Breaking Analysis: Tectonic Shifts Power Cloud, IAM & Endpoint Security
From theCUBE Studios in Palo Alto and Boston, bringing you data-driven insights from theCUBE and ETR, this is Breaking Analysis with Dave Vellante.

Over the past 150 days, virtually everybody that I know in the technology industry has become an expert on COVID in some way, shape or form. We've all lived the reality that COVID-19 has accelerated, by at least two years, many trends that were in motion well before the virus hit. The cyber security sector is no exception, and one of the best examples where we have witnessed the accelerated change.

Hello everyone, and welcome to this week's episode of Wikibon CUBE Insights, powered by ETR. In this Breaking Analysis, we'll update you on the all-important security sector, which remains one of the top spending priorities for organizations. And I want to give you a shout out to my colleague Eric Bradley from ETR, who gave me some really good data and some macro insights, as well as some anecdotal data from CSOs, for this episode.

Let's take a look at the big picture first. Now, for many years we've talked about the shifting patterns in networking, moving from what's often referred to as a north-south architecture, meaning a hierarchical network that supports, you know, age-old organizational structures. Well, today the network is flattening into what they often refer to as an east-west model, and the moat, or perimeter, it's been vaporized. The perimeter is now wherever the user is, and users are at home, or they're at their beach houses, thanks to COVID. Now, this is a bad actor's dream, as the threat surface has expanded by orders of magnitude. And as we've said in the past, the adversary is well funded, extremely capable and highly motivated, because the ROI of infiltration and exfiltration is outstanding. The CSO's job, quite simply stated, is to lower that return on investment.

Now, the other big trend that we see is that the cloud and SaaS are reducing reliance on hardware-based solutions like traditional firewalls. Because so many workers are now at home, they're in their accessing sensitive data, identity and endpoint security are exploding. XDR, or extended detection and response, and zero trust networks are on the rise. Organizations are increasingly relying on analytics and automation to detect and remediate threats. You know, alerts just don't cut it anymore; I need action. And so to do so, they're turning to a number of best-of-breed point products that have the potential to become the next great security platforms. And this is setting up an epic battle between hot startups that are growing very, very quickly and entrenched incumbents that really aren't going to go down without a fight.

Finally, while security is clearly a top spending priority, customers and their CFOs continue to be somewhat circumspect with respect to how much they allocate toward security budgets, especially in the context of a shrinking IT spending climate that we have said is dropping between five and eight percent in 2020. Now, security is critical, but even in these times spending is governed by these tight budgets.

Well, cyber remains a top category in the ETR taxonomy in terms of its presence in the data set. What this chart tells us is that CIOs and IT buyers have other priorities that they have to fund. This data shows a comparison of net scores over three survey dates: October of last year, April and July. Net score, remember, is an indicator of momentum, which is calculated by subtracting the percent of customers spending less on the technology from those spending more. It's more complicated than that, but that's the basics. And you can see that at a 29 net score, the security sector is just one of many priorities that IT buyers face. Now remember, this is the July survey, and it's asking customers, are you planning to spend more or less in the second half of 2020 relative to the first half? And it's a forward-looking metric. So what may be happening here is that the height of the lockdown, and in the U.S. anyway, and the pivot to work from home, organizations were spending heavily and are now fine-tuning those investments and maybe addressing other digital priorities.

Let's look back and do some pre- and post-COVID assessments of various players within the ETR data set. I'm gonna go fairly quickly through these next slides, but I want to give you a perspective as to how the security landscape and the vendor momentum has changed in the past eight months. First, I'm going to take you back to the January data set. We actually originally did this exercise last year, and then we updated it right at the beginning of 2020. The chart shows the top-ranked cyber security companies based on two metrics. The left-hand side sorts the data and ranks companies based on net score, or spending momentum, and the right-hand side shows the ranking by Shared N, which is a measure of the pervasiveness of a company in the data set, i.e. the number of mentions that they get in the sector. And what we did is we gave four stars to those companies that showed up in the top of both of those rankings, and two stars to those that were close. So you can see that Microsoft, Splunk, Palo Alto and Proofpoint, as well as Okta and CrowdStrike, and then we added Zscaler in January as new, and then CyberArk Software, all got four stars. Then we gave Cisco and Fortinet two stars.

Now, this next chart shows the same thing at the height of the U.S. lockdown. Now, you may say, okay, what's the difference? There's still Microsoft, Palo Alto, Proofpoint, Okta, CyberArk, Zscaler and CrowdStrike at four stars, with Cisco and Fortinet having two stars. Splunk fell off, but that's it. Well, what's different is, instead of making the cut the top 22, which we did last time, we narrowed it down to the top ten in order for a company to make that grade. So if we had done that in January, Okta, CrowdStrike, Zscaler and CyberArk, they wouldn't have made the cut. But in April they did, as their presence in the data set grew. And we strongly believe this is a direct result of the work-from-home pivot: CrowdStrike, endpoint; Okta, identity access management; Zscaler, cloud security, and they're disrupting traditional appliance-based firewalls. Now, just to note, we placed Dell EMC, which was RSA, and IBM in the list just for context.

Now let's take a look at the most recent July survey. Now, a lot of, I'm out on a limb a little bit here, because many of these companies, they haven't reported yet, so we don't have full visibility on their business outlook. But we show the same data for the most recent survey. The red line that you see there is the top 10 cutoff point, and you can see Splunk, which didn't make the cut in April, is back on the four-star list. It's very possible buyers took a pause last quarter and focused attention on work from home. But Splunk continues to impress as it shifts toward the subscription model that we've talked about in the past. Splunk has a very strong hold on the SIEM space, but everyone wants a piece of Splunk, especially some of the traditional firewall companies, who, they're seeing their hardware business dying. So we're watching the competition from these players, but also some other players like Tenable. Now, Proofpoint fell off the four-star list because its net score didn't make the top ten. CrowdStrike, CyberArk and Zscaler also fell back because they dropped below the top 10 in Shared N. But we still really like these companies and expect them to continue to do well. You know, it could be some anomalies in the survey, but we're trying to be as transparent as possible with you: share the data, listen to it, interpret it, and really adjust our models accordingly each quarter.

Now let me make a few points and try to interpret what might be happening here. First, I want to point out Okta pops to the top of the net score ranking, overtaking CrowdStrike's momentum from the last survey. Now, one customer in the financial services sector told Eric Bradley on a recent VENN, we're seeing amazing things from Okta, but the traditional firewall companies are stepping into identity. They may not be best of breed, but they have a level of integration, and that's appealing to this individual. This person also specifically called out Palo Alto and Fortinet as trying to encroach on that space, so keep your eyes on that. Now, CrowdStrike has declined noticeably, which surprised us. Zscaler is actually showing more momentum relative to the last survey, so that's a positive. Palo Alto and Microsoft are consistently holding serve and continue to be leaders. Proofpoint and CyberArk are showing a bit of a velocity drop, and SailPoint and Tenable are also catching our attention in this survey. And of course SailPoint, which is identity management, had a great quarter and reinstituted its guidance, giving us the benefit of hindsight on its performance, so it was actually pretty easy to give them two stars. Now, just a side note: by the way, we've cut the data here with those companies that have more than 50 mentions in the sector. We didn't do that the first time we did this; we allowed companies with less than 50. So we're trying to tighten that up a bit.

So we still maintain strongly that you're seeing cloud, endpoint and identity as the big security themes here. CSOs need tools to be responsive. They don't want to just get an alert. SecOps pros would rather immediately shut off access and risk pissing off a user than getting hacked. And companies are increasingly turning to AI to detect, and they're relying on automation to remediate or protect and fence off critical resources.

Let's now look at the two players, or players in our two-dimensional view. Followers of this program know that we like to plot vendors within a sector across two of our favorite metrics: net score, or spending momentum, which is a simple metric that tracks those spending more versus less on the technology, and market share, which measures a vendor's pervasiveness in the data set, and it's calculated by taking the number of mentions a vendor gets within a sector divided by the total responses. What we show here are the key security players that we've highlighted over the last several quarters.

Let me start with Microsoft. Microsoft has consistently performed well in the security sector, as well as other parts of the ETR taxonomy. As you know, they have a huge presence in the survey, which is indicated on the horizontal axis, and you can see they have a very solid net score, which is shown on the y-axis. Impressive for a company their size. Now, one interesting thing is you don't see AWS in this chart, and it's because AWS and Microsoft, at least so far, have somewhat different strategies with respect to security. Microsoft, with its long application software history and SaaS presence across Office 365 and SharePoint, etc., with Active Directory, has been really focused on selling security solutions to directly protect its apps. They have offerings like Defender ATP, which is Advanced Threat Protection, Sentinel, which is Microsoft SIEM cloud offering, Azure identity access management, and the company's really going hard after this space.

