstartups.com is the site. We're on Season Two. A lot of great startups, go check them out. Sonrai's in there, now for the second time. Denise, it's great to see you. Thanks for coming on. >> Ah, thanks for having me. >> So you've been around the industry for a while. You've seen the waves of innovation. We heard encrypt everything today on the keynote. We heard a lot of cloud native. They didn't say shift left but they said don't bolt on security after the fact, be in the CI/CD pipeline or the DevStream. All that's kind of top of line, Amazon's talking cloud native all the time. This is kind of what you guys are in the middle of. I've covered your company, you've been on theCUBE before. Your, not you, but your teammates have. You guys have a unique value proposition. Take a minute to explain for the folks that don't know, we'll dig into it, but what you guys are doing. Why you're winning. What's the value proposition. >> Yeah, absolutely. So, Sonrai is, I mean what we do is it's, we're a total cloud solution, right. Obviously, right, this is what everybody says. But what we're dealing with is really, our superpower has to do with the data and identity pieces within that framework. And we're tying together all the relationships across the cloud, right. And this is a unique thing because customers are really talking to us about being able to protect their sensitive data, protect their identities. And not just people identities but the non-people identity piece is the hardest thing for them to reign in. >> Yeah. >> So, that's really what we specialize in. >> And you guys doing good, and some good reports on good sales, and good meetings happening here. Here at the show, the big theme to me, and again, listening to the keynotes, you hear, you can see what's, wasn't talk about. >> Mm-hmm. >> Ransomware wasn't talked about much. They didn't talk about air-gapped. They mentioned ransomware I think once. You know normal stuff, teamwork, encryption everywhere. But identity was sprinkled in everywhere. >> Mm-hmm. >> And I think one of the, my favorite quotes was, I wrote it down, We've security in the development cycle CSD, they didn't say shift left. Don't bolt on any of that. Now, that's not new information. We know that don't bolt, >> Right. >> has been around for a while. He said, lessons learned, this is Stephen Schmidt, who's the CSO, top dog on security, who has access to what and why over permissive environments creates chaos. >> Absolutely. >> This is what you guys reign in. >> It is. >> Explain, explain that. >> Yeah, I mean, we just did a survey actually with AWS and Forrester around what are all the issues in this area that, that customers are concerned about and, and clouds in particular. One of the things that came out of it is like 95% of clouds are, what's called over privileged. Which means that there's access running amok, right. I mean, it, it is, is a crazy thing. And if you think about the, the whole value proposition of security it's to protect sensitive data, right. So if, if it's permissive out there and then sensitive data isn't being protected, I mean that, that's where we really reign it in. >> You know, it's interesting. I zoom out, I just put my historian hat on going back to the early days of my career in late eighties, early nineties. There's always, when you have these inflection points, there's always these problems that are actually opportunities. And DevOps, infrastructure as code was all about APS, all about the developer. And now open source is booming, open source is the software industry. Open source is it in the world. >> Right. >> That's now the software industry. Cloud scale has hit and now you have the Devs completely in charge. Now, what suffers now is the Ops and the Sec, Second Ops. Now Ops, DevOps. Now, DevSecOps is where all the action is. >> Yep. >> So the, the, the next thing to do is build an abstraction layer. That's what everyone's trying to do, build tools and platforms. And so that's where the action is here. This is kind of where the innovation's happening because the networks aren't the, aren't in charge anymore either. So, you now have this new migration up to higher level services and opportunities to take the complexity away. >> Mm-hmm. >> Because what's happened is customers are getting complexity. >> That's right. >> They're getting it shoved in their face, 'cause they want to do good with DevOps, scale up. But by default their success is also their challenge. >> Right. >> 'Cause of complexity. >> That's exactly right. >> This is, you agree with that. >> I do totally agree with that. >> If you, you believe that, then what's next. What happens next? >> You know, what I hear from customers has to do with two specific areas is they're really trying to understand control frameworks, right. And be able to take these scenarios and build them into something that they, where they can understand where the gaps are, right. And then on top of that building in automation. So, the automation is a, is a theme that we're hearing from everybody. Like how, how do they take and do things like, you know it's what we've been hearing for years, right. How do we automatically remediate? How do we automatically prioritize? How do we, how do we build that in so that they're not having to hire people alongside that, but can use software for that. >> The automation has become key. You got to find it first. >> Yes. >> You guys are also part of the DevCycle too. >> Yep. >> Explain that piece. So, I'm a developer, I'm an organization. You guys are on the front end. You're not bolt-on, right? >> We can do either. We prefer it when customers are willing to use us, right. At the very front end, right. Because anything that's built in the beginning doesn't have the extra cycles that you have to go through after the fact, right. So, if you can build security right in from the beginning and have the ownership where it needs to be, then you're not having to, to deal with it afterwards. >> Okay, so how do you guys, I'm putting my customer hat on for a second. A little hard, hard question, hard problem. I got active directory on Azure. I got, IM over here with AWS. I wanted them to look the same. Now, my on-premises, >> Ah. >> Is been booming, now I got cloud operations, >> Right. >> So, DevOps has moved to my premise and edge. So, what do I do? Do I throw everything out, do a redo. How do you, how do you guys talk about, talk to customers that have that chance, 'cause a lot of them are old school. >> Right. >> ID. >> And, and I think there's a, I mean there's an important distinction here which is there's the active directory identities right, that customers are used to. But then there's this whole other area of non-people identities, which is compute power and privileges and everything that gets going when you get you know, machines working together. And we're finding that it's about five-to-one in terms of how many identities are non-human identities versus human identity. >> Wow. >> So, so you actually have to look at, >> So, programmable access, basically. >> Yeah. Yes, absolutely. Right. >> Wow. >> And privileges and roles that are, you know accessed via different ways, right. Because that's how it's assigned, right. And people aren't really paying that close attention to it. So, from that scenario, like the AD thing of, of course that's important, right. To be able to, to take that and lift it into your cloud but it's actually even bigger to look at the bigger picture with the non-human identities, right. >> What about the CISOs out there that you talk to. You're in the front lines, >> Yep. >> talking to customers and you see what's coming on the roadmap. >> Yep. >> So, you kind of get the best of both worlds. See what they, what's coming out of engineering. What's the biggest problem CISOs are facing now? Is it the sprawl of the problems, the hacker space? Is it not enough talent? What, I mean, I see the fear, what are, what are they facing? How do you, how do you see that, and then what's your conversations like? >> Yeah. I mean the, the answer to that is unfortunately yes, right. They're dealing with all of those things. And, and here we are at the intersection of, you know, this huge complex thing around cloud that's happening. There's already a gap in terms of resources nevermind skills that are different skills than they used to have. So, I hear that a lot. The, the bigger thing I think I hear is they're trying to take the most advantage out of their current team. So, they're again, worried about how to operationalize things. So, if we bring this on, is it going to mean more headcount. Is it going to be, you know things that we have to invest in differently. And I was actually just with a CISO this morning, and the whole team was, was talking about the fact that bringing us on means they have, they can do it with less resource. >> Mm-hmm. >> Like this is a a resource help for them in this particular area. So, that that was their value proposition for us, which I loved. >> Let's talk about Adrian Cockcroft who retired from AWS. He was at Netflix before. He was a big DevOps guy. He talks about how agility's been great because from a sales perspective the old model was, he called it the, the big Indian wedding. You had to get everyone together, do a POC, you know, long sales cycles for big tech investments, proprietary. Now, open sources like speed dating. You can know what's good quickly and and try things quicker. How is that, how is that impacting your sales motions. Your customer engagements. Are they fast? Are they, are they test-tried before they buy? What's the engagement model that you, you see happening that the customers like the best. >> Yeah, hey, you know, because of the fact that we're kind of dealing with this serious part of the problem, right. With the identities and, and dealing with data aspects of it it's not as fast as I would like it to be, right. >> Yeah, it's pretty important, actually. >> They still need to get in and understand it. And then it's different if you're AWS environment versus other environments, right. We have to normalize all of that and bring it together. And it's such a new space, >> Yeah. >> that they all want to see it first. >> Yeah. >> Right, so. >> And, and the consequences are pretty big. >> They're huge. >> Yeah. >> Right, so the, I mean, the scenario here is we're still doing, in some cases we'll do workshops instead of a POV or a POC. 90% of the time though we're still doing a POV. >> Yeah, you got to. >> Right. So, they can see what it is. >> They got to get their hands on it. >> Yep. >> This is one of those things they got to see in action. What is the best-of-breed? If you had to say best-of-breed in identity looks like blank. How would you describe that from a customer's perspective? What do they need the most? Is it robustness? What's some of the things that you guys see as differentiators for having a best-of-breed solution like you guys have. >> A best-of-breed solution. I mean, for, for us, >> Or a relevant solution for that matter, for the solution. >> Yeah. I mean, for us, this, again, this identity issue it, for us, it's depth and it's continuous monitoring, right. Because the issue in the cloud is that there are new privileges that come out every single day, like to the tune of like 35,000 a year. So, even if at this exact moment, it's fine. It's not going to be in another moment, right. So, having that continuous monitoring in there, and, and it solves this issue that we hear from a lot of customers also around lateral movement, right. Because like a piece of compute can be on and off, >> Yeah, yeah, yeah. >> within a few seconds, right. So, you can't use any of the old traditional things anymore. So to me, it's the continuous monitoring I think that's important. >> I think that, and the lateral movement piece, >> Yep. >> that you guys have is what I hear the most of the biggest fears. >> Mm-hmm. >> Someone gets in here and can move around, >> That's right. >> and that's dangerous. >> Mm-hmm. And, and no traditional tools will see it. >> Yeah. Yeah. >> Right. There's nothing in there unless you're instrumented down to that level, >> Yeah. >> which is what we do. You're not going to see it. >> I mean, when someone has a firewall, a perimeter based system, yeah, I'm in the castle, I'm moving around, but that's not the case here. This is built for full observability, >> That's right. >> Yet there's so many vulnerabilities. >> It's all open. Mm-hmm, yeah. And, and our view too, is, I mean you bring up vulnerabilities, right. It, it is, you know, a little bit of the darling, right. People start there. >> Yep. >> And, and our belief in our view is that, okay, that's nice. But, and you do have to do that. You have to be able to see everything right, >> Yep. >> to be able to operationalize it. But if you're not dealing with the sensitive data pieces right, and the identities and stuff that's at the core of what you're trying to do >> Yeah. >> then you're not going to solve the problem. >> Yeah. Denise, I want to ask you. Because you make what was it, five-to-one was the machine to humans. I think that's actually might be low, on the low end. If you could imagine. If you believe that's true. >> Yep. >> I believe that's true by the way If microservices continues to be the, be the wave. >> Oh, it'll just get bigger. >> Which it will. It's going to much bigger. >> Yeah. >> Turning on and off, so, the lateral movement opportunities are going to be greater. >> Yep. >> That's going to be a bigger factor. Okay, so how do I protect myself. Now, 'cause developer productivity is also important. >> Mm-hmm. >> 'Cause, I've heard horror stories like, >> Yep. >> Yeah, my Devs are cranking away. Uh-oh, something's out there. We don't know about it. Everyone has to stop, have a meeting. They get pulled off their task. It's kind of not agile. >> Right. Right. >> I mean, >> Yeah. And, and, in that vein, right. We have built the product around what we call swim lanes. So, the whole idea is we're prioritizing based on actual impact and context. So, if it's a sandbox, it probably doesn't matter as much as if it's like operational code that's out there where customers are accessing it, right. Or it's accessing sensitive data. So, we look at it from a swim lane perspective. When we try to get whoever needs to solve it back to the person that is responsible for it. So we can, we can set it up that way. >> Yeah. I think that, that's key insight into operationalizing this. >> Yep. >> And remediation is key. >> Yes. >> How, how much, how important is the timing of that. When you talk to your customer, I mean, timing is obviously going to be longer, but like seeing it's one thing, knowing what to do is another. >> Yep. >> Do you guys provide that? Is that some of the insights you guys provide? >> We do, it's almost like, you know, us. The, and again, there's context that's involved there, right? >> Yeah. >> So, some remediation from a priority perspective doesn't have to be immediate. And some of it is hair on fire, right. So, we provide actually, >> Yeah. >> a recommendation per each of those situations. And, and in some cases we can auto remediate, right. >> Yeah. >> If, it depends on what the customer's comfortable with, right. But, when I talk to customers about what is their favorite part of what we do it is the auto remediation. >> You know, one of the things on the keynotes, not to, not to go off tangent, one second here but, Kurt who runs platforms at AWS, >> Mm-hmm. >> went on his little baby project that he loves was this automated, automatic reasoning feature. >> Mm-hmm. >> Which essentially is advanced machine learning. >> Right. >> That can connect the dots. >> Yep. >> Not just predict stuff but like actually say this doesn't belong here. >> Right. >> That's advanced computer science. That's heavy duty coolness. >> Mm-hmm. >> So, operationalizing that way, the way you're saying it I'm imagining there's some future stuff coming around the corner. Can you share how you guys are working with AWS specifically? Is it with Amazon? You guys have your own secret sauce for the folks watching. 'Cause this remediation should, it only gets harder. You got to, you have to be smarter on your end, >> Yep. >> with your engineers. What's coming next. >> Oh gosh, I don't know how much of what's coming next I can share with you, except for tighter and tighter integrations with AWS, right. I've been at three meetings already today where we're talking about different AWS services and how we can be more tightly integrated and what's things we want out of their APIs to be able to further enhance what we can offer to our customers. So, there's a lot of those discussions happening right now. >> What, what are some of those conversations like? Without revealing. >> I mean, they have to do with, >> Maybe confidential privilege. >> privileged information. I don't mean like privileged information. >> Yep. I mean like privileges, right, >> Right. >> that are out there. >> Like what you can access, and what you can't. >> What you can, yes. And who and what can access it and what can't. And passing that information on to us, right. To be able to further remediate it for an AWS customer. That's, that's one. You know, things like other AWS services like CloudTrail and you know some of the other scenarios that they're talking about. Like we're, you know, we're getting deeper and deeper and deeper with the AWS services. >> Yeah, it's almost as if Amazon over the past two years in particular has been really tightly integrating as a strategy to enable their partners like you guys >> Mm-hmm. >> to be successful. Not trying to land grab. Is that true? Do you get that vibe? >> I definitely get that vibe, right. Yesterday, we spent all day in a partnership meeting where they were, you know talking about rolling out new services. I mean, they, they are in it to win it with their ecosystem. Not on, not just themselves. >> All right, Denise it's great to have you on theCUBE here as part of re:Inforce. I'll give you the last minute or so to give a plug for the company. You guys hiring? What are you guys looking for? Potential customers that are watching? Why should they buy you? Why are you winning? Give a, give the pitch. >> Yeah, absolutely. So, so yes we are hiring. We're always hiring. I think, right, in this startup world. We're growing and we're looking for talent, probably in every area right now. I know I'm looking for talent on the sales side. And, and again, the, I think the important thing about us is the, the fullness of our solution but the superpower that we have, like I said before around the identity and the data pieces and this is becoming more and more the reality for customers that they're understanding that that is the most important thing to do. And I mean, if they're that, Gartner says it, Forrester says it, like we are one of the, one of the best choices for that. >> Yeah. And you guys have been doing good. We've been following you. Thanks for coming on. >> Thank you. >> And congratulations on your success. And we'll see you at the AWS Startup Showcase in late August. Check out Sonrai Systems at AWS Startup Showcase late August. Here at theCUBE live in Boston getting all the coverage. From the keynotes, to the experts, to the ecosystem, here on theCUBE, I'm John Furrier your host. Thanks for watching. (bright music)

