Mark Zbikowski & Blue Gaston, Polyverse Corporation | CUBE Conversation, May 2020
>> From theCube studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a Cube conversation. >> Hi, I'm Stu Miniman, and welcome to this special Cube conversation. I'm coming to you from our Boston area studio, and theCube is really mostly about people, about network, and so we're going to have a focus in, we're going to talk about some technology, we're also going to talk a little bit about careers. I want to welcome to the program, I've got two first-time guests on the program. First, Mark Zbikowski. Probably butchered that badly, Mark, sorry, technical advisor, and Blue Gaston. Uh, Gaston. Boy, I'm doing horrible with names here. Software engineer, you're both with Polyverse. But, you know, my last name's Miniman, it has been butchered a million times. But Mark, and Blue, thank you so much for joining us. >> You're welcome. Our pleasure. >> Yes. >> All right. So one of you I've read a lot about online and the other one is Mark, go to the Wikipedia page, stuff like that. So we'll get to that too. So, Blue, maybe start with you, give us a little bit about your background. >> Yeah, so I work at Polyverse now, a cybersecurity startup. But actually I got my undergraduate degree in Philosophy, and from there, kind of just like, what am I going to do with a philosophy degree? And it just weirdly was like a natural transition. I was like, oh, computer science. And kind of the logical, like the technical version of philosophy. So got my master's in philosophy and now, or not philosophy, in computer science, and now have been working at Polyverse. I started as an intern and they hired me on, I think after a month, they were like, no, we want you full-time. So that was cool and I've loved it. So I'm starting off my story, that's kind of where my kick-off point is. >> Awesome.
So, and Mark, first of all, you have to give us the connection between yourself and Blue, and a little bit surprising that she waited so long to go into the computer business. >> Uh, okay, I'm her stepfather. It's not surprising that she, you know, wanted to go into computer science. She's got lots of aptitude for it. She was just on a career path and an education path that was primarily logic, analysis, which is basically what we do in computer science. >> All right. So Mark, if you could just give our audience a little bit of a thumbnail sketch as to your background in the tech industry, and it's a storied one. >> Uh, okay. I was, I think, employee number 55 at Microsoft, when I started back in 1981. The first task that they gave me was to work on something that ended up becoming MS-DOS. I worked on MS-DOS for a long time, about five and a half years, worked on a number of other operating systems at Microsoft, ending up with being one of the initial development managers and architects for Windows. I was responsible for all file storage. And I was there for about 26 years. >> Yeah, you know, interesting, you know, when you look on the Wikipedia page, you were the third employee that reached the 25-year milestone. Some guy, Bill Gates, and Steve Ballmer, were the first two to reach that milestone. So, you know, quite impressive. I think back, back when I learned computers, it was programming, and you know, today it's coding, and things are quite different there. But, Mark, you were also, you're noted as one of the early hackers there, so what does that mean to you, how have you seen that's been changing? Polyverse is in the cybersecurity realm, so would love your kind of viewpoint on just hacking in general. >> Oh, the early days, well my hacking started pretty much when I was in eighth or ninth grade back in Detroit. We had access to an academic operating system called MTS by way of Wayne State University. I grew up in, just in the suburbs of Detroit.
And we had access to it, and for me Excuse me. Hacking at the time was all about trying to understand and learn stuff that was arcane and hidden and mysterious. Figuring out how, for example, password encryption algorithms worked, figuring out how operating systems worked, because at the time, there were very few organized textbooks about how to construct operating systems. Even though operating systems had been around for 20 years. So my early, earliest stuff was in basically, finding holes in security at MTS, and that's how I started, in what they would say "hacking", but it was very innocent, it was very, let's see what we can do! As opposed to, let's extract information, let's go and ransom people's data for bitcoin, which is, you know, I think, a wrong direction to go. >> Yeah. I'm curious your thoughts as the decades have progressed, you know, hacking today, what's your take on, you know, there's the white hats and the black hats, and everything in between. >> Uh, it's kind of an arms race. (laughs) Everything that the white hats will throw up, the black hats will eventually attack to some degree. Social engineering is sort of the ultimate way that people have been getting around, you know, software protections. I think it's unfortunate that there is such a financial reward to the black hat side of things, as counter to one's ethics. I think there's a lot of slippery slopes involved, in terms of, you know, boy, these companies shouldn't be making money, so I deserve my bit. I think that it's much better that, you know, people should come at this from an intellectual, you know, exploration standpoint, rather than an exploitative. But that's the nature of the world. >> Yeah, well, Blue, maybe we can help connect the dots towards what you both do at Polyverse. You mentioned you started as an intern, and I loved the article that talked about this. Well, you know, you're going to be an intern. Can you fix the internet for us? 
And you did some things to help, you know, help stop some of that malicious hacking. >> Yeah, I, that was crazy. I was very intimidated when I heard that, you're going to be fixing the internet. What I've been working at the company, which is different from our flagship product, but kind of in the same vein, is to stop malicious PHP JavaScript code execution. So that's what they came in, that's how they prefaced that problem to me. It was, you're going to go fix the internet. Um, and it was crazy. It was really cool and surprisingly, a lot of philosophy that goes into the way we look at our problem-solving at Polyverse, and how we tackle problems, but of course, I have my Jedi master Mark over here, and I was constantly, "What do you think about this? Isn't this crazy? Like, look at how Polyverse is attacking this." And I think finally I broke him down, and I was like, come join. Come jump in, and you be the foresight, and you tell us what we're going to do in a year or two. And I convinced him, and now, he's, he's with us too. >> Excellent. So, Mark, tell us a little bit about, you know, more about Polyverse, your role there. In the industry there's a lot of talk about, you know, lots of money obviously gets spent on cybersecurity, but it's still a major challenge in the industry. So what's your role there and how's Polyverse helping to attack that? >> Well, my title is Technology Advisor, and I'm one of a small collection of people who have pretty wide-ranging expertise across operating systems, networks, compilers, languages, development tools, all of that. And our goal is, you know, my role, as well the other Jedi masters, is to take a look at what Polyverse is doing at present, try to figure out where we need to go, try to figure out what the next set of challenges are, use our broad experience and knowledge of the computing milieu, and try to figure out what are the tough issues we need to face?
We make some progress on those tough issues, and then turn everything over for the mainline Polyverse development staff to bring it to reality. We're not like researchers, we're much more into the product planning side of things, but product planning in, I hate to use this word, but in a visionary sense. (Blue laughs) >> Yeah, no, it's-- >> We look for the vision. We're not visionaries. We look for the vision. >> You're a visionary, Mark. Admit it. >> Excellent. Well, I do love the, you know, Jedi analogy there. When you look at, I'm curious to your thoughts, both of you, you know, some of the real challenges and opportunities facing the cybersecurity industry. It's a large financial industry company, they'll spend a billion dollars and, you know, does that make them secure? Well, at least they've done what they can and they're pushing enough pieces. But, you know, fundamentally, we understand that this is such a huge issue. >> I think-- >> Blue? >> Well, (laughs) I can try to answer. I think Polyverse recognizes that as well. So we're trying to create new solutions, that instead of just being compliant and checking the boxes, we're actually trying to create systems and products that will stop attacks from actually working. Rather than being reactive and being responsive, we're trying to build these systems out where the attacks just don't work as they're currently designed. And I think we, you know, and to do so in an easy-to-deploy, time-saving kind of way is definitely our goal. Rather than the status quo and, you know, we're fighting inertia, we're trying to, to change that narrative in a really meaningful way. >> Thanks, Blue. Mark, do you have some comments you can add to that? 
>> Once we started taking individual computers and hooking them up to the internet, where they can communicate fairly freely with each other, and by intent communicate fairly freely with each other, by design, by intent, all of a sudden that opened us to just a wide range of malicious behavior, from being DoS'd, to leaking passwords, et cetera. There are, there's layers and layers that one can do to mitigate these problems. From IT operational manuals to fuzz-testing your API, to best practices, it's a, there's a long list. And every bit, every piece of it is important. You need to secure your passwords before you can do anything else. You need to make sure that there's a firewall in your system before you go and start, before you even start thinking about doing things like, like what's going on with what we're doing at Polyverse. It's a, like I said, there's a wide range of tools that people need, that people use, that people spend money on today. Polyverse has got a very unique perspective on how to go and extend this. We, it's a, it's very pragmatic, you know, the realization is that these attackers are going to keep attacking, and they're going to exploit certain features that, despite everyone's best intentions, aren't covered, and we have found a rather unique and novel way to prevent people from doing it. Is it going to solve everything? No. There's still, there's all these other early layers that need to be taken care of first, before the more sophisticated tools that, for example, that Polyverse has or that other companies have. >> Great. Well, Blue, you talked a little bit about it, but, you know, love your, what you've found, you know, working together as a family dynamic here. You know, specifically. >> Um, (laughs) I think it's really cool. What's the best, I'll say this, is when, I always like asking Mark his opinion, because why wouldn't I? The brain that guy has, and just the experience, he can add so much.