Now, AWS of course prioritizes security, but they don't show in the ETR data set the same way Microsoft does. It's almost like AWS is hiding in plain sight. Look, AWS has always put a great deal of emphasis on security and securing its infrastructure, like the S3 buckets, and it's, you know, it announced IAM for EC2 way back in 2012. And last year at its re:Inforce conference, you saw an impressive focus on security in a burgeoning security ecosystem. In fact, when you think of getting started in AWS, you really think about three things: EC2, S3 and IAM. So I'd expect to see AWS really become more prominent over time in the data set.

Now I'll spend a minute talking about Okta. For the first time since we've been analyzing the security space with ETR data, Okta has the highest net score, at 58 percent. It had consistently been CrowdStrike with this moniker and the momentum lead. The company, though, has dropped in this quarter's survey, and that's something that we're watching. And by the way, we're not implying that Okta and CrowdStrike are direct competitors; they're not. Now, as you can see, nonetheless, that CrowdStrike, Zscaler and SailPoint show very elevated net scores, and we've plotted Tenable here, which is also showing some strength. So you can see the respective positions of Proofpoint and Fortinet. These are more mature companies; they were founded in the early part of the century, so you'd expect them to have somewhat lower net scores given their history and maturity. And then there's Cisco. They've got a huge presence in the data and big in security. Cisco's doing really well in that space. It consistently grows its security business in the double digits each quarter, and it's a real feather in the Cisco portfolio cap. This is important because Cisco's traditional hardware business continues to come under pressure. Splunk we talked about a lot, and it's no surprise at their leadership position.

But I want to talk a little bit more about Palo Alto Networks. Here's a company that we've talked about quite a bit in the past. They are a tier one player in security. They got great service. CSOs want to work with them because they are thought leaders. They're like a gold standard and have an impressive portfolio of great solutions, but their traditional firewall business is coming under pressure for the reasons that we discussed earlier. Now, Palo Alto has expanded its portfolio into the cloud, and with Prisma, the company's suite of security services, it will maintain a leadership position, in our view. But Palo Alto Networks, as we've discussed, had some missteps with its product transition, its sales execution, and some challenges with its pricing models, and it hurt their stock price. But we've always said that they would work through these issues and that that was a buying opportunity. The other thing about Palo Alto is, you know, they're considered the expensive choice. You got to pay for that gold standard, but that's what customers, you know, will tell us, and so you're paying up for those top-tier offerings. But that's a sort of two-edged sword for Palo Alto. Here's an example why: people often compare Fortinet to Palo Alto, and as we've shared in previous segments, the valuation divergence between Palo Alto and Fortinet, where the latter was making a smoother transition to its future. And people often tell us that Fortinet, well, you know, maybe it's considered not as elite as Palo Alto, they are a value choice. Their stuff just works, and Fortinet is a great alternative to Palo Alto, and that has served them very well.

Now let's take a closer look at the valuations of some of these companies. We started off this segment by saying that the pandemic has affected every sector, and especially cyber security. So the next chart that we're showing here is the progression of key valuation metrics since earlier this year. What we show are the valuations of nine of the companies in the sector since mid-February. The data tracks their respective valuations, their revenue multiples, their growth rates in both value and revenue. Revenue growth is shown in the last column for the most recent quarterly report. Now, the companies in red have yet to report; they report any day now. So, he said, I'm flying a little bit blind here, and we'll have to take a look after the earnings to see how the survey data aligns with the actual results.

But let me make a few points here. First, here's the S&P and NASDAQ performance. You see it in February, in June and August. Pandemic? Recession? What are you talking about? You'd never know it looking at this data. The NASDAQ especially is up 14 percent since mid-February, which is quite astounding. Next, I want to come back to the discussion about Palo Alto and Fortinet. Fortinet already has reported this quarter and Palo Alto has not, but you can see, based on the revenue multiples highlighted in red, that the valuation divergence is starting to shrink a little bit, and we'll see if that holds up after Palo Alto reports. Now, the big eye-popper in this chart is the valuation increases from February to August for Okta, CrowdStrike and Zscaler: 52, 67 and 104 percent increase, respectively. Now, you can't say we didn't warn you that these companies were all well positioned when we reported last year and in our January episode. But I did say, actually, to be honest, in the last episode that these three I thought were getting a little expensive. That was a couple months ago, and since then they've continued to run up. So if you've been waiting for an entry point based on my advice, well, I'm sorry for that. But look at the revenue multiples; look at the expansion in the orange. Okta goes from 34x to 52x, CrowdStrike from 39x to 66x, Zscaler 25x to 43x. I mean, wow. Let's see what happens after these three report. By this time I would have hoped that they'd taken a little breather, maybe over the summer, and you could have jumped in to these stocks, but they just keep going up. And despite the decline in net score for CrowdStrike, I still really like all three of these companies and feel that they're very well positioned from a product standpoint and customer feedback perspective.

And finally, I want to mention SailPoint, which we said last time was one to watch. SailPoint crushed its quarter, bringing in some large deals and providing forward guidance. Nearly a 50 percent valuation increase since February, in a revenue multiple expansion from last quarter, where the Street last quarter wasn't really thrilled with their numbers. But identity management is hot, and so now is SailPoint from the Street's perspective. The last thing I'll say here is watch the growth rates. Expectations are very high for some of these companies, and the Street will cream any of them that misses. Now, that may be your opportunity to jump in, because I like these companies. I think they're disruptors. But as always, do your research, and watch out for the big whales trying to freeze the markets on these guys.

All right, let's wrap up. We've covered a lot of ground today and surfed the landscape a little bit. So look, the trend is plain as day. The move to SaaS is entrenched, and by the way, this isn't necessarily all good news for buyers. CIOs and CFOs tell me that the dark side of capex to opex is unpredictable bills, but the flexibility and business value gained is outweighing the downside. And every vendor in this space is transitioning into a SaaS and annual recurring revenue model. We believe the remote work trend is here to stay. Organizations are re-architecting their business around work from home, and we think that they're seeing some real benefits. They've made investments, and it's driving new modes of work and productivity. They're not just going to throw away those investments. Why should they? What, just to go back to the old way? It's not going to happen. And if we, as we've said previously, look, the internet, it's like the new private network. So you've got to question VPNs and SD-WAN; they start to look like stopgaps. And of course, you know, the cloud, endpoint security, cloud-based IAM, they are clearly winning in the marketplace.

You know, we're also seeing new security regimes emerge, where the CSO and the SecOps team are not this island. We've seen even some CSOs falling back under the CIO, which used to be taboo. It used to be thought of, that's like the fox guarding the hen house. But this idea of shared responsibility is not just between the cloud providers and the SecOps teams. Because security is a board-level priority, everyone in the business is becoming more aware, more attuned, and despite the millennials' fascination with and undaunted courage when it comes to TikTok, I digress.

Now, the last two points are interesting. I remember reading a post by Jon Oltsik, who was an ESG security analyst, and he predicted last year that integrated suites would win out over the buffet of point products on the market. And you know, generally I agreed with that assessment. But look, at least in the near term, and probably mid-term, that doesn't seem to be happening, as we've seen these hot companies really take off, the ones that we've highlighted. Now, these companies have ambitions beyond selling products, and they would bristle at me lumping them into point products. Their boards are going after platform plays, so they're on a collision course with each other and the big guys. This should be fun to watch, because the big integrated companies are well funded. They got great cash flow, they got large customer bases, and I've said they're not going down without a fight. So I would expect eventually there's going to be more of an equilibrium to what seems to be right now a bifurcated and unbalanced market today. So you're going to see more M&A activity; expect that. However, at these valuations, some of these companies that we've highlighted, they're becoming acquisition proof. As such, they'd better keep innovating or they're going to be in big trouble.