(gentle upbeat music) >> Okay, welcome back everyone to theCUBE's live coverage here in Boston, Massachusetts for AWS RE:INFORCE 22. I'm John Furrier, your host with Dave Vellante co-host of theCUBE, and Shreyans Metah, CTO and founder of Cequence Security. CUBE alumni, great to see you. Thanks for coming on theCUBE. >> Yeah. Thanks for having me here. >> So when we chatted you were part of the startup showcase. You guys are doing great. Congratulations on your business success. I mean, you guys got a good product in hot market. >> Yeah. >> You're here before we get into it. I want to get your perspective on the keynote and the talk tracks here and the show. But for the folks that don't know you guys, explain what you guys, take a minute to explain what you guys do and, and key product. >> Yeah, so we are the unified API protection place, but I mean a lot of people don't know what unified API protection is but before I get into that, just just talking about Cequence, we've been around since 2014. But we are protecting close to 6 billion API transactions every day. We are protecting close to 2 billion customer accounts, more than 2 trillion dollars in customer assets and a hundred million plus sort of, data points that we look at across customer base. That's that's who we are. >> I mean, of course we all know APIs is, is the basis of cloud computing and you got successful companies like Stripe, for instance, you know, you put API and you got a financial gateway, billions of transactions. What's the learnings. And now we're in a mode now where single point of failure is a problem. You got more automation you got more reasoning coming a lot more computer science next gen ML, AI there too. More connections, no perimeter. Right? More and more use cases, more in the cloud. >> Yeah. So what, what we are seeing today is, I mean from six years ago to now, when we started, right? Like the monolith apps are breaking down into microservices, right? What effectively, what that means is like every of the every such microservices talking APIs, right? So what used to be a few million web applications have now become billions of APIs that are communicating with each other. I mean, if you look at the, I mean, you spoke about IOT earlier, I call, I call like a Tesla is an application on four wheels that is communicating to its cloud over APIs. So everything is API yesterday. 80% traffic on internet is APIs. >> Now that's dated transit right there. (laughing) Couldn't resist. >> Yeah. >> Fully encrypted too. >> Yeah. >> Yeah, well hopefully. >> Maybe, maybe, maybe. (laughing) We dunno yet, but seriously everything is talking to an API. >> Yeah. >> Every application. >> Yeah. And, and there is no single choke point, right? Like you spoke about it. Like everybody is hosting their application in the cloud environments of their choice, AWS being one of them. But it's not the only one. Right? The, the, your APIs are hosted behind a CDN. Your APIs are hosted on behind an API gateway behind a load balancer in guest controllers. There is no single. >> So what's the problem? What's the problem now that you're solving? Because one was probably I can imagine connecting people, connecting the APIs. Now you've got more operational data. >> Yeah. >> Potential security hacks? More surface area? What's the what's what are you facing? >> Well, I can speak about some of the, our, some of the well known sort of exploits that have been well published, right. Everybody gets exploited, but I mean some of the well knowns. Now, if you, if you heard about Expedian last year there was a third party API that was exposing your your credit scores without proper authentication. Like Facebook had Ebola vulnerability sometime ago, where people could actually edit somebody else's videos online. Peloton again, a well known one. So like everybody is exposed, right. But that is the, the end results. All right? But it all starts with people don't even know where their APIs are and then you have to secure it all the way. So, I mean, ultimately APIs are prone to business logic attacks, fraud, and that's what, what you need to go ahead and protect. >> So is that the first question is, okay, what APIs do I need to protect? I got to take a API portfolio inventory. Is that? >> Yeah, so I think starting point is where. Where are my APIs? Right, so we spoke about there's no single choke point. Right, so APIs could be in, in your cloud environment APIs could be behind your cloud front, like we have here at RE:INFORCE today. So APIs could be behind your AKS, Ingrid controllers API gateways. And it's not limited to AWS alone, right. So, so knowing the unknown is, is the number one problem. >> So how do I find him? I asked Fred, Hey, where are our API? No, you must have some automated tooling to help me. >> Yeah, so, I, Cequence provides an option without any integration, what we call it, the API spider. Whereas like we give you visibility into your entire API attack surface without any integration into any of these services. Where are your APIs? What's your API attack surface about? And then sort of more details around that as well. But that is the number one. Is that agent list or is that an agent? >> There's no agent. So that means you can just sign up on our portal and then, then, then fire it away. And within a few minutes to an hour, we'll give you complete visibility into where your API is. >> So is it a full audit or is it more of a discovery? >> Or both? >> So, so number one, it's it's discovery, but we are also uncovering some of the potential vulnerabilities through zero knowledge. Right? So. (laughing) So, we've seen a ton of lock for J exposed server still. Like recently, there was an article that lock four J is going to be endemic. That is going to be here. >> Long time. >> (laughs) For, for a very long time. >> Where's your mask on that one? That's the Covid of security. >> Yeah. Absolutely absolutely. So, you need to know where your assets are what are they exposing? So, so that is the first step effectively discovering your attack surface. Yeah. >> I'm sure it's a efficiency issue too, with developers. The, having the spider allows you to at least see what's connecting out there versus having a meeting and going through code reviews. >> Yeah. Right? Is that's another big part of it? >> So, it is actually the last step, but you have, you actually go through a journey. So, so effectively, once you're discovering your assets you actually need to catalog it. Right. So, so I know where they're hosted but what are developers actually rolling out? Right. So they are updating your, the API endpoints on a daily basis, if not hourly basis. They have the CACD pipelines. >> It's DevOps. (laughing) >> Welcome to DevOps. It's actually why we'll do it. >> Yeah, and people have actually in the past created manual ways to catalog their APIs. And that doesn't really work in this new world. >> Humans are terrible at manual catalogization. >> Exactly. So, cataloging is really the next step for them. >> So you have tools for that that automate that using math, presumably. >> Exactly. And then we can, we can integrate with all these different choke points that we spoke about. There's no single choke points. So in any cloud or any on-prem environment where we actually integrate and give you that catalog of your APIs, that becomes your second step really. >> Yeah. >> Okay, so. >> What's the third step? There's the third step and then compliance. >> Compliance is the next one. So basically catalog >> There's four steps. >> Actually, six. So I'll go. >> Discovery, catalog, then compliance. >> Yeah. Compliance is the next one. So compliance is all about, okay, I've cataloged them but what are they really exposing? Right. So there could be PII information. There could be credit card, information, health information. So, I will treat every API differently based on the information that they're actually exposing. >> So that gives you a risk assessment essentially. >> Exactly. So you can, you can then start looking into, okay. I might have a few thousand API endpoints, like, where do I prioritize? So based on the risk exposure associated with it then I can start my journey of protecting so. >> That that's the remediation that's fixing it. >> Okay. Keep going. So that's, what's four. >> Four. That was that one, fixing. >> Yeah. >> Four is the risk assessment? >> So number four is detecting abuse. >> Okay. >> So now that I know my APIs and each API is exposing different business logic. So based on the business you are in, you might have login endpoints, you might have new account creation endpoint. You might have things around shopping, right? So pricing information, all exposed through APIs. So every business has a business logic that they end up exposing. And then the bad guys are abusing them. In terms of scraping pricing information it could be competitors scraping pricing. They will, we are doing account take. So detecting abuse is the first step, right? The fifth one is about preventing that because just getting visibility into abuse is not enough. I should be able to, to detect and prevent, natively on the platform. Because if you send signals to third party platforms like your labs, it's already too late and it's too course grain to be able to act on it. And the last step is around what you actually spoke about developers, right? Like, can I shift security towards the left, but it's not about shifting left. Just about shifting left. You obviously you want to bring in security to your CICD pipelines, to your developers, so that you have a full spectrum of API securities. >> Sure enough. Dave and I were talking earlier about like how cloud operations needs to look the same. >> Yeah. >> On cloud premise and edge. >> Yes. Absolutely. >> Edge is a wild card. Cause it's growing really fast. It's changing. How do you do that? Cuz this APIs will be everywhere. >> Yeah. >> How are you guys going to reign that in? What's the customers journey with you as they need to architect, not just deploy but how do you engage with the customer who says, "I have my environment. I'm not going to be to have somebody on premise and edge. I'll use some other clouds too. But I got to have an operating environment." >> Yeah. "That's pure cloud." >> So, we need, like you said, right, we live in a heterogeneous environment, right? Like effectively you have different, you have your edge in your CDN, your API gateways. So you need a unified view because every gateway will have a different protection place and you can't deal with 5 or 15 different tools across your various different environments. So you, what we provide is a unified view, number one and the unified way to protect those applications. So think of it like you have a data plane that is sprinkled around wherever your edges and gateways and risk controllers are and you have a central brains to actually manage it, in one place in a unified way. >> I have a computer science or computer architecture question for you guys. So Steven Schmidt again said single controls or binary states will fail. Obviously he's talking from a security standpoint but I remember the days where you wanted a single point of control for recovery, you talked about microservices. So what's the philosophy today from a recovery standpoint not necessarily security, but recovery like something goes wrong? >> Yeah. >> If I don't have a single point of control, how do I ensure consistency? So do I, do I recover at the microservice level? What's the philosophy today? >> Yeah. So the philosophy really is, and it's very much driven by your developers and how you want to roll out applications. So number one is applications will be more rapidly developed and rolled out than in the past. What that means is you have to empower your developers to use any cloud and serverless environments of their choice and it will be distributed. So there's not going to be a single choke point. What you want is an ability to integrate into that life cycle and centrally manage that. So there's not going to be a single choke point but there is going to be a single control plane to manage them off, right. >> Okay. >> So you want that unified, unified visibility and protection in place to be able to protect these. >> So there's your single point of control? What about the company? You're in series C you've raised, I think, over a hundred million dollars, right? So are you, where are you at? Are you scaling now? Are you hiring sales people or you still trying to sort of be careful about that? Can you help us understand where you're at? >> Yeah. So we are absolutely scaling. So, we've built a product that is getting, that is deployed already in all these different verticals like ranging from finance, to detail, to social, to telecom. Anybody who has exposure to the outside world, right. So product that can scale up to those demands, right? I mean, it's not easy to scale up to 6 billion requests a day. So we've built a solid platform. We've rolled out new products to complete the vision. In terms of the API spider, I spoke about earlier. >> The unified, >> The unified API protection covers three aspects or all aspects of API life cycle. We are scaling our teams from go to market motion. We brought in recently our chief marketing officer our chief revenue officer as well. >> So putting all the new, the new pieces in place. >> Yeah. >> So you guys are like API observability on steroids. In a way, right? >> Yeah, absolutely. >> Cause you're doing the observability. >> Yes. >> You're getting the data analysis for risk. You're having opportunities and recommendations around how to manage the stealthy attacks. >> From a full protection perspective. >> You're the API store. >> Yeah. >> So you guys are what we call best of breed. This is a trend we're seeing, pick something that you're best in breed in. >> Absolutely. >> And nail it. So you're not like an observability platform for everything. >> No. >> You guys pick the focus. >> Specifically, APS. And, so basically your, you can have your existing tools in place. You will have your CDN, you will have your graphs in place. So, but for API protection, you need something specialized and that stuff. >> Explain why I can't just rely on CDN infrastructure, for this. >> So, CDNs are, are good for content delivery. They do your basic TLS, and things like that. But APIs are all about your applications and business that you're exposing. >> Okay, so you, >> You have no context around that. >> So, yeah, cause this is, this is a super cloud vision that we're seeing of structural change in the industry, a new thing that's happening in real time. Companies like yours are be keeping a focus and nailing it. And now the customer's can assemble these services and company. >> Yeah. - Capabilities, that's happening. And it's happening like right now, structural change has happened. That's called the cloud. >> Yes. >> Cloud scale. Now this new change, best of brief, what are the gaps? Because I'm a customer. I got you for APIs, done. You take the complexity away at scale. I trust you. Where are the other gaps in my architecture? What's new? Cause I want to run cloud operations across all environments and across clouds when appropriate. >> Yeah. >> So I need to have a full op where are the other gaps? Where are the other best of breed components that need to be developed? >> So it's about layered, the layers that you built. Right? So, what's the thing is you're bringing in different cloud environments. That is your infrastructure, right? You, you, you either rely on the cloud provider for your security around that for roll outs and operations. Right? So then is going to be the next layer, which is about, is it serverless? Is it Kubernetes? What about it? So you'll think about like a service mesh type environment. Ultimately it's all about applications, right? That's, then you're going to roll out those applications. And that's where we actually come in. Wherever you're rolling out your applications. We come in baked into that environment, and for giving you that visibility and control, protection around that. >> Wow, great. First of all, APIs is the, is what cloud is based on. So can't go wrong there. It's not a, not a headwind for you guys. >> Absolutely. >> Great. What's a give a quick plug for the company. What are you guys looking to do hire? Get customers who's uh, when, what, what's the pitch? >> So like I started earlier, Cequence is around unified API protection, protecting around the full life cycle of your APIs, ranging from discovery all the way to, to testing. So, helping you throughout the, the life cycle of APIs, wherever those APIs are in any cloud environment. On-prem or in the cloud in your serverless environments. That's what Cequence is about. >> And you're doing billions of transactions. >> We're doing 6 billion requests every day. (laughing) >> Which is uh, which is, >> A lot. >> Unheard for a lot of companies here on the floor today. >> Sure is. Thanks for coming on theCUBE, sure appreciate it. >> Yeah. >> Good, congratulations to your success. >> Thank you. >> Cequence Security here on theCUBE at RE:INFORCE. I'm chatting with Dave Vellante, more coverage after this short break. (upbeat, gentle music)

>>Okay, welcome back everyone. Cube's coverage here in Boston, Massachusetts, AWS reinforced 22, the security conference. It's ADOS big security conference. Of course, the cubes here, all the reinvent res re Mars reinforce. We cover 'em all now and the summits. I'm John. Very my host, Dave ante have IDC weighing in here with their analysis. We've got some great guests here, Jay Brisbane, research VP at IDC and Philip who research managed for cloud security. Gentlemen, thanks for coming on. Thank you. Appreciate it. Great >>To, to be here. I appreciate the got the full >>Circle, right? Just, security's more interesting >>Than storage. Isn't it? >>Dave, Dave and Jay worked together. This is a, a great segment. I'm psyched that you guys are here. We had Crawford and Matt Eastwood on at HPE discover a while back and really the, the, the data you guys are getting and the insights are fantastic. So congratulations to IDC. You guys doing great work. We appreciate your time. I wanna get your reaction to the event and the keynotes. AWS has got some posture and they're very aggressive on some tones. Some things that they didn't, we didn't hear. What's your reaction to the keynote, share your, your assessment. >>So, you know, I managed two different research services at IDC right now. They are both cloud security and identity and, and digital security. Right. And what was really interesting is the intersection between the two this morning, because every one of those speakers that came on had something to say about identity or least privileged access, or, you know, enable MFA, or make sure that you, you know, control who gets access to what and deny explicitly. Right? And it's always been a challenge a little bit in the identity world because a lot of people don't use MFA. And in RSA, that was another big theme at the RSA conference, right? MFA everywhere. Why don't they use it because it introduces friction and all of a sudden people can't get their jobs done. Right. And the whole point of a network is letting people on to get that data they want to get to. So that was kind of interesting, but, you know, as we have in the industry, this shared responsibility model for cloud computing, we've got shared responsibility for between Philip and I, I have done in the ke past more security of the cloud and Philip is more security in the cloud, >>So yeah. And it's, and now with cloud operation, super cloud, as we call it, you have on premises, private cloud coming back, or hasn't really gone anywhere, all that on premises, cloud operations, public cloud, and now edge exploding with new requirements. Yeah. It's really an ops challenge right now. Not so much dev. So the sick and op side is hot right now. >>Yeah. Well, we've made this move from monolithic to microservices based applications. And so during the keynote this morning, the announcement around the guard duty malware protection component, and that being built into the pricing of current guard duty, I thought was, was really key. And there was also a lot of talk about partnering in security certifications. Yeah. Which is also so very important. So we're seeing this move towards filling in that talent gap, which I think we're all aware of in the security industry. >>So Jake square, the circle for me. So Kirk, Coel talked about Amazon AWS identity, where does AWS leave off and, and companies like Okta or ping identity or crock pickup, how are they working together? Does it just create more confusion and more tools for customers? We, we have, we know the over word overused word of seamless. Yeah. Yeah. It's never seamless. So how should we think about that? >>So, you know, identity has been around for 35 years or something like that started with the mainframes and all that. And if you understand the history of it, you make more sense to the current market. You have to know where people came from and the baggage they're carrying, cuz they're still carrying a lot of that baggage. Now, when it comes to the cloud service providers, they're more an accommodation from the identity standpoint, let's make it easy inside of AWS to let you single sign on to anything in the cloud that they have. Right. Let's also introduce an additional MFA capability to keep people safer whenever we can and, you know, provide people the tools to, to get into those applications somewhat easily, right. While leveraging identities that may live somewhere else. So, you know, there's a whole lot of the world that is still active directory centric, right? There's another portion of companies that were born in the cloud that were able to jump on things like Okta and some of the other providers of these universal identities in the cloud. So, you know, like I said, you, if you understand where people came from in the beginning, you start to, to say, yeah, this makes sense. >>It's, it's interesting. You talk about mainframe. I, I always think about rack F you know, and I say, okay, who did what, when, where, yeah. And you hear about a lot of those themes. What, so what's the best practice for MFA? That's, that's non SMS based. Is it, you gotta wear something around your neck, is it to have sort of a third party authenticator? What are people doing that is that, that, that you guys would recommend? >>Yeah. One quick comment about adoption of MFA. You know, if you ask different suppliers, what percent of your base that does SSO also does MFA one of the biggest suppliers out there Microsoft will tell you it's under 25%. That's pretty shocking. Right? All the messaging that's come out about it. So another big player in the market was called duo. Cisco bought them. Yep. Right. And because they provide networks, a lot of people buy their MFA. They have probably the most prevalent type of MFA it's called push. Right. And push can be, you know, a red X and a green check mark to your phone. It can be a QR code, you know, somewhere, it can be an email push as well. So that is the next easiest thing to adopt after SMS. And as you know, SMS has been denigrated by N and others saying, you know, it's susceptible to man and middle attacks. >>It's built on a telephony protocol called SS seven. Yep. You know, predates anything. There's no certification, either side. The other real dynamic and identity is the whole adoption of PKI infrastructure. As you know, certificates are used for all kinds of things, network sessions, data encryption, well identity increasingly, and a lot of the, you know, consumers and especially the work from anywhere, people these days have access through smart devices. Right. And what you can do there is you can have an agent on that smart device, generate your private key and then push out a public key. And so the private key never leaves your device. That's one of the most secure ways to, so if your >>SIM card gets hacked, you're not gonna be as at vulnerable >>Or as vulnerable. Well, the SIM card is another, you know, challenge associated with the, the older waste. But yeah. Yeah. >>So what do you guys think about the open source connection and, and they, they mentioned it up top don't bolt on security implying shift left, which is embedding it in like sneak companies, like sneak do that, right. Container oriented, a lot of Kubernetes kind of cloud native services. So I wanna get your reaction to that. And then also this reasoning angle, they brought up kind of a higher level AI reasoning decisions. So open source and this notion of AI reasoning >>Automation. Yeah. And, and you see more open source discussion happening, right. So you, you know, you have your building maintaining