Search Results for Dan Hubbard:

Dan Hubbard, Lacework | Cloud Native Insights


 

>> Narrator: From theCUBE Studios in Palo Alto and Boston, connecting with thought leaders around the globe, these are Cloud Native Insights. >> Hi, I'm Stu Miniman, the host of Cloud Native Insights. And when we started this weekly program, we look at Cloud Native and you know, what does that mean? And of course, one of the most important topics in IT coming into 2020 was security. And once the global pandemic hit, security went from the top issue to oh my gosh, it's even more important. I've said a few times on the program while most people are working from home, it did not mean that the bad actors went home, we've actually seen an increase in the need for security. So really happy to be able to dig in and talk about what is Cloud Native security, and what should that mean to users? And to help me dig into this important topic, happy to welcome back to the program one of our CUBE alumni Dan Hubbard, he is the CEO of Lacework. Dan, thanks so much for joining us. >> Thanks Stu. Happy to be here. >> Alright, so we don't want to argue too much on the Cloud Native term, I agree with you and your team. It's a term that like cloud before, it doesn't necessarily have a lot of meaning. But when we talk about modernization, we talked about customers leveraging the opportunity in innovation and cloud security of course is super important. You know most of us probably remember back, you go back a few years and it's like, "Oh well I adopt cloud. "It's secure, right? "I mean, it should just be built into my platform. "And I should have to think about that." Well, I don't think there's anybody out there, at least hopefully there's not anybody out there, that thinks that anything that I go to will just be inherently fully secure. So give us a little bit if you would, you know where you see us here in 2020. Security's a complex landscape. What are you seeing? 
>> Yeah, so you know a lot of people as you said, used to talk about what's called the shared responsibility model, which was the cloud provider is responsible for a bunch of things. Like the physical access to the data center, the network, the hypervisor and you know that the core file system and operating system and then you're responsible for everything else that you could configure. But there's something that's not talked about as much. And that's kind of the shared irresponsibility model that's happening within companies where developers are saying they're not responsible for security saying that they're moving too fast. And so what we are seeing is that you know, as people migrate to the cloud or of course are born in the cloud, this notion of DevSecOps, or you know SecDevOps whatever you want to call it, is really about the architecture and the organization. It's not just about technology, and it's not just about people. And it's more about layer seven and eight, than it is about layer one to three. And so there's a bunch of trends that we're seeing in successful companies and customers and prospects will be seeing the market around how do they get to that level of cooperation between the security and the developers in the operation teams? >> Yeah Dan, first of all fully agree with what you're saying. I know when I go to like serverless.com they've got everybody chanting that security is everyone's responsibility. You know I think back to DevOps as a trend, when I read the Phoenix project it was, oh hey, the security is not something that you do bolt on, we're looking at after it's something that you need to shift into everyone thinking about it. Security is just going to be baked in along the process all the way. So the DevOps fail us when it comes to security, why do we need DevSecOps? You know why are you know as you say seven and eight the you know, political and organizational challenges still so much of an issue you know, decades into this discussion? 
>> Yeah. You know I think there's a few moving parts here and kind of post COVID is even more interesting is that companies have incredibly strategic initiatives to build applications that are core to their business. And in post COVID it's almost existential to their business. If you think of you know, markets like retail and hospitality and restaurants you know, they have to figure out how to digitize and how to deliver their business without potentially physical you know, access to two locations. So as that speed has happened, some of the safety has been left behind. And it's easy to say you have to kind of you know, one of our mantras is to run with speed and safety. But it's kind of hard to run with scissors you know, and be safe at the same time. So some of it is just speed. And the other is that unfortunately, the security people in many ways and the security products and a lot of the security solutions that are out there, the incumbents if you will, are trying to deliver their current solution in a cloud way. So they're doing sometimes it's called Cloud built or you know what I call Cloud washing and they're delivering a system that's not applicable to the modern infrastructure in the modern way that developers are building. So then you have a clash between the teams of like, "Hey I want to do this." And then I'd be like, "No you can't do that get out of our way. "This is strategic to the business." So a lot of it has just been you know, kind of combination of all those factors. >> Alright so Dan, we'll go back to Cloud Native security, you talked about sometimes people are Cloud washing, or they're just taking what they had putting it in the cloud. Sometimes it's just, oh hey we've got a SaaS model on this. Other times I hear cloud native security, and it just means hey I've got some hooks into Containers or Kubernetes. What does modern security look like? Help us understand a little bit. 
You mentioned some of the you know, legacy vendors what they're doing. I see lots of new security startups, some in you know specifically in that, you know, Kubernetes space. There's already been some acquisitions there. So you know, what do you see out there? You know what's good, what's bad in the trends that you're seeing? >> Yeah so I think the one thing that we really believe is that this is such a large problem that you have to be 100% focused on it. You know if you're doing this, you know, securing your infrastructure and securing your modern applications, and doing other parts of the business whether it's you know securing the endpoints of the laptops of the company and the firewall and authentication and all kinds of other things you have competing interests. So focus is pretty key. And it's obviously a very large addressable problem. What the market is telling us is a few things. The first one is that automation is critical. They may not have as many people to solve the problem. And the problem set is moving at such a scale that it's very, very hard to keep up. So a lot of people ask me you know, what do I worry about? You know, how do I stay awake at night? Or how do I get to sleep? And really the things I'm worried most about in the way where I spend most of my time on the product side is about how fast are builders building? Not necessarily about the bad guys. Now the bad guys are coming and they're doing all kinds of innovative and interesting things. But usually it starts off with the good guys and how they're deploying and how they're building. And you know, the cloud providers literally are releasing API's and new acronyms almost weekly it seems. So like new technology is being created such a scale. So automation the ability to adapt to that is one key message that we hear from the customers. The other is that it has to solve or go across multiple categories. So although things like Kubernetes and Containers are very popular today. 
The cloud security tackle and challenges is much more complex than that. You've got infrastructure as code, you've got serverless, you've got kind of fragmented workloads, whether some are Containers, some are VMs, maybe some are AMIs and then some are Kubernetes. So you've got a very fragmented world out there, and all of it needs to be secured. And then the last one is probably the most consistent theme we're hearing is that as DevOps becomes involved, because they know the application and the stack much better than security, it has to fit into your modern workflow of DevOps. So that means you know, deep integrations into Jira and Slack and PagerDuty and New Relic and Datadog are a lot more important than integrating to your you know, Palo Alto firewall and your Cisco IDS system and your endpoint you know antivirus. So those are the real key trends that we're seeing from the customers. >> Yeah Dan, you bring up a really important point, leveraging automation. I'm wondering what you're hearing from customers, because there definitely is a little bit of concern, especially if you take something like security and say, okay well, automation. Is that something that I'm just going to let the system do it? Or is it getting me to a certain point that then a human makes the final decision and enacts what's going to happen there? Where are we along that journey? >> Yeah, so I think of automation in two lenses. The first lens is efficacy, which is you know do I have to write rules? And do I have to tune, train and alter the system over time? Or can it do that on my behalf? Or is there a combination of both? So the notion of people writing rules and building rules is very, very hard in this world because things are moving so quickly. You know, what is the KMS you know threat surface? The threat attacks are just changing. 