All right, that's it for today. Remember, these episodes are all available as podcasts wherever you listen, so please subscribe. I publish weekly on wikibon.com. We've added in the Wikibon menu bar a Breaking Analysis link that has all the episodes in there. I also publish on siliconangle.com, so check that out, and please do comment on my LinkedIn posts. Don't forget to check out etr.plus for all the survey action. Get in touch on Twitter, I'm @dvellante, or email me at david.vellante@siliconangle.com. This is Dave Vellante for theCUBE Insights, powered by ETR. Thanks for watching, everybody. Be well, and we'll see you next time.
theCUBE's New Analyst Talks Cloud & DevOps
(light music) >> Hi everybody. Welcome to this Cube Conversation. I'm really pleased to announce a collaboration with Rob Strechay. He's a guest cube analyst, and we'll be working together to extract the signal from the noise. Rob is a long-time product pro, working at a number of firms including AWS, HP, HPE, NetApp, Snowplow. I did a stint as an analyst at Enterprise Strategy Group. Rob, good to see you. Thanks for coming into our Marlboro Studios. >> Well, thank you for having me. It's always great to be here. >> I'm really excited about working with you. We've known each other for a long time. You've been in the Cube a bunch. You know, you're in between gigs, and I think we can have a lot of fun together. Covering events, covering trends. So. let's get into it. What's happening out there? We're sort of exited the isolation economy. Things were booming. Now, everybody's tapping the brakes. From your standpoint, what are you seeing out there? >> Yeah. I'm seeing that people are really looking how to get more out of their data. How they're bringing things together, how they're looking at the costs of Cloud, and understanding how are they building out their SaaS applications. And understanding that when they go in and actually start to use Cloud, it's not only just using the base services anymore. They're looking at, how do I use these platforms as a service? Some are easier than others, and they're trying to understand, how do I get more value out of that relationship with the Cloud? They're also consolidating the number of Clouds that they have, I would say to try to better optimize their spend, and getting better pricing for that matter. >> Are you seeing people unhook Clouds, or just reduce maybe certain Cloud activities and going maybe instead of 60/40 going 90/10? >> Correct. It's more like the 90/10 type of rule where they're starting to say, Hey I'm not going to get rid of Azure or AWS or Google. 
I'm going to move a portion of this over that I was using on this one service. Maybe I got a great two-year contract to start with on this platform as a service or a database as a service. I'm going to unhook from that and maybe go with an independent. Maybe with something like a Snowflake or a Databricks on top of another Cloud, so that I can consolidate down. But it also gives them more flexibility as well. >> In our last breaking analysis, Rob, we identified six factors that were reducing Cloud consumption. There were factors and customer tactics. And I want to get your take on this. So, some of the factors really, you got fewer mortgage originations. FinTech, obviously big Cloud user. Crypto, not as much activity there. Lower ad spending means less Cloud. And then one of 'em, which you kind of disagreed with was less, less analytics, you know, fewer... Less frequency of calculations. I'll come back to that. But then optimizing compute using Graviton or AMD instances moving to cheaper storage tiers. That of course makes sense. And then optimize pricing plans. Maybe going from On Demand, you know, to, you know, instead of pay by the drink, buy in volume. Okay. So, first of all, do those make sense to you with the exception? We'll come back and talk about the analytics piece. Is that what you're seeing from customers? >> Yeah, I think so. I think that was pretty much dead on with what I'm seeing from customers and the ones that I go out and talk to. A lot of times they're trying to really monetize their, you know, understand how their business utilizes these Clouds. And, where their spend is going in those Clouds. Can they use, you know, lower tiers of storage? Do they really need the best processors? Do they need to be using Intel or can they get away with AMD or Graviton 2 or 3? Or do they need to move in? And, I think when you look at all of these Clouds, they always have pricing curves that are arcs from the newest to the oldest stuff. 
And you can play games with that. And understanding how you can actually lower your costs by looking at maybe some of the older generation. Maybe your application was written 10 years ago. You don't necessarily have to be on the best, newest processor for that application per se. >> So last, I want to come back to this whole analytics piece. Last June, I think it was June, Dev Ittycheria, who's the-- I call him Dev. Spelled Dev, pronounced Dave. (chuckles softly) Same pronunciation, different spelling. Dev Ittycheria, CEO of Mongo, on the earnings call. He was getting, you know, hit. Things were starting to get a little less visible in terms of, you know, the outlook. And people were pushing him like... Because you're in the Cloud, is it easier to dial down? And he said, because we're the document database, we support transaction applications. We're less discretionary than say, analytics. Well on the Snowflake earnings call, that same month or the month after, they were all over Slootman and Scarpelli. Oh, the Mongo CEO said that they're less discretionary than analytics. And Snowflake was an interesting comment. They basically said, look, we're the Cloud. You can dial it up, you can dial it down, but the area under the curve over a period of time is going to be the same, because they get their customers to commit. What do you say? You disagreed with the notion that people are running their calculations less frequently. Is that because they're trying to do a better job of targeting customers in near real time? What are you seeing out there? >> Yeah, I think they're moving away from using people and more expensive marketing. Or, they're trying to figure out what's my Google ad spend, what's my Meta ad spend? And what they're trying to do is optimize that spend. So, what is the return on advertising, or the ROAS as they would say. 
And what they're looking to do is understand, okay, I have to collect these analytics that better understand where are these people coming from? How do they get to my site, to my store, to my whatever? And when they're using it, how do they they better move through that? What you're also seeing is that analytics is not only just for kind of the retail or financial services or things like that, but then they're also, you know, using that to make offers in those categories. When you move back to more, you know, take other companies that are building products and SaaS delivered products. They may actually go and use this analytics for making the product better. And one of the big reasons for that is maybe they're dialing back how many product managers they have. And they're looking to be more data driven about how they actually go and build the product out or enhance the product. So maybe they're, you know, an online video service and they want to understand why people are either using or not using the whiteboard inside the product. And they're collecting a lot of that product analytics in a big way so that they can go through that. And they're doing it in a constant manner. This first party type tracking within applications is growing rapidly by customers. >> So, let's talk about who wins in that. So, obviously the Cloud guys, AWS, Google and Azure. I want to come back and unpack that a little bit. Databricks and Snowflake, we reported on our last breaking analysis, it kind of on a collision course. You know, a couple years ago we were thinking, okay, AWS, Snowflake and Databricks, like perfect sandwich. And then of course they started to become more competitive. My sense is they still, you know, compliment each other in the field, right? But, you know, publicly, they've got bigger aspirations, they get big TAMs that they're going after. But it's interesting, the data shows that-- So, Snowflake was off the charts in terms of spending momentum and our EPR surveys. 
Our partner down in New York, they kind of came into line. They're both growing in terms of market presence. Databricks couldn't get to IPO. So, we don't have as much, you know, visibility on their financials. You know, Snowflake obviously highly transparent cause they're a public company. And then you got AWS, Google and Azure. And it seems like AWS appears to be more partner friendly. Microsoft, you know, depends on what market you're in. And Google wants to sell BigQuery. >> Yeah. >> So, what are you seeing in the public Cloud from a data platform perspective? >> Yeah. I think that was pretty astute in what you were talking about there, because I think of the three, Google is definitely I think a little bit behind in how they go to market with their partners. Azure's done a fantastic job of partnering with these companies to understand and even though they may have Synapse as their go-to and where they want people to go to do AI and ML. What they're looking at is, Hey, we're going to also be friendly with Snowflake. We're also going to be friendly with a Databricks. And I think that, Amazon has always been there because that's where the market has been for these developers. So, many, like Databricks' and the Snowflake's have gone there first because, you know, Databricks' case, they built out on top of S3 first. And going and using somebody's object layer other than AWS, was not as simple as you would think it would be. Moving between those. >> So, one of the financial meetups I said meetup, but the... It was either the CEO or the CFO. It was either Slootman or Scarpelli talking at, I don't know, Merrill Lynch or one of the other financial conferences said, I think it was probably their Q3 call. Snowflake said 80% of our business goes through Amazon. And he said to this audience, the next day we got a call from Microsoft. Hey, we got to do more. 
And, we know just from reading the financial statements that Snowflake is getting concessions from Amazon, they're buying in volume, they're renegotiating their contracts. Amazon gets it. You know, lower the price, people buy more. Long term, we're all going to make more money. Microsoft obviously wants to get into that game with Snowflake. They understand the momentum. They said Google, not so much. And I've had customers tell me that they wanted to use Google's AI with Snowflake, but they can't, they got to go to BigQuery. So, honestly, I haven't like vetted that so. But, I think it's true. But nonetheless, it seems like Google's a little less friendly with the data platform providers. What do you think? >> Yeah, I would say so. I think this is a place that Google looks and wants to own. Is that now, are they doing the right things long term? I mean again, you know, you look at Google Analytics being you know, basically outlawed in five countries in the EU because of GDPR concerns, and compliance and governance of data. And I think people are looking at Google and BigQuery in general and saying, is it the best place for me to go? Is it going to be in the right places where I need it? Still, it's still one of the largest used databases out there just because it underpins a number of the Google services. So you almost get, like you were saying, forced into BigQuery sometimes, if you want to use the tech on top. >> You do strategy. >> Yeah. >> Right? You do strategy, you do messaging. Is it the right call by Google? I mean, it's not a-- I criticize Google sometimes. But, I'm not sure it's the wrong call to say, Hey, this is our ace in the hole. >> Yeah. >> We got to get people into BigQuery. Cause, first of all, BigQuery is a solid product. I mean it's Cloud native and it's, you know, by all, it gets high marks. So, why give the competition an advantage? Let's try to force people essentially into what is we think a great product and it is a great product. 