and vetting of the upstream open source code, which is critical. And so I think AWS talking about that today, they're certainly hitting on a nerve as, you know, open source continues to proliferate around the automated reasoning. I think that makes sense. You know, you want to provide guiderails and you want to provide roadmaps and you wanna have sort of that guidance as to okay. What's the, you know, a correlation analysis of different tools and products. And so I think that's gonna go over really well. >>Yeah. One of the other, you know, key points of what open source is, everybody's in a multi-cloud world, right? Yeah. And so they're worried about vendor lockin, they want an open source code base so that they don't experience that. >>Yeah. And they can move the code around and make sure it works well on each system. Dave and I were just talking about some of the dynamics around data control planes. So yeah. They mentioned encrypt everything, which is great. And I message, by the way, I love that one, but oh. And he mentioned data at rest. I'm like, what about data in flight? Didn't hear that one. So one of the things we're seeing with super cloud, and now multi-cloud kind of, as destinations of that, is that in digital transformation, customers are leaning into owning their data flows. >>Yeah. >>Independent of say the control plane aspects of what could come in. This is huge implications for security, where sharing data is huge. Even Schmidt on Steve said we have billions and billions of things happening that we see things that no one else else sees. So that implies, they're >>Sharing quad trillion, >>Trillion, 15 zeros trillion. Yeah. 15 >>Zeros, 15 zeros. Yeah. >>So that implies, they're sharing that or using that, pushing that into something. So sharing's huge with cyber security. So that implies open data, data flows. What do, how do you guys see this evolving? I know it's kind of emerging, but it's becoming a, a nuanced point that's critical to the architecture. >>Well, I, yeah, I think another way to look at that is the sharing of intelligence and some of the recent directives, you know, from the executive branch, making it easier for private companies to share data and intelligence, which I think strengthens the cyber community overall, >>Depending upon the supplier. Right? Yeah. It's either an aggregate level of intelligence that has been, you know, anonymized or it's specific intelligence for your environment that, you know, everybody's got a threat feed, maybe two or three, right. Yeah. But back to the encryption point, I mean, I was working for an encryption startup for a little while. Right after I left IBM. And the thing is that people are scared of it. Right. They're scared of key management and rotation. And so when you provide, >>Because they might lose the key. >>Exactly. Yeah. It's like shooting yourself in the foot. Right. So that's when you have things like, you know, KMS services from Amazon and stuff, they really help out a lot and help people understand, okay, I'm not alone in this. >>Yeah. Crypto >>Owners, they call that hybrid, the hybrid key, they call the, what they call the, today. They call it the hybrid. >>What was that? The management service. Yeah. The hybrid. So hybrid HSM, correct. >>Yeah. What is that? What is that? I didn't, I didn't get that. I didn't understand what he meant by the hybrid post hybrid, post quantum key agreement. Right. That still notes >>Hybrid, post quantum key exchange, >>You know, AWS never made a product name that didn't have four words in it, >>But he did, but he did reference the, the new N algos. And I think I inferred that they were quantum proof or the claim it be. Yeah. And AWS was testing those. Correct. >>Yeah. >>So that was kind of interesting, but I wanna come back to identity for a second. Okay. So, so this idea of bringing traditional IAM and, and privilege access management together, is that a pipe dream, is that something that is actually gonna happen? What's the timeframe, what's your take on that? >>So, you know, there are aspects of privilege in every sort of identity back when, you know, it was only the back office that used computers for calculations, right? Then you were able to control how many people had access. There were two types of users, admins, and users, right? These days, everybody has some aspect of, >>It's a real spectrum, really >>Granular. You got the, you know, the C suite, the finance people, the DevOps, people, you know, even partners and whatever, they all need some sort of privileged access. And the, the term you hear so much is least privileged access. Right? Shut it down, control it. So, you know, in some of my research, I've been saying that vendors who are in the Pam space privilege access management space will probably be growing their suites, playing a bigger role, building out a stack because they have, you know, the, the expertise and the, and the perspective that says we should control this better. How do we do that? Right. And we've been seeing that recently, >>Is that a combination of old kind of antiquated systems meets for proprietary hyperscale or kind of like build your own? Cause I mean, Amazon, these guys, they Facebook, they all build their own stuff. >>Yes. They >>Do enterprises buy services from general purpose identity management systems. >>So as we were talking about, you know, knowing the past and whatever privileged access management used to be about compliance reporting. Yeah. Right. Just making sure that I knew who accessed what and could prove it. So I didn't fail in art. It wasn't >>A critical infrastructure item. >>No. And now these days, what it's transitioning into is much more risk management. Okay. I know what our risk is. I'm ahead of it. And the other thing in the Pam space was really session monitor. Right. Everybody wanted to watch every keystroke, every screen's scrape, all that kind of stuff. A lot of the new privilege access Mon management doesn't really require that it's nice to have feature. You kind of need it on the list, but is anybody really gonna implement it? That's the question. Right. And then, you know, if, if you do all that session monitor, does anybody ever go back and look at it? There's only so many hours in the day. >>How about passwordless access? You know? Right. I've heard people talk about that. Yeah. I mean, that's as a user, I can't wait, but >>It's somewhere we want to all go. Yeah. Right. We all want identity security to just disappear and be recognized when we log in. So the, the thing with password list is there's always a password somewhere and it's usually part of a registration, you know, action. I'm gonna register my device with a username password. And then beyond that, I can use my biometrics. Right. I wanna register my device and get a private key that I can put in my enclave. And I'll use that in the future. Maybe it's gotta touch ID. Maybe it doesn't. Right. So even though there's been a lot of progress made, it's not quote unquote, truly passwordless, there's a group industry standards group called Fido. Right. Which is fast identity online. And what they realized was these whole registration passwords. That's really a single point of failure. Cuz if I can't recover my device, I'm in trouble. Yeah. So they just did a, a new extension to sort of what they were doing, which provides you with much more of a, like an iCloud vault, right. That you can register that device in and other devices associated with that same iPad that you can >>Get you to it. If you >>Have to. Exactly. I had >>Another have all over the place here, but I, I want to ask about ransomware. It may not be your wheelhouse. Yeah. But back in the day, Jay, remember you used to cover tape. All the, all the backup guys now are talking about ransomware. AWS mentioned it today and they showed a bunch of best practices and things you can do air gaps. Wasn't one, one of 'em. Right. I was really surprised cuz that's all, every anybody ever talks about is air gaps. And a lot of times that air gaps that air gap could be a guess to the cloud. I guess I'm not sure. What are you guys seeing on ransomware >>Apps? You know, we've done a lot of great research around ransomware as a service and ransomware and, and you know, we just had some data come out recently that I think in terms of spending and, and spend and in as a result of the Ukraine, Russia war, that ransomware assessments rate number one. And so it's something that we encourage, you know, when we talk to vendors and in our services, in our publications that we write about taking advantage of those free strategic ransomware assessments, vulnerability assessments, right. As well, and then security and training ranked very highly as well. So we wanna make sure that all of these areas are being funded well to try and stay ahead of the curve. >>Yeah. I was surprised that not the air gaps on the list, that's all everybody >>Talks about. Well, you know, the, the old model for air gaping in the, the land days, the Noel days, you took your tapes home and put 'em in the sock drawer. >>Well, it's a form of air gap security and no one's gonna go there >>Clean. And then the internet came around >>Guys. Final question. I want to ask you guys, we kind zoom out. Great, great commentary by the way. Appreciate it. As the, we've seen this in many markets, a collection of tools emerge and then there's it's tool sprawl. Oh yeah. Right? Yeah. So cyber we're seeing trend now where Mon goes up on stage of all the E probably other vendors doing the same thing where they're organizing a platform on top of AWS to be this super platform. If you super cloud ability by building more platform thing. So we're saying there's a platform war going on, cuz customers don't want the complexity. Yeah. I got a tool, but it's actually making it more complex if I buy the other tool. So the tool sprawl becomes a problem. How do you guys see this? Do you guys see this platform emerging? I mean, tools won't go away, but they have to be >>Easier. Yeah. We do see a, a consolidation of functionality and services. And we've been seeing that, I think through a 20, 20 flat security survey that we released, that that was definitely a trend. And you know, that certainly happened for many companies over the last six to 24 months, I would say. And then platformization absolutely is something we talk 'em right. About all the time. So >>More M and a couple of years ago, I called the, the Amazon tool set in rector set. Yeah. Because it really required assembly. Yeah. And you see the emphasis on training here too, right? Yeah. You definitely need to go to AWS university to be competent. It >>Wasn't Lego blocks yet. No, it was a rector set. Very good distinction rules, you know, and, and you lose a few. It's >>True. Still too many tools. Right. You see, we need more consolidation. That's getting interesting because a lot of these companies have runway and you look, you look at sale point, its stock prices held up cuz of the Toma Bravo acquisition, but all the rest of the cyber stocks have been crushed. Yeah. You know, especially the high flyers, like a Senti, a one or a crowd strike, but yeah, just still M and a opportunity >>Itself. So platform wars. Okay. Final thoughts. What do you thinks happening next? What's what's your outlook for the, the next year or so? >>So in the, in the identity space, I'll talk about Phillip can cover cloud force. You know, it really is more consolidation and more adoption of things that are beyond simple SSO, right. It was, you know, just getting on the systems and now we really need to control what you're able to get to and who you are and do it as transparently as we possibly can because otherwise, you know, people are gonna lose productivity, right. They're not gonna be able to get to what they want. And that's what causes the C-suite to say, wait a minute, you know, DevOps, they want to update the product every day. Right. Make it better. Can they do that? Or did security get in the way people every once in a while I'll call security, the department of no, right? Yeah. Well, >>Yeah. They did it on stage. Yeah. They wanna be the department of yes, >>Exactly. And the department that creates additional value. If you look at what's going on with B to C or C IAM, consumer identity, that is all about opening up new direct channels and treating people like, you know, they're old friends, right. Not like you don't know 'em you have to challenge >>'em we always say you wanna be in the boat together. It sinks or not. Yeah. Right. Exactly. >>Phillip, >>Okay. What's your take? What's your outlook for the year? >>Yeah. I think, you know, something that we've been seeing as consolidation and integration, and so, you know, companies looking at from built time to run time investing in shift left infrastructure is code. And then also in the runtime detection makes perfect sense to have both the agent and agentless so that you're covering any of the gaps that might exist. >>Awesome. Jerry, Phillip, thanks for coming on the queue with IDC and sharing >>Your oh our pleasure perspective. >>Commentary, have any insights and outlook. Appreciate it. You bet. Thank you. Okay. We've got the great direction here from IDC analyst here on the queue. I'm John for a Dave, we're back more after this shirt break.

(theme music) >> Okay, welcome back everyone, theCUBE's live coverage here in Boston, Massachusetts for AWS re:Inforce '22. Big show for ground security, Amazon re:Invent's coming up. That's the big event of all time for AWS. re:MARS was another one, re:Inforce, the re:Shows, they call them, theCUBE's got you covered. I'm John Furrier, host of theCUBE with Dave Vellante, who's in an analyst session right now. He'll be back shortly. We've got 2 great guests from an amazing company, HackerOne, been on theCUBE many times, (mumbles) Marten Mickos, of course, a big time, (mumbles) We got two great guests. Sean Ryan, Sr. Principal Product Marketing Manager Will Kapcio, Senior Sales Engineer. Gents, welcome to theCUBE. >> Thanks for having us John. >> So Marten's been on many times, he's such a character. He's such a legend. >> Yeah. >> Your company has had great traction, great community, just this phenomenal example of community meets technology and problem solver. >> Yeah. >> He's been part of that organization. Here at re:Inforce they're just kind of getting wind of it now, right? You hear an open, teamwork, breaking down the silos, a big theme is this whole idea of open community, but yet be hardcore with the security. It's been a big part of the re:Inforce. What do you guys think of the show so far? >> Loving it. Partly too, we're both local here in the Boston area. So the commute was pretty nice. (everyone laughs) And the heat wave broke the other day so that's wonderful, but yeah, great show. It's good to be back in person doing this kind of stuff and just, it's really lively. You get a lot of good energy. We've had a bunch of people stopping by trying to learn what we're all about and so, it's really fun. Great show so far. >> And you guys have a great company. Take a minute to explain for the folks who may not know HackerOne. Tell them what you guys do real quick in one minute. >> Okay, the quick elevator pitch. (chuckles) So really we're making the internet safer using a community of ethical hackers. And so our platform enables that so we can skill match the best talent that's out there around the world to help find all the vulnerabilities that your company needs to discover. So you can plug those holes and keep yourself safe. >> So in an era of a talent gap, Will, you know the technologies out there, but sometimes the skills are not there. So you guys can feel the void kind of a crowdsourced vibe, right? >> Yeah, exactly. If you're trying to build a security program, and apply defense in depth, we offer a terrific way to engage additional security talent either because you can't hire enough or your team is simply overloaded, too much to do, so. >> Hackers like to be a little bit, white hat hackers like to be independent, might want some flexibility in their schedule, live around the world. >> Yes. No question for hackers that do it full time, that do it part-time and then everything in between. >> Well, you guys are in the middle here with some real products. So talk about what's going on here. How vulnerable are the surface areas in organizations that you're seeing? >> Yeah, probably more so than you would think. So we ran a survey earlier this year, 800 security and IT professionals across North America and Europe. And one of the findings from that survey was that nearly a third, actually over a third, 37% of the attack surfaces, not secured. Some of it's not even known. They don't know what they don't know. They just have this entire area. And you can imagine, I mean there's a lot of reasons you know, real legitimate reasons that this happens. One of those really being that we don't know what we don't know. We haven't scanned our attack surface. >> And also it's about a decade of no perimeter anymore. >> Yes. >> Welcome to the cloud. >> For sure. Absolutely. And people are moving quick, right? You know, the Cloud perfect example. Cloud people are building new applications on top of these new underlying configurations happening on a constant basis. Acquisitions, you know, that's just a fast moving thing. Nobody can keep track of it. There's a lot of different skill sets you need you know. And yeah, skill shortage out there too. As we talked about. >> What's the attacker solution you guys have? You guys have this HackerOne attack resistance component, what's that about? >> That's right. So that is to solve what we call the attack resistance gap. So that area that's not protected, hasn't been secured, on top of just not knowing what those assets are, or how vulnerable they are. The other thing that happens is people are sort of doing status quo testing, or they're not able to keep up with effective testing. So scanners are great. They can catch common vulnerabilities, but they're not going to catch those really hard to find vulnerabilities. The thing that the really sophisticated attackers are going to go after. >> Yeah. >> So we use... This large community that we have of ethical hackers around the world to be able to skill match them and get them doing bug bounties, doing pen tests, really bulletproofing the organization, and helping them risk-rank what they find. >> Yeah. >> Triage these, do the retesting, you know, get it very secure. So that's how we do it on a high level. Will, you might have a-- >> Yeah. I mean there's a tremendous amount of automation out there, right? But you can't quite at least not yet replace critical thinking. >> Yeah. >> From smart security minds. So HackerOne has a number of solutions where we can apply those minds in different ways at different parts of the software life cycle at different cadences, to fit our customers' needs, to fit their security needs, and make sure that there's more complete human coverage throughout their software lifecycle, and not just automation. >> Yeah. I think that's a great point, Will and Sean, because you think about open source is like not only grown significantly, it's like's it is the software industry. If you believe that, which I do. Open source is there it's all software free. The integration is creating a DevOps movement that's going the whole level. So Devs are doing great. They're pumping out codes. In fact, I heard a quote here on theCUBE earlier this morning from the CTO Sequence Security that said: "Shift left but shield right." So shifting left is build your security into the code, but still you got to have a shield. You guys have this shielding capability with your attack module management service. So you now you got the Devs thinking: "I got to get better security native" So but they're pumping out so much code. >> Yep. >> There's more use cases, so there's going to be code reviews needed for stuff that she said, "What is this? We got to code review new stuff. A developer created something." >> Yes. >> I mean, that's what happened. That's what's going on everywhere, right? >> Exactly. We often hear that for every 100 developers, you've got one security professional. (John laughs) You know, talk about skill shortage that's just not sustainable. How are you going to keep up with that? >> Yeah. >> So-- >> Your phone is ringing off the hook. There's no phones anymore, but like technically-- >> Yeah, yeah, exactly. So, you know, yeah, you need to go external find some experts who can help you figure that out, and keep up with that cadence, you know keeps going and going. >> So, HackerOne. I love the ethical thing. I mean, you know, I'm a big fan. Everyone who watches theCUBE knows I'm a big fan of Marten and your company, but it's not just bug bounties that you do. That's just people think of, they see that in the news. "Oh, I made a million dollars from saving Microsoft teams from being exploited" or something like that, or weird things big numbers. But you do more than that. There's code reviews, there's assessments, like a variety of different things, right? >> Yes, exactly. Exactly. >> What are the hottest areas? >> Yeah, I mean, that's exactly why we coined the term, Attack Resistance Management really is to help describe all those areas that we cover, so you're right, bug bounty is our flagship product. It's what we're best known for. And it's a terrific solution. But on top of that, we're able to layer things like vulnerability disclosure, pen testing and code review. >> Pen test is actually really important-- >> Attack surface management, you know, a whole suite of complimentary offerings to help you engage these hackers in new and interesting ways. >> Yeah. >> The bug bounty is very popular because it's fun. >> Yeah. >> I mean if your going to work on something... It's fun for the hackers but the white hat hackers, the companies they can see where's my bugs it's the fear of missing out and the fear of getting screwed over. That's the biggest driver, right, you Know-- >> Yes, definitely and we now have a product