Every once in a while, I'll go, and I'll say, you know, oh, this is what I'm working on, and here's what I'm kind of thinking, and he'll say, oh, yeah, well what about this? And I'll actually get to explain something to him. And I got to tell you, that feels really good. Is when I get to say, oh, well, actually it looks like this, and this was my plan, and he's like, oh yeah, definitely. And I get that validation, which is really cool. And I can, you know, drive to his house and bug him whenever I want to. I know where he lives, so if I'm really stuck, or just want to bounce ideas off of him, it's really cool. It's really cool, and I, you know, strong-armed, not strong-armed, I enticed him to come and join Polyverse just by the cool things that we're doing, and I think that's cool too. To now be able to work on something together. >> Yeah, and Mark, sounds like you're learning some things from Blue. Give us your side of that relationship. >> Well, it's a great relationship. Blue, um, Blue never hesitates to challenge. (Blue laughs) >> Blue: Okay. And that, I'm saying that in a very positive sense. Um, you know, she'll come up, every so often I'll get a text from her that says, "Help!" >> Oh my god! (laughing) >> Yes. Sorry. At least I'm not showing it. (laughs) But it's great. And we get together and we talk about stuff, and she says, you know, here's the problem I'm facing, and I'll ask her about it and she gets to go and teach me about what her problem is. I'm a big fan of teaching. I think one of the frustrations that Blue has is I almost never give her the answer when she asks a question. (laughs) >> Not even when I was in school, >> Yeah, not even when you were in school. I was always asking the questions and leading her to the answer rather than just giving it to her. >> Or saying, well why don't we sit down and I'll teach you how to implement knowledge. Just like, oh my god. What are you doing? >> Yeah. 
So, yeah, I'm a big fan of teaching and learning by way of teaching. One of the things I do is I'm an affiliate with the University of Washington, and I teach every year one quarter of their Operating Systems class. And I love teaching, I love seeing the light go on. But every year, when I'm teaching a class that I know pretty well, I learn something new. By a question the student asks, or by reading a paper that I'm asking the students to read, I learn something new just about every year. And so having Blue teach me is a way that I get to learn, but I think in the process Blue also gets to learn as well. You know, in the process of teaching me. >> Yeah, well, that's such a great point. All right, want to give you both the final word on what's exciting you, what draws you to working in the cybersecurity industry. >> Um, I'll start. (laughs) So when I started at Polyverse, I actually got to, as an intern, own my own product. And in, I think, less than a month now, we're actually officially releasing that product, Polyscripting. Officially, like Marketing is coming up with materials for it, and that was right out of school is when I started on this project, so it's kind of like a big deal for me. You know, I've owned the project, I'd say like 90% of it, over the last year or two, and now I get to see it come into fruition. So that's really exciting to me. Um, you know, that's exciting. So I'm excited about that, I'm excited about what Polyverse is doing in general. So, yeah. >> And Mark? >> Yeah. It's great working in a startup, it's great working with a bunch of very, very bright, energetic people. For me, contributing to that environment is extremely valuable. Helping Polyverse out, they're, you know, cybersecurity is a problem. Trying to come up with good, effective solutions that are really pragmatic in terms of, you know, we're not going to solve every problem, but here's a great little space that we're going to solve all the problems in.
That's, there's a huge appeal to that for me. >> Well, Mark and Blue, thank you so much for joining. Appreciate you sharing some of the personal as well as the professional journeys that you've both been on. Thanks so much. >> Yeah, thank you >> Yeah, you're welcome. >> All right. Thank you for watching theCube. I'm Stu Miniman. Thanks for watching. (soothing music)
Rich Gaston, Micro Focus | Virtual Vertica BDC 2020
(upbeat music) >> Announcer: It's theCUBE covering the virtual Vertica Big Data Conference 2020 brought to you by Vertica. >> Welcome back to the Vertica Virtual Big Data Conference, BDC 2020. You know, it was supposed to be a physical event in Boston at the Encore. Vertica pivoted to a digital event, and we're pleased that The Cube could participate because we've participated in every BDC since the inception. Rich Gaston this year is the global solutions architect for security risk and governance at Micro Focus. Rich, thanks for coming on, good to see you. >> Hey, thank you very much for having me. >> So you got a chewy title, man. You got a lot of stuff, a lot of hairy things in there. But maybe you can talk about your role as an architect in those spaces. >> Sure, absolutely. We handle a lot of different requests from the global 2000 type of organization that will try to move various business processes, various application systems, databases, into new realms. Whether they're looking at opening up new business opportunities, whether they're looking at sharing data with partners securely, they might be migrating it to cloud applications, and doing migration into a Hybrid IT architecture. So we will take those large organizations and their existing installed base of technical platforms and data, users, and try to chart a course to the future, using Micro Focus technologies, but also partnering with other third parties out there in the ecosystem. So we have large, solid relationships with the big cloud vendors, with also a lot of the big database spenders. Vertica's our in-house solution for big data and analytics, and we are one of the first integrated data security solutions with Vertica. We've had great success out in the customer base with Vertica as organizations have tried to add another layer of security around their data. 
So what we will try to emphasize is an enterprise wide data security approach, where you're taking a look at data as it flows throughout the enterprise from its inception, where it's created, where it's ingested, all the way through the utilization of that data. And then to the other uses where we might be doing shared analytics with third parties. How do we do that in a secure way that maintains regulatory compliance, and that also keeps our company safe against data breach. >> A lot has changed since the early days of big data, certainly since the inception of Vertica. You know, it used to be big data, everyone was rushing to figure it out. You had a lot of skunkworks going on, and it was just like, figure out data. And then as organizations began to figure it out, they realized, wow, who's governing this stuff? A lot of shadow IT was going on, and then the CIO was called to sort of reign that back in. As well, you know, with all kinds of whatever, fake news, the hacking of elections, and so forth, the sense of heightened security has gone up dramatically. So I wonder if you can talk about the changes that have occurred in the last several years, and how you guys are responding. >> You know, it's a great question, and it's been an amazing journey because I was walking down the street here in my hometown of San Francisco at Christmastime years ago and I got a call from my bank, and they said, we want to inform you your card has been breached by Target, a hack at Target Corporation and they got your card, and they also got your pin. And so you're going to need to get a new card, we're going to cancel this. Do you need some cash? I said, yeah, it's Christmastime so I need to do some shopping. And so they worked with me to make sure that I could get that cash, and then get the new card and the new pin. And being a professional in the inside of the industry, I really questioned, how did they get the pin? Tell me more about this. 
And they said, well, we don't know the details, but you know, I'm sure you'll find out. And in fact, we did find out a lot about that breach and what it did to Target. The impact that $250 million immediate impact, CIO gone, CEO gone. This was a big one in the industry, and it really woke a lot of people up to the different types of threats on the data that we're facing with our largest organizations. Not just financial data; medical data, personal data of all kinds. Flash forward to the Cambridge Analytica scandal that occurred where Facebook is handing off data, they're making a partnership agreement --think they can trust, and then that is misused. And who's going to end up paying the cost of that? Well, it's going to be Facebook at a tune of about five billion on that, plus some other finds that'll come along, and other costs that they're facing. So what we've seen over the course of the past several years has been an evolution from data breach making the headlines, and how do my customers come to us and say, help us neutralize the threat of this breach. Help us mitigate this risk, and manage this risk. What do we need to be doing, what are the best practices in the industry? Clearly what we're doing on the perimeter security, the application security and the platform security is not enough. We continue to have breaches, and we are the experts at that answer. The follow on fascinating piece has been the regulators jumping in now. First in Europe, but now we see California enacting a law just this year. They came into a place that is very stringent, and has a lot of deep protections that are really far-reaching around personal data of consumers. Look at jurisdictions like Australia, where fiduciary responsibility now goes to the Board of Directors. That's getting attention. For a regulated entity in Australia, if you're on the Board of Directors, you better have a plan for data security. 
And if there is a breach, you need to follow protocols, or you personally will be liable. And that is a sea change that we're seeing out in the industry. So we're getting a lot of attention on both, how do we neutralize the risk of breach, but also how can we use software tools to maintain and support our regulatory compliance efforts as we work with, say, the largest money center bank out of New York. I've watched their audit year after year, and it's gotten more and more stringent, more and more specific, tell me more about this aspect of data security, tell me more about encryption, tell me more about money management. The auditors are getting better. And we're supporting our customers in that journey to provide better security for the data, to provide a better operational environment for them to be able to roll new services out with confidence that they're not going to get breached. With that confidence, they're not going to have a regulatory compliance fine or a nightmare in the press. And these are the major drivers that help us with Vertica sell together into large organizations to say, let's add some defense in depth to your data. And that's really a key concept in the security field, this concept of defense in depth. We apply that to the data itself by changing the actual data element of Rich Gaston, I will change that name into Ciphertext, and that then yields a whole bunch of benefits throughout the organization as we deal with the lifecycle of that data. >> Okay, so a couple things I want to mention there. So first of all, totally board level topic, every board of directors should really have cyber and security as part of its agenda, and it does for the reasons that you mentioned. The other is, GDPR got it all started. I guess it was May 2018 that the penalties went into effect, and that just created a whole Domino effect. You mentioned California enacting its own laws, which, you know, in some cases are even more stringent. 
