Simon West, Cyxtera | AWS re:Invent


 

>> Narrator: Live from Las Vegas, it's theCUBE covering AWS re:Invent 2017 presented by AWS, Intel, and our ecosystem of partners.

>> Welcome back to AWS re:Invent 2017. I am Lisa Martin with theCUBE, our day two of continuing coverage of this event that has attracted 44,000 people. Keith Townsend is my cohost, and we are very excited to welcome to theCUBE family Simon West, the CMO of Cyxtera. Welcome, Simon.

>> Thank you, great to be here.

>> Cyxtera, a six-month-old company. Tell us about it, what do you guys do?

>> Sure, so as you said we are just six months old. It feels longer than that now, born at the intersection of five simultaneous acquisitions. One part of that was the acquisition of 57 data centers and a global co-location business that was formerly owned and operated by CenturyLink. Into that we've added the security and analytics capabilities of four modern startup software companies, and the vision is to provide a secure infrastructure solution both within our data centers, but interestingly even though I've got 57 data centers around the world, I want to be location agnostic. We recognize that today's enterprises are running multi-clouds, running hybrid environments, so we extend our security solutions on prem and into public clouds which is why we are here at AWS re:Invent.

>> Fantastic.

>> One of the big challenges that we hear from the enterprise perspective, hybrid IT is that the controls that we have internally are very different from the controls that exist in AWS. How do you guys help even that out?

>> You are exactly right, we would go so far as to gently suggest that the core method by which we protect access to infrastructure and applications which is still predicated on a physical perimeter is just fundamentally flawed in a 2017 world where your applications are everywhere, your users are everywhere connecting on a myriad of devices. You can't build a wall around that which doesn't exist.
You have also obviously, as you say, you've got that problem of heterogeneous platforms, each with their own method of control. Our flagship product in that area is a product called AppGate SDP. SDP stands for software defined perimeter which is an emerging specification born out of the US government's DISA. Now a number of companies are offering software defined perimeter solutions. The basic premise that we hold is that security should be user centric rather than IP centric. A firewall is still predicated on granting access from one IP block to another IP block. The VPN may capture who is coming in, but once you are in, we give you basically unfettered access to flat corporate internal networks and we track you as an IP address rather than as a user. We think we should get more user centric. The user should be at the center of our policy. We think it should be more like cloud in the way we run security so rather than these hardware-based static central chokepoints, we think security should be real-time, it should be adaptive and intelligent, and it should be as agile as the cloud. You build cloud applications that are capable of spawning multiple copies of themselves, auto scaling up and down, moving from availability zone to availability zone yet our typical network security posture is still highly static. When you have some of the high profile attacks that we have seen over the last few months, our ability to change policy, immediately we recognize a problem. A particular operating system, apps in a particular service pack, is incredibly out of step with how agile the rest of our IT is. So more like cloud in terms of the way it operates, and finally we think, and so does the software defined perimeter spec, we think that access needs to be thought of as conditional rather than just a X, Y, yes or no.
Jim has access to sensitive financial systems should be dependent on what operating system Jim is using, whether Jim is on a coffee shop Wi-Fi network or on a structured corporate network, the time of day, the day of week, our overall security posture. The way AppGate works is when a user tries to access a system, the policy can ingest any one of these different conditional items. It can interrogate the device the user is using for the right software revisions. You can look at environmental variables. It can even look at internal business systems and check anything it can get to via an API, and only if those conditions are met will it provide access to a specific system, and then it can monitor that real time, so if your context changes, you move from a trusted network to an untrusted network, we can alter access. We can prompt for a one time multifactor authentication or take any other steps the user wants. We offer that in cloud, on premise, integrated into our data centers to provide one central policy mechanism no matter what platform you are running on. In the case of AWS, we integrate with features like security groups, like AMI machine tagging, so you can build policy natively out of those Amazon features as well.

>> Talk about that transition to this user based approach. I would imagine that a user can migrate their legacy systems into one of your 56, 57 data centers, and then as they start to expand out to the cloud, they have to change their operating model from they may migrate their traditional big firewall into your data center. What does that migration process look like? Is that an application by application spec, network by network? How do I transition?

>> You know, it really varies. It feels a lot like I'm an old cloud guy, so it feels a lot like cloud did in the late 00s, in 2008, 2009.
We think the software defined perimeter is going to have that big of an impact, a cloudlike impact on network and application security, but the way in which organizations will choose to implement it is going to vary. One of the things we did very early on was to integrate AppGate as a service into the data centers. If you think about co-location environments, when you bring new gear into a data center, you rack and stack it, the very next thing you do after that is drag a VPN back to the corporate office so you can access it remotely, which we would respectfully suggest is not necessarily the best way to do it in 2017 out of the chute. We've then integrated AppGate so organizations can just avail themselves of that as a service, and instantly have a kind of easy on-ramp. One of the big areas we see, and we've seen with customers here at re:Invent is customers who are moving workloads to cloud, and want to make sure that they can have that same sense of fine-grained access control common to those on premises and off premises environments, whether that's at migration or that's just an extension of an app into cloud environments, so it's kind of all over the place.

>> Sorry Simon, what differentiates Cyxtera's approach to the software defined perimeter from your competitors?