The flip side of that is, they're giving up some potential partner TAM and not treating the ecosystem as well as one of their major competitors. What do you do if you're in that position? >> Yeah, I think that that's a fantastic question. And the question I pose back to the companies I've worked with and worked for is, are you really looking to have vendor lock-in as your key differentiator to your service? And I think when you start to look at these companies that are moving away from BigQuery, moving to even, Databricks on top of GCS in Google, they're looking to say, okay, I can go there if I have to evacuate from GCP and go to another Cloud, I can stay on Databricks as a platform, for instance. So I think it's, people are looking at what platform as a service, database as a service they go and use. Because from a strategic perspective, they don't want that vendor lock-in. >> That's where Supercloud becomes interesting, right? Because, if I can run on Snowflake or Databricks, you know, across Clouds. Even Oracle, you know, they're getting into business with Microsoft. Let's talk about some of the Cloud players. So, the big three have reported. >> Right. >> We saw AWS's Cloud growth decelerated down to 20%, which is I think the lowest growth rate since they started to disclose public numbers. And they said they exited, sorry, they said January they grew at 15%. >> Yeah. >> Year on year. Now, they had some pretty tough compares. But nonetheless, 15%, wow. Azure, kind of mid thirties, and then Google, we had kind of low thirties. But, well behind in terms of size. And Google's losing probably almost $3 billion annually. But, that's not necessarily a bad thing by advocating and investing. What's happening with the Cloud? Is AWS just running into the law of large numbers? Do you think we can actually see a re-acceleration like we have in the past with AWS Cloud? Azure, we predicted is going to be 75% of AWS IaaS revenues. You know, we try to estimate IaaS. >> Yeah. 
>> Even though they don't share that with us. That's a huge milestone. You'd think-- There's some people who have, I think, Bob Evans predicted a while ago that Microsoft would surpass AWS in terms of size. You know, what do you think? >> Yeah, I think that Azure's going to keep to-- Keep growing at a pretty good clip. I think that for Azure, they still have really great account control, even though people like to hate Microsoft. The Microsoft sellers that are out there making those companies successful day after day have really done a good job of being in those accounts and helping people. I was recently over in the UK. And the UK market between AWS and Azure is pretty amazing, how much Azure there is. And it's growing within Europe in general. In the states, it's, you know, I think it's growing well. I think it's still growing, probably not as fast as it is outside the U.S. But, you go down to someplace like Australia, it's also Azure. You hear about Azure all the time. >> Why? Is that just because of the Microsoft's software estate? It's just so convenient. >> I think it has to do with, you know, and you can go with the reasoning they don't break out, you know, Office 365 and all of that out of their numbers is because they have-- They're in all of these accounts because the office suite is so pervasive in there. So, they always have reasons to go back in and, oh by the way, you're on these old SQL licenses. Let us move you up here and we'll be able to-- We'll support you on the old version, you know, with security and all of these things. And be able to move you forward. So, they have a lot of, I guess you could say, levers to stay in those accounts and be interesting. At least as part of the Cloud estate. I think Amazon, you know, is hitting, you know, the large number. Laws of large numbers. 
But I think that they're also going through, and I think this was seen in the layoffs that they were making, that they're looking to understand and have profitability in more of those services that they have. You know, over 350 odd services that they have. And you know, as somebody who went there and helped to start yet a new one, while I was there. And finally, it went to beta back in September, you start to look at the fact that, that number of services, people, their own sellers don't even know all of their services. It's impossible to comprehend and sell that many things. So, I think what they're going through is really looking to rationalize a lot of what they're doing from a services perspective going forward. They're looking to focus on more profitable services and bringing those in. Because right now it's built like a layer cake where you have, you know, S3, EBS and EC2 on the bottom of the layer cake. And then maybe you have, you're using IAM, the authorization and authentication in there and you have all these different services. And then they call it EMR on top. And so, EMR has to pay for that entire layer cake just to go and compete against somebody like Mongo or something like that. So, you start to unwind the costs of that. Whereas Azure, went and they build basically ground up services for the most part. And Google kind of falls somewhere in between in how they build their-- They're a sort of layer cake type effect, but not as many layers I guess you could say. >> I feel like, you know, Amazon's trying to be a platform for the ecosystem. Yes, they have their own products and they're going to sell. And that's going to drive their profitability cause they don't have to split the pie. But, they're taking a piece of-- They're spinning the meter, as Zeus Kerravala likes to say on every time Snowflake or Databricks or Mongo or Atlas is, you know, running on their system. They take a piece of the action. Now, Microsoft does that as well. 
But, you look at Microsoft and security, head-to-head competitors, for example, with a CrowdStrike or an Okta in identity. Whereas, it seems like at least for now, AWS is a more friendly place for the ecosystem. At the same time, you do a lot of business in Microsoft. >> Yeah. And I think that a lot of companies have always feared that Amazon would just throw, you know, bodies at it. And I think that people have come to the realization that a two pizza team, as Amazon would call it, is eight people. I think that's, you know, two slices per person. I'm a little bit fat, so I don't know if that's enough. But, you start to look at it and go, okay, if they're going to start out with eight engineers, if I'm a startup and they're part of my ecosystem, do I really fear them or should I really embrace them and try to partner closer with them? And I think the smart people and the smart companies are partnering with them because they're realizing, Amazon, unless they can see it to, you know, a hundred million, $500 million market, they're not going to throw eight to 16 people at a problem. I think when, you know, you could say, you could look at Elastic with OpenSearch and what they did there. And the licensing terms and the battle they went through. But they knew that Elastic had a huge market. Also, you had a number of ecosystem companies building on top of now OpenSearch, that are now domain on top of Amazon as well. So, I think Amazon's being pretty strategic in how they're doing it. I think some of the-- It'll be interesting. I think this year is a payout year for the cuts that they're making to some of the services internally to kind of, you know, how do we take the fat off some of those services that-- You know, you look at Alexa. I don't know how much revenue Alexa really generates for them. But it's a means to an end for a number of different other services and partners. >> What do you make of this ChatGPT? I mean, Microsoft obviously is playing that card. 
You want to, you want ChatGPT in the Cloud, come to Azure. Seems like AWS has to respond. And we know Google is, you know, sharpening its knives to come up with its response. >> Yeah, I mean Google just went and talked about Bard for the first time this week and they're in private preview or I guess they call it beta, but. Right at the moment to select, select AI users, which I have no idea what that means. But that's a very interesting way that they're marketing it out there. But, I think that Amazon will have to respond. I think they'll be more measured than say, what Google's doing with Bard and just throwing it out there to, hey, we're going into beta now. I think they'll look at it and see where do we go and how do we actually integrate this in? Because they do have a lot of components of AI and ML underneath the hood that other services use. And I think that, you know, they've learned from that. And I think that they've already done a good job. Especially for media and entertainment when you start to look at some of the ways that they use it for helping do graphics and helping to do drones. I think part of their buy of iRobot was the fact that iRobot was a big user of RoboMaker, which is using different models to train those robots to go around objects and things like that, so. >> Quick touch on Kubernetes, the whole DevOps World we just covered. The Cloud Native Foundation Security, CNCF. The security conference up in Seattle last week. First time they spun that out, kind of like re:Inforce, you know, AWS spins out re:Inforce from re:Invent. Amsterdam's coming up soon, the KubeCon. What should we expect? What's hot in Kubeland? >> Yeah, I think, you know, Kubes, you're going to be looking at how OpenShift keeps growing and I think to that respect you get to see the momentum with people like Red Hat. You see others coming up and realizing how OpenShift has gone to market as being, like you were saying, partnering with those Clouds and really making it simple. 
I think the simplicity and the manageability of Kubernetes is going to be at the forefront. I think a lot of the investment is still going into, how do I bring observability and DevOps and AIOps and MLOps all together. And I think that's going to be a big place where people are going to be looking to see what comes out of KubeCon in Amsterdam. I think it's that manageability ease of use. >> Well Rob, I look forward to working with you on behalf of the whole Cube team. We're going to do more of these and go out to some shows extract the signal from the noise. Really appreciate you coming into our studio. >> Well, thank you for having me on. Really appreciate it. >> You're really welcome. All right, keep it right there, or thanks for watching. This is Dave Vellante for the Cube. And we'll see you next time. (light music)
Karl Mattson, Noname Security | AWS re:Inforce 2022