And typically what happens when you write rules is they're either too narrow and you messed up or they're too broad you just get way too much noise. So there's automating the efficacy of the system. That's one that's really critical. The other one that is becoming more important is in the past it was called enforcement. And this is how do I automate a response to your efficacy. And in this scenario we're very, very early days. Some vendors have come out and said you know, we can do full remediation and blocking. And typically what happens is the DevOps team kind of gives the Heisman to the security team and says, "No, you're not doing that." You know this is my production servers, and my infrastructure that's you know running our business, you can't block anything without us knowing about it. So I think we're really early. I believe that you know we're going to move to a world that's more about orchestration and automation, where there's a set of parameters where you can orchestrate certain things or maybe an ops assist mode. You know for example, we have some customers that will send our alerts to Slack, then they have a Slack bot and they say, "Okay, is it okay that Bob just opened "an S3 bucket in this region, yes or no?" No, and then it runs a serverless function and closes it. So there's kind of a what we call driver assist mode versus you know full you know, no one behind the steering wheel today. But I think it's going to mature over time. >> Yeah, Dan one of the other big challenges customers have is that their environments are even more fragmented than they would in the past. So often they're leveraging multiple cloud providers, multiple SaaS providers then they have their hosting providers. And security is something that I need to have holistically across these environments but not have to worry about okay, do I have the skill set and understanding between those environments? 
Hopefully you know that's something you see out there and want to understand, you know how the security industry in general and maybe Lacework specifically is helping customers, get their arms a little bit more around that multi cloud challenge if you will? >> Yeah. So I totally agree things are you know, I think we have this Silicon Valley, West Coast bias that the world is all you know, great. And it says to utopia Kubernetes, modern infrastructure, everything runs up and down, and it's all you know super easy. The reality is much different. Even in the most sophisticated sets of infrastructure in the most sophisticated customers are very fragmented and diverse. The other challenge that security runs into is security in the past, a lot of traditional security mindsets are all about point in time. And they're really all about inventory. So you know, you used to be able to ask, you know a security person, how many servers do you have? Where are they? What are they doing? They say, "Oh, you know we have 10 racks with 42 servers in each rack. "And here's our IP addresses." Nowadays, the answer is kind of like, "I don't know what time is it you know, "how busy is a service?" It's very ephemeral. So you have to have a system which can adapt with the ephemeral nature of everything. So you know in the past it was really difficult to spin up, say 10,000 servers in an Asia data center for four hours to do research you know. Security probably know if that's happening, you know they would know through a number of different ways could make big change control window would be really hard they have to ship the units, they bake them in you know, et cetera. Nowadays that's like three lines of code. So the security people have to know and get visibility into the changes and have an engine which can determine those changes and what the risk profile of those in near real time. 
>> Yeah it's the what we've seen is the monitoring companies out there now talking all about observability. It's real time, it's streaming. You know it reminds me of you know my physics. So you know Heisenberg's uncertainty principle when you try to measure something, you already can't because it's already changed. So what does that mean-- >> Dan: Yeah. >> You know what does security look like in my you know, real time serverless ever changing world? You know, how is it that we are going to be able to stay secure? >> Yeah, so I think there are some really positive trends. The first one is that this is kind of a reboot. So this is kind of a restart. You know there are things we've learned in the past that we can bring forward but it's also an opportunity to kind of clean the slate and think about how we can rebuild the infrastructure. The first kind of key one is that over time security in the traditional data center started understanding less and less about the application over time, what they did was they built this big fortress around it, some called it defense in depth you know, the Security Onion whatever you want to call it you know, the M&M'S. But they were really lacking in the understanding of the application. So now security really has to understand the application because that's the core of what's important. And that allows them to be smarter about what are the changes in their environment, and if those are good, bad or indifferent. The other thing that I think is interesting is that compliance was kind of a dirty word that no one really wanted to talk about. It was kind of this boring thing or auditors would show up once every six months go through a very complex checklist and say you're okay. Now compliance is actually very sophisticated. And the ability to look at your configuration in near real time and understand if you are compliant or following best practices is real. And we do that for our customers all the time. 
You know we can tell them how they're doing against the compliance standard within a you know, a minute timeframe. And we can tell that they're drifting in and out of that. And the last one and the one that I think most are excited about is really the journey towards least privileges and minimizing the scope of your attack surface within your developers and their access in your infrastructure. Now it's... We're pretty far from there, it's an easy thing to say it's a pretty hard thing to do. But getting towards and driving towards that journey of least privilege I think is where most people are looking to go. >> Alright Dan, I want to go back to something that we talked about early in the conversation, that relationship with the cloud providers themselves, so you know talking AWS, Azure, Google Cloud and the like. How should customers be thinking about how they manage security, dealing with them dealing with companies like Lacework and the ecosystem you mentioned in companies like Datadog and the New Relic? You know how do they sort through and manage how they can maintain those relationships? >> So there's kind of the layer eight relationships, of course which are starting you know in particular with the cloud providers, it's a lot more about bottoms up relationships and very technical understanding of product and features, than it is about being on the golf course, and you know eating steak dinners. And that's very different you know, security and buying IT infrastructure was very relationship driven in the past. Now you really especially with SaaS and subscriptions, you're really proving out your technology every day. You know I say kind of trust is built on consistent positive results over time. So you really have to have trust within your solution and within that service and that trust is built on obviously a lot of that go to market business side. 
But more often than not it's now being built on the ability for that solution to get better over time because it's a subscription. You know how do you deliver more features and increase value to the customer as you do more things over time? So that's really, really important. The other one is like, how do I integrate the technology together? And I believe it's more important for us to integrate our stack with the cloud provider with the adjacent spaces like APM and metrics and monitoring and with open source, because open source really is a core component to this. So how do we have the API's and integrations and the hooks and the visibility into all of those is really, really important for our customers in the market? >> Well Dan as I said at the beginning, security is such an important topic to everyone out there. You know we've seen from practitioners we talked to for the last few years not only is it a top issue it's a board level discussion for pretty much every company out there. So I want to give you the final word as to in today's you know modern era, what advice do you give to users out there to make sure that they are staying as secure as possible? >> Yeah so you know first and foremost, people often say, "Hey you know, when we build our business, "you know, it'd be a good problem to start have to worry "about customers and you know, "all kinds of people using the service. "And you know, we'll worry about security then." And it's easy lip service to say start it as early as possible. The reality is sometimes it's hard to do that. You've got all kinds of competing interests, you're trying to build a business and an application and everything else depending obviously, the maturity of your organization. I would say that this is a great time to kind of crawl, walk, run. And you don't have to think about it. If you're building in the cloud you don't have to think of the end game you know right away, you can kind of stair step into that. 
So you know my suggestion to people that are moving into the cloud is really think about compliance and configuration best practices first and visibility, and then start thinking of the more complex things like triage alerts and how does that fit into my workflow? How do I look at breaches down the line? Now for the more mature orgs that are taking, you know an application or a new application or Stack and just dropping it in, those are the ones that should really think about how do I fit security into this new world order? And how do I make it as part of the design process? And it's not about how do I take my existing security stack and move it over? That's like taking, you know a centralized application moving to the cloud and calling it cloud. You know if you're going to build in the cloud, you have to secure it the same way that you're building it in a modern way. So really think about you know, modern, you know new generation vendors and solutions and a combination of kind of your provider, maybe some open source and then a service, of course like Lacework. >> Alright well Dan Hubbard, thank you so much for helping us dig into this important topic Cloud Native security, pleasure talking with you. >> Thank you. Have a great day. >> And I'm Stu Miniman, your host for Cloud Native Insights and looking forward to hearing more of your Cloud Native Insights in the future. (upbeat music)