>> A couple of things, it's extremely robust in terms of one, being able to run in multiple environments, so a native AWS version, versions that run natively in other public cloud environments. Obviously we think the ability to offer it deeply integrated into the data centers is important. It's also capable of granting access to more than just web applications. You've got some solutions out there that are really web proxies and that are built for SaaS apps and born on the cloud apps.
This is more of a fundamental network platform by which you can gain access to any system or application you choose, and finally we've introduced the concept of what we call scriptable entitlements which is the ability to interrogate third-party systems via API, and bring back those results as part of the building policy. An example there is we've got service provider customers who are running large multitenant environments. You then have a technical support organization who needs to support a huge multi thousands of servers environment with multiple customers running in multiple VLANs and typically the way you have to do that is a jump box in the middle and then giving these technical support folks access to that entire backend management network which is a security risk. With AppGate, you can actually integrate into a ticketing system and when John in support asks for access to a customer database server, at runtime, we can find out whether there is a trouble ticket open on that box assigned to that rep, and only then will we grant access. We don't grant level network access. We grant access to that specific application. We call it a segment of one, secure, encrypted connection between the user's device and the application or the applications they have access to but to nothing else. Everything else on the network is literally dark. It cannot be port scanned. It doesn't show up at all, so it's a much narrower sense of control, a much narrower sense of access, and again it's dynamic. If that trouble ticket is shut off, the access goes away automatically. We think the integration into business systems is a critical piece of the puzzle and an area where I think we have innovated with AppGate.

>> Let's talk about security in depth. Obviously you guys are putting the software security perimeter around the data center, what we would classify as the data center which is kind of disappearing in a sense, and the edge. You talked about end-user protection.
Where do you guys pick up and drop off when it comes to MDM, mobile device management, which is much more important now with mobile, and then laptops, desktops, et cetera, and you mentioned third parties, pieces of data center equipment that's not in your data center, like a wind farm.

>> Sure, so you are right. We are absolutely moving to the edge. I think we continue to think that the data center will be as important as it ever was. The more cloud we have, the more data centers it needs to run in. The more public cloud we have the more people want to move some of their machines that might have historically run on prem to cloud data centers with low latency direct connect to public cloud environments. If you look at our data center footprint with regard to the edge, we are not just in the major markets, although in major metropolitan markets I've got half a dozen data centers all linked together, but I'm also in markets scattered across the country, so I've got half a dozen in New York and New Jersey, half a dozen in DC, half a dozen in the Bay Area, but I'm in Tampa, I'm in Columbus, Ohio, I'm in Dallas, I'm in Denver, and so that distribution becomes particularly important as more customers move data to the edge. From a security perspective, again, we think of that data center as the nexus of enterprise IT and the cloud. The data center is where our conversation about security in terms of access control starts. It's a physical security message of biometrics, and ID checks, and so forth, but there, we think is the missing piece of the puzzle. The principal point of ingress and egress into a data center today is not to the front door, the back door, or the loading dock. It's the massively clustered multicarrier network core, so if you are not providing some level of access control in and out of the network, I'd offer you are not providing a truly secure infrastructure solution. We start there.
We are focused mainly at this point with AppGate at controlling the conversation between the user device and the system applications themselves. One of our other acquisitions, a company called Catbird has done some innovative work in terms of east/west segmentation in virtual environments, which is notoriously difficult otherwise to see, to stop the spread of how machines can talk to each other in a large virtualized farms as well, and so it's the infrastructure where we principally focus.

>> Where are we, or maybe where are you guys in this revolution of information security? Are we at the forefront of massive change? What is Cyxtera's view on that?

>> I think we are at the beginnings of a revolution that's about 20 years late. If you can kind of carbon date year zero of modern IT at around 1996, which is the advent of the Internet as a commercial and consumer force, that was the revolution for enterprise IT. That was the moment that we had to move IT outside the four walls of the machine room on the corporate campus. Prior to that, the applications all ran on big beige boxes in one room. The users were largely tethered to them by smaller beige boxes in other rooms, and the notion of perimeter security worked. It was a valid construct. As soon as enterprises had to start thinking about an increasingly global user base, as soon as users started to connect from all over the place, the concept of this perimeter goes away. Over the last 20 years, you've seen revolution after revolution in the way in which we design, provision, deploy, manage and operate our business applications, our development frameworks, and our infrastructure. We've revolutionized for availability. We've revolutionized agility.
We've turned IT into a real-time API driven motion, and we've revolutionized for scalability with platforms like AWS just industrializing this real time IT on a global scale, and if you took a systems administrator from '96, and you showed them IT today, I think you have some explaining to do. If you took a security administrator from 1996 and showed him 2017, I think the construct would be familiar. We are still hardware driven in a software defined world. We are still assuming that access is static, that it's never changing, that it's predicated on the users being someplace, the applications being another, and again, in a world of real time IT, a world in which our underlying application footprint changes without any human intervention whatsoever, and I think you see with WannaCry, with NotPetya, with all of these attacks, the commonalities that they have in the terms of the reason they were so devastating is one, they take advantage of lateral spread. They take advantage of riding an authorized access into a corporate network where port scans show up 10,000s of ports where you can rattle the handles, break the locks, and spread like wildfire, and two, in the case of something like WannaCry, days after we realized what the problem was, we were unable to simply alter as an institution, as an industry, or as an enterprise access policy at the press of a button until we could get things patched. We had to sit, and wait, and watch the fires continue to burn, so it's a question of security being insufficiently agile, insufficiently automated and adaptive, and insufficiently software driven. We think that is just starting. I think on the SDP side, we've noticed in the last six months the conversation changing. We've noticed customers who now have SDP mandates internally who are seriously starting to evaluate these technologies.

>> Wow, it sounds like Cyxtera is at the beginning of being potentially a great leader in this security revolution.
We wish you, Simon, and the entire company the best of luck. We thank you so much for joining us on theCUBE, and we look forward to hearing great things from you guys down the road.

>> Much appreciated, thank you both.

>> Absolutely, for my cohost, Keith Townsend, I'm Lisa Martin. You are watching theCUBE's continuous coverage of AWS re:Invent 2017. Stick around guys, we will be right back.

Published Date : Nov 29 2017