>>Hello, Ron. Welcome to AWS re:Inforce here, live in Boston, Massachusetts. I'm John Furrier, host of theCUBE. We're here with Karl Mattson, CSO at Noname Security. That's right, Noname Security. Noname Security's also a featured partner at season two, episode four of our upcoming AWS Startup Showcase, security themed event happening in the end of August. Look for that at this URL, AWS startups.com, but we're here at re:Inforce. Karl, thanks for joining me today. Good to see you. >>Thank you for having us, John. >>So this show security, it's not as packed as the AWS Summit was in New York. That just happened two weeks ago, 19,000 people here, more focused crowd. Lot at stake. Operations are under pressure. The security teams are under a lot of pressure as apps drive more and more cloud native goodness. As we say, the genie's out of the bottle, people want more cloud native apps. Absolutely. That's put a lot of pressure on the ops teams and the security teams. That's the core theme here. How do you see it happening? How do you see this unfolding? Do you agree with that? And how would you describe today's event? >>Well, I think you're, you're spot on. I think the, the future of it is increasingly becoming the story of developers and APIs becoming the hero, the hero of digital transformation, the hero of public cloud adoption. And so this is really becoming much more of a developer-centric discussion about where we're moving our applications and, and where they're hosted, but also how they're designed. And so there's a lot of energy around that right now around focusing security capabilities that really appeal to the sensibilities and the needs of, of modern applications. >>I want to get to Noname Security in a second, and let you explain what you guys do. Then I'll have a few good questions for you to kind of unpack that. 
But the thing about the structural change that's happened with cloud computing is kind of, and kind of in the past now, DevOps cloud scale, large scale data, the rise of the super cloud companies like Snowflake, Capital One. There's examples of companies that don't even have CapEx investments building on the cloud. And in a way, our, the success of DevOps has created another sea of problems and opportunities that is more complexity as the benefits of DevOps and open source, continue to rise, agile applications that have value can be quantified. There's no doubt with the pandemic that's value there. Yeah. Now you have the collateral damage of success, a new opportunity to abstract away, more complexity to go to the next level. Yep. This is a big industry thing. What are the key opportunities and areas as this new environment, cuz that's the structural change happening now? Yep. What's the key dynamics right now. That's driving this new innovation and what are some of those problem areas that are gonna be abstracted away that you see? >>Well, the, the first thing I'd suggest is to, to lean into those structural changes and take advantage of them where they become an advantage for governance, security risk. A perfect example is automation. So what we have in microservices, applications and cloud infrastructures and new workloads like Snowflake is we have workloads that want to talk, they want to be interoperated with. And because of that, we can develop new capabilities that take advantage of those of those capabilities. And, and so we want to have on our, on our security teams in particular is we wanna have the talent and the tools that are leaning into and capitalizing on exactly those strengths of, of the underlying capabilities that you're securing rather than to counter that trend, that the, the security professional needs to get ahead of it and, and be a part of that discussion with the developers and the infrastructure teams. 
>>And, and again, the structural change could kill you too as well. I mean, some benefits, you know, data's the new oil, but end of the day it could be a problematic thing. Sure. All right. So let's get to Noname. Talk about the company. What you guys do, you have an interesting approach, heavily funded, good success, good buzz. What's going on with the company? Give the quick overview. >>Well, we're a company that's just under three years old and, and what APIs go back, of course, a, a decade or more. We've all been using APIs for a long time, but what's really shifted over the last couple of years is the, is the transition of, of applications and especially business critical processes to now riding on top of public facing APIs where API used to be the behind the scenes interconnection between systems. Now those APIs are exposed to their public facing. And so what we focus on as a company is looking at that API as a, as a software endpoint, just like any other endpoint in our environments that we're historically used to. That's an endpoint that needs full life cycle protection. It needs to be designed well, secure coding standards for, for APIs, and tested well. It also has to be deployed into production, configured well and operated well. And when there's a misuse or an attack in progress, we have to be able to protect and identify the, the risks to that API in production. So when you add that up, we're looking at a full life cycle view of the API, and it's really it's about time because the API is not new, yet we're just starting to now to apply like actual discipline and, and practices that help keep that API secure. >>Yeah. It's interesting. It's like what I was saying earlier. They're not going anywhere. They're not going, they're the underpinning, the underlying benefit of cloud yes. Cloud native. So it's just more, more operational stability, scale growth. 
What are some of the challenges that, that are there and what do you guys do particularly to solve it? You're protecting it. Are you scaling it? What specifically are you guys addressing? >>But sure. So I think API security, even as a, as a discipline is not new, but I think the, the, the traditional look at API security looks only at, at the quality of the source code. Certainly quality of the source code of API is, is sort of step one. But what we see in, in practices is most of the publicly known API compromises, they weren't because of bad source code, they were because of network misconfiguration or the misapplication of policy during runtime. So a great example of that would be a developer designs an API, designs it in such a way that, that enforces authentication to be well designed and strong. And then in production, those authentication policies are not applied at a gateway. So what we add to the, we add to the, to the conversation on API security is helping fill all those little gaps from design and testing through production. So we can see all of the moving parts in the, the context of the API to see how it can be exploited and, and how we can reduce risk in independent of. >>So this is really about hardening the infrastructure yep. Around cuz the developer did their job in that example. Yep. So academic API is well formed working, but something didn't happen on the network or gateway box or app, you know, some sort of network configuration or middleware configuration. >>Absolutely. So in our, in our platform, we, we essentially have sort of three functional areas. There's API code testing, and then we call next is posture management. Posture management's a real thing. If we're talking about a laptop we're talking about, is it up to date with patches? Is it configured well? Is it secure network connectivity? The same is true with APIs. They have to be managed and cared for by somebody who's looking at their posture on the network. 
And then of course then there's threat defense and run time protection. So that posture management piece, that's really a new entrant into the discussion on API security. And that's really where we started as a company is focusing on that sort of acute gap of information, >>Posture, protection, >>Posture, and protection. Absolutely >>Define that. What does that, what does posture protection mean? How would you define that? >>Sure. I think it's a, it's identifying the inherent risk exposure of an API. Great example of that would be an API that is addressable by internal systems and external systems at the same time. Almost always. That is, that is an error. It's a mistake that's been made. So well, by, by identifying that misconfiguration of posture, then we can, we can protect that API by restricting the internet connectivity externally. That's just a great example of posture. We see almost every organization has that and it's never intended. >>Great, great, great call out. Thanks for sharing. All right, so I'm a customer. Yep. Okay. Look at, Hey, I already got an app firewall API gateway. Why do I need another tool? >>Well, first of all, web application firewalls are sort of essential parts of a security ecosystem. An API management gateway is usually the brain of an API economy. What we do is we, we augment those platforms with what they don't do well and also when they're not used. So for example, in, in any environment, we, we aspire to have all of our applications or APIs protected by web application firewall. First question is, are they even behind the WAF? Are they behind the WAF at all? We're gonna find that the WAF doesn't know if it's not protecting something. And then secondary, there are attack types of business logic in particular of like authentication policy that a WAF is not gonna be able to see. So the WAF and the API management plan, those are the key control points and we can help make those better. 
>>You know what I think is cool, Karl, as you're bringing up a point that we're seeing here and we've seen before, but now it's kind of coming at the visibility. And it was mentioned in the keynote by one of the presenters, Kurt, I think it was who runs the platform. This idea of reasoning is coming into security. So the idea of knowing the topology know that there's dynamic stuff going on. I mean, topologies aren't static anymore. Yep. And now you have more microservices. Yep. More APIs being turned on and off this runtime is interesting. So you're starting to see this holistic view of, Hey, the secret sauce is you gotta be smarter. Yep. And that's either machine learning or AI. So, so how does that relate to what you guys do? Does it, cuz it sounds like you've got something of that going on with the product. Is that fair or yeah. >>Yeah, absolutely. So we, yeah, we talked about posture, so that's, that's really the inherent quality or secure posture of a, of an API. And now let's talk about sending traffic through that API, the request and response. When we're talking about organizations that have more APIs than they have people, employees, or, or tens of thousands, we're seeing in some customers, the only way to identify anomalous traffic is through machine learning. So we apply a machine learning model to each and every API in independently for itself because we wanna learn how that API is supposed to behave. Where is it supposed to be talking? What kind of data is it supposed to be trafficking in, in, in all its facets. So we can model that activity and then identify the anomaly where there's a misuse, there's an attacker event. There's an, an insider employee is doing something with that API that's different. And that's really key with APIs is, is that no two APIs are alike. Yeah. They really do have to be modeled individually rather than I can't share my, my threat signatures for my API, with your organization, cuz your APIs are different. 