And you're seeing this all over the world. So I think one of the questions I have is, how do you approach all this variability? It seems to me, you can't just take a narrow approach. You have to have an end to end perspective on governance and risk and security, and the like. So are you able to do that? And if so, how so? >> Absolutely, I think one of the key areas in big data in particular, has been the concern that we have a schema, we have database tables, we have CALMS, and we have data, but we're not exactly sure what's in there. We have application developers that have been given sandbox space in our clusters, and what are they putting in there? So can we discover that data? We have those tools within Micro Focus to discover sensitive data within in your data stores, but we can also protect that data, and then we'll track it. And what we really find is that when you protect, let's say, five billion rows of a customer database, we can now know what is being done with that data on a very fine grain and granular basis, to say that this business process has a justified need to see the data in the clear, we're going to give them that authorization, they can decrypt the data. Secure data, my product, knows about that and tracks that, and can report on that and say at this date and time, Rich Gaston did the following thing to be able to pull data in the clear. And that could be then used to support the regulatory compliance responses and then audit to say, who really has access to this, and what really is that data? Then in GDPR, we're getting down into much more fine grained decisions around who can get access to the data, and who cannot. And organizations are scrambling. 
One of the funny conversations that I had a couple years ago as GDPR came into place was, it seemed a couple of customers were taking these sort of brute force approach of, we're going to move our analytics and all of our data to Europe, to European data centers because we believe that if we do this in the U.S., we're going to violate their law. But if we do it all in Europe, we'll be okay. And that simply was a short-term way of thinking about it. You really can't be moving your data around the globe to try to satisfy a particular jurisdiction. You have to apply the controls and the policies and put the software layers in place to make sure that anywhere that someone wants to get that data, that we have the ability to look at that transaction and say it is or is not authorized, and that we have a rock solid way of approaching that for audit and for compliance and risk management. And once you do that, then you really open up the organization to go back and use those tools the way they were meant to be used. We can use Vertica for AI, we can use Vertica for machine learning, and for all kinds of really cool use cases that are being done with IOT, with other kinds of cases that we're seeing that require data being managed at scale, but with security. And that's the challenge, I think, in the current era, is how do we do this in an elegant way? How do we do it in a way that's future proof when CCPA comes in? How can I lay this on as another layer of audit responsibility and control around my data so that I can satisfy those regulators as well as the folks over in Europe and Singapore and China and Turkey and Australia. It goes on and on. Each jurisdiction out there is now requiring audit. And like I mentioned, the audits are getting tougher. And if you read the news, the GDPR example I think is classic. They told us in 2016, it's coming. They told us in 2018, it's here. 
They're telling us in 2020, we're serious about this, and here's the finds, and you better be aware that we're coming to audit you. And when we audit you, we're going to be asking some tough questions. If you can't answer those in a timely manner, then you're going to be facing some serious consequences, and I think that's what's getting attention. >> Yeah, so the whole big data thing started with Hadoop, and Hadoop is open, it's distributed, and it just created a real governance challenge. I want to talk about your solutions in this space. Can you tell us more about Micro Focus voltage? I want to understand what it is, and then get into sort of how it works, and then I really want to understand how it's applied to Vertica. >> Yeah, absolutely, that's a great question. First of all, we were the originators of format preserving encryption, we developed some of the core basic research out of Stanford University that then became the company of Voltage; that build-a-brand name that we apply even though we're part of Micro Focus. So the lineage still goes back to Dr. Benet down at Stanford, one of my buddies there, and he's still at it doing amazing work in cryptography and keeping moving the industry forward, and the science forward of cryptography. It's a very deep science, and we all want to have it peer-reviewed, we all want to be attacked, we all want it to be proved secure, that we're not selling something to a major money center bank that is potentially risky because it's obscure and we're private. So we have an open standard. For six years, we worked with the Department of Commerce to get our standard approved by NIST; The National Institute of Science and Technology. They initially said, well, AES256 is going to be fine. And we said, well, it's fine for certain use cases, but for your database, you don't want to change your schema, you don't want to have this increase in storage costs. What we want is format preserving encryption. 
And what that does is turns my name, Rich, into a four-letter ciphertext. It can be reversed. The mathematics of that are fascinating, and really deep and amazing. But we really make that very simple for the end customer because we produce APIs. So these application programming interfaces can be accessed by applications in C or Java, C sharp, other languages. But they can also be accessed in Microservice Manor via rest and web service APIs. And that's the core of our technical platform. We have an appliance-based approach, so we take a secure data appliance, we'll put it on Prim, we'll make 50 of them if you're a big company like Verizon and you need to have these co-located around the globe, no problem; we can scale to the largest enterprise needs. But our typical customer will install several appliances and get going with a couple of environments like QA and Prod to be able to start getting encryption going inside their organization. Once the appliances are set up and installed, it takes just a couple of days of work for a typical technical staff to get done. Then you're up and running to be able to plug in the clients. Now what are the clients? Vertica's a huge one. Vertica's one of our most powerful client endpoints because you're able to now take that API, put it inside Vertica, it's all open on the internet. We can go and look at Vertica.com/secure data. You get all of our documentation on it. You understand how to use it very quickly. The APIs are super simple; they require three parameter inputs. It's a really basic approach to being able to protect and access data. And then it gets very deep from there because you have data like credit card numbers. Very different from a street address and we want to take a different approach to that. We have data like birthdate, and we want to be able to do analytics on dates. We have deep approaches on managing analytics on protected data like Date without having to put it in the clear. 
So we've maintained a lead in the industry in terms of being an innovator of the FF1 standard, what we call FF1 is format preserving encryption. We license that to others in the industry, per our NIST agreement. So we're the owner, we're the operator of it, and others use our technology. And we're the original founders of that, and so we continue to sort of lead the industry by adding additional capabilities on top of FF1 that really differentiate us from our competitors. Then you look at our API presence. We can definitely run on Hadoop, but we also run in open systems. We run on mainframe, we run on mobile. So anywhere in the enterprise or one in the cloud, anywhere you want to be able to put secure data, and be able to access the protect data, we're going to be there and be able to support you there. >> Okay so, let's say I've talked to a lot of customers this week, and let's say I'm running in Eon mode. And I got some workload running in AWS, I've got some on-prem. I'm going to take an appliance or multiple appliances, I'm going to put it on-prem, but that will also secure my cloud workloads as part of a sort of shared responsibility model, for example? Or how does that work? >> No, that's absolutely correct. We're really flexible that we can run on-prem or in the cloud as far as our crypto engine, the key management is really hard stuff. Cryptography is really hard stuff, and we take care of all that, so we've all baked that in, and we can run that for you as a service either in the cloud or on-prem on your small VMs. So really the lightweight footprint for me running my infrastructure. When I look at the organization like you just described, it's a classic example of where we fit because we will be able to protect that data. Let's say you're ingesting it from a third party, or from an operational system, you have a website that collects customer data. Someone has now registered as a new customer, and they're going to do e-commerce with you. 
We'll take that data, and we'll protect it right at the point of capture. And we can now flow that through the organization and decrypt it at will on any platform that you have that you need us to be able to operate on. So let's say you wanted to pick that customer data from the operational transaction system, let's throw it into Eon, let's throw it into the cloud, let's do analytics there on that data, and we may need some decryption. We can place secure data wherever you want to be able to service that use case. In most cases, what you're doing is a simple, tiny little atomic key fetch across a protected tunnel, your typical TLS pipe tunnel. And once that key is then cached within our client, we maintain all that technology for you. You don't have to know about key management or caching. We're good at that; that's our job. And then you'll be able to make those API calls to access or protect the data, and apply the authorization authentication controls that you need to be able to service your security requirements. So you might have third parties having access to your Vertica clusters. That is a special need, and we can have that ability to say employees can get X, and the third party can get Y, and that's a really interesting use case we're seeing for shared analytics in the internet now. >> Yeah for sure, so you can set the policy how we want. You know, I have to ask you, in a perfect world, I would encrypt everything. But part of the reason why people don't is because of performance concerns. Can you talk about, and you touched upon it I think recently with your sort of atomic access, but can you talk about, and I know it's Vertica, it's Ferrari, etc, but anything that slows it down, I'm going to be a concern. Are customers concerned about that? What are the performance implications of running encryption on Vertica? >> Great question there as well, and what we see is that we want to be able to apply scale where it's needed. 