called assets. So this is attack surface management. And what we're able to do with that is bring that in leverage the ethical hackers to risk-rank. What's your assets out there? How vulnerable are these? What's critical? Feed that in, and then you know, as Will was saying we've got all kinds of different testing options. Sometimes bug bounty continuous that works. Sometimes you want pen test, you know, you want it bound. >> Well, the thing about the thing about the pen test, well the soccer report, Amazon's got soccer reports but pen test is a moving train. >> Yeah >> Cause if you're pushing new code, you got to pen test it all the time. It's not a one and done. >> Exactly. >> You got to keep it running. Just one and run, right? >> You can't do the old school penetration test once a year, big monolithic thing. You know, this is just a check the box for compliances like, no, you need to be focusing this on the assets that you're releasing, which are constantly changing. And doing ongoing smaller cadences of pen testing. >> I had someone at a conference had a few cocktails in them, confessed to me, that they forged a pen test report. >> Oh man. >> Wow! (everyone laughs) >> Because he's like, "Oh! It was three months ago. Don't Worry about it." Like, but a lot can happen in three months. No, this is reality, they are like, "I can't turn it around fast enough" They had an Apsec review... >> Yeah. >> In their company and... >> And that's it. >> I mean, I'm not saying everyone's doing bad behavior, but like people can look the other way that creates more vulnerabilities. >> It can happen. And even just that time space. Let's say you're only doing a pen test once a year or once every two years. That's a long time. It's a lot of dwell time, you can have an attacker inside mulling around your network. >> All right. So we get a big service here. This one, AWS, we're here at re:Inforce the trend that you see Amazon getting closer to the ecosystem, lot more integration. How are you guys taking HackerOne's attack surface area product management software, closer to Amazon? What's going involved? Because at the end of the day they're enabling a lot of value and their partners are growing and becoming platforms within of themselves. What is the connection with Amazon? Keeping those apps running? How do you guys do that? >> Yeah. So we've got a specific assessment type for AWS. So... On the one hand, we're bringing in the right group of ethical hack hackers who are AWS certified. They have the right skillset, we're matching them. We've got the right assessment type for them to be able to track against and find the right vulnerabilities, report on those. So this is our pen test offering geared particularly towards the AWS platform. And then we also have an AWS security hub integration. So if customers are using the AWS security hub, we can plug into that, feed that information. And that gets more to it, the defense and depth for your AWS. >> And you guys verify all the ethical hackers? Everything's verified? >> Oh yes, absolutely. Fully. >> Yep. So they're verified for their pen testing experience, and skills and of course their AWS skills in particular. And their work experience, making sure that it's long enough that it's good, background check, the whole nine, so. >> How far has Amazon come from your perspective, over the past few years with the security partnerships? I mean their services have grown every year. I mean, every Amazon re:Invent, thousands of new announcements, new services. I mean if they update the DNS server, it's a new thing. Right? So like everything's happening. >> Yeah. >> What's different now? >> It's great to see. I mean, you look around at how many different types of security solutions there are here how many different types of partners, and it just shows you that defense in depth again, it's a really critical thing. Been a wonderful partner for us. I mean that, they're a big fan of us. They tell us that all the time. >> Yeah, 'cause the customers use you. >> Cause they're customers too. Right. Exactly. Exactly. But no, it's, it's been great. So we're looking at, we've got some things on the roadmap, some continued integrations that we look forward to doing with AWS, but you know, again it's a great powerful platform. It gives customers a lot of freedom, but with that freedom comes the responsibility that's needed to actually-- >> Will, what's your take? We hear hybrid security keys, management systems, announced today, encrypt everything, don't have over permissive environments. Obviously they're talking about more platform and that type of stuff >> Absolutely. My take would be, I think our own partnership with the AWS security team is great evidence that they're thinking about the right things. We worked within conjunction with them to develop our pen test methodology. So that combined for proprietary HackerOne platform data and findings across all of our customers that are common issues found in AWS environments with their own knowledge and their own experiences from the AWS security team directly. So it's a pretty powerful checklist that we're able to run through on some of these customers and make sure that all of the most common miss-configurations and such are covered. >> Yeah. They're highly motivated to do that. 'Cause they get blamed for the S3 buckets being kept open. It's not even their fault. >> Right. (crosstalk) >> We got hack over in Amazon. Amazon's terrible! >> Yeah. You know, one of the things we like to talk about is the fact that, you know, cloud is really about automation, right? >> Yeah. >> Yep. >> But you can't automate that human ingenuity the skills that come with an actual human who has the experience and the know how to fix these things. >> It's a lot going on in Amazon. It's always been kind of like, you just described earlier in theCUBE. An erector set, not Lego blocks yet, but still kind of, you still got to build it. It's getting better in the Lego model, but there are challenges in protecting cloud, Will. I mean this is a big part of protecting cloud platforms like AWS. What are some of those challenges? >> I think some of the challenges are the ephemeral nature of the cloud can really result in developers, and you know really business units across an organization spinning up assets that IT or security don't know about. And so that's where things like HackerOne assets in those attack surface management style solutions come into play, trying to identify those assets proactively and make sure that they're receiving some sort of attention from the security team whether it's automated or manual or ideally both. >> You guys got a good solution. So how about the partnership? We got one minute left. Talk about your partnership with AWS. You guys are certified in their security group, with their team and marketplace, right? Talk about some of those things. >> Yeah, we've been in marketplace over a year. We've had that the specific solution that I mentioned the App Pen test for AWS in place and integrated with security hub for some time now. There's some other stats that we could probably share around the ethical hackers that we have working on that. We have a number of certified AWS hackers, who again they have the right skill set for AWS, and they've been a great partner. We are very focused on continuing to work with them, and build out some new offerings going forward. >> Well, you guys have done a great job. Will, tell your team congratulations on the tech side, on the product side, very strong community. You guys had a lot of success. Congratulations! And thanks for sharing on theCUBE, appreciate it. >> Thanks for having us John. >> Thank you for your time-- We're here at re:Inforce where all the access tab is open, it's team oriented, we got cloud scale, data, encryption on everything. Big news coming out of re:Inforce, well, theCUBE's got it covered here. I'm John Furrier, your host. Thanks for watching. We'll be right back with more coverage after this short break. (theme music)

>>Okay, welcome back. Everyone's cubes live coverage of eight of us reinforced 22. I'm John furrier, my host David Lon. We've got a great guest from Cisco, Eric Costin, technical marketing engineer, Cisco systems. Great to have you on. Thanks with >>The all right. Thanks for having, >>Of course we've doing a lot of Cisco laws, Cisco events, Barcelona us know a lot of folks over there. A lot of great momentum supply chain challenges, but you got the cloud with a lot of networking there too. A lot of security conversations, dev sec ops, the trend we're hearing here is operations security and operations. What are some of the business realities that you guys are looking at right now focused on from a Cisco perspective and a landscape perspective? >>Well, the transition to the cloud is accelerating and it's really changed the way we're doing business and what we do now, this combined with the more and more remote work by remote users and also the consumption of cloud-based tools to perform your business functions has dramatically changed the contour of the business environment. The traditional trust boundary has evaporated or at least transformed dramatically, but you still have those requirements for trust for micro segmentation. So what we've seen is a dramatic change in how we do business and what we do. And this is essential because the value proposition is enormous and companies are able to pursue more and more ambitious objectives. But from a security point of view, it's quite challenging because on one hand, what we call the attack surface has increased and the stakes are much higher. So you have more sophisticated malicious actors taking advantage of a broader security target in order to conduct your business in order to maintain business continuity and achieve your objectives. You need to protect this environment. And one, one of the, >>Sorry, just to, just to clarify, sure. You said the value proposition is enormous. You mean the value proposition of the cloud is enormous. Exactly. So the business is leaning in big time and there are security consequences to >>That precisely. And so, and one thing that we've seen happen in the industry is as these components of the business environment have change, the industry has sort of bolted on more and more security solutions. But the problem with that is that's led to enormous complexity in administering security for the company, which is very expensive to find people with those expertise. And also the complexity itself is a vulnerability. >>And, and that traditional trust boundary that you talked about, it hasn't been vaporized has it, it's still there. So are you connecting into that? Is there an interoperability challenge? Does that create more security issues or are people kind of redoing? We talk about security as a do over, how are customers approaching it? >>It is a challenge because although the concept of a trust boundary still exists, the nature of the hybrid multi-cloud environment makes it very difficult to define furthermore, the traditional solutions such as simply having a, a, a firewall and, and an on-premise network is now much more complex because the on-premise network has to connect to the cloud infrastructure and parts of the cloud infrastructure have to be exposed to the public. Other parts have to be protected. So it's not that the, the concept of trusted versus untrusted has gone away. It's just become fundamentally more complex. >>So Eric, I wanna get your thoughts on this higher level abstraction trend, because you're seeing the complexity being pushed to the customers and they want to buy cloud or cloud operations from partners platforms that take the heavy lifting from there, and best of breed products that handle the complexity. What's your reaction to that, that statement? Do you think that's happening or that will happen because either the complexity is gonna be solved by the customer, or they're gonna buy a platform or SA product. >>Now the, the it's it's unreasonable to expect the customers to constantly adapt to this changing environment. From the point of view of, of security, they have to be able to focus on their business objectives, which is to actually sell their products and pursue their ambitions. And it's a distraction that they really can't afford if they have to be focused on security. So the solutions have to take that challenge that distraction away from them, and that has to be integral to the solution. >>So you're saying that the, the vendors, the provi supplier has to deal the underlying complexities on behalf of the customer. >>Exactly. The vendor can't do this without a robust partnership with the cloud provider, working together, the both at the engineering level to develop the products together and in the implementation, as well as standing side by side with the customer, as they expand their business into the >>Cloud, this is super cloud it's super cloud. Right? Exactly. So give us the specifics. What are you doing? What's Cisco doing? How are you working with AWS? What solutions are you talking about? >>Well, Cisco has a wide variety, quite an expansive portfolio because there's a large number of components to the solution. This spans both the, the workload protection, as well as the infrastructure protection. And these are integrated and in partnership with AWS not only integrated together, but integrated into the cloud components. And this is what allows comprehensive protection across the hybrid cloud environment. >>So are we talking about solutions that are embedded into switches? We're talking about software layers, maybe give, describe, add a little color, paint, a picture of the portfolio. >>And, and it's really all of those things. So the most of the solutions historically could say evolved from solutions that were utilized in the physical infrastructure, in the firewalls, in the switches, in the routers. And some of these technologies are still basically confined to those, to those form factors. But some of the most important technologies we use such as snort three, which is a best of breed intrusion protection system that we have adopted is, is applicable as well to the virtual environment, so that we, we push into the cloud in a way that's seamless. So that if you're, if you've developed those policies for your on-prem solutions, you can extend them into the cloud effortlessly. Another example of something that adapts quite well to the cloud is security intelligence. Cisco has talus. Talus is the world's leading security intelligence operation. This is fundamental for addressing threats day zero attacks and Taos updates are products approximately once every hour with the new, with information about these emerging attacks, as well as informing the community as a whole of this. And now that that architecture is very easily extensible into the cloud because you can inform a virtual device just as easily as you can inform a physical device of an emergent threat, >>But technically, how do you do that integration? That's just through AWS primitives. How do you, how does Cisco work with AWS at an engineering level to make that happen? >>So, part of it is that we, we, we have taken certain of our products and we virtualized them. So you could say the, the, the simplest or more straightforward approach is to take our firewalls and, and our other products and simply make virtual machines out of them. But that's really not sort of the most exciting thing. The most exciting thing is that working with them, with integration, with their components and doing such things as having our management platforms, like our Cisco defense orchestrator, be able to discover the virtual environment and utilize that discovery to, to manipulate the security components of that environment. Yeah. >>Kurt, this is where I think you, you, onto something big here management is kind of like, oh yeah, we have software management software kind of always a thing. When you talk about large scale, multiple data point billions and billions of things happening a month. Quantum, we mentioned that in the keynote, we heard Kurt who's VP of platform. So about reasoning. This is kind of a whole nother level of technology. Next level reasoning, knowing things mentioned micro segmentation. So we're seeing a new era of not just policies, reasoning around the networks, around the software stuff that needs to be better than just machine learning, doing predictive and, you know, analysis. Can you share your reaction to that? Because I see this dots connecting at a whole nother level. >>Yes. Now, as we understand artificial intelligence machine learning, I think we appreciate that one of the key components there, we think about it as data science, as data management. But when you think about data, you suddenly recognize where's it coming from data requires visibility. And when we talk about the transition to the cloud and the dispersion of the workforce, visibility is one of the great challenges and visibility even prior to these transitions has been one of the primary focuses of Cisco systems. So as we transition to the cloud and we recognize the need to be able to interpret what we're seeing, we have expanded our capacity to visualize what's happening. And I think there's a, a significant contribution yeah. To the >>Dave and I were talking about this in context to our thesis about super cloud, how that's going evolving building on top of the hyperscalers CapEx investment, doing things, customer data control flows are a huge thing going across multiple geographies. It's global, you got regions, you got network, some trusted, some not. And you have now applications that are global. So you got data flows. >>Yes. >>I mean, data's gotta move across multiple environments. So that's a challenge >>And it has to move secure securely. And furthermore, there's a real challenge here with confidence, with confidence of the company that it's data flow is secure in this new environment that is frankly, can be a little bit uncomfortable. And also the customer and the partners of that business have to be confident that their intellectual property, that their security and identity is protected. >>Yeah. Dave and I were talking also, we're kind of old and seen some seen the movie before. Remember the old days of multi-vendor and OSI models and, you know, interoperability, we're kind of at a new inflection point where teamwork, not just ecosystem partners, companies working together to make sure things are secure. This is a whole nother data problem, opportunity. Amazon sees things that other people don't seek and contribute that back. How does this whole next level multi-vendor partnerships, the open source is a big part of the software piece of it. You got it's custom Silicon. You mentioned. How do you view that whole team oriented approach in security? >>Now this is absolutely essential. The community, the industry has to work together. Fortunately, it's in the DNA of Cisco to interate, I've sat next to competitors at customer sites working to solve the customer's problem. It's just how we function. So it's not just our partnerships, but it's our relationship with industry because industry has common purpose in solving these problems. We have to be confident in order to pursue our objectives. >>You see, you see this industry at a flash point right now, everyone has to partner. >>Exactly. >>Okay. How would you summarize that? We, we are out of time, but so give us your leadership about the >>Part of you, of business leadership. A business needs business continuity, its contributors have to be able to access resources to perform their job. And the customers and partners need confidence to deal with that business. You need the continuity, you demand flexibility to adapt to the changing environment and to take advantage of emerging opportunities. And you expect security. The security has to be resilient. It has to be robust. The security has to be simple to implement Cisco in partnership with AWS provides the security. You need to succeed. >>Eric, thanks coming for so much for coming on the cube. Really appreciate your insights and your experience and, and candid commentary and appreciate your time. Thank >>You. Thank you very much for the >>Opportunity. Okay. We're here. Live on the floor and expo hall at reinforce Avis reinforced 22 in Boston, Massachusetts. I'm John ante. We'll be right back with more coverage after this short break.