Published Date : Jul 24 2020

Dan Hubbard, Lacework & Ilan Rabinovitch, Datadog | AWS re:Invent 2019


 

>> Live from Las Vegas, it's theCUBE, covering AWS re:Invent 2019, brought to you by Amazon Web Services along with its ecosystem partners. >> Good afternoon. Welcome back to theCUBE's coverage of AWS re:Invent 19 from Las Vegas. I'm Lisa Martin. Co-host is Justin Warren, the founder and chief analyst at PivotNine. Justin, great to have you. Great to be here next to me in the hosting chair today. Always fun. Let's have a great conversation next. Shall we? All right, please be a couple of our guests have joined Justin and me. I've got Dan Hubbard to my left, CEO of Lacework, and Ilan Rabinovitch, the VP of product at Datadog. Guys, welcome. Our pleasure to be here. Love anytime we can talk about dogs, even if there's no relation to the actual technology. Two thumbs up for me. So, but let's go ahead. I know that you guys have both been on or your companies have, but give our audience, Dan, we'll start with you on a refresher and overview. Lacework, what do you guys >> Sure. Yeah. Lacework, we wake up every morning with a goal of trying to help our customers secure their public cloud infrastructure and, or any type of cloud native technologies such as Kubernetes or containers or any microservices. So our security company for the cloud and cloud native technologies. >> Awesome. And Ilan, give us a refresher about Datadog, >> Datadog is a monitoring and analytics platform for your modern infrastructure and applications. So microservices, containers, cloud providers like AWS. We're here at re:Invent. Our goal is to help teams collaborate and understand the health of their business and their applications and their infrastructure. >> So how do you guys work together? >> So we recently announced a partnership and an integration of the intelligence and the data of all the risks and the threats that Lacework is identifying, um, being, sending those, uh, automatically inside of the Datadog platform. 
So we're, we're putting the data that from our platform, uh, directly into obviously the monitoring the metrics, uh, platform, uh, Datadog's. Yep. And so, uh, what we, when we, we were pulling, um, that intelligence from, from Lacework into our, um, into our platform for our new security monitoring platform. In addition to enriching it with metrics from our infrastructure and application monitoring. Um, we find that a lot of the, a lot of times the first signs that something's going wrong might be a change in how your infrastructure or your applications are performing or a request that came in. And so if we're able to marry the two together, it's just a much better to get, it's a better together story. >> Um, give people much, much clearer insights into what's going on. The security has been a really tricky thing to solve. Well, as long as I've been in computing, which is longer than I can remember, but, uh, walk us through what does this extra visibility actually provide to customers? One of the big issues that seems to be that security is just too hard. So how does this make security easier for customers? >> So one of the big trends that we're seeing is that security and infrastructure were in the past very separate groups. Silos, many of them didn't know each other or talk to each other. But DevOps has become a unifying force of data intelligence and infrastructure. You know, it's infrastructure as code. It's a little bit different like AWS for example, but it still is infrastructure. And so the combination of security and infrastructure comes together. >> When you get DevOps, some people call it secure DevOps, DevSecOps, DevOps, whatever you want to call it. But really bringing those two together is finally the first time really where there's a meaningful connection at the data level. It allows you to actually combine both. >> Exactly. 
And so as all of these teams are taking advantage of infrastructure as code and other DevOps best practices, the security teams are looking at this and saying, how do I get earlier in the cycle? How do I make sure that code is enforcing this? Some scaling, you know, I'm scaling with automation, scaling with code rather than with people. Uh, and then as, as they start to do that, they realize that the data that's in the security silo and that's an application or infrastructure silo, uh, is actually very relevant to one another. Right? If a crypto miner shows up on your systems, the first thing it's going to do is spike your CPU. Um, the, you know, something like Lacework will also, you know, will, will detect that as well. If we both look at both of those signals, we detect it faster. >> Yeah. So go ahead Justin. Sorry. This is a bit of it. That's the reactive side of, of security, which is, you know, there's a threat happens and you react to that, but part of DevSecOps or whichever term you want to actually use, part of that is to actually shift left and try to get rid of these security flaws before they even happen in the code, which is a lot of software development. I like to say that the first 80% of software development is putting the bugs in and the second 90% is taking them out again. So how do you help developers actually remove all of the security vulnerabilities before they even make it into production code? Yeah, >> so just like metrics and monitoring allow you to look at the quality of your infrastructure very early in the pipeline. Security needs to go there also. Um, and it's, it's really, there is no time. It's just a continuous cycle. Um, early, what we allow you to do is to look at your configuration and check to see if your configuration is changing in a way that is leaving you at risk or an exposure. 
What's particularly interesting about this partnership is that quite often security people don't know enough about the application or the infrastructure to know if it's a risk. It's actually the DevOps people that know, so security people when when we send an alert many times to security person, they scratch their heads and go, I don't know if this is good, bad, or indifferent. The DevOps people look at it and go, Oh yeah, this is definitely okay. >> Yeah, that's the way our infrastructure should work. This is the way our application should work. Or they say, Oh no, this is a big problem. Let's get security involved. So doing that early is really critical and again, >> it's all about breaking down. I mean if DevOps was all about breaking down silos between dev and operations and and other parts of the business, DevSecOps or secure DevOps or whatever we want to call it, is just bringing more people into the fold and helping security join that party, um, and get at things earlier in the cycle so we can catch it before it, you know, before, before there's a breach that's in the news, >> right? To be able to be predictive, which is, and then prescriptive, which is about a lot of businesses would love to be able to be, I'd like to get your opinion, Dan, on how cloud >> native cloud and the tra, the transformation of cloud technologies is changing the conversation within the customer base. One of the things Andy Jassy said yesterday is that transformation has gotta be driven from the top down like true business transformation. So that you know, a company is an Uber I's for example. Are you seeing that? Are these, are these, for example, what you're talking about with enlightening the DevOps folks and the security folks, bringing them together so that they can be more collaborative? 
Are you seeing that come from more of a top down approach in terms of how do we leverage our data better, make sure that we have security and are able to securely extract insights from the data? Or is it still kind of from both ends? It depends on the, >> but he, it's, it's very diverse. Uh, what we see a lot is in large, uh, large companies that are migrating to the cloud but weren't born in the cloud. Every company they're buying is a cloud native company. So they buy these new companies and they look, everyone looks at the new company goes, wow, that's amazing. They can move so fast. They, they are, you know, super forward thinking and they're pushing code and are more efficient than us. We want to do that also. So it just kind of breeds the innovation and the speed from an M&A perspective. You know, in the, in the cloud native side, what we see is, it depends on your tenure as a company when you really want to take security seriously. You know, usually B2B companies take it more seriously than B2C for example. But it's usually, it's when your customers start asking you how secure are you, is when people start paying attention. >> We would like it to be before that. Right? And it's not always, you know, before that. Yup. I mean, I think it's from both directions. It depends on the size of the company and the culture, but you can't dictate culture. Right? So, uh, and a lot of, a lot of this, a lot of these silos and a lot of these sort of, these camps and fiefdoms that start to exist within organizations that have caused these groups to be separate. Um, they weren't necessarily top down. It's just, you know, it's a, it's human to human interactions. And so you, you, you can't just walk in and say, you must now be collaborative. Um, the executives have to beat that drum and help people understand why that's important to the business. 
But the folks on the ground have to actually want to be at one, want to be friends, want to talk, want to collaborate on projects, want to pull people in earlier. >>Um, and once they have that human connection, it's a lot more successful. So you have to do both. Yeah. Well, I mean what we're seeing is as it becomes more distributed and security is more centralized, you run into problems. So the people that are getting it right or are distributing security as close to those teams, whether it's a scrum team, a weekly get together, you know, whatever it is to get that human interaction together because you don't understand the application and what people are working on. How are you going to understand the risks and the threats in the models. So distributing it is really key and it's important those security teams understand the business requirements as well. Sometimes the most secure answer isn't necessarily the answer that actually serves their customers. Sometimes some, and sometimes app teams don't understand the trade-offs that security people may understand. So it has to be, it has to be a partnership. Yep. >>You mentioned culture change is probably >>harder than anything else, especially if there's a legacy organization. And Dan, to your point, a lot of the acquisitions they're doing are cloud native companies who are presumably much fresher, maybe have a younger workforce. That's hard to do. Ultimately though, what a business needs to look at is legacy business. There's probably somebody in my rear view mirror is a lot closer than I might think that is more agile, more nimble than we are, has great technology and the aptitude and the culture to be able to move faster. How do you see some of these enterprises that you work with together? Let's put them in the context of they're an AWS customer. How are you seeing these enterprise organizations that are adopting and acquiring cloud native businesses? 