And so if you look at ingest platforms that we find, Vertica is commonly connected up to something like Kafka. Maybe streamsets, maybe NiFi, there are a variety of different technologies that can route that data, pipe that data into Vertica at scale. Secured data is architected to go along with that architecture at the node or at the executor or at the lowest level operator level. And what I mean by that is that we don't have a bottleneck that everything has to go through one process or one box or one channel to be able to operate. We don't put an interceptor in between your data and coming and going. That's not our approach because those approaches are fragile and they're slow. So we typically want to focus on integrating our APIs natively within those pipeline processes that come into Vertica within the Vertica ingestion process itself, you can simply apply our protection when you do the copy command in Vertica. So really basic simple use case that everybody is typically familiar with in Vertica land; be able to copy the data and put it into Vertica, and you simply say protect as part of the data. So my first name is coming in as part of this ingestion. I'll simply put the protect keyword in the Syntax right in SQL; it's nothing other than just an extension SQL. Very very simple, the developer, easy to read, easy to write. And then you're going to provide the parameters that you need to say, oh the name is protected with this kind of a format. To differentiate it between a credit card number and an alphanumeric stream, for example. So once you do that, you then have the ability to decrypt. Now, on decrypt, let's look at a couple different use cases. First within Vertica, we might be doing select statements within Vertica, we might be doing all kinds of jobs within Vertica that just operate at the SQL layer. 
Again, just insert the word "access" into the Vertica select string and provide us with the data that you want to access, that's our word for decryption, that's our lingo. And we will then, at the Vertica level, harness the power of its CPU, its RAM, its horsepower at the node to be able to operate on that operator, the decryption request, if you will. So that gives us the speed and the ability to scale out. So if you start with two nodes of Vertica, we're going to operate at X number of hundreds of thousands of transactions a second, depending on what you're doing. Long strings are a little bit more intensive in terms of performance, but short strings like social security number are our sweet spot. So we operate very very high speed on that, and you won't notice the overhead with Vertica, per se, at the node level. When you scale Vertica up and you have 50 nodes, and you have large clusters of Vertica resources, then we scale with you. And we're not a bottleneck at any particular point. Everybody's operating independently, but they're all copies of each other, all doing the same operation. Fetch a key, do the work, go to sleep. >> Yeah, you know, I think this is, a lot of the customers have said to us this week that one of the reasons why they like Vertica is it's very mature, it's been around, it's got a lot of functionality, and of course, you know, look, security, I understand is it's kind of table stakes, but it's also can be a differentiator. You know, big enterprises that you sell to, they're asking for security assessments, SOC 2 reports, penetration testing, and I think I'm hearing, with the partnership here, you're sort of passing those with flying colors. Are you able to make security a differentiator, or is it just sort of everybody's kind of got to have good security? What are your thoughts on that? >> Well, there's good security, and then there's great security. 
And what I found with one of my money center bank customers here in San Francisco was based here, was the concern around the insider access, when they had a large data store. And the concern that a DBA, a database administrator who has privilege to everything, could potentially exfil data out of the organization, and in one fell swoop, create havoc for them because of the amount of data that was present in that data store, and the sensitivity of that data in the data store. So when you put voltage encryption on top of Vertica, what you're doing now is that you're putting a layer in place that would prevent that kind of a breach. So you're looking at insider threats, you're looking at external threats, you're looking at also being able to pass your audit with flying colors. The audits are getting tougher. And when they say, tell me about your encryption, tell me about your authentication scheme, show me the access control list that says that this person can or cannot get access to something. They're asking tougher questions. That's where secure data can come in and give you that quick answer of it's encrypted at rest. It's encrypted and protected while it's in use, and we can show you exactly who's had access to that data because it's tracked via a different layer, a different appliance. And I would even draw the analogy, many of our customers use a device called a hardware security module, an HSM. Now, these are fairly expensive devices that are invented for military applications and adopted by banks. And now they're really spreading out, and people say, do I need an HSM? Well, with secure data, we certainly protect your crypto very very well. We have very very solid engineering. I'll stand on that any day of the week, but your auditor is going to want to ask a checkbox question. Do you have HSM? Yes or no. Because the auditor understands, it's another layer of protection. 
And it provides me another tamper evident layer of protection around your key management and your crypto. And we, as professionals in the industry, nod and say, that is worth it. That's an expensive option that you're going to add on, but your auditor's going to want it. If you're in financial services, you're dealing with PCI data, you're going to enjoy the checkbox that says, yes, I have HSMs and not get into some arcane conversation around, well no, but it's good enough. That's kind of the argument then conversation we get into when folks want to say, Vertica has great security, Vertica's fantastic on security. Why would I want secure data as well? It's another layer of protection, and it's defense in depth for your data. When you believe in that, when you take security really seriously, and you're really paranoid, like a person like myself, then you're going to invest in those kinds of solutions that get you best-in-class results. >> So I'm hearing a data-centric approach to security. Security experts will tell you, you got to layer it. I often say, we live in a new world. The green used to just build a moat around the queen, but the queen, she's leaving her castle in this world of distributed data. Rich, incredibly knowledgeable guest, and really appreciate you being on the front lines and sharing with us your knowledge about this important topic. So thanks for coming on theCUBE. >> Hey, thank you very much. >> You're welcome, and thanks for watching everybody. This is Dave Vellante for theCUBE, we're covering wall-to-wall coverage of the Virtual Vertica BDC, Big Data Conference. Remotely, digitally, thanks for watching. Keep it right there. We'll be right back right after this short break. (intense music)
UNLIST TILL 4/2 - Keep Data Private
>> Paige: Hello everybody and thank you for joining us today for the Virtual Vertica BDC 2020. Today's breakout session is entitled Keep Data Private Prepare and Analyze Without Unencrypting With Voltage SecureData for Vertica. I'm Paige Roberts, Open Source Relations Manager at Vertica, and I'll be your host for this session. Joining me is Rich Gaston, Global Solutions Architect, Security, Risk, and Government at Voltage. And before we begin, I encourage you to submit your questions or comments during the virtual session, you don't have to wait till the end. Just type your question as it occurs to you, or comment, in the question box below the slide and then click Submit. There'll be a Q&A session at the end of the presentation where we'll try to answer as many of your questions as we're able to get to during the time. Any questions that we don't address we'll do our best to answer offline. Now, if you want, you can visit the Vertica Forum to post your questions there after the session. Now, that's going to take the place of the Developer Lounge, and our engineering team is planning to join the Forum, to keep the conversation going. So as a reminder, you can also maximize your screen by clicking the double arrow button, in the lower-right corner of the slides. That'll allow you to see the slides better. And before you ask, yes, this virtual session is being recorded and it will be available to view on-demand this week. We'll send you a notification as soon as it's ready. All right, let's get started. Over to you, Rich. >> Rich: Hey, thank you very much, Paige, and appreciate the opportunity to discuss this topic with the audience. 
My name is Rich Gaston and I'm a Global Solutions Architect, within the Micro Focus team, and I work on global Data privacy and protection efforts, for many different organizations, looking to take that journey toward breach defense and regulatory compliance, from platforms ranging from mobile to mainframe, everything in between, cloud, you name it, we're there in terms of our solution sets. Vertica is one of our major partners in this space, and I'm very excited to talk with you today about our solutions on the Vertica platform. First, let's talk a little bit about what you're not going to learn today, and that is, on screen you'll see, just part of the mathematics that goes into, the format-preserving encryption algorithm. We are the originators and authors and patent holders on that algorithm. Came out of research from Stanford University, back in the '90s, and we are very proud, to take that out into the market through the NIST standard process, and license that to others. So we are the originators and maintainers, of both standards and athureader in the industry. We try to make this easy and you don't have to learn any of this tough math. Behind this there are also many other layers of technology. They are part of the security, the platform, such as stateless key management. That's a really complex area, and we make it very simple for you. We have very mature and powerful products in that space, that really make your job quite easy, when you want to implement our technology within Vertica. So today, our goal is to make Data protection easy for you, to be able to understand the basics of Voltage Secure Data, you're going to be learning how the Vertica UDx, can help you get started quickly, and we're going to see some examples of how Vertica plus Voltage Secure Data, are going to be working together, in our customer cases out in the field. First, let's take you through a quick introduction to Voltage Secure Data. The business drivers and what's this all about. 
First of all, we started off with Breach Defense. We see that despite continued investments, in personal perimeter and platform security, Data breaches continue to occur. Voltage Secure Data plus Vertica, provides defense in depth for sensitive Data, and that's a key concept that we're going to be referring to. in the security field defense in depth, is a standard approach to be able to provide, more layers of protection around sensitive assets, such as your Data, and that's exactly what Secure Data is designed to do. Now that we've come through many of these breach examples, and big ticket items, getting the news around breaches and their impact, the business regulators have stepped up, and regulatory compliance, is now a hot topic in Data privacy. Regulations such as GDPR came online in 2018 for the EU. CCPA came online just this year, a couple months ago for California, and is the de-facto standard for the United States now, as organizations are trying to look at, the best practices for providing, regulatory compliance around Data privacy and protection. These gives massive new rights to consumers, but also obligations to organizations, to protect that personal Data. Secure Data Plus Vertica provides, fine grained authorization around sensitive Data, And we're going to show you exactly how that works, within the Vertica platform. At the bottom, you'll see some of the snippets there, of the news articles that just keep racking up, and our goal is to keep you off the news, to keep your company safe, so that you can have the assurance, that even if there is an unintentional, or intentional breach of Data out of the corporation, if it is protected by voltage Secure Data, it will be of no value to those hackers, and then you have no impact, in terms of risk to the organization. What do we mean by defense in depth? 