>>Hello, everyone. Welcome to the Cube's live coverage here in Boston, Massachusetts for AWS reinforce 2022. I'm John fur, host of the cube with Dave. Valante my co-host for breaking analysis, famous podcast, Dave, great to see you. Um, Beck in Boston, 2010, we started >>The queue. It all started right here in this building. John, >>12 years ago, we started here, but here, you know, just 12 years, it just seems like a marathon with the queue. Over the years, we've seen many ways. You call yourself a historian, which you are. We are both now, historians security is doing over. And we said in 2013 is security to do where we asked pat GSK. Now the CEO of Intel prior to that, he was the CEO of VMware. This is the security show fors. It's called the reinforce. They have reinvent, which is their big show. Now they have these, what they call reshow, re Mars, machine learning, automation, um, robotics and space. And then they got reinforced, which is security. It's all about security in the cloud. So great show. Lot of talk about the keynotes were, um, pretty, I wouldn't say generic on one hand, but specific in the other clear AWS posture, we were both watching. What's your take? >>Well, John, actually looking back to may of 2010, when we started the cube at EMC world, and that was the beginning of this massive boom run, uh, which, you know, finally, we're starting to see some, some cracks of the armor. Of course, we're threats of recession. We're in a recession, most likely, uh, in inflationary pressures, interest rate hikes. And so, you know, finally the tech market has chilled out a little bit and you have this case before we get into the security piece of is the glass half full or half empty. So budgets coming into this year, it was expected. They would grow at a very robust eight point half percent CIOs have tuned that down, but it's still pretty strong at around 6%. And one of the areas that they really have no choice, but to focus on is security. They moved everything into the cloud or a lot of stuff into the cloud. >>They had to deal with remote work and that created a lot of security vulnerabilities. And they're still trying to figure that out and plug the holes with the lack of talent that they have. So it's interesting re the first reinforc that we did, which was also here in 2019, Steven Schmidt, who at the time was chief information security officer at Amazon web services said the state of cloud security is really strong. All this narrative, like the pat Gelsinger narrative securities, a do over, which you just mentioned, security is broken. It doesn't help the industry. The state of cloud security is very strong. If you follow the prescription. Well, see, now Steven Schmidt, as you know, is now chief security officer at Amazon. So we followed >>Jesse all Amazon, not just AWS. So >>He followed Jesse over and I asked him, well, why no, I, and they said, well, he's responsible now for physical security. Presumably the warehouses I'm like, well, wait a minute. What about the data centers? Who's responsible for that? So it's kind of funny, CJ. Moses is now the CSO at AWS and you know, these events are, are good. They're growing. And it's all about best practices, how to apply the practices. A lot of recommendations from, from AWS, a lot of tooling and really an ecosystem because let's face it. Amazon doesn't have the breadth and depth of tools to do it alone. >>And also the attendance is interesting, cuz we are just in New York city for the, uh, ado summit, 19,000 people, massive numbers, certainly in the pandemic. That's probably one of the top end shows and it was a summit. This is a different audience. It's security. It's really nerdy. You got OT, you got cloud. You've got on-prem. So now you have cloud operations. We're calling super cloud. Of course we're having our inaugural pilot event on August 9th, check it out. We're called super cloud, go to the cube.net to check it out. But this is the super cloud model evolving with security. And what you're hearing today, Dave, I wanna get your reaction to this is things like we've got billions of observational points. We're certainly there's no perimeter, right? So the perimeter's dead. The new perimeter, if you will, is every transaction at scale. So you have to have a new model. So security posture needs to be rethought. They actually said that directly on the keynote. So security, although numbers aren't as big as last week or two weeks ago in New York still relevant. So alright. There's sessions here. There's networking. Very interesting demographic, long hair. Lot of >>T-shirts >>No lot of, not a lot of nerds doing to build out things over there. So, so I gotta ask you, what's your reaction to this scale as the new advantage? Is that a tailwind or a headwind? What's your read? >>Well, it is amazing. I mean he actually, Steven Schmidt talked about quadrillions of events every month, quadrillions 15 zeros. What surprised me, John. So they, they, Amazon talks about five areas, but by the, by the way, at the event, they got five tracks in 125 sessions, data protection and privacy, GRC governance, risk and compliance, identity network security and threat detection. I was really surprised given the focus on developers, they didn't call out container security. I would've thought that would be sort of a separate area of focus, but to your point about scale, it's true. Amazon has a scale where they'll see events every day or every month that you might not see in a generation if you just kind of running your own data center. So I do think that's, that's, that's, that's a, a, a, a valid statement having said that Amazon's got a limited capability in terms of security. That's why they have to rely on the ecosystem. Now it's all about APIs connecting in and APIs are one of the biggest security vulnerability. So that's kind of, I, I I'm having trouble squaring that circle. >>Well, they did just to come up, bring back to the whole open source and software. They did say they did make a measurement was store, but at the beginning, Schmidt did say that, you know, besides scale being an advantage for Amazon with a quadri in 15 zeros, don't bolt on security. So that's a classic old school. We've heard that before, right. But he said specifically, weave in security in the dev cycles. And the C I C D pipeline that is, that basically means shift left. So sneak is here, uh, company we've covered. Um, and they, their whole thing is shift left. That implies Docker containers that implies Kubernetes. Um, but this is not a cloud native show per se. It's much more crypto crypto. You heard about, you know, the, uh, encrypt everything message on the keynote. You heard, um, about reasoning, quantum, quantum >>Skating to the puck. >>Yeah. So yeah, so, you know, although the middleman is logged for J heard that little little mention, I love the quote from Lewis Hamilton that they put up on stage CJ, Moses said, team behind the scenes make it happen. So a big emphasis on teamwork, big emphasis on don't bolt on security, have it in the beginning. We've heard that before a lot of threat modeling discussions, uh, and then really this, you know, the news around the cloud audit academy. So clearly skills gap, more threats, more use cases happening than ever before. >>Yeah. And you know, to your point about, you know, the teamwork, I think the problem that CISOs have is they just don't have the talent to that. AWS has. So they have a real difficulty applying that talent. And so but's saying, well, join us at these shows. We'll kind of show you how to do it, how we do it internally. And again, I think when you look out on this ecosystem, there's still like thousands and thousands of tools that practitioners have to apply every time. There's a tool, there's a separate set of skills to really understand that tool, even within AWS's portfolio. So this notion of a shared responsibility model, Amazon takes care of, you know, securing for instance, the physical nature of S3 you're responsible for secure, make sure you're the, the S3 bucket doesn't have public access. So that shared responsibility model is still very important. And I think practitioners still struggling with all this complexity in this matrix of tools. >>So they had the layered defense. So, so just a review opening keynote with Steve Schmidt, the new CSO, he talked about weaving insecurity in the dev cycles shift left, which is the, I don't bolt it on keep in the beginning. Uh, the lessons learned, he talked a lot about over permissive creates chaos, um, and that you gotta really look at who has access to what and why big learnings there. And he brought up the use cases. The more use cases are coming on than ever before. Um, layered defense strategy was his core theme, Dave. And that was interesting. And he also said specifically, no, don't rely on single security control, use multiple layers, stronger together. Be it it from the beginning, basically that was the whole ethos, the posture, he laid that down >>And he had a great quote on that. He said, I'm sorry to interrupt single controls. And binary states will fail guaranteed. >>Yeah, that's a guarantee that was basically like, that's his, that's not a best practice. That's a mandate. <laugh> um, and then CJ, Moses, who was his deputy in the past now takes over a CSO, um, ownership across teams, ransomware mitigation, air gaping, all that kind of in the weeds kind of security stuff. You want to check the boxes on. And I thought he did a good job. Right. And he did the news. He's the new CISO. Okay. Then you had lean is smart from Mongo DB. Come on. Yeah. Um, she was interesting. I liked her talk, obviously. Mongo is one of the ecosystem partners headlining game. How do you read into that? >>Well, I, I I'm, its really interesting. Right? You didn't see snowflake up there. Right? You see data breaks up there. You had Mongo up there and I'm curious is her and she's coming on the cube tomorrow is her primary role sort of securing Mongo internally? Is it, is it securing the Mongo that's running across clouds. She's obviously here talking about AWS. So what I make of it is, you know, that's, it's a really critical partner. That's driving a lot of business for AWS, but at the same time it's data, they talked about data security being one of the key areas that you have to worry about and that's, you know what Mongo does. So I'm really excited. I talked to her >>Tomorrow. I, I did like her mention a big idea, a cube alumni, yeah. Company. They were part of our, um, season one of our eight of us startup showcase, check out AWS startups.com. If you're watching this, we've been doing now, we're in season two, we're featuring the fastest growing hottest startups in the ecosystem. Not the big players, that's ISVs more of the startups. They were mentioned. They have a great product. So I like to mention a big ID. Um, security hub mentioned a config. They're clearly a big customer and they have user base, a lot of E C, two and storage going on. People are building on Mongo so I can see why they're in there. The question I want to ask you is, is Mongo's new stuff in line with all the upgrades in the Silicon. So you got graviton, which has got great stuff. Um, great performance. Do you see that, that being a key part of things >>Well, specifically graviton. So I I'll tell you this. I'll tell you what I know when you look at like snowflake, for instance, is optimizing for graviton. For certain workloads, they actually talked about it on their earnings call, how it's lowered the cost for customers and actually hurt their revenue. You know, they still had great revenue, but it hurt their revenue. My sources indicate to me that that, that Mongo is not getting as much outta graviton two, but they're waiting for graviton three. Now they don't want to make that widely known because they don't wanna dis AWS. But it's, it's probably because Mongo's more focused on analytics. But so to me, graviton is the future. It's lower cost. >>Yeah. Nobody turns off the database. >>Nobody turns off the database. >><laugh>, it's always cranking C two cycles. You >>Know the other thing I wanted to bring, bring up, I thought we'd hear, hear more about ransomware. We heard a little bit of from Kirk Coel and he, and he talked about all these things you could do to mitigate ransomware. He didn't talk about air gaps and that's all you hear is how air gap. David Flo talks about this all the time. You must have air gaps. If you wanna, you know, cover yourself against ransomware. And they didn't even mention that. Now, maybe we'll hear that from the ecosystem. That was kind of surprising. Then I, I saw you made a note in our shared doc about encryption, cuz I think all the talk here is encryption at rest. What about data in motion? >>Well, this, this is the last guy that came on the keynote. He brought up encryption, Kurt, uh, Goel, which I love by the way he's VP of platform. I like his mojo. He's got the long hair >>And he's >>Geeking out swagger, but I, he hit on some really cool stuff. This idea of the reasoning, right? He automated reasoning is little pet project that is like killer AI. That's next generation. Next level >>Stuff. Explain that. >>So machine learning does all kinds of things, you know, goes to sit pattern, supervise, unsupervised automate stuff, but true reasoning. Like no one connecting the dots with software. That's like true AI, right? That's really hard. Like in word association, knowing how things are connected, looking at pattern and deducing things. So you predictive analytics, we all know comes from great machine learning. But when you start getting into deduction, when you say, Hey, that EC two cluster never should be on the same VPC, is this, this one? Why is this packet trying to go there? You can see patterns beyond normal observation space. So if you have a large observation space like AWS, you can really put some killer computer science technology on this. And that's where this reasoning is. It's next level stuff you don't hear about it because nobody does it. Yes. I mean, Google does it with metadata. There's meta meta reasoning. Um, we've been, I've been watching this for over two decades now. It's it's a part of AI that no one's tapped and if they get it right, this is gonna be a killer part of the automation. So >>He talked about this, basically it being advanced math that gets you to provable security, like you gave an example. Another example I gave is, is this S3 bucket open to the public is a, at that access UN restricted or unrestricted, can anyone access my KMS keys? So, and you can prove, yeah. The answer to that question using advanced math and automated reasoning. Yeah, exactly. That's a huge leap because you used to be use math, but you didn't have the data, the observation space and the compute power to be able to do it in near real time or real time. >>It's like, it's like when someone, if in the physical world real life in real life, you say, Hey, that person doesn't belong here. Or you, you can look at something saying that doesn't fit <laugh> >>Yeah. Yeah. >>So you go, okay, you observe it and you, you take measures on it or you query that person and say, why you here? Oh, okay. You're here. It doesn't fit. Right. Think about the way on the right clothes, the right look, whatever you kind of have that data. That's deducing that and getting that information. That's what reasoning is. It's it's really a killer level. And you know, there's encrypt, everything has to be data. Lin has to be data in at movement at rest is one thing, but you gotta get data in flight. Dave, this is a huge problem. And making that work is a key >>Issue. The other thing that Kirk Coel talked about was, was quantum, uh, quantum proof algorithms, because basically he put up a quote, you're a hockey guy, Wayne Greski. He said the greatest hockey player ever. Do you agree? I do agree. Okay, great. >>Bobby or, and Wayne Greski. >>Yeah, but okay, so we'll give the nada Greski, but I always skate to the where the puck is gonna be not to where it's been. And basically his point was where skating to where quantum is going, because quantum, it brings risks to basically blow away all the existing crypto cryptographic algorithms. I, I, my understanding is N just came up with new algorithms. I wasn't clear if those were supposed to be quantum proof, but I think they are, and AWS is testing them. And AWS is coming out with, you know, some test to see if quantum can break these new algos. So that's huge. The question is interoperability. Yeah. How is it gonna interact with all the existing algorithms and all the tools that are out there today? So I think we're a long way off from solving that problem. >>Well, that was one of Kurt's big point. You talking about quantum resistant cryptography and they introduce hybrid post quantum key agreements. That means KMS cert certification, cert manager and manager all can manage the keys. This was something that's gives more flexibility on, on, on that quantum resistance argument. I gotta dig into it. I really don't know how it works, what he meant by that in terms of what does that hybrid actually mean? I think what it means is multi mode and uh, key management, but we'll see. >>So I come back to the ho the macro for a second. We've got consumer spending under pressure. Walmart just announced, not great earning. Shouldn't be a surprise to anybody. We have Amazon meta and alphabet announcing this weekend. I think Microsoft. Yep. So everybody's on edge, you know, is this gonna ripple through now? The flip side of that is BEC because the economy yeah. Is, is maybe not in, not such great shape. People are saying maybe the fed is not gonna raise after September. Yeah. So that's, so that's why we come back to this half full half empty. How does that relate to cyber security? Well, people are prioritizing cybersecurity, but it's not an unlimited budget. So they may have to steal from other places. >>It's a double whammy. Dave, it's a double whammy on the spend side and also the macroeconomic. So, okay. We're gonna have a, a recession that's predicted the issue >>On, so that's bad on the one hand, but it's good from a standpoint of not raising interest rates, >>It's one of the double whammy. It was one, it's one of the double whammy and we're talking about here, but as we sit on the cube two weeks ago at <inaudible> summit in New York, and we did at re Mars, this is the first recession where the cloud computing hyperscale is, are pumping full cylinder, all cylinders. So there's a new economic engine called cloud computing that's in place. So unlike data center purchase in the past, that was CapEx. When, when spending was hit, they pause was a complete shutdown. Then a reboot cloud computer. You can pause spending for a little bit, make, might make the cycle longer in sales, but it's gonna be quickly fast turned on. So, so turning off spending with cloud is not that hard to do. You can hit pause and like check things out and then turn it back on again. So that's just general cloud economics with security though. I don't see the spending slowing down. Maybe the sales cycles might go longer, but there's no spending slow down in my mind that I see. And if there's any pause, it's more of refactoring, whether it's the crypto stuff or new things that Amazon has. >>So, so that's interesting. So a couple things there. I do think you're seeing a slight slow down in the, the, the ex the velocity of the spend. When you look at the leaders in spending velocity in ETR data, CrowdStrike, Okta, Zscaler, Palo Alto networks, they're all showing a slight deceleration in spending momentum, but still highly elevated. Yeah. Okay. So, so that's a, I think now to your other point, really interesting. What you're saying is cloud spending is discretionary. That's one of the advantages. I can dial it down, but track me if I'm wrong. But most of the cloud spending is with reserved instances. So ultimately you're buying those reserved instances and you have to spend over a period of time. So they're ultimately AWS is gonna see that revenue. They just might not see it for this one quarter. As people pull back a little bit, right. >>It might lag a little bit. So it might, you might not see it for a quarter or two, so it's impact, but it's not as severe. So the dialing up, that's a key indicator get, I think I'm gonna watch that because that's gonna be something that we've never seen before. So what's that reserve now the wild card and all this and the dark horse new services. So there's other services besides the classic AC two, but security and others. There's new things coming out. So to me, this is absolutely why we've been saying super cloud is a thing because what's going on right now in security and cloud native is there's net new functionality that needs to be in place to handle multiple clouds, multiple abstraction layers, and to do all these super cloudlike capabilities like Mike MongoDB, like these vendors, they need to up their gain. And that we're gonna see new cloud native services that haven't exist. Yeah. I'll use some hatchy Corp here. I'll use something over here. I got some VMware, I got this, but there's gaps. Dave, there'll be gaps that are gonna emerge. And I think that's gonna be a huge wild >>Cup. And now I wanna bring something up on the super cloud event. So you think about the layers I, as, uh, PAs and, and SAS, and we see super cloud permeating, all those somebody ask you, well, because we have Intuit coming on. Yep. If somebody asks, why Intuit in super cloud, here's why. So we talked about cloud being discretionary. You can dial it down. We saw that with snowflake sort of Mongo, you know, similarly you can, if you want dial it down, although transaction databases are to do, but SAS, the SAS model is you pay for it every month. Okay? So I've, I've contended that the SAS model is not customer friendly. It's not cloudlike and it's broken for customers. And I think it's in this decade, it's gonna get fixed. And people are gonna say, look, we're gonna move SAS into a consumption model. That's more customer friendly. And that's something that we're >>Gonna explore in the super cloud event. Yeah. And one more thing too, on the spend, the other wild card is okay. If we believe super cloud, which we just explained, um, if you don't come to the August 9th event, watch the debate happen. But as the spending gets paused, the only reason why spending will be paused in security is the replatforming of moving from tools to platforms. So one of the indicators that we're seeing with super cloud is a flight to best of breeds on platforms, meaning hyperscale. So on Amazon web services, there's a best of breed set of services from AWS and the ecosystem on Azure. They have a few goodies there and customers are making a choice to use Azure for certain things. If they, if they have teams or whatever or office, and they run all their dev on AWS. So that's kind of what's happened. So that's, multi-cloud by our definition is customers two clouds. That's not multi-cloud, as in things are moving around. Now, if you start getting data planes in there, these customers want platforms. If I'm a cybersecurity CSO, I'm moving to platforms, not just tools. So, so maybe CrowdStrike might have it dial down, but a little bit, but they're turning into a platform. Splunk trying to be a platform. Okta is platform. Everybody's scale is a platform. It's a platform war right now, Dave cyber, >>A right paying identity. They're all plat platform, beach products. We've talked about that a lot in the queue. >>Yeah. Well, great stuff, Dave, let's get going. We've got two days alive coverage. Here is a cubes at, in Boston for reinforc 22. I'm Shante. We're back with our guests coming on the queue at the short break.