How are they able to pivot at the speed they need to use cloud technology, understand the security issues that they can remediate and really take that data to what it should be, which is a business differentiator. >>Yeah, I mean, you know, a lot of the times you run into the DevOps people say security slows us down. They're getting in our way and security says developers are insecure that, you know, we're totally gonna get breached. So, um, you know, one of our mottoes is you got to move with speed and safety. Um, as soon as you get in the way of anything. You know, typically the developer and the application's going to win. So you got to figure out where to get involved in that. And really big companies, what we've seen that are very acquisitive is they're moving the security to a central governance role, um, and maybe have tooling and uh, you know, some specialty teams and then they're distributing security baked as deep into the development infrastructure as they can. And then they have groups which kind of work together, uh, you know, broadly across that. >>So you can structurally set it up that way I think. And if you have the incentives right now, you know, nobody's looking to create a security breach, or a vulnerability there. Gold engine engineers and your employees have your best, the company's best intentions at heart, otherwise they wouldn't, they wouldn't work, you know, work there. So they're looking to do the right thing. You just have to make it easy for them with, and some that's tooling. Some of that's culture. Some of that's just starting the conversation, not the day of the release started, you know, start it when the first line of code is being written, what would it take for us to solve this problem in a secure fashion? And then everybody was happy to work together. They just don't want to redo things. You know, the, the, the day before the launch should have to, you know, be slowed down. 
>>Well that technical debt becomes a real problem. Right? Yeah. I think one of the great things about, uh, you know, our technical, uh, partnership and integration here is security in the past has always been just very binary. Are we insecure, secure? That's it. We're actually, there's all kinds of nuances around it and that's what lends itself to metrics. If, you know, what are our metrics? How are we doing, what's our risk? What's our exposures? Is it getting better over time? Is it worse over time? So there's always the doomsday scenario, but there's also the, what's happening over time and are we getting better at what we do? And metrics really lends itself to that. And that comes right back to that, to that, uh, you know, some of DevOps philosophies of continuous improvement and continuous learning, uh, you know, bringing that into the world of security is, is just as critical. >>So you, so you mentioned, you've mentioned culture, you mentioned transformation, you mentioned metrics. So three things very close to my heart. Uh, we keep hearing this security is becoming a board level conversation. So a lot of this is very technical and, and DevSecOps is down here with the technical people, but that structure of the organization that you referred to and, and changing that structure and setting the culture that tends to come from the top level. And we heard from Andy in the keynote yesterday that that is very, very important. So what are the sorts of conversations you're having with senior management and board level from what your products do together? What does that look like from the board's perspective? So learning to manage risk, looking at how are we doing, how much of what you do is actually available to the board for them to make their job easier. >>I think one of the exciting trends is that compliance is cool again, right? Compliance, it's never a cool thing, you know, flight's kind of a boring thing. 
The auditors come in once a year, you know, you get stuck with it and away you go. Um, but now compliance is continuous. It's always running and it's more about risks and exposures and Mia adhering to compliance via the risks and exposures executives get, ER, it's very challenging to explain things like Kubernetes and pods and nodes and all these technical acronyms and mumbo jumbo that we live in every day, you know, in this world. But compliance is real. Are we PCI, SOC 2, NIST, are we, are we applying best standards and best practices? So the ability to pull that in either via a metrics dashboard or through measurable things over time, I think is really key. As part of that. >>And similarly as, as, as filter moving, you know, whether whether they're moving new application, existing applications from, uh, you know, legacy or on prem environment into the cloud or building something from scratch. Um, it's, you know, visibility on compliance is important. We can bring that into our dashboards, into our, into the tooling that executives can look at over time. But also just understanding, am I done with the migration? Is my application there? Um, taking this nebulous thing that is a cloud and making it a tangible asset that you can look at and see the health and progress on over time and Datadog has significantly sped up. Many of our customers' cloud migrations, um, they often get stuck in a sort of analysis paralysis. Are we, are we performing the same as we did in the data center? I don't know. Uh, are we as secure? Can we move this workload and tooling like Datadog, like Lacework and the two together helps them put that into something concrete that they can say, actually, yes, we're ready to go. >>Or no, there's these three things we need to do first, let's go do them. Um, it's really challenging if for, um, traditional security people and this new world order because it's very ephemeral. Things change all the time. 
You know, it used to be like, I got five racks, I got 22, you know, 2200 servers. These are the IPs and that's it. Now it's like, what time is it? I don't know what I have, you know? So I think visibility's key, you used to be able to have a server that you might've monitored throughout your tenure at a company. Now you probably can't monitor it through the tenure of your lunch. Yeah. Yeah. >>Last question for you guys is how much do you see a lift or an impact from something like the Capital One data >>breach that happened a few months ago? You talked about, you know, B2B being more on it in terms of B to C, but we see these breaches that and many generations that are alive today understand to some degree is that in terms of getting insight into where are all of our risks and vulnerabilities and needing to get that visibility on it, do you see some of these big breaches as, um, catalysts for businesses to go, Oh, we have a lot of stake here. We don't really, and try to understand what the heck's going on and what we own. >>I mean, security has a very bad reputation of fear, uncertainty and doubt. And, you know, I've been in the, in the industry for a long time. Um, that said, you know, those moments do, uh, get up very high. Um, especially somebody like Capital One who, who's one of them, known to be one of the most sophisticated cloud security organizations on the planet. Um, so it certainly piques people's interests. Um, you know, I think people get carried away maybe on the messaging side of things, but you know, in order for security market to get really big, you have to have a big IT transformation trend. You have to have a very diverse attack surface and you have to have the beginnings of breach. If you don't have the beginnings of breach, you spent all your time convincing people there may be a problem. And because there is problems that are happening almost every weekend are getting published. >>Um, they know many of them are, are, are being acknowledged. 
Uh, you know, publicly it does help, you know, it definitely helps the conversation. You know, I don't think that there's a lot more, there are a lot more breaches in the news off to some extent because there's a lot more tech companies using going through these digital transformations, having tech news. I don't know that this is cloud versus not cloud. What cloud does, however introduces new concepts and new workflows that security teams need to understand and that application teams, they understand. And so this is where the new breed of tooling and education comes in, is helping people be ready for that. Um, and yeah, of course anytime there's a headline on, you know, the big on any of the big news shows, of course the first thing we're going to do is say, well clearly there's a, they're going to bring on, they're going to bring on Dan or you know, you know, uh, one of our security experts or somebody in industry to talk about how you prevent that in the future. >>And so it, it does bring some attention in our way, but it's, uh, I think that's great. It's just finding people that what's important. And one of the conversations we have with our prospects is, uh, have you ever had a breach before? You know, they're always going to say no, of course. But then you ask, how do you know, how do you know? How do you really know that? And then let's walk through how you would actually find that out if you did know. And that's a very different conversation than, Oh, my traditional data center, I would know this way. So it's just very different. >>Interesting stuff, guys. Thank you for sharing with us and congratulations on the integration with Datadog and Lacework. We appreciate your time. Our pleasure. For Justin Warren, I am Lisa Martin and you're watching theCUBE live from AWS re:Invent 19 from Vegas. Thanks for watching.