Let's take a look first at the encryption types, and the benefits that they provide, and we see our customers implementing, all kinds of different protection mechanisms, within the organization. You could be looking at disk level protection, file system protection, protection on the files themselves. You could protect the entire Database, you could protect our transmissions, as they go from the client to the server via TLS, or other protected tunnels. And then we look at Field-level Encryption, and that's what we're talking about today. That's all the above protections, at the perimeter level at the platform level. Plus, we're giving you granular access control, to your sensitive Data. Our main message is, keep the Data protected for at the earliest possible point, and only access it, when you have a valid business need to do so. That's a really critical aspect as we see Vertica customers, loading terabytes, petabytes of Data, into clusters of Vertica console, Vertica Database being able to give access to that Data, out to a wide variety of end users. We started off with organizations having, four people in an office doing Data science, or analytics, or Data warehousing, or whatever it's called within an organization, and that's now ballooned out, to a new customer coming in and telling us, we're going to have 1000 people accessing it, plus service accounts accessing Vertica, we need to be able to provide fine level access control, and be able to understand what are folks doing with that sensitive Data? And how can we Secure it, the best practices possible. In very simple state, voltage protect Data at rest and in motion. The encryption of Data facilitates compliance, and it reduces your risk of breach. So if you take a look at what we mean by field level, we could take a name, that name might not just be in US ASCII. Here we have a sort of Latin one extended, example of Harold Potter, and we could take a look at the example protected Data. 
Notice that we're taking a character set approach, to protecting it, meaning, I've got an alphanumeric option here for the format, that I'm applying to that name. That gives me a mix of alpha and numeric, and plus, I've got some of that Latin one extended alphabet in there as well, and that's really controllable by the end customer. They can have this be just US ASCII, they can have it be numbers for numbers, you can have a wide variety, of different protection mechanisms, including ignoring some characters in the alphabet, in case you want to maintain formatting. We've got all the bells and whistles, that you would ever want, to put on top of format preserving encryption, and we continue to add more to that platform, as we go forward. Taking a look at tax ID, there's an example of numbers for numbers, pretty basic, but it gives us the sort of idea, that we can very quickly and easily keep the Data protected, while maintaining the format. No schema changes are going to be required, when you want to protect that Data. If you look at credit card number, really popular example, and the same concept can be applied to tax ID, often the last four digits will be used in a tax ID, to verify someone's identity. That could be on an automated telephone system, it could be a customer service representative, just trying to validate the security of the customer, and we can keep that Data in the clear for that purpose, while protecting the entire string from breach. Dates are another critical area of concern, for a lot of medical use cases. But we're seeing Date of Birth, being included in a lot of Data privacy conversations, and we can protect dates with dates, they're going to be a valid date, and we have some really nifty tools, to maintain offsets between dates. 
So again, we've got the real depth of capability, within our encryption, that's not just saying, here's a one size fits all approach, GPS location, customer ID, IP address, all of those kinds of Data strings, can be protected by voltage Secure Data within Vertica. Let's take a look at the UDx basics. So what are we doing, when we add Voltage to Vertica? Vertica stays as is in the center. In fact, if you get the Vertica distribution, you're getting the Secure Data UDx onboard, you just need to enable it, and have Secure Data virtual appliance, that's the box there on the middle right. That's what we come in and add to the mix, as we start to be able to add those capabilities to Vertica. On the left hand side, you'll see that your users, your service accounts, your analytics, are still typically doing Select, Update, Insert, Delete, type of functionality within Vertica. And they're going to come into Vertica's access control layer, they're going to also access those services via SQL, and we simply extend SQL for Vertica. So when you add the UDx, you get additional syntax that we can provide, and we're going to show you examples of that. You can also integrate that with concepts, like Views within Vertica. So that we can say, let's give a view of Data, that gives the Data in the clear, using the UDx to decrypt that Data, and let's give everybody else, access to the raw Data which is protected. Third parties could be brought in, folks like contractors or folks that aren't vetted, as closely as a security team might do, for internal sensitive Data access, could be given access to the Vertica cluster, without risk of them breaching and going into some area, they're not supposed to take a look at. Vertica has excellent control for access, down even to the column level, which is phenomenal, and really provides you with world class security, around the Vertica solution itself. 
Secure Data adds another layer of protection, like we're mentioning, so that we can have Data protected in use, Data protected at rest, and then we can have the ability, to share that protected Data throughout the organization. And that's really where Secure Data shines, is the ability to protect that Data on mainframe, on mobile, and open systems, in the cloud, everywhere you want to have that Data move to and from Vertica, then you can have Secure Data, integrated with those endpoints as well. That's an additional solution on top, the Secure Data Plus Vertica solution, that is bundled together today for a sales purpose. But we can also have that conversation with you, about those wider Secure Data use cases, we'd be happy to talk to you about that. Security to the virtual appliance, is a lightweight appliance, sits on something like eight cores, 16 gigs of RAM, 100 gig of disk or 200 gig of disk, really a lightweight appliance, you can have one or many. Most customers have four in production, just for redundancy, they don't need them for scale. But we have some customers with 16 or more in production, because they're running such high volumes of transaction load. They're running a lot of web service transactions, and they're running Vertica as well. So we're going to have those virtual appliances, as co-located around the globe, hooked up to all kinds of systems, like Syslog, LDAP, load balancers, we've got a lot of capability within the appliance, to fit into your enterprise IP landscape. So let me get you directly into the meat of what does the UDx do. If you're technical and you know SQL, this is probably going to be pretty straightforward to you, you'll see the copy command, used widely in Vertica to get Data into Vertica. So let's try to protect that Data when we're ingesting it. Let's grab it from maybe a CSV file, and put it straight into Vertica, but protected on the way and that's what the UDx does. 
We have Voltage Secure protectors, an added syntax, like I mentioned, to the Vertica SQL. And that allows us to say, we're going to protect the customer first name, using the parameters of hyper alphanumeric. That's our internal lingo of a format, within Secure Data, this part of our API, the API is require very few inputs. The format is the one, that you as a developer will be supplying, and you'll have different ones for maybe SSN, you'll have different formats for street address, but you can reuse a lot of your formats, across a lot of your PII, PHI Data types. Protecting after ingest is also common. So I've got some Data, that's already been put into a staging area, perhaps I've got a landing zone, a sandbox of some sort, now I want to be able to move that, into a different zone in Vertica, different area of the schema, and I want to have that Data protected. We can do that with the update command, and simply again, you'll notice Voltage Secure protect, nothing too wild there, basically the same syntax. We're going to query unprotected Data. How do we search once I've encrypted all my Data? Well, actually, there's a pretty nifty trick to do so. If you want to be able to query unprotected Data, and we have the search string, like a phone number there in this example, simply call Voltage Secure protect on that, now you'll have the cipher text, and you'll be able to search the stored cipher text. Again, we're just format preserving encrypting the Data, and it's just a string, and we can always compare those strings, using standard syntax and SQL. Using views to decrypt Data, again a powerful concept, in terms of how to make this work, within the Vertica Landscape, when you have a lot of different groups of users. Views are very powerful, to be able to point a BI tool, for instance, business intelligence tools, Cognos, Tableau, etc, might be accessing Data from Vertica with simple queries. 
Well, let's point them to a view that does the hard work, and uses the Vertica nodes, and its horsepower of CPU and RAM, to actually run that UDx, and do the decryption of the Data in use, temporarily in memory, and then throw that away, so that it can't be breached. That's a nice way to keep your users active and working and going forward, with their Data access and Data analytics, while also keeping the Data Secure in the process. And then we might want to export some Data, and push it out to someone in a clear text manner. We've got a third party, needs to take the tax ID along with some Data, to do some processing, all we need to do is call Voltage Secure Access, again, very similar to the protect call, and you're writing the parameter again, and boom, we have decrypted the Data and used again, the Vertica resources of RAM and CPU and horsepower, to do the work. All we're doing with Voltage Secure Data Appliance, is a real simple little key fetch, across a protected tunnel, that's a tiny atomic transaction, gets done very quick, and you're good to go. This is it in terms of the UDx, you have a couple of calls, and one parameter to pass, everything else is config driven, and really, you're up and running very quickly. We can even do demos and samples of this Vertica UDx, using hosted appliances, that we put up for pre sales purposes. So folks want to get up and get a demo going. We could take that UDx, configure it to point to our, appliance sitting on the internet, and within a couple of minutes, we're up and running with some simple use cases. Of course, for on-prem deployment, or deployment in the cloud, you'll want your own appliance in your own crypto district, you have your own security, but it just shows, that we can easily connect to any appliance, and get this working in a matter of minutes. Let's take a look deeper at the voltage plus Vertica solution, and we'll describe some of the use cases and path to success. 