And so we have to have that machine learning approach in order to really identify that >>Anomaly and watch the credentials, permissions. Absolutely all those things. All right. Take me through the life cycle of an API. There's pre-production, post-production. What do I need to know about those two, those two areas with respect to what you guys do? >>Sure. So the pre-production activities are really putting in the hands of a developer or an AppSec team. The ability to test that API during its development and, and source code testing is one piece, but also in pre-production are we modeling production variables enough to know what's gonna happen when I move it into production? So it's one thing to have secure source code, of course, but then it's also, do we know how that API's gonna interact with the world once it's sort of set free? So the testing capabilities early life cycle is really how we de-risk in the long term, but we all have API ecosystems that are existing. And so in production we're applying the, all of those same testing of posture and configuration issues in runtime, but really what it, it may sound cliche to say, we wanna shift security left, but in APIs that's, that's a hundred percent true. We want to keep moving our, our issue detection to the earliest possible point in the development of an API. And that gives us the greatest return in the API, which is what we're all looking for is to capitalize on it as an agent of transformation. >>All right, let's take the customer perspective. I'm the customer, Karl, Karl, why do I need you? And how are you different from the competition? And if I like it, how do I get started? >>Sure. So the, the, the first thing that we differentiate ourselves from the customer is, or from our competitors is really looking at the API as an entire life cycle of activities. 
So whether it's from the documentation and the design and the secure source code testing that we can provide, you know, pre-development, or pre-deployment through production posture, through runtime, the differentiator really for us is being a one-stop shop for an entire API security program. And that's very important. And as that one stop shop, the, the great thing about that when having a conversation with a customer is not every customer's at the same point in their journey. And so if, if a customer discussion really focuses on their perhaps lack of confidence in their code testing, maybe somebody else has a lack of confidence in their runtime detection. We can say yes to those conversations, deliver value, and then consider other things that we can do with that customer along a whole continuum of life cycle. And so it allows us to have a customer conversation where we don't need to say, no, we don't do that. If it's an API, the answer is, yes, we do do that. And that's really where we, you know, we have an advantage, I think, in, in looking at this space and, and, and being able to talk with pretty much any customer in any vertical and having a, having a solution that, that gives them something value right away. >>And how do I get started? I like it. You sold me on, on operationalizing it. I like the one stop shop. I, my APIs are super important. I know that could be potential exposure, maybe access, and then lateral movement to a workload, all kinds of stuff could happen. Sure. How do I get started? What do I do to solve this? >>Well, nonamesecurity.com, of course. We, we have, you know, most customers do sandboxing POVs as part of a trial period for us, especially with, you know, being here at AWS is wonderful because these are customers with whom we can integrate with. In a matter of minutes, we're talking about literally updating an IAM role. 
Permission is the complexity of implementation because cloud friendly workloads really allow us to, to do proofs of concept and value in a matter of minutes to, to achieve that value. So whether it's a, a dedicated sandbox for one customer, whether it's a full blown POC for a complicated organization, you know, whether it's here at AWS conference or, or, or nonamesecurity.com, we would love to do a, do a, like a free demo test drive and assessment. >>Awesome. And now you guys are part of the elite alumni of our startup showcase yep. Where we feature the hot startups, obviously it's the security focuses episodes about security. You guys have been recognized by the industry and AWS as, you know, making it, making it happen. What specifically is your relationship with AWS? Are you guys doing stuff together? Cuz they're, they're clearly integrating with their partners. Yeah. I mean, they're going to companies and saying, Hey, you know what, the more we're integrated, the better security everyone gets, what are you doing with Amazon? Can you share any tidbits? You don't have to share any confidential information, but can you give us a little taste of the relationship? >>Well, so I think we have the best case scenario with our relationship with AWS is, is as a, as a very, very small company. Most of our first customers were AWS customers. And so to develop the, the, the initial integrations with AWS, what we were able to do is have our customers, oftentimes, which are large public corporations, go to AWS and say, we need, we need that company to be through your marketplace. We need you to be a partner. And so that partnership with, with AWS has really grown from, you know, gone from zero to 60 to, you know, miles per hour in a very short period of time. 
And now being part of the startup program, we have a variety of ways that a customer can, can work with us from a direct purchase through the AWS marketplace, through channel partners and, and VA, we really have that footprint now in AWS because our customers are there and, and they brought our customers to AWS with us. >>It's nice. The customers pull you to AWS. Yes. It pulls you more customers. Yep. You get kind of intermingled there, provide the value. And certainly they got, they, they hyperscale so >>Well, that creates depth of the relationship. So for example, as AWS itself is evolving and changing new services become available. We are a part of that inner circle. So to speak, to know that we can make sure that our technology is sort of calibrated in advance of that service offering, going out to the rest of the world. And so it's a really great vantage point to be in as a startup. >>Well, Carl, the CISO for Noname Security, you're here on the ground. You partner with AWS. What do you think of the show this year? What's the theme. What's the top story one or two stories that you think of the most important stories that people should know about happening here in the security world? >>Well, I don't think it's any surprise that almost every booth in the, in the exhibit hall has the words cloud native associated with it. But I also think that's, that's, that's the best thing about it, which is we're seeing companies and, and I think Noname is, is a part of that trend who have designed capabilities and technologies to take advantage and lean into what the cloud has to offer rather than compensating. For example, five years ago, when we were all maybe wondering, will the cloud ever be as secure as my own data center, those days are over. And we now have companies that have built highly sophisticated capabilities here in the exhibit hall that are remarkably better improvements in, in securing the cloud applications in, in our environments.
So it's a, it's a real win for the cloud. It's something of a victory lap. If, if you hadn't already been there, you should be there at this point. >>Yeah. And the structural change is happening now that's clear and I'd love to get your reaction if you agree with it, is that the ops on security teams are now being pulled up to the level that the developers are succeeding at, meaning that they have to be in the boat together. Yes. >>Oh, lines of, of reporting responsibility are becoming less and less meaningful and that's a good thing. So we're having just in many conversations with developers or API management center of excellence teams to cloud infrastructure teams as we are security teams. And that's a good thing because we're finally starting to have some degree of conversions around where our interests lie in securing cloud assets. >>So developers ops security all in the boat together, sync absolutely together or win together. >>We, we, we win together, but we don't win on day one. We have to practice like we as organizations we have to, we have to rethink our, we have to rethink our tech stack. Yeah. But we also have to, you have to rethink our organizational models, our processes to get there, to get >>That in, keep the straining boat in low waters. Carl, thanks for coming on. No name security. Why the name just curious, no name. I love that name. Cause the restaurant here in Boston that used to be of all the people that know that. No name security, why no name? >>Well, it was sort of accidental at, in the, in the company's first few weeks, the there's an advisory board of CISOs who provides feedback on, on seed to seed companies on their, on their concept of, of where they're gonna build platforms. And, and so in absence of a name, the founders and the original investor filled out a form, putting no name as the name of this company that was about to develop an API security solution. 
Well, amongst this board of CISOs, basically there was unanimous feedback that the, what they needed to do was keep the name. If nothing else, keep the name, Noname, it's a brilliant name. And that was very much accidental, really just a circumstance of not having picked one, but you know, a few weeks passed and all of a sudden they were locked in because sort of by popular vote, Noname was, >>Was formed. Yeah. And now the legacy, the origination story is now known here on theCUBE, Carl. Thanks for coming on. Really appreciate it. Thank you, John. Okay. We're here. Live on the floor show floor of AWS re:Inforce in Boston, Massachusetts. I'm John with Dave Vellante. Who's out and about getting the stories in the trenches in the analyst meeting. He'll be right back with me shortly. Stay tuned for more theCUBE coverage. After this short break.
Jay Bretzmann & Philip Bues, IDC | AWS re:Inforce 2022
(upbeat music) >> Okay, welcome back everyone. CUBE's coverage here in Boston, Massachusetts, AWS re:inforce 22, security conference. It's AWS' big security conference. Of course, theCUBE's here, all the reinvent, reese, remars, reinforced. We cover 'em all now and the summits. I'm John Furrier, my host Dave Vellante. We have IDC weighing in here with their analysts. We've got some great guests here, Jay Bretzmann research VP at IDC and Philip Bues research manager for Cloud security. Gentlemen, thanks for coming on. >> Thank you. >> Appreciate it. Great to be here. >> Appreciate coming. >> Got a full circle, right? (all laughing) Security's more interesting than storage, isn't it? (all laughing) >> Dave and Jay worked together. This is a great segment. I'm psyched that you guys are here. We had Crawford and Matt Eastwood on at HPE Discover a while back and really the data you guys are getting and the insights are fantastic. So congratulations to IDC. You guys doing great work. We appreciate your time. I want to get your reaction to the event and the keynotes. AWS has got some posture and they're very aggressive on some tones. Some things that we didn't hear. What's your reaction to the keynote? Share your assessment. >> So, you know, I manage two different research services at IDC right now. They are both Cloud security and identity and digital security, right? And what was really interesting is the intersection between the two this morning, because every one of those speakers that came on had something to say about identity or least privileged access, or enable MFA, or make sure that you control who gets access to what and deny explicitly. And it's always been a challenge a little bit in the identity world because a lot of people don't use MFA. And in RSA, that was another big theme at the RSA conference, MFA everywhere. Why don't they use it? Because it introduces friction and all of a sudden people can't get their jobs done. 