Published Date : Dec 4 2019


Dan Hubbard, Lacework | CUBEConversation, September 2019


 

(upbeat music) >> Woman: From our studios in the heart of Silicon Valley, Palo Alto, California. This is a Cube Conversation. >> Hello and welcome to the Cube studios in Palo Alto, California for another Cube Conversation where we go in depth with thought leaders driving innovation across the tech industry. I'm your host, Peter Burris. One of the biggest challenges that every enterprise faces as they try to keep up with competitors today, is how to introduce the speed of adding new digital services, new digital capabilities, new types of customer experience, new types of operational challenges, et cetera, but do so in a way that retains the safety that's associated with traditional ways of doing IT. That leads to a set of tensions that exist between how DevOps, which is really driving that new speed equation, and security, which has been historically the locus of thinking about how to ensure that assets, digital assets don't get misappropriated by the business and by bad actors. So the big challenge is how can we bring people, the technology, and the processes together so we can achieve both the speed as well as the safety that are required to really drive business forward. So to have that conversation, we're joined by a great CEO today, Dan Hubbard who's the CEO of Lacework. Dan, welcome to the Cube. >> Thank you, great to be here. >> So let's start by getting a little bit about Lacework. Tell us a little bit about Lacework. >> Sure, yeah, so Lacework we're really excited. Recently we raised another round of funding which is going to really allow us to focus totally on this problem which is how do we balance speed and safety in how we secure these modern architectures and infrastructure in cloud security? >> All right, so let's talk about, I mentioned up front that this notion of speed and safety, it's more than just a technology problem. It goes deep into how businesses run their enterprise today. 
What are the experiences that you see your customers having as they conceive of how to move forward to this new world? >> Yeah, so for cloud migrants what's happening is the development groups and applications are moving to the cloud at a very rapid rate, and every company that they're buying is cloud born, and they're moving at a really quick rate, and they're leaving security behind. So from the people aspect, the security people need to get involved with the developers to figure out how they can work in this, you know coexist in an environment that allows them to deliver obviously both security and speed, or speed and safety. >> So the problem is essentially that we need to move fast as a consequence of competition, and technology change, and achieving, you know being more opportunistic which is a fundamental tenet of agile and business today, but we need to do so in a way that provides the set of assurances that are required by compliance, by law, by new privacy regulations. How are you seeing customers solve this problem generally? How are they even thinking about solving it. >> Yeah, so I think the first thing is how they're not succeeding which is, you know, typically they go to their incumbent vendors, security vendors, and attempt to apply something that is not purpose fit for this new infrastructure, being in cloud and cloud native. So things like taking a firewall and calling it a cloud firewall isn't working. Things like taking traditional technologies like antivirus or next generation antivirus is not working. And what we're seeing working is when you really step back and they really start to understand how people are building and developing their code, pushing it out. What does that build time to runtime environment look like, and what are the services they're using, and they need to apply some relatively fundamental security practices to it. How do I get visibility over time in real time? 
How do I attain compliance that is important to my company, PCI, SOC2, NIST, you know HIPAA, whatever is important to you, and then how can I assure that we haven't had a breach, and if we do, how can we triage that breach? >> So in many respects we are trying to bring tried and true security concepts to this new world, but we need to do so in a way that doesn't drag along the technology limitations or that technologies were necessarily applied to securing an old style of infrastructure. Have I got that right? >> Yeah, absolutely. You know there's a number of things in technologies that are really critical here, but also on the people side. You know we can't bring over some of the old processes, for example change control windows. You can't have a change control window in something that's running, and you're pushing code a thousand times a day. There is no change control window. You're just doing it all the time, but you need to do things in a way that is mapping to the automation and the scale that's happening. In order to do that, you need definitely some technology, and people, and processes. >> So it sounds like what you're suggesting is we have to incorporate security directly into the DevOps process so that we at least feature some notion of a Pareto principle where each new push is at least as secure as the previous one, but ideally we're making things more secure as we go along. >> Yeah, I mean understanding change is really critical because things are changing so quickly. You know what we're seeing in a lot of companies is a shift over to security as a governance and tooling org., and then security engineering which is baked within DevOps teams. Whether it is a guild of people that are connected to the application developers, or right within the stand up, or the group directly. >> But if I think about kind of the outcome of DevOps, the outcome of DevOps really is this kind of more modern approach to thinking about technology resources. 