First of all your steps to, implementing Data-centric security and Vertica. Want to note there on the left hand side, identify sensitive Data. How do we do this? I have one customer, where they look at me and say, Rich, we know exactly what our sensitive Data is, we develop the schema, it's our own App, we have a customer table, we don't need any help in this. We've got other customers that say, Rich, we have a very complex Database environment, with multiple Databases, multiple schemas, thousands of tables, hundreds of thousands of columns, it's really, really complex help, and we don't know what people have been doing exactly, with some of that Data, We've got various teams that share this resource. There, we do have additional tools, I wanted to give a shout out to another Micro Focus product, which is called Structured Data Manager. It's a great tool that helps you identify sensitive Data, with some really amazing technology under the hood, that can go into a Vertica repository, scan those tables, take a sample of rows or a full table scan, and give you back some really good reports on, we think this is sensitive, let's go confirm it, and move forward with Data protection. So if you need help on that, we've got the tools to do it. Once you identify that sensitive Data, you're going to want to understand, your Data flows and your use cases. Take a look at what analytics you're doing today. What analytics do you want to do, on sensitive Data in the future? Let's start designing our analytics, to work with sensitive Data, and there's some tips and tricks that we can provide, to help you mitigate, any kind of concerns around performance, or any kind of concerns around rewriting your SQL. As you've noted, you can just simply insert our SQL additions, into your code and you're off and running. You want to install and configure the UDx, and Secure Data software appliance. Well, the UDx is pretty darn simple. 
The documentation on Vertica is publicly available, you could see how that works, and what you need to configure it, one file here, and you're ready to go. So that's pretty straightforward to process, either grant some access to the UDx, and that's really up to the customer, because there are many different ways to handle access control in Vertica. We're going to be flexible to fit within your model of access control and adding the UDx to your mix. Each customer is a little different there, so you might want to talk with us a little bit about the best practices for your use cases. But in general, that's going to be up and running in just a minute. The SecureData software appliance, a hardened Linux appliance today, sits on-prem or in the cloud. And you can deploy that. I've seen it done in 15 minutes, but that's what the real tech you had, access to being able to generate a search, and do all this so that, you're being able to set the firewall and all the DNS entries, the basic blocking and tackling of a software appliance. You get that done, corporations can take care of that in just a couple of weeks. They get it all done, because they're waiting on other teams, but the software appliances are really fast to get stood up, and they're very simple to administer, with our web-based GUI. Then finally, you're going to implement your UDx use cases. Once the software appliance is up and running, we can set authentication methods, we could set up the format that you're going to use in Vertica, and then those two start talking together. And it should be going in dev and test in about half a day, and then you're running toward production in just a matter of days, in most cases. We've got other customers that say, hey, this is going to be a bigger migration project for us. We might want to split this up into chunks.
Let's do the real sensitive and scary data, like tax ID, first, as our sort of toe-in-the-water approach, and then we'll come back and protect other data elements. That's one way to slice and dice, and implement your solution in a planned manner. Another way is schema based. Let's take a look at this section of the schema, and implement protection on these data elements. Now let's take a look at a different schema, and we'll repeat the process, so you can iteratively move forward with your deployment. So what's the added value when you add full Vertica plus Voltage? I want to highlight this distinction because Vertica contains world-class security controls around their database. I'm an old-time DBA from a different product, competing against Vertica in the past, and I'm really aware of the granular access controls that are provided within various platforms. Vertica would rank at the very top of the list, in terms of being able to give me very tight control, and a lot of different AWS methods, being able to protect the data in a lot of different use cases. So Vertica can handle a lot of your data protection needs right out of the box. Voltage SecureData, as we keep mentioning, adds that defense in depth, and it's going to enable those enterprise-wide use cases as well. So first off, I mentioned this, the standard of FF1, that is format-preserving encryption. We're the authors of it, we continue to maintain that, and we want to emphasize that customers really ought to be very, very careful in terms of choosing a NIST standard when implementing any kind of encryption within the organization. So AES was one of the first, and hallmark, benchmark encryption algorithms, and in 2016, we were added to that mix, as FF1 with CS online. If you search NIST and Voltage Security, you'll see us right there as the author of the standard, and all the processes that went along with that approval.
We have centralized policy for key management, authentication, audit and compliance. We can now see that Vertica selected or fetched the key, to be able to protect some data at this date and time. We can track that and be able to give you audit and compliance reporting against that data. You can move protected data into and out of Vertica. So if we ingest via Kafka, ingest via NiFi and Kafka, ingest on StreamSets. There are a variety of different ingestion methods, and streaming methods, that can get data into Vertica. We can integrate SecureData with all of those components. We're very well suited to integrate with any Hadoop technology or any big data technology, as we have APIs in a variety of languages, bitness and platforms. So we've got that all out of the box, ready to go for you, if you need it. When you're moving data out of Vertica, you might move it into an open systems platform, you might move it to the cloud. We can also operate and do the decryption there, you're going to get the same plaintext back, and if you protect data over in the cloud, and move it into Vertica, you're going to be able to decrypt it in Vertica. That's our cross-platform promise. We've been delivering on that for many, many years, and we now have many, many endpoints that do that, in production for the world's largest organization. We're going to preserve your data format and referential integrity. So if I protect my social security number today, I can protect another batch of data tomorrow, and that same ciphertext will be generated. When I put that into Vertica, I can have absolute referential integrity on that data, to be able to allow for analytics to occur, without even decrypting data in many cases. And we have decrypt access for authorized users only, with the ability to add LDAP authentication authorization for UDx users.
So you can really have a number of different approaches, and flavors of how you implement Voltage within Vertica, but what you're getting is the additional ability to have that confidence that we've got the data protected at rest, even if I have a DBA that's not vetted or someone new, or I don't know where this person is from, a third party, and being provided access as a DBA-level privilege. They could select star from all day long, and they're going to get ciphertext, they're going to have nothing of any value, and if they want to use the UDF to decrypt it, they're going to be tracked and traced as to their utilization of that. So it allows us to have that control, and an additional layer of security on your sensitive data. This may be required by regulatory agencies, and it's seeming that we're seeing compliance audits get more and more strict every year. GDPR was kind of funny, because they said in 2016, hey, this is coming, they said in 2018, it's here, and now they're saying in 2020, hey, we're serious about this, and the fines are mounting. And let's give you some examples to kind of help you understand that these regulations are real, the fines are real, and your reputational damage can be significant, if you were to be in breach of regulatory compliance requirements. We're finding so many different use cases now, popping up around regional protection of data. I need to protect this data so that it cannot go offshore. I need to protect this data so that people from another region cannot see it. That's all the kind of capability that we have within SecureData that we can add to Vertica. We have that broad platform support, and I mentioned NiFi and Kafka, those would be on the left hand side, as we start to ingest data from applications into Vertica. We can have landing zone approaches, where we provide some automated scripting at an OS level, to be able to protect ETL batch transactions coming in.
We could protect within the Vertica UDx, as I mentioned, with the copy command, directly using Vertica. Everything inside that dot-dash line is the Vertica plus Voltage SecureData combo, that's sold together as a single package. Additionally, we'd love to talk with you about the stuff that's outside the dash box, because we have dozens and dozens of endpoints that could protect and access data on many different platforms. And this is where you really start to leverage some of the extensive power of SecureData, to go across platform to handle your web-based apps, to handle apps in the cloud, and to handle all of this at scale, with hundreds of thousands of transactions per second of format-preserving encryption. That may not sound like much, but when you take a look at the algorithm, what we're doing on the mathematics side, when you look at everything that goes into that transaction, to me, that's an amazing accomplishment, that we're trying to reach those kinds of levels of scale, and with Vertica, it scales horizontally. So the more nodes you add, the more power you get, the more throughput you're going to get from Voltage SecureData. I want to highlight the next steps, on how we can continue to move forward. Our SecureData team is available to you, to talk about the landscape, your use cases, your data. We really love the concept that we've got so many different organizations out there, using SecureData in so many different and unique ways. We have vehicle manufacturers who are protecting not just the VIN, not just their customer data, but in fact they're protecting sensor data from the vehicles, which is sent over the network, down to the home base every 15 minutes, for every vehicle that's on the road, and every vehicle of this customer of ours, since 2017, has included that capability. So now we're talking about an additional millions and millions of units coming online, as those cars are sold and distributed, and used by customers.
That sensor data is critical to the customer, and they cannot let that be exfilled in the clear. So they protect that data with SecureData, and we have a great track record of being able to meet a variety of different unique requirements, whether it's IoT, whether it's web-based apps, e-commerce, healthcare, all kinds of different industries. We would love to help move the conversations forward, and we do find that it's really a three-party discussion: the customer, SecureData experts in some cases, and the Vertica team. We have great enablement within the Vertica team, to be able to explain and present our SecureData solution to you. But we also have that other ability to add other experts in, to keep that conversation going into a broader perspective, of how can I protect my data across all my platforms, not just in Vertica. I want to give a shout out to our friends at Vertica Academy. They're building out great demo and training facilities, to be able to help you learn more about these UDx's, and how they're implemented. The Academy is a terrific reference and resource for your teams, to be able to learn more about the solution in a self-guided way, and then we'd love to have your feedback on that. How can we help you more? What are the topics you'd like to learn more about? How can we look to the future, in protecting unstructured data? How can we look to the future, of being able to protect data at scale? What are the requirements that we need to be meeting? Help us through the learning processes, and through feedback to the team, get better, and then we'll help you deliver more solutions out to those endpoints and protect that data, so that we're not having data breach, we're not having regulatory compliance concerns. And then lastly, learn more about the UDx. I mentioned that all of our content there is online and available to the public. So vertica.com/secureData , you're going to be able to walk through the basics of the UDx.