And the whole point of a network is letting people on to get that data they want to get to. So that was kind of interesting, but as we have in the industry, this shared responsibility model for Cloud computing, we've got shared responsibility for between Philip and I. (Philip laughing) I have done in the past more security of the Cloud and Philip is more security in the Cloud. >> So yeah. >> And now with Cloud operation Super Cloud, as we call it, you have on premises, private Cloud coming back, or hasn't really gone anywhere, all that on premises, Cloud operations, public Cloud, and now edge exploding with new requirements. It's really an ops challenge right now. Not so much dev. So the sec and op side is hot right now. >> Yeah, well, we've made this move from monolithic to microservices based applications. And so during the keynote this morning, the announcement around the GuardDuty Malware Protection component, and that being built into the pricing of current GuardDuty, I thought was really key. And there was also a lot of talk about partnering in security certifications, which is also so very important. So we're seeing this move towards filling in that talent gap, which I think we're all aware of in the security industry. >> So Jay, square the circle for me. So Kurt Kufeld talked about Amazon AWS identity, where does AWS leave off, and companies like Okta or Ping Identity or CyberArk pick up, how are they working together? Does it just create more confusion and more tools for customers? We know the overused word of seamless. >> Yeah, yeah. >> It's never seamless, so how should we think about that? >> So, identity has been around for 35 years or something like that. Started with the mainframes and all that. And if you understand the history of it, you make more sense to the current market. You have to know where people came from and the baggage they're carrying, 'cause they're still carrying a lot of that baggage.
Now, when it comes to the Cloud Service providers, they're more an accommodation from the identity standpoint. Let's make it easy inside of AWS to let you single sign on to anything in the Cloud that they have, right? Let's also introduce an additional MFA capability to keep people safer whenever we can and provide people with tools, to get into those applications somewhat easily, while leveraging identities that may live somewhere else. So there's a whole lot of the world that is still Active Directory-centric, right? There's another portion of companies that were born in the Cloud that were able to jump on things like Okta and some of the other providers of these universal identities in the Cloud. So, like I said, if you understand where people came from in the beginning, you start to say, "Yeah, this makes sense." >> It's interesting you talk about mainframe. I always think about RACF, you know. And I say, "Okay, who did what, when, where?" And you hear about a lot of those themes. So what's the best practice for MFA, that's non-SMS-based? Is it you got to wear something around your neck, is it to have sort of a third party authenticator? What are people doing that you guys would recommend? >> Yeah, one quick comment about adoption of MFA. If you ask different suppliers, what percent of your base that does SSO also does MFA, one of the biggest suppliers out there, Microsoft will tell you it's under 25%. That's pretty shocking. All the messaging that's come out about it. So another big player in the market was called Duo, Cisco bought them. >> Yep. >> And because they provide networks, a lot of people buy their MFA. They have probably the most prevalent type of MFA, it's called Push. And Push can be a red X and a green check mark to your phone, it can be a QR code, somewhere, it can be an email push as well. So that is the next easiest thing to adopt after SMS.
And as you know, SMS has been denigrated by NIST and others saying, it's susceptible to man-in-the-middle attacks. It's built on a telephony protocol called SS7. Predates anything, there's no certification either side. The other real dynamic in identity is the whole adoption of PKI infrastructure. As you know, certificates are used for all kinds of things, network sessions, data encryption, well, identity increasingly. And a lot of the consumers and especially the work from anywhere, people these days have access through smart devices. And what you can do there, is you can have an agent on that smart device, generate your private key and then push out a public key and so the private key never leaves your device. That's one of the most secure ways to- >> So if our SIM card gets hacked, you're not going to be as vulnerable? >> Yeah, well, the SIM card is another challenge associated with the older ways, but yeah. >> So what do you guys think about the open source connection and they mentioned it up top. Don't bolt on security, implying shift left, which is embedding it in like Snyk companies, like Snyk do that. Very container oriented, a lot of Kubernetes kind of Cloud native services. So I want to get your reaction to that. And then also this reasoning angle they brought up. Kind of a higher level AI reasoning decisions. So open source, and this notion of AI reasoning, or AI reason. >> And you see more open source discussion happening, so you have your building, maintaining and vetting of the upstream open source code, which is critical. And so I think AWS talking about that today, they're certainly hitting on a nerve, as you know, open source continues to proliferate. Around the automated reasoning, I think that makes sense. You want to provide guardrails and you want to provide roadmaps and you want to have sort of that guidance as to, okay, what's a correlation analysis of different tools and products? And so I think that's going to go over really well, yeah.
>> One of the other key points about open source is, everybody's in a multi-cloud world, right? >> Yeah. >> And so they're worried about vendor lock in. They want an open source code base, so that they don't experience that. >> Yeah, and they can move the code around, and make sure it works well on each system. Dave and I were just talking about some of the dynamics around data control planes. So they mentioned encrypt everything which is great and I message by the way, I love that one. But oh, and he mentioned data at rest. I'm like, "What about data in flight? "Didn't hear that one." So one of the things we're seeing with SuperCloud, and now multi-cloud kind of as destinations of that, is that in digital transformation, customers are leaning into owning their data flows. >> Yeah. >> Independent of say the control plane aspects of what could come in. This is huge implications for security, where sharing data is huge, even Schmidt on stage said, we have billions and billions of things happening that we see things that no one else sees. So that implies, they're sharing- >> Quad trillion. >> Trillion, 15 zeros. (Jay laughs) >> 15 zeros. >> So that implies they're sharing that or using that pushing that into something. So sharing is huge with cyber security. So that implies open data, data flows. How do you guys see this evolving? I know it's kind of emerging, but it's becoming a nuanced point, that's critical to the architecture. >> Well, yeah, I think another way to look at that is the sharing of intelligence and some of the recent directives, from the executive branch, making it easier for private companies to share data and intelligence, which I think strengthens the cyber community overall. >> Depending upon the supplier, it's either an aggregate level of intelligence that has been anonymized or it's specific intelligence for your environment that everybody's got a threat feed, maybe two or three, right? 
(John laughs) But back to the encryption point, I mean, I was working for an encryption startup for a little while after I left IBM, and the thing is that people are scared of it. They're scared of key management and rotation. And so when you provide- >> Because they might lose the key. >> Exactly. >> Yeah. >> It's like shooting yourself in the foot, right? So that's when you have things like, KMS services from Amazon and stuff that really help out a lot. And help people understand, okay, I'm not alone in this. >> Yeah, crypto owners- >> They call that hybrid, the hybrid key, they don't know how they call the data, they call it the hybrid. What was that? >> Key management service? >> The hybrid- >> Oh, hybrid HSM, correct? >> Yeah, what is that? What is that? I didn't get that. I didn't understand what he meant by the hybrid post quantum key agreement. >> Hybrid post quantum key exchange. >> AWS never made a product name that didn't have four words in it. (John laughs) >> But he did reference the new NIST algos. And I think I inferred that they were quantum proof or they claim to be, and AWS was testing those. >> Correct, yeah. >> So that was kind of interesting, but I want to come back to identity for a second. So, this idea of bringing traditional IAM and Privileged Access Management together, is that a pipe dream, is that something that is actually going to happen? What's the timeframe, what's your take on that? >> So, there are aspects of privilege in every sort of identity. Back when it was only the back office that used computers for calculations, right? Then you were able to control how many people had access. There were two types of users, admins and users. These days, everybody has some aspect of- >> It's a real spectrum, really. >> Yeah. >> Granular. >> You got the C-suite, the finance people, the DevOps people, even partners and whatever. They all need some sort of privileged access, and the term you hear so much is least-privileged access, right? 
Shut it down, control it. So, in some of my research, I've been saying that vendors who are in the PAM space, Privilege Access Management space, will probably be growing their suites, playing a bigger role, building out a stack, because they have the expertise and the perspective that says, "We should control this better." How do we do that, right? And we've been seeing that recently. >> Is that a combination of old kind of antiquated systems meets for proprietary hyper scale, or kind of like build your own? 'Cause I mean, Amazon, these guys, Facebook, they all build their own stuff. >> Yes, they do. >> Then enterprises buy services from general purpose identity management systems. >> So as we were talking about knowing the past and whatever, Privileged Access Management used to be about compliance reporting. Just making sure that I knew who accessed what? And could prove it, so I didn't fail at all. >> It wasn't a critical infrastructure item. >> No, and now these days, what it's transitioning into, is much more risk management, okay. I know what our risk is, I'm ahead of it. And the other thing in the PAM space, was really session monitor. Everybody wanted to watch every keystroke, every screen's scrape, all that kind of stuff. A lot of the new Privileged Access Management, doesn't really require that. It's a nice to have feature. You kind of need it on the list, but is anybody really going to implement it? That's the question, right. And then if you do all that session monitoring, does anybody ever go back and look at it? There's only so many hours in the day. >> How about passwordless access? (Jay laughs) I've heard people talk about that. I mean, that's as a user, I can't wait but- >> Well, it's somewhere we want to all go. We all want identity security to just disappear and be recognized when we log in. So the thing with passwordless is, there's always a password somewhere. And it's usually part of a registration action. 