Service is a term that's thrown and it means a lot of things to a lot of people, but to a DevOps person, they create something that can then be used as a service by other folks within the organization. One of the fundamental challenges here it seems to me is that historically we've tried to secure the server, or the PC, or the network, or the perimeter, or whatever else it might be, but really this cloud native approach is securing some outcome, some capability, and that's really increasingly what we've got to focus on whether we call it a service or something else. Have I got that right? >> Yeah, absolutely, and you know I think we spent years kind of surrounding the applications in the development, really partly because we may have not been involved, so it was great. We had firewalls, we had defense in depth, multiple layers that we added on top of the next layer, and everything else, and really what needs to happen, it needs to be integrated. And you know, in order to integrate into the services world, it needs to be as a service. So your security needs to be a service that isn't surrounding, it's actually integrating directly, and that's partly from a process perspective, also from a people as we talked about, but also as a technology. It's got to be really baked into the solution. >> So one of the things we've seen in our research of Wikibon is that there are, as we think about how to introduce these new capabilities into this kind of DevOps culture, this DevOps approach to building new IT assets, new business capabilities, that if the solution itself doesn't correspond to a way that DevOps works, it itself gets abandoned. I mean it might integrate at some point in time in the future, but if it doesn't naturally fit into how things operate or how things evolve, then it gets abandoned. How would this new class of security products or services look so that DevOps picks it up, gets the best IP associated with the best security today? 
>> I think the first one is it can't be intrusive. So you know when you talk about blocking and tackling, it needs to be more about building and engineering than blocking. So you really need to make sure that you're not going to adversely or inadvertently affect the application and the service that's being run. So it's really important to the company. And anytime you introduce that, you're going to get blocked out, or you're not going to be involved. The other is that it needs to pair to the tooling that is there. For example, you know our service integrates DarkLink, to Jira, and PagerDuty, and Slack, you know, real modern ways that DevOps work. So it needs to be directly integrated, and lastly the service and the context need to deliver information that serves two audiences, the security people, and the DevOps people, because the DevOps people are often the ones that are triaging, or they know the application and the information, the infrastructure's code, and the security people may not. So they have to work together and provide both of those. >> So as we think about what a modern secure DevOps function's going to look like, give us kind of the picture of what it looks like in three years. How are they going to be working together, and what are they going to be using to do so? >> Yeah, so I don't think there's, like this isn't the end of the CISO. There's still going to be a CISO. It's an incredibly important role. I think they're going to move a little bit more towards governance, compliance, and tooling. They may have a tooling org. You know for us, it's more important that we interoperate with open source and the cloud providers than we do with other vendors. So having tooling to do that is really critical. >> Peter: Especially in the visibility side. >> Absolutely, yeah getting visibility's key, and then there's going to be more security engineers. 
These are people with DNA in security but also are coders, versus the real deep threat specific environment that we see today. You know I would argue there's probably more people that write code and understand assembler than there is in Python and Go. So you know DevOps people, they don't know what assembler is, or are using assembler, so that is still important. There are still attacks. You need to deconstruct them, you need to understand them, but there's a lot you need to do on the security engineering side, which is really how do I program this service? How do I automate and orchestrate it? >> So today this is kind of where we're going. It makes perfect sense, but that's not where a lot of organizations are today. You mentioned the difference between built in cloud and migrating to the cloud. Give us a little bit of insight, visibility into how some of those migrate to the cloud shops are taking this roadmap as they move forward. >> Yeah, it's super interesting you know? We have customers that span across cloud born, you know more startupy, very tech savvy, and then very traditional, very large Fortune 50 companies. In the latter they're doing a couple things. One is they're trying to figure out how do I migrate a traditional app that's been built in a way, not for the cloud, to the cloud. That's kind of one, and there's all kindsa reasons why you'd want to do that, scale, performance, reliability, et cetera. The second is that they're being told or have initiatives driven from the top called cloud first, which means that everything new has to be that way. It has to be cloud native, and it has to be delivered as a service. And then the last one is that when you actually are building an application, and you're a new company, you're probably going to get acquired by one of these larger companies, which means that a cloud migrant becomes a cloud native company by definition because the company's they're buying. So it kind of spans across those three areas. 
What we run into though is that especially if they buy a company, they're very modern in how they think. They've got very modern practices, and then the traditional security people are going, oh who are these, what is this new technology? How do we interoperate, how do we take our policies, our practices, our functional organization and map those together? So they're really startin' to figure it out. So I think we're kind of in this middle ground. There is very forward thinking companies that have moved more forward, but still it's very, very early, and we talk to customers, we run workshops with customers, and a lot of it, just bringing the teams together and understanding both worlds, and getting to know what are the DevOps, things that they're working on, what are the security people, how do we meet in the technology, and then in the process side. So it's a little bit all over right now, and I think it's probably going to get worse before it gets better, but I think down the road as people deploy things like Kubernetes and containers, and services that are built a little bit better with resiliency into them, it's going to be a more secure place. >> Dan Hubbard, CEO of Lacework. Great conversation about speed and safety. Thanks for being on the Cube. >> Thank you very much, nice to be here. >> And once again, I'm Peter Burris. Thank you very much for joining us. Until next time. (upbeat music)

Published Date : Sep 17 2019


Dan Hubbard, Lacework | AWS re:Inforce 2019


 