You're going to see how simple it is to set up, what the UDx syntax looks like, how to grant access to it, and then you'll start to be able to figure out, hey, how can I start to put this into a POC in my own environment? Like I mentioned before, we have a publicly available hosted appliance, for demo purposes, that we can make available to you, if you want to POC this. Reach out to us. Let's get a conversation going, and we'll get you the address and get you some instructions, we can have a quick enablement session. We really want to make this accessible to you, and help demystify the concept of encryption, because when you see it as a developer, and you start to get your hands on it and put it to use, you can very quickly see, huh, I could use this in a variety of different cases, and I could use this to protect my data, without impacting my analytics. Those are some of the really big concerns that folks have, and once we start to get through that learning process, and playing around with it in a POC way, then we can start to really put it to practice into production, to say, with confidence, we're going to move forward toward data encryption, and have a very good result at the end of the day. This is one of the things I find with customers that's really interesting. Their biggest stress is not around the timeframe or the resource, it's really around, this is my data, I have been working on collecting this data, and making it available in a very high quality way, for many years. This is my job and I'm responsible for this data, and now you're telling me you're going to encrypt that data? It makes me nervous, and that's common, everybody feels that. So we want to have that conversation, and that sort of trial and error process to say, hey, let's get your feet wet with it, and see how you like it in a sandbox environment.
Let's now take that into analytics, and take a look at how we can make this go for a quick 1.0 release, and let's then take a look at future expansions to that, where we start adding Kafka on the ingest side. We start sending data off into other machine learning and analytics platforms that we might want to utilize outside of Vertica, for certain purposes, in certain industries. Let's take a look at those use cases together, and through that journey, we can really chart a path toward the future, where we can really help you protect that data, at rest, in use, and keep you safe from both the hackers and the regulators, and that, I think, at the end of the day, is really what it's all about, in terms of protecting our data within Vertica. We're going to have a couple of minutes for Q&A, and we would encourage you to have any questions here, and we'd love to follow up with you more, about any questions you might have about Vertica plus Voltage SecureData. Thank you very much for your time today.
Wendy Pfeiffer, Nutanix | Qualys Security Conference 2019
>> From Las Vegas, it's theCube, covering Qualys Security Conference 2019, by Qualys. >> Hey, welcome back, everybody. Jeff Frick here with theCube. We're at the Bellagio in Las Vegas. It's actually raining outside, which is pretty odd, but the desert is happy. We're here at the Qualys Security Conference. It's been going on for 19 years. It's our first time here. We're excited to be here, but we've got a really familiar guest on. She's been on a number of times at Nutanix Next conferences and Girls Who Code conferences, et cetera. So we're happy to have back Wendy Pfeiffer. She's the CIO of Nutanix and, as of August, early this year, a board member for Qualys. So great to see you. >> Nice to see you again, too. So it's raining outside. I'll have to get out. >> I know, it's pretty, uh, pretty cool, actually. It was cool coming in on the plane. But let's jump into it a little bit from your CIO role. We're talking a lot about security, and the age-old thing came up in the keynote. You know, there's companies that have been hacked, and then there's companies that have been hacked and don't know it yet, but we're introducing a third type of company here, is one of the themes, which is that you actually can prevent, you know, not necessarily getting hacked, but kind of the damage and destruction and the duration once people get in. I'm just curious, from your CIO hat, how do you look at this problem? The space is evolving so quickly. How do you kind of organize your thoughts around it? >> Yeah, for me, first of all, um, it starts with good architecture. So whether it's our own products running or third-party products running, we need to ensure that those products are architected for resilience. And that third kind of company, the resilient company, is one that has built in architecture and a set of tools and services that are focused on knowing that we will be hacked. But how can we minimize or even eliminate the damage from those hacks?
And in this case, having the ability to detect those hacks when they're incoming and to stop them autonomously is the key to Qualys's play and the key to what I do as CIO at Nutanix. >> Right. So one of the other things that keeps coming up here is kind of a budget allocation to security within the CIO budget. And I think Mr Clark said that, you know, if you're doing 3% or less, you're losing, and you've got to be spending at least 8%. But I'm curious, because to me it is kind of like an insurance story. How much do you spend? How much do you allocate? Because potentially the downside is enormous. But you can't spend 100% of your budget just on security. So how do you think about kind of allocating budget as a percentage of spend versus the risk? >> Well, I love that question. That's part of the art of being a CIO, a CISO. You know, first of all, we have a mixed portfolio of opportunities to spend, to hold, to divest at any one time, and IT portfolio management has been around for 30 years, 40 years, almost as long as some of the people that I know. However, um, we always have that choice, right? We're aware of risk, and then we have the ability to spend. Now, of course, perfect security is to not operate at all. But that's about, that's, you know, swinging too far the wrong way. And then we also have that ability, maybe, to not protect against anything and just take out a big old cybersecurity policy. And whereas that policy might help us with lawsuits, it wouldn't necessarily help us with ongoing operations. And so it's somewhere in the middle, and I liked some of the statistics that they shared today. One of the big ones for me was that companies that tend to build resilient worlds of cybersecurity tend to spend about 10% of their total IT operating budgets on cybersecurity. That makes sense to me, and that reflects my track record at Nutanix and elsewhere, roughly in that amount of spending.
Now, you know, checking the box and saying, well, we're spending 10% on cybersecurity doesn't really buy us that much, and also we have to think about how we're defining that spend on cybersecurity. Part of that spend is in building resilient architectures and building resilient code. And, uh, that's sort of a dual-purpose spend, because that also makes for performant code, it makes for scalable, supportable code, et cetera. So, you know, we can do well by doing good in this case. >> So again, just to stay on that theme for a minute, Wendy. So when you walk the floor at RSA, and there's 50,000 people and I don't even know how many vendors, and I imagine even your IT portfolio now around security is probably tens of products, if not hundreds, and certainly tens of vendors. Again, how do you kind of approach it? Do you have trusted advisors around certain point solutions? Are you leveraging, you know, system integrators or other types of specialists to help you kind of sort through and get some clarity around this just kind of mess? >> Well, all of us actually are looking for that magic discernment algorithm. Wouldn't it be great if you could just walk up to a vendor and apply the algorithm? And aha, there's one who's fantastic. We don't have that, and so we've got a lot of layers of ingest. I try to leave room in my portfolio for stealth and emerging technologies, because generally the more modern the technology is, the more it's keeping pace with the hackers out there and the bad guys out there. Um, we do have sort of that middle layer that surrounds the ability for us to operate at scale, because we also have to operate these technologies. Even the most cutting-edge technologies sometimes lack some of the abilities for us to ingest them into our operations. And then there's sort of the tried and true bedrock that hopefully is built into products we consume, everything from public cloud services to, uh, you know, hardware and so on.
And so there's this range of choices. What we have to do ultimately is we use that lens of operations and operational capability. And first of all, we also ensure that anything we ingest meets our design standards, and our design standards include some things that I think are fascinating. I won't go into too much detail, because I know how much you love this detail. But, you know, things like, are the APIs open? What does integration look like? What does the interaction design look like? And so those things matter, right? Ultimately, we have to be able to consume the data from those things, and then they have to work with our automation, our machine learning tools. Today at Nutanix, for example, you know, we'd like to... I'm happy to say we catch, you know, most if not all of any of the threats against us, and we deal with well over 95% of them autonomously. And so we're a living example of that resilient organization that is, of course, being attacked, but at the same time hopefully responding in a resilient way. We're not perfect, knock on wood, but we're actively engaged. >> So shifting gears a little bit now to your board hat, which again, congratulations. I'm curious, you know, your perspective on kind of breaking through the clutter from the board seat. Company's been doing this for 19 years. Still relatively small company. But, you know, Philippe talked a lot about kind of company. Percy's me industry security initiatives that have to go through what are some of the challenges and opportunities you see sitting at the board seat instead of down in the nitty-gritty down at the CIO. >> Well, first of all, um, Qualys is financially a well-run, responsible organization, and one of Philippe and the leadership team's goals has always been to operate profitably and to have that hedge. And so what that means is that as consumers, we can count on the longevity of the organization and the company's ability to execute on its road map.