(upbeat music) >> Welcome back to Boston, Massachusetts. We're here at the Seaport. You're watching theCUBE's coverage of Red Hat Summit 2022. My name is Dave Vellante and Paul Gillin is here. He's my cohost for the next day. We are going to dig in to the famous RHEL, Red Hat Enterprise Linux. Gunnar Hellekson is here, he's the Vice President and General Manager of Red Hat Enterprise Linux. Gunnar, welcome to theCUBE. Good to see you. >> Thanks for having me. Nice to be here, Dave, Paul. >> RHEL 9 is, wow, nine, Holy cow. It's been a lot of iterations. >> It's the highest version of RHEL we've ever shipped. >> And now we're talking edge. >> Yeah, that's right. >> And so, what's inside, tell us. to keep happy with a new RHEL release. to keep happy with a new RHEL release. The first is the hardware partners, right, because they rely on RHEL to light up all their delicious hardware that they're making, then you got application developers and the ISVs who rely on RHEL to be that kind of stable platform for innovation, and then you've got the operators, the people who are actually using the operating system itself and trying to keep it running every day. So we've got on the, I'll start with the hardware side, So we've got on the, I'll start with the hardware side, which is something, as you know, RHEL success, and I think you talked about this with Matt, just in a few sessions earlier that the success of RHEL is really, hinges on our partnerships with the hardware partners and in this case, we've got, let's see, in RHEL 9 we've got all the usual hardware suspects and we've added, just recently in January, we added support for ARM servers, as general ARM server class hardware. And so that's something customers have been asking for, delighted to be shipping that in RHEL 9. So now ARM is kind of a first-class citizen, right? Alongside x86, PowerZ and all the other usual suspects. And then of course, working with our favorite public cloud providers. So making sure that RHEL 9 is available at AWS and Azure and GCP and all our other cloud friends, right? >> Yeah, you mentioned ARM, we're seeing ARM in the enterprise. We're obviously seeing ARM at the edge. You guys have been working with ARM for a long time. You're working with Intel, you're working with NVIDIA, you've got some announcements this week. Gunnar, how do you keep Linux from becoming Franken OS with all these capabilities? >> This is a great question. First is, the most important thing is to be working closely with, I mean, the whole point of Linux and the reason why Linux works is because you have all these people working together to make the same thing, right? And so fighting that is a bad idea. Working together with everyone, leaning into that collaboration, that's an important part of making it work over time. The other one is having, just like in any good relationship, having healthy boundaries. And so making sure that we're clear about the things that we need to keep stable and the places where we're allowed to innovate and striking the right balance between those two things, that allows us to continue to ship one coherent operating system while still keeping literally thousands of platforms happy. >> So you're not trying to suck in all the full function, you're trying to accommodate that function that the ecosystem is going to develop? >> Yeah, that's right. So the idea is that what we strive for is consistency across all of the infrastructures and then allowing for kind of optimizations and we still let ourselves take advantage of whatever indigenous feature might appear on, such an ARM chip or thus in a such cloud platform. But really, we're trying to deliver a uniform platform experience to the application developers, right? Because they can't be having, like there can't be kind of one version of RHEL over here and another version of RHEL over here, the ecosystem wouldn't work. The whole point of Linux and the whole point of Red Hat Enterprise Linux is to be the same so that everything else can be different. >> And what incentives do you use to keep customers current? >> To keep customers current? Well so the best thing to do I found is to meet customers where they are. So a lot of people think we release RHEL 9 at the same time we have Red Hat Enterprise Linux 8, we have Red Hat Enterprise Linux 7, all these are running at the same time, and then we also have multiple minor release streams inside those. So at any given time, we're running, let's say, a dozen different versions of RHEL are being maintained and kept up-to-date, and we do this precisely to make sure that we're not force marching people into the new version and they have a Red Hat Enterprise Linux subscription, they should just be able to sit there and enjoy the minor version that they like. And we try and keep that going for as long as possible. >> Even if it's 10 years out of date? >> So, 10 years, interesting you chose that number because that's the end of life. >> That's the end of the life cycle. >> Right. And so 10 years is about, that's the natural life of a given major release, but again inside that you have several 10-year life cycles kind of cascading on each other, right? So nine is the start of the next 10-year cycle while we're still living inside the 10-year cycle of seven and eight. So lots of options for customers. >> How are you thinking about the edge? how do you define, let's not go to the definition, but at high level. (Gunnar laughing) Like I've been in a conference last week. It was Dell Tech World, I'll just say it. They were sort of the edge to them was the retail store. >> Yeah. >> Lowe's, okay, cool, I guess that's edgy, I guess, But I think space is the edge. (Gunnar chuckling) >> Right, right, right. >> Or a vehicle. How do you think about the edge? All the above or but the exciting stuff to me is that far edge, but I wonder if you can comment. >> Yeah, so there's all kinds of taxonomies out there for the edge. For me, I'm a simple country product manager at heart and so, I try to keep it simple, right? And the way I think about the edge is, here's a use case in which somebody needs a small operating system that deploys on probably a small piece of hardware, usually varying sizes, but it could be pretty small. That thing needs to be updated without any human touching it, right? And it needs to be reliably maintained without any human touching it. Usually in the edge cases, actually touching the hardware is a very expensive proposition. So we're trying to be as hands off as possible. >> No truck rolls. >> No truck rolls ever, right, exactly. (Dave chuckling) And then, now that I've got that stable base, I'm going to go take an application. I'll probably put it in a container for simplicity's sake and same thing, I want to be able to deploy that application. If something goes wrong, I need to build a roll back to a known good state and then I need to set of management tools that allow me to touch things, make sure that everything is healthy, make sure that the updates roll out correctly, maybe do some AB testing, things like that. So I think about that as, that's the, when we talk about the edge case for RHEL, that's the horizontal use case and then we can do specializations inside particular verticals or particular industries, but at bottom that's the use case we're talking about when we talk about the edge. >> And an assumption of connectivity at some point? >> Yeah. >> Right, you didn't have to always be on. >> Intermittent, latent, eventual connectivity. >> Eventual connectivity. (chuckles) That's right in some tech terms. >> Red Hat was originally a one trick pony. I mean, RHEL was it and now you've got all of these other extensions and different markets that you expanded into. What's your role in coordinating what all those different functions are doing? >> Yes, you look at all the innovations we've made, whether it's in storage, whether it's in OpenShift and elsewhere, RHEL remains the beating heart, right? It's the place where everything starts. And so a lot of what my team does is, yes, we're trying to make all the partners happy, we're also trying to make our internal partners happy, right? So the OpenShift folks need stuff out of RHEL, just like any other software vendor. And so I really think about RHEL is yes, we're a platform, yes, we're a product in our own right, but we're also a service organization for all the other parts of the portfolio. And the reason for that is we need to make sure all this stuff works together, right? Part of the whole reasoning behind the Red Hat Portfolio at large is that each of these pieces build on each other and compliment each other, right? I think that's an important part of the Red Hat mission, the RHEL mission. >> There's an article in the journal yesterday about how the tech industry was sort of pounding the drum on H-1B visas, there's a limit. I think it's been the same limit since 2005, 65,000 a year. We are facing, customers are facing, you guys, I'm sure as well, we are, real skills shortage, there's a lack of talent. How are you seeing companies deal with that? What are you advising them? What are you guys doing yourselves? >> Yeah, it's interesting, especially as everybody went through some flavor of digital transformation during the pandemic and now everybody's going through some, and kind of connected to that, everybody's making a move to the public cloud. They're making operating system choices when they're making those platform choices, right? And I think what's interesting is that, what they're coming to is, "Well, I have a Linux skills shortage and for a thousand reasons the market has not provided enough Linux admins." I mean, these are very lucrative positions, right? With command a lot of money, you would expect their supply would eventually catch up, but for whatever reason, it's not catching up. So I can't solve this by throwing bodies at it so I need to figure out a more efficient way of running my Linux operation. People are making a couple choices. The first is they're ensuring that they have consistency in their operating system choices, whether it's on premise or in the cloud, or even out on the edge, if I have to juggle three, four different operating systems, as I'm going through these three or four different infrastructures, that doesn't make any sense, 'cause the one thing is most precious to me is my Linux talent, right? And so I need to make sure that they're consistent, optimized and efficient. The other thing they're doing is tooling and automation and especially through tools like Ansible, right? Being able to take advantage of as much automation as possible and much consistency as possible so that they can make the most of the Linux talent that they do have. And so with Red Hat Enterprise Linux 9, in particular, you see us make a big investment in things like more automation tools for things like SAP and SQL server deployments, you'll see us make investments in things like basic stuff like the web console, right? We should now be able to go and point and click and go basic Linux administration tasks that lowers the barrier to entry and makes it easier to find people to actually administer the systems that you have. >> As you move out onto these new platforms, particularly on the edge, many of them will be much smaller, limited function. How do you make the decisions about what features you're going to keep or what you're going to keep in RHEL when you're running on a thermostat? >> Okay, so let me be clear, I don't want RHEL to run on a thermostat. (everybody laughing) >> I gave you advantage over it. >> I can't handle the margins on something like that, but at the end. >> You're running on, you're running on the GM. >> Yeah, no that's, right? And so the, so the choice at the, the most important thing we can do is give customers the tools that they need to make the choice that's appropriate for their deployment. I have learned over several years in this business that if I start choosing what content a customer decide wants on their operating system I will always guess it wrong, right? So my job is to make sure that I have a library of reliable, secure software options for them, that they can use as ingredients into their solution. And I give them tools that allow them to kind of curate the operating system that they need. So that's the tool like Image Builder, which we just announced, the image builder service lets a customer go in and point and click and kind of compose the edge operating system they need, hit a button and now they have an atomic image that they can go deploy out on the edge reliably, right? >> Gunnar can you clarify the cadence of releases? >> Oh yeah. >> You guys, the change that you made there. >> Yeah. >> Why that change occurred and what what's the standard today? >> Yeah, so back when we released RHEl 8, so we were just talking about hardware and you know, it's ARM and X86, all these different kinds of hardware, the hardware market is internally. I tell everybody the hardware market just got real weird, right? It's just got, the schedules are crazy. We got so many more entrance. Everything is kind of out of sync from where it used to be, it used to be there was a metronome, right? You mentioned Moore's law earlier. It was like a 18 month metronome. Everybody could kind of set their watch to. >> Right. >> So that's gone, and so now we have so much hardware that we need to reconcile. The only way for us to provide the kind of stability and consistency that customers were looking for was to set a set our own clock. So we said three years for every major release, six months for every minor release and that we will ship a new minor release every six months and a new major release every three years, whether we need it or not. And that has value all by itself. It means that customers can now plan ahead of time and know, okay, in 36 months, the next major release is going to come on. And now that's something I can plan my workload around, that something I can plan a data center migration around, things like that. So the consistency of this and it was a terrifying promise to make three years ago. I am now delighted to announce that we actually made good on it three years later, right? And plan two again, three years from now. >> Is it follow up, is it primarily the processor, optionality and diversity, or as I was talking to an architect, system architect the other day in his premise was that we're moving from a processor centric world to a connect centric world, not just the processor, but the memories, the IO, the controllers, the nics and it's just keeping that system in balance. Does that affect you or is it primarily the processor? >> Oh, it absolutely affects us, yeah. >> How so? >> Yeah, so the operating system is the thing that everyone relies on to hide all that stuff from everybody else, right? And so if we cannot offer that abstraction from all of these hardware choices that people need to make, then we're not doing our job. And so that means we have to encompass all the hardware configurations and all the hardware use cases that we can in order to make an application successful. So if people want to go disaggregate all of their components, we have to let 'em do that. If they want to have a kind of more traditional kind of boxed up OEM experience, they should be able to do that too. So yeah, this is what I mean is because it is RHEL responsibility and our duty to make sure that people are insulated from all this chaos underneath, that is a good chunk of the job, yeah. >> The hardware and the OS used to be inseparable right before (indistinct) Hence the importance of hardware. >> Yeah, that's right. >> I'm curious how your job changes, so you just, every 36 months you roll on a new release, which you did today, you announced a new release. You go back into the workplace two days, how is life different? >> Not at all, so the only constant is change, right? And to be honest, a major release, that's a big event for our release teams. That's a big event for our engineering teams. It's a big event for our product management teams, but all these folks have moved on and like we're now we're already planning. RHEL 9.1 and 9.2 and 8.7 and the rest of the releases. And so it's kind of like brief celebration and then right back to work. >> Okay, don't change so much. >> What can we look forward to? What's the future look like of RHEL, RHEL 10? >> Oh yeah, more bigger, stronger, faster, more optimized for those and such and you get, >> Longer lower, wider. >> Yeah, that's right, yeah, that's right, yeah. >> I am curious about CentOS Stream because there was some controversy around the end of life for CentOS and the move to CentOS Stream. >> Yeah. >> A lot of people including me are not really clear on what stream is and how it differs from CentOS, can you clarify that? >> Absolutely, so when Red Hat Enterprise Linux was first created, this was back in the days of Red Hat Linux, right? And because we couldn't balance the needs of the hobbyist market from the needs of the enterprise market, we split into Red Hat Enterprise Linux and Fedora, okay? So then for 15 years, yeah, about 15 years we had Fedora which is where we took all of our risks. That was kind of our early program where we started integrating new components, new open source projects and all the rest of it. And then eventually we would take that innovation and then feed it into the next version of Red Hat Enterprise Linux. The trick with that is that the Red Hat Enterprise Linux work that we did was largely internal to Red Hat and wasn't accessible to partners. And we've just spent a lot of time talking about how much we need to be collaborating with partners. They really had, a lot of them had to wait until like the beta came out before they actually knew what was going to be in the box, okay, well that was okay for a while but now that the market is the way that it is, things are moving so quickly. We need a better way to allow partners to work together with us further upstream from the actual product development. So that's why we created CentOS Stream. So CentOS Stream is the place where we kind of host the party and people can watch the next version of Red Hat Enterprise get developed in real time, partners can come in and help, customers can come in and help. And we've been really proud of the fact that Red Hat Enterprise Linux 9 is the first release that came completely out of CentOS Stream. Another way of putting that is that Red Hat Enterprise Linux 9 is the first version of RHEL that was actually built, 80, 90% of it was built completely in the open. >> Okay, so that's the new playground. >> Yeah, that's right. >> You took a lot of negative pushback when you made the announcement, is that basically because the CentOS users didn't understand what you were doing? >> No, I think the, the CentOS Linux, when we brought CentOS Linux on, this was one of the things that we wanted to do, is we wanted to create this space where we could start collaborating with people. Here's the lesson we learned. It is very difficult to collaborate when you are downstream of the product you're trying to improve because you've already shipped the product. And so once you're for collaborating downstream, any changes you make have to go all the way up the water slide and before they can head all the way back down. So this was the real pivot that we made was moving that partnership and that collaboration activity from the downstream of Red Hat Enterprise Linux to putting it right in the critical path of Red Hat Enterprise Linux development. >> Great, well, thank you for that Gunnar. Thanks for coming on theCUBE, it's great to, >> Yeah, my pleasure. >> See you and have a great day tomorrow. Thanks, and we look forward to seeing you tomorrow. We start at 9:00 AM. East Coast time. I think the keynotes, we will be here right after that to break that down, Paul Gillin and myself. This is day one for theCUBE's coverage of Red Hat Summit 2022 from Boston. We'll see you tomorrow, thanks for watching. (upbeat music)

>>To the Seaport in Boston, Massachusetts, everybody's buzzing. The Bruins are playing tonight. They tied it up. The Celtics tied it up last night. We're excited. We don't talk about the red Sox. Red Sox are getting struggles, but you know, we have good distractions. Paul goer is here. He's the president and chief executive officer at red hat and also a Boston fan of great to see, of course, you too. >>Nice to see you guys, you know, it's been a, it's been a while. >><laugh> yeah, we saw you, you know, online and virtually for a couple of years there, but, uh, you know, we've been doing red hat summit for a long, long time. Yeah, of course we were talking earlier. It's just much more intimate, kind of a VIP event, a few more suit jackets here. You know, I got my tie on, so I don't get too much grief. I usually get grief when I wear a tie of red hat summit, but it's a different format this year. Compressed keynotes. Your keynote was great. The new normal, sometimes we call it the new abnormal <laugh>, uh, but you know, how do you feel? >>I, I, I, I feel great. First of all, you know, combination today, virtual audience in, in house audience here today. I think we're gonna see a lot of that in the future. I mean, we designed the event around that and I, I think it, I think it played pretty well. Kudos, kudos to our team. You're right. It's, it's, it's a bit more intimate even the way it was set up, but those are the conversations we like having with our customers and our partners, much more partner centric, uh, as well right now, as well. >>You know, we were talking about, you know, hybrid cloud. It was kind of, you know, it was a good marketing term. And, but now it's, it's, it's become the real thing. I've said many times the, the definition of cloud is changing. It's expanding it's no, the cloud is no longer this remote set of services, you know, somewhere up in the cloud, it's on prem connecting to a cloud across clouds, out to the edge and you need capabilities that work everywhere. And that's what red hat did. The market's just swimming toward you. >>Yeah. I mean, you look at it, you know, I was, uh, you know, if you look at it, you know, the clouds are powerful unto themselves, right? The clouds are powerful unto themselves. They're all different. Right? And that that's, I mean, hardware vendors were, were similar, but different, same thing. You need that connective tissue across, across the whole thing. I mean, as I said, in my keynote today, I remember talking to some of our CIOs and customers 10 years ago and they said, we're going 90% of our apps tomorrow to one cloud. And we knew that wasn't practical because of course the clouds are built from Linux. So we knew it was underneath the hood and, and what's happened. It's taken some time, but as they started to get into that, they started to see, well, maybe one cloud's more suited for one application than the other, these apps. You may have to keep on premise, but you know, what really exploded at the, the, the hybrid thing, the edge. Now they're putting things at the edge, the GM announcement tell you, I know you're gonna talk to Francis. Yeah, yeah. Later. I mean, that's, that's a mini data center in, in every cloud, but that's still under the purview of the CIO, you know? So, so, so that's what hybrid's all about is tying all those pieces together, cuz it got more powerful, but it also more complex. >>You mentioned being the connective tissue, but we don't hear as much talk about multi-cloud seems to me, as we used to this conference has been all about hybrid cloud. You don't really talk about multi-cloud. How important is that to the red hat strategy, being that consistent layer? >>It's probably my mistake or our mistake because multi's more prevalent and more important than just hybrid alone. I mean, hybrid hybrid started from on-premise to one part to any one particular cloud. That was the, the first thought of hybrid. But as I said, as, as, as um, some of the cloud providers became so big, um, every, every CIO I talked to, whether they know whether they know it or not most do are in a multi environment for a whole bunch of reasons, right. You know, one cloud provider might be better in a different part of the world. And another one cloud provider might have a better service than another. Some just don't like to be stuck to one it's it's really hybrid multi. We should, we should train ourselves to every time we say hybrid, say multi, because that's really, that's really what it is. It, I think that happened overnight with, with Microsoft, you know, with Microsoft they've, they've, they've really grown over the last few years, so has Amazon for that matter. But Microsoft really coming up is what really made it a, a high, a multi world. >>Microsoft's remarkable what, what they're doing. But I, I, I have a different thinking on this. I, I heard Chuck Whitten last week at, at the Dell conference he used, he said used the phrase a multicloud, uh, by default versus multi-cloud by design. And I thought that was pretty interesting because I've said that multi-cloud is largely multi-vendor, you know? And so hybrid has implications, right? We, we bring and a shesh came up with a new term today. Metacloud I use Supercloud I like Metacloud better because something's happening, Paul. It feels like there's this layer abstraction layer that the underlying complexity is hidden. Think about OpenShift. Yeah. I could buy, I could get OpenShift for free. Yeah. I mean, I could, and I could cobble together and stitch together at 13, 15 dozens of different services and replicate, but I don't, I don't want that complexity. I want you to hide that complexity. I want, I'd rather spend money on your R and D than my engineering. So something's changing. It feels like >>You buy that. I totally buy that. I mean, you know, I, I, I'm gonna try to not make this sound like a marketing thing because it's not, not fair enough. Right. I mean, I'm engineer at heart, you know that, so, >>Okay. >>I really look to what we're trying to do is we're building a hybrid multi cloud. I mean that we, I look at us as a cloud provider spanning the hybrid multi all the way out to the edge world, but we don't have the data centers in the back. Like the cloud providers do in and by that is you're seeing our products being consumed more like cloud services because that's what our customers are demanding. Our, our products now can be bought out of the various marketplaces, et cetera. You're seeing different business models from us. So, uh, you're seeing, uh, committed spend, for example, like the cloud providers where a customer will buy so much up front and sort of just work it down. You're seeing different models on how they're consumed, consumption, based pricing. These, these are all things that came from the cloud providers and customers buying like that. >>They now want that across their entire environment. They don't wanna buy differently on premise or in one cloud and they don't wanna develop differently. They don't wanna operate differently. They don't wanna have to secure it differently. Security's the biggest thing with, with our, with our customers, because hybrid's powerful, but you no longer have the, you know, your security per perimeter, no longer the walls of your data center. You know, you're, you're responsible as a CIO. You're responsible for every app. Yeah. No matter where it's running, if that's the break in point, you're responsible for that. So that's why we've done things like, you know, we cried stack rocks. We've, we've built it into the container Kubernetes platform that spans those various footprints