>> Live from Boston, Massachusetts, it's theCUBE, covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. >> Welcome back, everyone. theCUBE's live coverage here in Boston, Massachusetts, for AWS re:Inforce. First inaugural conference around security. I'm Jeffrey. David Lot there. Next guest is Dan Hubbard, CEO of Lacework. I've started at a Mountain View, California. Great to have you on. Thanks for joining us. >> Thanks. Thanks for having me. >> So, you know, re:Invent was developers. re:Inforce is kind of like CISOs, coding security, cloud and intersecting with security. This is a new kind of show. What's your take on? >> Super impressed so far. I mean, there's about 1000 people here, you know, we have literally hundreds of demos lined up in the booth, so really impressed so far. First impressions. >> It's a good move for Amazon to do a security conference, don't you think? I mean >> really smart, really smart. It's a lot more about defending than a lot of security conference about offense and vulnerabilities and how to find kind of holes and weak cracks. This is really about how do we defend, you know, our security in the cloud >> Talk about your company. Your mission? You guys air started going after a hot space. CISOs or CEO spending Talk to They want a new breed of supplier service provider. Certainly cloud API is gonna be critical in all of this. So you start to see really smart platform thinking, systems thinking around companies around the security challenge and opportunity. What? What do you guys do? Explain what you guys? >> Yes, we really believed you know, this new wave of cloud IaaS and PaaS really needs a new architecture. It's a whole new architecture from an IT perspective. So we need a new architecture from a security perspective. And the great thing about the operating model is you could do a wide set of things and then go deep in the areas that are really important. 
So what Lacework does: we allow you to secure IaaS and PaaS services with compliance, configuration, host and container security. There's one platform that kind of wraps across all of those >> different, targeting developers, right? So they don't have to think about security all the time. Is that the core thing? >> Yeah, definitely. So in almost every case, security is unlocking the budget. However, DevOps is involved; DevOps is involved from an influence. But, you know, it used to be that developers would ask security for permission. Now security's going back to developers and asking for permission to secure >> infrastructure. You said that the architecture is gonna be different because the IT is changing. So cloud security needs a new architecture. What are the fundamentals of that architecture, and how is it different from security on-prem? >> So I think it has to be SaaS. So it's gotta be delivered multi-cloud, from the cloud. You know, we're gonna secure the cloud, it really should be from the cloud. There's business models that should be different. It's almost always a subscription, not perpetual models. You know, you're annually recurring your revenue. You're always keeping your customers happy and you're always innovating. The pace of innovation has to be really quick because the pace of the cloud is moving at such a dramatic speed. >> So those are kind of business oriented, you know, that's kind of a different definition of architecture. Technically, is it a fundamental do-over or is it fundamentally similar? >> Well, you know, there's some of the tenets which are the same. You know, we need to get visibility. That's very similar. You know, we have controls, we need to have auditing. We need to find threats. However, the way you do it is very different. So you don't own the hardware, you don't own the racks, you don't own the network. You gotta get used to that. You gotta live above the responsibility line.
You have to fit within their infrastructure. So what that means is you need to be very API friendly, because we're sucking in a lot of data. On Amazon we're pulling in configuration, CloudTrail data, and you'll have to be able to deploy inside their infrastructures. We support things like Kubernetes, things like Docker, or we also interoperate with things like bare metal and, you know, in the AMIs themselves. >> What problem do you guys solve? Every startup has that cultural doctrine, and then sometimes you weave into a market and also you get visibility into a key value prop. What's the key problem that you solve? What's the benefit? >> So the key value we solve is, if you are in the cloud or migrating to the cloud, we give you compliance, configuration and threat protection across all your clouds. So, irrespective of which cloud you live in or operate in, we give you one central threat detection engine, which gives you visibility but also gives you compliance and controls into that. >> So Amazon has this, you know, shared responsibility model. They're protecting the compute, the storage, the database, and customers are responsible for the endpoints, the operating system, the data, etcetera, etcetera. And Amazon certainly has tools to help them. What is fuzzy to me sometimes is, you know, where AWS leaves off and where ecosystem partners like you guys come in. You obviously have to keep moving fast, to your point. Absolutely. Can you help us sort of squint through that maze? >> Sure. Yeah. I mean, the easiest way that I can explain it is, if you could configure it, you have to secure it. Everything below is the provider's responsibility. That said, there are different areas where things are kind of peeking through the responsibility lines. So what I see is a world where there's not 50 security vendors that you've bought, like on-premise or in a traditional data center, but you're interoperating with a provider.
So you know, the big three providers, open source, and then a solution like ours. So it's more about how do we interoperate there together. But what we do is we sit actually right within your container, on the hosts themselves, with an agent, and then we suck in their API. So technically, it's a little bit different. >> So the threat of containers is an interesting topic, right? You're spinning them up. It makes VMs look like child's play. Yeah. So are you using specific techniques to sort of fake out the bad guys? Make it, you're raising the bar on them and their cost, using sort of algorithms to do that, spin them up, spin them down. You know, like the shell game of asking you. >> What we do is we get baked right into your infrastructure. Every single time you deploy and run through CI/CD a new container or a new app, we're baked in there, and what we're doing is we're looking at all your applications, processes, the network traffic, and then we look for the known bad and the unknown bad based off of that. >> So it's native security in the container at the point of creation, not an afterthought. Correct? Yep. >> What's your take on the Kubernetes landscape? Obviously, pretty much everyone's kind of consolidated around that as a de facto standard. That's good news, wouldn't it? Kubernetes does all kinds of stateless, stateful applications; that becomes, like, a service mesh conversation. You got all kinds of services that could land out there, automating all these things, these resources being turned on, turned off in real time. >> It's >> a log it >> all. It's incredible. I think K8s is the fastest growing enterprise open source project ever. You know, every customer we talk to is either in the midst of migrating, migrated, or just thinking about it. That said, the world is looking to go multi-cloud. But most customers today have a combination of on-premise, bare metal, AMIs, Kubernetes, containers.
What we're doing is we give you visibility into your Kubernetes infrastructure. So we talk pods, nodes, clusters, namespaces, and we allow you to secure the management plane, any communication between those. So it's really critical when you're deploying those, from a security perspective, that you know what's happening. The ephemeral nature of it is very different from regular security too. You need to answer questions like what happened for 10 minutes during this time from six months ago, and that's really hard with traditional >> tools, really are. And that's really where automation plays in. Talk about the journey of where your customers are going out, because we're seeing a progression, kind of categorically three kind of levels. I really wanted to go to the cloud. I really want to convince you that cloud every aspiration. Yeah, not realistic, but it's on their plans. Then you've got people who go out and do it, get stuck in the mud, the wheels are spinning, culturally, whatever's going on. And then full-on cloud native, hardcore DevOps, eating glass, spitting nails, just kicking ass and taking names, right? So you get the leaders, people who are kind of in the middle, and then people jumping in. Where do you guys see your benefit? What are some of the challenges? How do you guys >> I think it's a super dynamic marketplace, because what's happening is every big company that may not be fully cloud native is buying companies that are cloud native. So then they become the sexy new way to deploy, and then they start to figure out how to deploy there. So one of the trends we're seeing is core centralized security is becoming governance and tooling, and then they're distributing the security function within the app teams themselves. And that model seems to work really well because you've got security practitioners baked within the DevOps team, but then you've got a governing role with tooling, centralized tooling, from there.