It's the road map that I think is particularly attractive about Qualys. You know, I am who I am. I'm an operator. I'm a technologist. And so although I'm a board member and I care about all dimensions of the company, the most attractive component is that this road map and those 19 years of execution are now coming to fruition at exactly the right time for those of us who need these tools and these technologies to operate. This is a different kind of platform, and it's instrumented with machine learning, with AI, at a time when the attackers and the attacks are instrumented that way as well. As you mentioned, we have a lot of noise in the market today, and these point solutions, they're going to be around for a while, right? We operate a messy and complex and wonderful ecosystem. But at the same time, the more that we can streamline, simplify and sort of raise that bar, and the more we can depend on the collected data from all of these point tools to instrument our automated responses, the better off we'll be. And so this is, ah, a platform whose time has come, and as we see all of the road map items sort of coming to fruition, it's really, really exciting. And it's, you know, just speaking for a moment as someone who's been a leader in various technology companies in the security and, you know, technology space for some time, one of the most disappointing things about many technology startups is that they don't build in that business strength to have enough longevity and have enough of a hedge to execute on that brilliant vision. And so many brilliant ideas have just not seen the light of day because of a failure to execute. In this case, we have a company with a track record of execution that's monetized the build-out of the platform, and now also these game-changing technologies are coming to fruition. It's really, really exciting to be a part of it. >> So Wendy, you've mentioned AI, machine learning. Probably get checked.
The transfer of a number of times 85 times is this interview. So it's really interesting, you know, kind of, there's always a lot of chatter in the marketplace. But you talked about so many threats coming in and we heard about Mickey noticed. Not really for somebody sitting in front of a screen anymore to pay attention to this stuff. So when you look at the opportunity of machine learning and artificial intelligence and how that's going to change the role of the CIO, and specifically in security, I wonder if you can share your thoughts on what that opens up. >> Absolutely. So there's kind of two streams here I'd love to talk about. The first is that we've had this concern, as we've moved to public cloud in IT, that IT people would be left behind. But in fact, after sort of a little DevOps blip where non-IT people were writing code that was then consumed by enterprises, we're now seeing the growth of IT again, and what this relates to is this. In the past, when we wanted to deploy something in public cloud, we had to be able to compose and express infrastructure as code. And, um, folks who are great at infrastructure are actually pretty lousy at writing code, and so that was a challenge. But today we have low-code and no-code tools, things like Workato, for example, that my team uses, that allow us to express the operational processes that we follow, sort of the best practices and the accumulated knowledge of these IT professionals. And then we turn the machine on that inefficient code, and the machine improves and refines the code. So now, adding machine learning to the mix enables us to have these IT professionals who know more than you'd ever imagine about storage and compute and scaling and data and cybersecurity and so on. And they're able to transform that knowledge into code that a machine can read, refine and execute against. And so we're seeing this leap forward in terms of the ability of some of these tools
to transform how we address the scale and the scope and the complexity of these challenges. And so on the one side, I think there's new opportunity for IT professionals and for those who have that operational expertise to thrive because of these tools. On the other side, there's also the opportunity for the bad guys in the cyberspace, um, to also engage with the use of these tools. And so the use of these tools at sort of a baseline level isn't enough. Now we need to train the systems, and the systems need to be responsive, performant, resilient. And also, they need to have the ability to be augmented by, to be integrated with these tools. And so suddenly we go from having this utopian AI future where, you know, the good-looking male or female robot, you know, is the nanny for our kids, um, to something much more practical that's already in place, which is that the machine itself, the computer itself, is refining and augmenting the things that human beings are doing and therefore able to be, first of all, more responsive, more performant, but also to do that layer of work that is not unique to human discernment. >> Right. We hear that over and over, because the press loves to jump on the general AI. I think it's much more fun to show robots than, really, the applied AI, which is lots of, just kind of like DevOps, lots of little improvements. Yeah, lots of little places. >> Exactly. Exactly. You know, I mean, I kind of like the stories of our robot overlords, you know, taking over too. But the fact is, at the end of the day, these machines, it's just math. It's just mathematics. That's all it is. It's compute. >> So Wendy, before I let you go, I want to touch on women in tech. You know, you're a huge proponent of women in tech. You're very active on lots of boards, and you're with Adriana on the Girls in Tech board, where we last sat down. Um, and you're making moves now. Obviously, you've already got a C title.
Now you're doing more board work. I just wonder if you can kind of share your thoughts on how this kind of movement is progressing. It seems to have a lot of weight behind it, but I don't know if the numbers are really reflecting that, but you're on the front lines. What can you share? You know, you're trying to help women. That's much getting into tech. But to stay in tech, I think, is what most of the stats talk about. >> Yeah, I've got a lot of thoughts on this. I think I'll try to bring all the vectors together. So I recently was awarded CIO of the Year by the Fisher Center for Data and Analytics, and thank you very much. And the focus there is on inclusive analytics and inclusive AI. And I think this is sort of a story that makes the point. So if we think about all of the data that is training these technology tools and systems, um, and we think about the people who are creating these systems and the leaders who are building these systems and so on, for the most part, the groups of people who are working on these things, technologists, particularly in Silicon Valley, they're not a diverse set of people. They're mostly male. They're overwhelmingly male. Many are from just a handful of, um, you know, countries and groups, right? It's mainly, you know, Caucasian males, Indian males and Asian males. And because of that, um, this lack of diverse thinking and diverse development is being reflected in the tools in ways that eventually will build barriers for folks who don't share those characteristics. As an example, natural language processing tooling is trained by non-diverse data sets, and so we have challenges with that. For example, people who are older speak a little bit more slowly and have different inflections in general on how they speak. And the voice recognition tools don't recognize them as often. People who have heavy accents, for example, are just not recognized.
Yes, you know, I always have a phone, um, and this is my iPhone, and I have had an iPhone for 10 years. Siri, my, you know, helpful agent, has been on the phone in all those years. And in all of those years, um, I have had a daughter named Holly, H-O-L-L-Y. And every time that I speak to, I dictate to Siri to send a message and I use my daughter's name, Holly, Siri always responds with the spelling H-O-L-I, the Hindu holiday. Now, in 10 years, Siri has never learned that when I say Holly, I most likely mean my daughter. >> Was in the context of the sentence. >> Exactly. Never, ever, ever. Because, you know, Siri is an AI, if you will, that was built without allowing for true user input through training at the point of conversation. And so that's it. That's bad architecture. There's a lot of other challenges with that architecture that reflect on cybersecurity and so on. One tiny example. But I think that, um, now more than ever, we need diverse voices in the mix. We need diverse training data. We need, you know, folks who have different perspectives and who understand different interaction design to be not only as tech entrepreneurs, builders and leaders of companies like, you know, Girls in Tech supports educating women, supporting women entrepreneurs. I'm also on the board of another group called Tech Wald. That's all about bringing US combat veterans into the technology workforce. There's another diverse group of people who again can have a voice in this technology space. There are organizations that I work with that go into the refugee, the permanent refugee camps and find technically qualified folks who can actually build some of this training data for, ah, you know, analytics and AI. We need much, much more of that. So, you know, my heart is full of the opportunity for this.
My head's on fire, you know, and just trying to figure out how can we get the attention of technology companies, of government leaders, before it's too late. Our training data sets are growing exponentially year over year, and they're being built in a way that doesn't reflect the potential usage. I was actually thinking about this the other day. I had an elderly neighbor who, ah, spoke with me about how excited he was that he no longer could drive. He wasn't excited about that. He no longer could drive. He couldn't see very well and couldn't operate a car. And he was looking forward to autonomous vehicles because he was gonna have mobility and freedom again. Right? Um, but he had asked me to help him to set up something that he had on his computer, and it was actually on his phone. But there were voice commands, but it didn't understand him. He was frustrated. So he said, "Could you help me?" And I thought, man, if his mobile phone doesn't understand him, how's the autonomous vehicle going to understand him? So the very population who needs these technologies the most will be left out. Another digital divide. And, um, now is the moment, while these tools and technologies are being developed. A word about Qualys. You know, when I was recruited for the board, um, you know, they already had 50/50 gender parity on the board. It wasn't even a thing in my interviews. We didn't talk about the fact that I am female at all. We talked about the fact that I'm an operator, that I'm a technologist. And so, um, you know, that divide, it was already conquered on Qualys's board. That's so not true for many, many other organizations and leadership teams, particularly in California, Silicon Valley. And so I think there's a great opportunity for us to make a difference.
First of all, people like me who have made it, you know, by representing ourselves, and then people of every gender, every color, every ethnicity, immigrants, et cetera, um, need to, I'm begging you guys, stick with it, stay engaged, don't let the mean people, the naysayers, force you to drop out. Um, you know, reconnect with your original values and stay strong, because that's what it's gonna take. >> It's a great message. And thank you for your passion and all your hard work in the space. And today, it drives better outcomes; it's not only the right thing to do and a good thing to do, it actually drives better outcomes. >> We see that. >> All right, Wendy, again, always great to catch up. And congratulations on the award and the board seat, and look forward to seeing you next time. Thank you. All right, she's Wendy, I'm Jeff. You're watching theCube at the Qualys Security Conference at the Bellagio in Las Vegas. Thanks for watching. We'll see you next time.