because you no longer can just do perimeter security because the perimeter is, is very, very, very large right now >>Diffuse. One of the thing on the multi-cloud hyper skills, I, I, red hat's never been defensive about public cloud. You, I think you look at the a hundred billion dollars a year in CapEx spend that's a gift to the industry. Not only the entire it industry, but, but the financial services companies and healthcare companies, they can build their own hybrid clouds. Metacloud super clouds taking advantage of that, but they still need that connective tissue. And that's where >>We products come in. We welcome our customers to go to, to the public cloud. Um, uh, look, it's it's. I said a long time ago, we said a long time it was gonna be a hybrid. Well, I should have said multi anybody said hybrid, then it's gonna be a hybrid world. It is. And it doesn't matter if it's a 20, 80, 80, 20, 40, 60, 60, 40. It's not gonna be a hundred percent anywhere. Yeah. And, and so in that, in that definition, it's a hybrid multi world. >>I wanna change the tune a little bit because I've been covering IBM for 40 years and seen a lot of acquisitions and see how they work. And usually it follows the same path. There's a commitment to leaving the acquire company alone. And then over time that fades, the company just becomes absorbed. Same thing with red hat. It seems like they're very much committed to, to, to leaving you alone. At least they said that upon the acquisition, have they followed through on that promise? >>I have to tell you IBM has followed through on every commitment they've made, made to us. I mean, I, I owe it, I owe a lot of it to Arvin. Um, he was the architect of the deal, right. Um, we've known each other for a long time. Um, he's a great guy. Um, he, uh, he, he believes in it. It's not, he's not just doing it that way because he thinks, um, something bad will happen if he doesn't, he's doing it that way. Cuz he believes in that our ecosystem is what made us. I mean, I mean, even here it's about the partners in the ecosystem. If you look at what made REL people think what made red hat as a company was support, right. Support's really important. Small piece of the value proposition life cycle supports certainly their life cycle a 10 year life cycle just came out of a, a, a customer conference asking about the life cycle and could we extend it to 15 years? You know? Um, the ecosystem is probably the most important part of, of, of, of the, of the overall value proposition. And Arvin knows in IBM knows that, you know, we have to be neutral to be able to do everything the same for all of our ecosystem partners. Some that are IBM's competitors, even. So, >>So we were noticing this morning, I mean, aside from a brief mention of power PC and the IBM logo during, at one point, there was no mention of IBM during the keynote sessions this morning. Is that intentional? Or is that just >>No, no, it it's, it's not intentional. I mean, I think that's part of, we have our strategy to drive and we're, we're driving our, our strategy. We, we, we IBM great partner. We look at them as a partner just as we do our, our many other partners and we won't, you know, we wouldn't, we wouldn't do something with our products, um, for I with IBM that we wouldn't offer to our, our entire ecosystem. >>But there is a difference now, right? I don't know these numbers. Exactly. You would know though, but, but pre 2019 acquisition red hat was just, I think north of 3 billion in revenue growing at maybe 12% a year. Something like that, AR I mean, we hear on the earnings calls, 21% growth. I think he's publicly said you're north of 5 billion or now I don't know how much of that consulting gets thrown in. IBM likes to, you know, IBM math, but still it's a much bigger business. And, and I wonder if you could share with us, obviously you can't dig into the numbers, but have you hired more people? I would imagine. I mean, sure. Like what's been different from that standpoint in terms of the accelerant to your >>Business. Yeah. We've been on the same hiring cycle percentage wise as, as we, we always were. I mean, I think the best way to characterize the relationship and where they've helped is, um, Arvin, Arvin will say, IBM can be opinionated on red hat, but not the other way around <laugh>. So, so what that, what that means is they had a lot of, they had, they had a container based Linux platform. Yeah, right, right. They, they had all their, they were their way of moving to the cloud was that when we came in, they actually stopped that. And they standardized on OpenShift across all of their products. We're now the vehicle that brings the blue software products to the hybrid cloud. We are that vehicle that does it. So I think that's, that's how, that's how they, they look about it. I mean, I know, I mean in IBM consulting, I know, I know they have a great relationship with Microsoft of course. >>Right. And so, so that's, that's how to really look at it. They they're opinionated on us where we not the other way around, but that, but they're a great partner. And even if we're at two separate companies, we'd do be doing all the same things we're doing with them. Now, what they do do for us can do for us is they open a lot of doors in many cases. I mean, IBM's been around for over a hundred years. So in many cases, they're in, in, in the C-suite, we, we may be in the C suite, but we may be one layer down, one, two layers down or something. They, they can, they help us get access. And I think that's been a, a part of the growth as well as is them talking into their, into, into their >>Constituents. Their consulting's one of the FA if not the fastest growing part of their business. So that's kind of the tip of the spear for application modernization, but enough on IBM you said something in your keynote. That was really interesting to me. You said, you, you, you didn't use the word hardware Renaissance, but that my interpretation was you're expecting the next, you know, several years to be a hardware Renaissance. We, we certainly have done relationships with arm. You mentioned Nvidia and Intel. Of course, you've had relationships with Intel for a long time. And we're seeing just the spate of new hardware developments, you know, does hardware matter? I'll ask you, >>Oh, oh, I mean the edge, as I said, you're gonna see hardware innovation out in the edge, software innovation as well. You know, the interesting part about the edge is that, you know, obviously remade red hat. What we did with REL was we did a lot of engineering work to make every hardware architecture when, when it was, when, when the world was just standalone servers, we made every hardware architecture just work out of the box. Right? And we did that in such, because with an open source development model. So embedded in our psyche, in our development processes is working upstream, bringing it downstream 10 years, support all of that kind of thing. So we lit up all that hardware. Now we go out to the edge, it's a whole new, different set of hardware innovation out at the edge. We know how to do that. >>We know how to, we know how to make hardware, innovation safe for the customer. And so we're bringing full circle and you have containers embedded in, in Linux and REL right now as well. So we're actually with the edge, bringing it all full circle back to what we've been doing for 20 plus years. Um, on, on the hardware side, even as a big part of the world, goes to containers and hybrid in, in multi-cloud. So that's why we're so excited about, about, about the edge, you know, opportunity here. That's, that's a big part of where hybrid's going. >>And when you guys talk about edge, I mean, I, I know a lot of companies will talk about edge in the context of your retail location. Okay. That's fine. That's cool. That's edge or telco that that's edge. But when you talk about, um, an in vehicle operating system, right. You know, that's to me the far edge, and that's where it gets really interesting, massive volumes, different architectures, both hardware and software. And a lot of the data may stay. Maybe it doesn't even get persisted. May maybe some comes back to the club, but that's a new >>Ballgame. Well, think about it, right? I mean, you, if you listen, I think you, right. My talk this morning, how many changes are made in the Linux kernel? Right? You're running in a car now, right? From a safety perspective. You wanna update that? I mean, look, Francis talked about it. You'll talk to Francis later as well. I mean, you know, how many, how many in, in your iPhone world Francis talked about this this morning, you know, they can, they can bring you a whole new world with software updates, the same in the car, but you have to do it in such a way that you still stay with the safety protocols. You're able to back things out, things like that. So it's open source, but getting raw upstream, open source and managing itself yourself, I just, I'm sorry. It takes a lot of experience to be able to be able to do those kinds of things. So it's secure, that's insecure. And that's what that's, what's exciting about it. You look at E the telco world look where the telco world came from in the telco world. It was a hardware stack from the hardware firmware operating system, every service, whether it was 9 1, 1 or 4, 1, 1 was its own stack. Yep. In the 4g, 3g, >>4g >>Virtualized. Now, now it's all software. Yeah. Now it's all software all the way out to the cell tower. So now, so, so now you see vendors out there, right? As an application, as a container based application, running out, running in the base of a cell tower, >>Cell tower is gonna be a little mini data >>Center. Yeah, exactly. Because we're in our time here asking quickly, because you've been at red hat a long time. You, you, you, uh, architected a lot of the reason they're successful is, is your responsibility. A lot of companies have tried to duplicate the red hat model, the, the service and support model. Nobody has succeeded. Do you think anybody ever will or will red hat continue to be a unicorn in that respect? >>No, I, I, I think, I think it will. I think open source is making it into all different parts of technology. Now I have to tell you the, the reason why we were able to do it is we stayed. We stayed true to our roots. We made a decision a long time ago that we weren't gonna put a line, say everything below the line was open and above the line was closed. Sometimes it's hard sometimes to get a differentiation with the competition, it can be hard, but we've stayed true to that. And I, to this day, I think that's the thing that's made us is never a confusion on if it's open or not. So that forces us to build our business models around that as well. But >>Do you have a differentiated strategy? Talk about that. What's your what's your differentiation >>Are, are, well, I mean, with the cloud, a differentiation is that common cloud platform across I differentiate strategy from an open source perspective is to, to sort make open source consumable. And, and it's even more important now because as Linux Linux is the base of everything, there's not enough skills out there. So even, even a container platform like open source op like OpenShift, could you build your own? Certainly. Could you keep it updated? Could you keep it updated without breaking all the applications on top? Do you have an ecosystem around it? It's all of those things. It was, it was the support, the, the, the hardening the 10 year to predictability the ecosystem. That was, that was, that is the secret. I mean, we even put the secret out as open. >>Yeah, <laugh> right. Free, like a puppy, as they say. All right, Paul, thanks so much for coming back in the cubes. Great to see you face to face. Nice to see you guys get it. All right. Keep it right there. Dave Valante for Paul Gill, you're watching the cubes coverage of red hat summit, 2022 from Boston. Be right back.

welcome back to the seaport in boston massachusetts with cities crazy with bruins and celtics talk but we're here we're talking red hat linux open shift ansible and ashesh badani is here he's the senior vice president and the head of products at red hat fresh off the keynotes had amex up in the state of great to see you face to face amazing that we're here now after two years of of the isolation economy welcome back thank you great to see you again as well and you as well paul yeah so no shortage of announcements uh from red hat this week paul wrote a piece on siliconangle.com i got my yellow highlights i've been through all the announcements which is your favorite baby hard for me to choose hard for me to choose um i'll talk about real nine right well nine's exciting um and in a weird way it's exciting because it's boring right because it's consistent three years ago we committed to releasing a major well uh every three years right so customers partners users can plan for it so we released the latest version of rel in between we've been delivering releases every six months as well minor releases a lot of capabilities that are bundled in around security automation edge management and then rel is also the foundation of the work we announced with gm with the in-vehicle operating system so you know that's extremely exciting news for us as well and the collaboration that we're doing with them and then a whole host of other announcements around you know cloud services work around devsecops and so on so yeah a lot of news a lot of announcements i would say rel nine and the work with gm probably you know comes right up to the top i wanted to get to one aspect of the rail 9 announcement that is the the rose centos streams in that development now in december i think it was red hat discontinued development or support for for centos and moved to central streams i'm still not clear what the difference is between the two can you clarify that i think we go into a situation especially with with many customers many partners as well that you know didn't sort of quite exactly uh get a sense of you know where centos was from a life cycle perspective so was it upstream to rel was it downstream to rel what's the life cycle for itself as well and then there became some sort of you know implied notions around what that looked like and so what we decided was to say well we'll make a really clean break and we'll say centos stream is the upstream for enterprise linux from day one itself partners uh you know software partners hardware partners can collaborate with us to develop rel and then take it all the way through life cycle right so now it becomes a true upstream a true place for development for us and then rel essentially comes uh out as a series of releases based on the work that we do in a fast-moving center-os environment but wasn't centos essentially that upstream uh development environment to begin with what's the difference between centos stream yeah it wasn't wasn't um it wasn't quite upstream it was actually a little bit downstream yeah it was kind of bi-directional yeah and yeah and so then you know that sort of became an implied life cycle to it when there really wasn't one but it was just became one because of some usage and adoption and so now this really clarifies the relationship between the two we've heard feedback for example from software partners users saying hey what do i do for development because i used you know centervis in the past we're like yup we have real for developers available we have rel for small teams available we have rel available for non-profit organizations up and so we've made rail now available in various form factors for the needs that folks had and they were perhaps using centos for because there was no such alternative or rel history so language so now it's this clarity so that's really the key point there so language matters a lot in the technology business we've seen it over the years the industry coalesces around you know terminology whether it was the pc era everything was pc this pc that the internet era and and certainly the cloud we we learned a lot of language from the likes of you know aws two pizza teams and working backwards and things like that became common commonplace hybrid and multi-cloud are kind of the the parlance of the day you guys use hybrid you and i have talked about this i feel like there's something new coming i don't think my term of super cloud is the right necessary terminology but it signifies something different and i feel like your announcements point to that within your hybrid umbrella point being so much talk about the edge and it's we heard paul cormier talk about new hardware architectures and you're seeing that at the edge you know what you're doing with the in-vehicle operating system these are new the cloud isn't just a a bunch of remote services in the cloud anymore it's on-prem it's a cloud it's cross-clouds it's now going out to the edge it's something new and different i think hybrid is your sort of term for that but it feels like it's transcending hybrid are your thoughts you know really really great question actually since you and i talked dave i've been spending some time you know sort of noodling just over that right and you're right right there's probably some terminology something sort of you know that will get developed you know either by us or you know in collaboration with the industry you know where we sort of almost have the connection almost like a meta cloud right that we're sort of working our way towards because there's if you will you know the cloud right so you know on premise you know virtualized uh bare metal by the way you know increasingly interesting and important you know we do a lot of work with nvidia folks want to run specific workloads there we announced support for arm right another now popular architecture especially as we go out to the edge so obviously there's private cloud public cloud then the edge becomes a continuum now you know on that process we actually have a major uh uh shipping company so uh a cruise lines that's talking about using openshift on cruise lines right so you know that's the edge right last year we had verizon talking about you know 5g and you know ran in the next generation there to then that's the edge when we talk to retail the store front's the edge right you talk to a bank you know the bank environments here so everyone's got a different kind of definition of edge we're working with them and then when we you know announce this collaboration with gm right now the edge there becomes the automobile so if you think of this as a continuum right you know bare metal private cloud public cloud take it out to the edge now we're sort of almost you know living in a world of you know a little bit of abstractions and making sure that we are focused on where uh data is being generated and then how can we help ensure that we're providing a consistent experience regardless of you know where meta meta cloud because i can work in nfts i can work a little bit we're going to get through this whole thing without saying metaverse i was hoping i do want to ask you about about the edge and the proliferation of hardware platforms paul comey mentioned this during the keynote today hardware is becoming important yeah there's a lot of people building hardware it's in development now for areas like uh like intelligent devices and ai how does this influence your development priorities you have all these different platforms that you need to support yeah so um we think about that a lot mostly because we have engagements with so many partners hardware right so obviously there's more traditional partners i'd say like the dell and the hpes that we work with we've historically worked with them also working with them in in newer areas uh with regard to appliances that are being developed um and then the work that we do with partners like nvidia or new architectures like arm and so our perspective is this will be uh use case driven more than anything else right so there are certain environments right where you have arm-based devices other environments where you've got specific workloads that can take advantage of being built on gpus that we'll see increasingly being used especially to address that problem and then provide a solution towards that so our belief has always been look we're going to give you a consistent platform a consistent abstraction across all these you know pieces of hardware um and so you mr miss customer make the best choice for yourself a couple other areas we have to hit on i want to talk about cloud services we've got to talk about security leave time to get there but why the push to cloud services what's driving that it's actually customers they're driving right so we have um customers consistently been asking us say you know love what you give us right want to make sure that's available to us when we consume in the cloud so we've made rel available for example on demand right you can consume this directly via public cloud consoles we are now making available via marketplaces uh talked about ansible available as a managed service on azure openshift of course available as a managed service in multiple clouds um all of this also is because you know we've got customers who've got these uh committed spends that they have you know with cloud providers they want to make sure that the environments that they're using are also counting towards that at the same time give them flexibility give them the choice right if in certain situations they want to run in the data center great we have that solution for them other cases they want to procure from the cloud and run it there we're happy to support them there as well let's talk about security because you have a lot of announcements like security everywhere yeah um and then some specific announcements as well i i always think about these days in the context of the solar wind supply chain hack would this have you know how would this have affected it but tell us about what's going on in security your philosophy there and the announcements that you guys made so our secure announcements actually span our entire portfolio yeah right and and that's not an accident right that's by design because you know we've really uh been thinking and emphasizing you know how we ensure that security profile is raised for users both from a malicious perspective and also helping accidental issues right so so both matters so one huge amounts of open source software you know out of the world you know and then estimates are you know one in ten right has some kind of security vulnerability um in place a massive amount of change in where software is being developed right so rate of change for example in kubernetes is dramatic right much more than even than linux right entire parts of kubernetes get rewritten over over a three-year period of time so as you introduce all that right being able to think for example about you know what's known as shift left security or devsec ops right how do we make sure we move security closer to where development is actually done how do we ensure we give you a pattern so you know we introduced a software supply chain pattern uh via openshift delivers complete stack of code that you know you can go off and run that follows best practices uh including for example for developers you know with git ops and support on the pipelines front a whole bunch of security capabilities in rel um a new image integrity measurement architecture which allows for a better ability to see in a post install environment what the integrity of the packages are signing technology they're incorporating open shift as well as an ansible so it's it's a long long list of cables and features and then also more and more defaults that we're putting in place that make it easier for example for someone not to hurt themselves accidentally on security front i noticed that uh this today's batch of announcements included support within openshift pipelines for sigstor which is an open source project that was birthed actually at red hat right uh we haven't heard a whole lot about it how important is zig store to to you know your future product direction yeah so look i i think of that you know as you know work that's you know being done out of our cto's office and obviously security is a big focus area for them um six store's great example of saying look how can we verify content that's in uh containers make sure it's you know digitally signed that's appropriate uh to be deployed across a bunch of environments but that thinking isn't maybe unique uh for us uh in the container side mostly because we have you know two decades or more of thinking about that on the rel side and so fundamentally containers are being built on linux right so a lot of the lessons that we've learned a lot of the expertise that we've built over the years in linux now we're starting to you know use that same expertise trying to apply it to containers and i'm my guess is increasingly we're going to see more of the need for that you know into the edge as well i i i picked up on that too let me ask a follow-up question on sigstor so if i'm a developer and i and i use that capability it it ensures the provenance of that code is it immutable the the signature uh and the reason i ask is because again i think of everything in the context of the solar winds where they were putting code into the the supply chain and then removing it to see what happened and see how people reacted and it's just a really scary environment yeah the hardest part you know in in these environments is actually the behavior change so what's an example of that um packages built verified you know by red hat when it went from red hat to the actual user have we been able to make sure we verify the integrity of all of those when they were put into use um and unless we have behavior that you know make sure that we do that then we find ourselves in trouble in the earliest days of open shift uh we used to get knocked a lot by by developers because i said hey this platform's really hard to use we investigate hey look why is that happening so by default we didn't allow for root access you know and so someone's using you know the openshift platform they're like oh my gosh i can't use it right i'm so used to having root access we're like no that's actually sealed by default because that's not a good security best practice now over a period of time when we you know randomly enough times explained that enough times now behavior changes like yeah that makes sense now right so even just kind of you know there's behaviors the more that we can do for example in in you know the shift left which is one of the reasons by the way why we bought uh sac rocks a year right right for declarative security contain native security so threat detection network segmentation uh watching intrusions you know malicious behavior is something that now we can you know essentially make native into uh development itself all right escape key talk futures a little bit so i went downstairs to the expert you know asked the experts and there was this awesome demo i don't know if you've seen it of um it's like a design thinking booth with what happened how you build an application i think they were using the who one of their apps um during covet and it's you know shows the the granularity of the the stack and the development pipeline and all the steps that have to take place and it strikes me of something we've talked about so you've got this application development stack if you will and the database is there to support that and then over here you've got this analytics stack and it's separate and we always talk about injecting more ai