That said, depending on the customer or the prospect, it's all over the place. You know, many CISOs, they're scratching their heads saying, no, you know, I don't know what's going on with the cloud guys. They've got a different group that's running it. They're trying to figure out, how do I just get visibility? I know my name's, you know, I'm the one they're gonna come after if there's a problem. So it's really all over the place. >> For your service. So you're baking it in creatively into the container. >> Yep, it doesn't matter. >> You're aware, if you will. >> It doesn't matter if you're on-premise or not, containers or not, we work across all of them. >> Was that the hook for your sort of original idea, your business plan? Your investors, you've raised, I think, 32,000,000. You got 70 employees. What was that hook? What attracted the investment community? >> The original idea was, if you're deployed in the cloud and you have a breach, how do you know you had a breach? Things that happen to come and go very quickly. All the data's encrypted on the network. I don't have full visibility on the network itself. So that was the original idea: how would I go back in time, kind of time machine, to find out what happened then? We originally supported AWS, and it was really about visibility within AWS infrastructure. Then Kubernetes happened. Now the big hook really is: am I using containers? Am I using Kubernetes? And then how do I make sure I'm compliant and then following best practices? And then that breach scenario still definitely happens. Everybody tries the service before they buy it. They're almost always finding out problems along the way. >> What did Kubernetes do for you guys that made a consensus step-function change for what you guys were doing? Was it because they had the dynamic nature of the services? Was it orchestration? What specifically was the benefit?
>> I think the orchestration, the single management plane from a security perspective, is one of the big things. You get access to that one brain, if you will. You have access to everything. Obviously, the ephemeral workload is big. Then it was enforcement: Kubernetes with service meshes, things like pod security policies, allows us to hook APIs in a way that you can actually write enforcement, versus a firewall or some of these old school ways of killing packets. >> Yes, you got a cloud native approach. Kubernetes comes along. It aligns with your sort of philosophy and >> architecture, and we run K8s ourselves. So our entire infrastructure is based off of Kubernetes. We were a Kubernetes user very early on, so, you know, we just take the things that we learn to our customers. >> So here's a quote from a CISO. I won't say his or her name, but I want to get your reaction to it. When talking about dealing with suppliers, looking for the new generation of, like, what you guys are doing, I would put you in the new classification of emerging suppliers. This is the message to all the suppliers in the room, I happened to be in there: have an API and don't have it suck, because UI is shifting to API. UI focus is shifting to API focus. So we are evaluating every supplier on their APIs. Your reaction to that? >> I absolutely agree. So there's two levels of APIs. One is you have to interoperate with the guys from the providers in order to get the data properly, right? That's a big, big component. The other is you have to have APIs for your consumers. You can't automate without an API. So that's really critical. That said, I will disagree a little bit on the UX and UI aspect. If you are triaging data, it's really important that you have the right data at the right time, and visualizing that data in a way, it's pretty important. >> How real is multi-cloud, in your opinion? I mean, everybody's talking about multi-cloud. A lot of times we've said multi-cloud.
It's none of us a symptom of multi-vendor. But increasingly it could be a strategy. In terms of your thinking about your total available market, your market opportunity, how real is it when you're conversations with Coast? >> It's very real. We were really surprised. We first started supporting AWS, and then we added GCP and Azure together. Now we have a core principle that everything we build has to be at parity across all the clouds. And we had a huge uptick across GCP and Azure very early. So we were really surprised. What we were surprised about was, it's not portable workloads. So it's not about taking one application distributed across multi-cloud. That's kind of fiction. That doesn't happen very often. It's either you bought a company that's in another cloud, or you use a PaaS service in another cloud, or you have just two totally disparate applications in a large company. They just happen to be in different clouds and the data's in different places. They don't need to interoperate, so it's just a little different, but we're seeing kind >> of horses for courses as well, right? Some clouds may be better for data-oriented. >> To your point earlier, and we've heard this in some of the CISO conversations, M&A becomes a big factor because they get new teams, a new culture, and they might have different cloud approaches. But I totally agree with you on that. I would even go further in saying it's absolute fiction between multi-cloud, because you've just got latencies on the connections, whether they're direct connections or not welcome on the factor. So I've always said, and I kind of believe it, I'd love to get your thoughts on it, is the workload should dictate to the infrastructure which cloud it should, you know, and go with one cloud for that if it makes sense, and then use multi-cloud across workloads and low can handle a better cloud. Cloud selection. Be joined by the workload.
>> Yeah, it's certainly from an out >> the other way around. >> Yeah, it's certainly from an application perspective. You want to silo it, you know, probably there. I think what's interesting about a lot of the work each provider is doing in security: a lot of people ask, well, you know, why don't I just use all my provider's security tools? And the answer is they've got some great tools. You should use those for sure, but there is a bunch of technology above that you can use. And then you've got to span across multiple clouds. What you don't want is three different APIs for security across every single cloud. That's gonna be a major pain or >> have to stitch. And that's where you guys come in. Absolutely. >> What's your take on this show? re:Inforce, again, inaugural show. Love to go to the inaugural shows, they don't have a second one because they were there. Yeah, re:Invent, you made a comment before we came on. re:Invent started out, we were there early on as well. It was developers. Yeah, there wasn't a lot of fanfare. In fact, you could wander around, Andy Jassy, it wasn't crowded at all. Great, great time. That was younger. Now Amazon's gotten much stronger, bigger. What's the vibe here? Is it developers for security? Is it CISOs? What's your read on the makeup and the focus of the attendees? >> So I think it's a little bit of a mix of both, which I think is good. You know, I've met a number of developers, or what I would call kind of new breed security engineers. These are engineers that are more interested in how does the cloud work and interoperate, and how do you secure that, versus, like, reverse engineering malware with assembler, which, you know, a lot of the other places, they're really about the threats, and what are the threats and how specific are those. This is really a little bit more about how do we up our game from a security perspective in this new world order, which is really >> get plowed.
Very agile, very fast, yet horizontally scalable, elastic, all the goodness of cloud. Final question: developers. Bottom line is developers continue to code and do the things, whether it's a DevOps culture of having a hackathon and testing new things, which is how things roll now; getting into production's hard. What's the developer's impact to security? Is the trend coming out of the show that security is baked in enough to think about it like how configuration management took that track and DevOps took that away? You mentioned that earlier you figure you can secure it yet. So a similar track for security, going the way of automation? What's your >> A lot of automation is gonna be critical for sure. And then it's gonna be a combination of security and DevOps together, you know, call it DevSecOps, code security engineer, whatever you want to call it, it's definitely a combination of both. Security people are going away, that's for sure. You know, we're still gonna need security experts. And focus is just a critical aspect about this. >> Dan, thanks for the insight, coming on here at re:Inforce. Take a quick second, give a plug for your company. What are you guys looking to do? Are you hiring? What's going on at the company? >> Sure. Lacework: we're gonna help you protect all your workloads, your configuration, compliance in the cloud, regardless of which cloud. We are hiring; website's lacework.com. And we love the culture. The culture's great: very fast moving, very fast paced, very modern. We live and breathe by the success of our customers. It's a subscription business, so now we have to continue innovating and renewing our customers. >> got smart probably to get dealing combination containers. Thanks for coming on. Your coverage here live in Boston. General David, Want to stay tuned for more live coverage after this short break.

Published Date : Jun 25 2019