into apps more data into apps but there's separate stacks do you see a day where those two stacks can come together and if not how do we inject more data and ai into apps what are your thoughts on that so great that's another area we've talked about dave in the past right um so we definitely agree with that right and and what final shape it takes you know i think we've got some ideas around that what we started doing is starting to pick up specific areas where we can start saying let's go and see what kind of usage we get from customers around it so for example we have openshift data science which is basically a way for us to talk about ml ops right and you know how can we have a platform that allows for different models that you can use we can uh test and train data different frameworks that you can then deploy in an environment of your choice right and we run that uh for you up and assist you in in uh making sure that you're able to take the next steps you want with with your machine learning algorithms um there's work that we've uh introduced at summit around databases service so essentially our uh a cloud service that allows for deep as an easy way for customers to access either mongodb or or cockroach in a cloud native fashion and all of these things that we're sort of you know experimenting with is to be able to say look how do we sort of bring the world's closer together right off database of data of analytics with a core platform and a core stack because again right this will become part of you know one continuum that we're going to work with it's not i'd like your continuum that's that's i think really instructive it's not a technical barrier is what i'm hearing it's maybe organizational mindset i can i should be able to insert a column into my my my application you know development pipeline and insert the data i mean kafka tensorflow in there there's no technical reason i can't can't do that it's just we've created these sort of separate stovepipe organizations 100 right right so they're different teams right you've got the platform team or the ops team and you're a separate dev team there's a separate data team there's a separate storage team and each of them will work you know slightly differently independently right so the question then is i mean that's sort of how devops came along then you're like oh wait a minute yeah don't forget security and now we're at devsecops right so the more of that that we can kind of bring together i think the more convergence that we'll see when i think about the in-vehicle os i see the the that is a great use case for real-time ai inferencing streaming data i wanted to ask you that about that real quickly because at the very you know just before the conference began we got an announcement about gm but your partnership with gm it seems like this came together very quickly why is it so important for red hat this is a whole new category of application that you're going to be working on yeah so we've been working with gm not publicly for a while now um and it was very clear that look you know gm believes this is the future right you know electric vehicles into autonomous driving and we're very keen to say we believe that a lot of attributes that we've got in rel that we can bring to bear in a different form factor to assist with the different needs that exist in this industry so one it's interesting for us because we believe that's a use case that you know we can add value to um but it's also the future of automotive right so the opportunity to be able to say look we can get open source technology we can collaborate out with the community to fundamentally help transform that industry uh towards where it wants to go you know that that's just the passion that we have that you know is what wakes us up every morning you're opening into that yeah thank you for coming on the cube really appreciate your time and your insights and uh have a great rest of rest of the event thank you for having me metacloud it's a thing it's a thing right it's it's it's kind of there we're gonna we're gonna see it emerge over the next decade all right you're watching the cube's coverage of red hat summit 2022 from boston keep it right there be right back you

from the silicon angle media office in Boston Massachusetts it's the queue now here's your host David on tape the imperative to protect data has never been more pressing as companies transform themselves from businesses into digital businesses the intrinsic value of their data Rises exponentially the problem for infrastructure pros is that everything in IT is additive it seems like nothing ever dies which means more things to manage now think about that when you're protecting data you have bare metal VMs now containers you've got cloud you got to worry about the edge all this data needs to be protected not only does this increase complexity it expands the attack surface for adversaries wanting to steal or ransom your data at the heart of all this is a build out of a massively global distributed cloud we saw wave 1 of the cloud which was public wave 2 was really hybrid and that's evolving now in parallel you're seeing the emergence of multi cloud and as I said these earlier trends are additive they're not replacements and with me to discuss these important issues and how Dell EMC specifically is pivoting toward cloud data protection is Beth Phelan who was the president of Dell emcs Data Protection Division that's great to see you well good to be here again so we know the world is hybrid it's a fundamental the on-prem stuff is part of the fundamental digital digital transformations of these these companies and now you've got data protection for the cloud so what do you see happening in that world yeah let's start with what we're seeing in the market we recently remade our global data protection index we've been doing it for many years and we've been really using that to help us understand the landscape and what our customers need and first not surprisingly it shows that continued trend of movement and reliance towards cloud environments for business applications sure continuing to increase on top of that the customers despite that are continuing to struggle with ensuring they have the right data protection for their cloud environments right so they're they're struggling you see that we see that as well what what's going on there Wow what is the data tell you yeah first of all more than half the customers don't have a comprehensive data protection solution for their Salas cloud native and multi cloud environments more than two-thirds of the customers who may be relying on their cloud service providers for data protection say that they do not have a solution that covers all of their workloads so whether they're working with a cloud service provider or some other vendor they're being really clear that they do not have a comprehensive approach to cloud data protection yeah so I mean you see the cloud adoption is going like crazy but it seems like the data protection component is lagging how is that affecting the traction in your business yeah you know it's a double-edged sword right on one level customers see the advantages of moving to a cloud but on the other hand you know they are really looking for vendors that they can partner with to still have the same confidence that the data is protected that they have on Prem and what we're seeing now is that customers are turning to us to help solve that problem we have over a thousand customers using Dell EMC for their Cloud Data Protection and we're narrowing in on three exabytes of data that we're currently protecting in the cloud so it's happening yeah that's pretty good traction so I want to talk about VMware obviously VMware is the linchpin of many customers hybrid strategy and it's a clearly an important component of Dell technologies talk a little bit about the relationship between Dell EMC data protection specifically and VMware I'm interested in you know they've announced project tenzou and there's kubernetes how are you guys working together to really deliver a value for customers so we are super excited about the opportunity to work so closely with VMware because as their in their domain we're working directly with them and that's an advantage that comes with being part of the dell technologies family and so we were the first company to bring data protection for were kubernetes environments out to market it's available now so you'll see us bring that into the tan zoom mission-critical has been moved forward partnering closely with with VMware and of course we're already fully certified for VMware cloud it's really an ongoing regular conversation about how we can work together to bring the best to our customers so Beth I gotta ask you so you're part of your role as the leader of the the division is obviously you got a you got a lot of mouths to feed big division you got to make your plan you got to deliver for customers but strategy is another key component of this how do all these cloud trends shape your strategy so core to our strategy is to be the essential provider of data protection for multi cloud environments so no matter where customers are choosing to deploy their applications they can have the same confidence that they always did that that data is protected and the way they can get it back so that's core and if you want three words to remember for our strategy think VMware cloud and cyber cloud is central to it and you're gonna be hearing a lot more about it in the weeks and months ahead okay so I gotta ask you break out your binoculars maybe even the telescope what are the future what are the futures look like when you think about the division and the market so we've been talking about cloud for a long time but we are still in the middle of this journey customers are going to rely on the cloud even more for additional use cases and especially in the data protection space right now we're seeing backup to the cloud dr to the cloud but the future will include cyber resiliency that's leveraging cloud deployments you're also going to see more and more of an emphasis on people leveraging SAS for their software consumption and for us that means not only protecting SAS applications but it also means giving customers the option to consume data protection in a SAS model we already do that today with things like cloud snapshot manager with things like the power protect management and orchestration but you're going to see us do even more of that because they're just incredible benefits of people leveraging sass to consume their software data constantly evolving lamps landscape data protection has to evolve with it that thanks so much for her thank you thank you keep it right there we'll be right back right after this short break

from the silicon angle media office in Boston Massachusetts it's the cube now here's your host David on tape the imperative to protect data has never been more pressing as companies transform themselves from businesses into digital businesses the intrinsic value of their data Rises exponentially the problem for infrastructure pros is that everything in IT is additive it seems like nothing ever dies which means more things to manage now think about that when you're protecting data you have bare metal VMs now containers you've got cloud you got to worry about the edge all this data needs to be protected not only does this increase complexity it expands the attack surface for adversaries wanting to steal or ransom your data at the heart of all this is a build out of a massively global distributed cloud we saw wave 1 of the cloud which was public wave 2 was really hybrid and that's evolving now in parallel you're seeing the emergence of multi cloud and as I said these earlier trends are additive they're not replacements and with me to discuss these important issues and how Dell EMC specifically is pivoting toward cloud data protection is Beth Phelan who is the president of Dell emcs Data Protection Division that's great to see you well good to be here again so we know the world is hybrid it's a fundamental the on-prem stuff is part of the fundamental digital digital transformations of these these companies and now you've got data protection for the cloud so what do you see happening in that world yeah let's start with what we're seeing in the market we recently remade on our global data protection index we've been doing it for many years and we've been really using that to help us understand the landscape and what our customers need and first not surprisingly it shows that continued trend of movement and reliance towards cloud environments for business applications continuing to increase on top of that the customers despite that are continuing to struggle with ensuring they have the right data protection for their cloud environments right so they're they're struggling you see that we see that as well what what's going on there well what is the data tell you yeah first of all more than half of the customers don't have a comprehensive data protection solution for their Salas cloud native and multi cloud environments more than two-thirds of the customers who may be relying on their cloud service providers for data protection say that they do not have a solution that covers all of their workloads so whether they're working with a cloud service provider or some other vendor they're being really clear that they do not have a comprehensive approach to cloud data protection yeah so I mean you see the cloud adoption is going like crazy but it seems like the data protection component is lagging how is that affecting the traction in your business yeah you know it's a double-edged sword right on one level customers see the advantages of moving to a cloud on the other hand you know they are really looking for vendors that they can partner with to still have the same confidence that the data is protected that they have on Prem and what we're seeing now is that customers are turning to us to help solve that problem we have over a thousand customers using Dell EMC for their Cloud Data Protection and we're narrowing in on three exabyte the data that we're currently protecting in the cloud so it's happening yeah that's pretty good traction so I want to talk about VMware obviously VMware is the linchpin of many customers hybrid strategy and it's a clearly an important component of Dell technologies talk a little bit about the relationship between Dell EMC data protection specifically and VMware I'm interested in you know they've announced project tenzou and there's kubernetes how are you guys working together to really deliver a value for customers so we are super excited about the opportunity to work so closely with VMware because as they're cut in their domain we're working directly with them and that's an advantage that comes with being part of the dell technologies family and so we were the first company to bring data protection for were kubernetes environments out to market it's available now so you'll see us bring that into the tenzou mission-critical has been moved forward partnering closely with with vmware and of course we're already fully certified for vmware cloud it's really an ongoing regular conversation about how we can work together to bring the best to our customers so Beth I gotta ask you so you're part of your role as the leader of the the division is obviously you gotta get a lot of mouths to feed big division you got to make your plan you got to deliver for customers but strategy is another key component of this how do all these cloud trends shape your strategy so core to our strategy is to be the essential provider of data protection for multi cloud environments so no matter where customers are choosing to deploy their applications they can have the same confidence that they always did that that data is protected and the way they can get it back so that's core and if you want three words to remember for our strategy think VMware cloud and cyber cloud is central to it and you're going to be hearing a lot more about it in the weeks and months ahead okay so I gotta ask you break out your binoculars maybe even the telescope what are the future what are the future's look like when you think about the division and the market so we've been talking about cloud for a long time but we are still in the middle of this journey customers are going to rely on the cloud even more for additional use cases and especially in the data protection space right now we're seeing backup to the cloud dr to the cloud but the future will include cyber resiliency that's leveraging cloud deployments you're also going to see more and more of an emphasis on people leveraging SAS for their software consumption and for us that means not only protecting SAS applications but it also means giving customers the option to consume data protection in a SAS model we already do that today with things like cloud snapshot manager with things like the power protect management and orchestration but you're going to see us do even more of that because they're just incredible benefits of people leveraging sass to consume their software data constantly evolving lamps landscape data protection has to evolve with it Beth thanks so much for thank you and thank you keep it right there we'll be right back right after this short break from world famous cloud Studios Dell Technologies presents the world's number one show on data protection solutions for today's organizations it's proven in modern magazine with Jake and Emmy hello everyone and welcome to the premiere of PM magazine where we cover the proven Dell technology solutions that you've come to rely on and the latest modern innovation driving powerful data protection for the future I recently spent some quality time with one of our customers and I learned a thing or two about Dell proven data protection solutions let's watch the clip we've always relied on tell performance efficiency and scale to help us keep pace with our data protection needs but there's so much more for example we've been crushing it with Dell cloud data protection for backup to the cloud in cloud backup cloud tearing cloud dr uh-huh look at the picture it's a huge business advantage how so our costs are down we spend less time on management we're meeting our service levels and we have peace of mind that all of our data is protected right awesome did you talk about how Dells agile development approach is accelerating the speed at which we deliver customer value yes and how cloud capabilities will continue to grow yes and about VMware protection yes and cyber recovery yes I mean we covered all of that as well as the mega trends that require data protection with a modern approach well modern is exactly what our guests today are here to discuss Jake he is Ken fatale a noted data protection expert and joining us from the field on her vacation in the Bahamas is Barbara Penner of the data management Institute thank you both for being here so Ken what should our viewers think about when they hear the phrase modern data protection they should think new requirements for modern applications cloud native workloads Cubana is multi-cloud and data services to name a few Barbara would you add anything to that list I would add business service recovery on premises or in the cloud autonomous protection to auto detect and protect workloads across edge core and cloud infrastructure and lastly all of this must operate at global scale thank you both this is exactly where we're heading with Dell power protect solutions well it's time for a break but when we come back we've got something special in store for you don't we Jake I was hoping you forgot oh no someone learned how to make cream puffs and it did not turn out well for him yeah my apologies in advance to my mother who tried to show me around the kitchen but as you can see we'll be right back [Music] we're back with Rob and Rob Emslie who's the director of product marketing for Delhi MCS data protection division Rob good to see you hi Dave good to be back so we just heard from Beth about some of the momentum that you guys have from your perspective from a product angle what is really driving this yeah well one of the things that we've you know definitely seen is that as we talk to our customers both existing and new customers cloud journeys is is top of mind for all of the CIOs it's being driven by either the desire to drive efficiency take out costs and data protection is one of the the most common use cases and one of the things that we find is that there's four use cases for data protection that we see long term retention of data cloud disaster recovery backup to the cloud and the emerging desire to stand up new applications in the cloud that need to be protected so backup in the cloud really completes the four major use cases well one of the things I think is really important this market is that you deliver optionality to your customers so how are our customers enabling these use cases yeah so the the first two UK's first two use cases of long term retention and cleitus recovery is is really driven by our software on our appliances both of those are really predicated based upon the assumption that customers are going to deploy data protection on premises to protect their on-premises workloads and then it's here to the cloud or which is becoming more common used to cloud as a disaster recovery target you know it's delivered by our data protection software and that's either in a software form factor or that software delivered in an integrated appliance form factor so let's talk about purpose-built backup appliances I think you know our friends at IDC I think you know coined that they tracked that market for a while you guys have been a leader there the acquisition of data domain obviously put you in a really strong position give us the update there is it's still a vibrant market is it growing what's the size it's it look like yeah so as we look at 2020 you know IDC forecasts the market size to be a little under five billion dollars so it's still a very large market the overall market is growing at a little over four percent but the interesting thing is that if you think about how the market is is made up it's made up of two different types of appliances one is a target appliance such as data domain and the new power protect dd and the other is integrated appliances where you integrate the target appliance architecture with data protection software and it's the integrated appliance part of the market that is really growing faster than the other part of the of the people being market it's actually growing at 8% in fact IBC's projection is that by 2022 half of the purpose-built back to appliance market will be made up of integrated appliance solutions so it's growing at twice the overall market rate but you guys have two integrated appliances what why - how should people think about those yeah so a little under three years ago we introduced a new integrated appliance the called the integrated data protection appliance it was really the combination of our backup software with our data domain appliance architecture and the integrated air protection appliance has been our workhorse for the last three years really allowing us to to support that that fastest-growing segment of the market in fact last year the integrated air protection appliance grew by over a hundred percent so triple digit growth was great you know it's something that you know allows us to address all market segments all the way down to SMB all the way to the enterprise but last year one of the things you may remember at Delta Nadi's world is we introduced our power to protect portfolio you know and that constituted power protect data manager our new software to find platform as well as the delivery of packet there in an integrated appliance form-factor with perfectly x400 so that's really our our new scale out data protection appliance we've never had a scale out appliance in the architecture before in the portfolio before and that gives us the ability to offer customers choice scale up or scale out integrated and target and with the X 400 it's available is a hybrid configuration or it's also our first or flash architecture so really we're providing customers with the existing software solutions that we've had in the market for a long time an integrated form factor with the integrator protection appliance as well as the brand-new software platform that will really be our innovation engine that will be where we'll be looking at supporting new workloads and certainly leaning into how we support cloud air protection and the hybrid cloud reality of the next decade okay so one of the other things I want to explore is we've heard a lot about your new agile development organization Beth has talked about that a lot and the benefit obviously is you're more you're able to get products out more quickly respond to market changes but ultimately the proof is in translating that development into product what can you tell us about how that's progressing yep so certainly with Papa Tech Data Manager and the X 400 that really is the the epicenter of our agile product development activities you know we've moved to a three-month cadence for software releases so working to deliver a small batch releases into the market much more rapidly than we've ever done before in fact since we introduced palpitate Denham manager where we we shipped the first release in July we're now at the third iteration of palpitate Data Manager and therefore the third iteration of the x100 appliance so there's three things that you know I'd like to highlight within the x100 appliance specifically first is really the the exciting news that we've introduced support for kubernetes so we're really the first you know large enterprise data protection vendor to to lean into providing kubernetes data protection so that becomes the vitally important especially with the developments over our partner in VMware with vSphere 7 with the introduction of tan zoo and the reality is that customers will have both these fear virtual machines and kubernetes containers working side-by-side and both of those environments need to be protected soap a patek denim algae and the x400 appliance has that support available now for customers to take advantage of second we talked about long-term retention of of data in the cloud the x100 appliance has just received the capabilities to also take part in long term retention to AWS so those are two very important cloud capabilities that are brand-new with the excellent appliance and then finally we introduced yet 400 appliance with a maximum configuration of four capacity cubes rough-and-tough that was 400 terabytes of usable capacity we've just introduced support of 12 capacity cubes so that gives the customers the ability to scale out the x100 appliance from 64 terabytes all the way to over a petabyte storage so now if you look at our two integrated appliances we now cover the landscape from small numbers of terabytes all the way through to a petabyte of capacity whether or not you pick a scale up architecture or a scale length architecture yeah so that really comes back to the point I was making about optionality and kubernetes is key it's gonna be a linchpin obviously a portability for multi cloud sets that up as we've said it's it's not the be-all end-all but it's a really necessary condition to enable multi cloud which is fundamental to your strategy absolutely alright Rob thanks very much for coming on the cube it's great to have you thanks Dave and thank you for watching everybody this is Dave Volante for the cube we'll see you next time [Music]