I'm going to register my device with a username password, and then beyond that I can use my biometrics, right? I want to register my device and get a private key, that I can put in my enclave, and I'll use that in the future. Maybe it's got Touch ID, maybe it doesn't, right? So even though there's been a lot of progress made, it's not quote, unquote, truly passwordless. There's a group, industry standards group called FIDO. Which is Fast Identity Online. And what they realized was, these whole registration passwords, that's really a single point of failure. 'Cause if I can't recover my device, I'm in trouble. So they just did a new extension to sort of what they were doing, which provides you with much more of like an iCloud vault that you can register that device in and other devices associated with that same identity. >> Get you to it if you have to. >> Exactly. >> I'm all over the place here, but I want to ask about ransomware. It may not be your wheelhouse. But back in the day, Jay, remember you used to cover tape. All the backup guys now are talking about ransomware. AWS mentioned it today and they showed a bunch of best practices and things you can do. Air gaps wasn't one of them. I was really surprised 'cause that's all every anybody ever talks about is air gaps and a lot of times that air gap could be a guess to the Cloud, I guess, I'm not sure. What are you guys seeing on ransomware apps? >> We've done a lot of great research around ransomware as a service and ransomware, and we just had some data come out recently, that I think in terms of spending and spend, and as a result of the Ukraine-Russia war, that ransomware assessments rate number one. And so it's something that we encourage, when we talk to vendors and in our services, in our publications that we write about taking advantage of those free strategic ransomware assessments, vulnerability assessments, as well and then security and training ranked very highly as well.
So, we want to make sure that all of these areas are being funded well to try and stay ahead of the curve. >> Yeah, I was surprised to not see air gaps on the list, that's all everybody talks about. >> Well, the old model for air gapping in the LAN days, the Novell days, you took your tapes home and put them in the sock drawer. (all laughing) >> Well, it's a form of air gap. (all laughing) >> Security and no one's going to go there and clean out. >> And then the internet came around and ruined it. >> Guys, final question we want to ask you, guys, we kind of zoom out, great commentary by the way. Appreciate it. We've seen this in many markets, a collection of tools emerge and then there's its tool sprawl. So cyber we're seeing the trend now where mon goes up on stage of all the ecosystems, probably other vendors doing the same thing where they're organizing a platform on top of AWS to be this super platform, for super Cloud capability by building a more platform thing. So we're saying there's a platform war going on, 'cause customers don't want the complexity. I got a tool but it's actually making it more complex if I buy the other tool. So the tool sprawl becomes a problem. How do you guys see this? Do you guys see this platform emerging? I mean tools won't go away, but they have to be easier. >> Yeah, we do see a consolidation of functionality and services. And we've been seeing that, I think through a 2020 Cloud security survey that we released that was definitely a trend. And that certainly happened for many companies over the last six to 24 months, I would say. And then platformization absolutely is something we talk and write about all the time so... >> Couple of years ago, I called the Amazon tool set an erector set because it really required assembly. And you see the emphasis on training here too, right? You definitely need to go to AWS University to be competent. >> It wasn't Lego blocks yet. >> No. >> It was erector set. >> Yeah. >> Very good distinction.
>> Loose. >> And you lose a few. (chuckles) >> But still too many tools, right? You see, we need more consolidation. It's getting interesting because a lot of these companies have runway and you look at SailPoint, its stock price held up 'cause of the Thoma Bravo acquisition, but all the rest of the cyber stocks have been crushed especially the high flyers, like a SentinelOne or a CrowdStrike, but just still M&A opportunity. >> So platform wars. Okay, final thoughts. What do you think is happening next? What's your outlook for the next year or so? >> So, in the identity space, I'll talk about, Philip can cover Cloud for us. It really is more consolidation and more adoption of things that are beyond simple SSO. It was, just getting on the systems and now we really need to control what you're able to get to and who you are. And do it as transparently as we possibly can, because otherwise, people are going to lose productivity. They're not going to be able to get to what they want. And that's what causes the C-suite to say, "Wait a minute," DevOps, they want to update the product every day. Make it better. Can they do that or did security get in the way? People, every once in a while call security, the Department of No, right? >> They ditch it on stage. They want to be the Department of Yes. >> Exactly. >> Yeah. >> And the department that creates additional value. If you look at what's going on with B2C or CIAM, consumer oriented identity, that is all about opening up new direct channels and treating people like their old friends, not like you don't know them, you have to challenge them. >> We always say, you want to be in the boat together, it sinks or not. >> Yeah. Exactly. >> Philip I'm glad- >> Okay, what's your take? What's your outlook for the year? >> Yeah, I think, something that we've been seeing as consolidation and integration, and so companies looking at from build time to run time, investing in shift left, infrastructure as code.
And then also in the runtime detection, makes perfect sense to have both the agent and agentless so that you're covering any of the gaps that might exist. >> Awesome, Jay, Philip, thanks for coming on "theCUBE" with IDC and sharing your- >> Oh, our pleasure- >> Perspective, commentary and insights and outlook. Appreciate it. >> You bet. >> Thank you. >> Okay, we've got the great direction here from IDC analysts here on theCUBE. I'm John Furrier, Dave Vellante. Be back more after this short break. (bright upbeat music)
Omri Gazitt, Aserto | Kubecon + Cloudnativecon Europe 2022
>> Narrator: theCUBE presents KubeCon and CloudNativeCon Europe 2022, brought to you by Red Hat, the Cloud Native Computing Foundation, and its ecosystem partners.
>> Welcome to Valencia, Spain and KubeCon, CloudNativeCon Europe, 2022. I'm Keith Townsend, and we're continuing the conversation with builders, startups, large enterprise, customers, small customers, the whole community. Just got an interesting stat earlier in the day, 7.1 million community members in the CNCF foundation, and we've been interacting with 7,500 of them. But we're bringing the signal, separating the signal from the noise. We have a CUBE alum who's been on both sides of the table, Omri Gazitt, co-founder and CEO of Aserto. Welcome to the show.
>> Thank you so much, Keith.
>> So identity management, you know it's, it's critical need to the enterprise cloud native but there's plenty of solutions on the market, what unique problem are you solving, you know, how are you solving the problem in a unique way that we don't go to some of the big named vendors in this space?
>> Yeah, we, my co-founder and I, were veterans of large clouds. We helped start Azure at Microsoft. We in fact helped build what became Azure Active Directory and those solutions entirely focus on one part, the "I" part, the identity part of the problem. They completely ignore the access management part and you could argue that is a larger problem and it is far from solved. So we completely agree. Identity management, a problem that's been solved over the last 15 years and solved well by great companies like Microsoft and Okta and Auth0. And we're best friends with them. We basically pick up where they leave off. We do the access management part.
>> So the access management part, what specifically, what am I getting when I engage with your team and your product?
>> Yep. So basically I, authentication is all about proving that you are who you say you are through a password or something else, you know, biometric.
And that part is done. We basically pick up where that leaves off. So once you know who you are, once you've proven to a system that you are Keith. Now, what can Keith do? What roles, what permissions, what operations can Keith perform on what resources? That's a harder problem. And that's the problem that we focus on. So for example, if you have a SaaS app - let's say you're building, you know an applicant tracking system and you Keith are an owner of some job descriptions and you have some candidates, but somebody else has a different set of candidates and an admin, maybe has visibility at everything. How do you build that system? That actually is a pretty hard problem. And how do you build it to enterprise grade? That's where we come in. We basically have an end-to-end solution that gives you cloud native, end-to-end authorization that's built to enterprise grade.
>> So when I think of this capability, I can't help but to think of AWS IAM and I'm in AWS IAM, I get my security role, and now I can assign to an EC2 instance, the ability to access some other AWS service or identity. So role based identity - are you giving me that type of capability?
>> For everything else. So AWS IAM for AWS resources right? Google IAM for Google Resources. Azure has a similar system but they're all infrastructure focused. And what we're trying to do is bring that to your domain specific resources, right? So you, as an application builder, you have the things that correspond you're not doing VMs, you're not doing storage arrays, you're not doing networks. You have higher level constructs, right. You know, like I said, if you're building Lever or Greenhouse, you have candidates and jobs and reports and things like that. So we basically allow you to create this fine grained access control, but for your own objects.
>> So where's the boundaries? Let's say that I have a container or microservice that is a service and it has a role, it has an identity on my network.
And there is a cloud based service, let's say a, a cloud SQL. And I want to do authentication across the two or can I only have the boundaries within my private infrastructure or does that boundary extend to the public cloud as well?
>> It extends everywhere, right. So basically, you know, if you think about all the different hops here, you know, Zero Trust is the, the rage, right? And that encourages defense in depth. So you have an access proxy that does some type of authorization. Then you have an API Gateway that has a little bit more context, a little bit more authorization. For us we live inside of the application. So the application calls us, we give you a sidecar, you deploy it right next to your application. It gives you, you know, sub-millisecond response time, a hundred percent availability, all the authorization decisions are done with full context about who the user is and what resource they're trying to access. And so our sidecar will give you a response back, allow or deny, and then downstream from us, you could basically talk to another microservice. And at that point you're doing machine identities, right? So you may have a different authorization policy for those, only you know these particular services, are allowed to talk to these other services. And so we solve both the, you know authorization for machine identities as well as authorization for human identities.
>> All right Omri are you ready for CUBE Clock?
>> I sure am!
>> Oh, I like the energy.
>> Bring it on.
>> You know, there have been many before you, they have failed the test.
>> All right. I mean, they brought, they've brought the energy. You have the energy but do you have the ability to survive the clock?
>> I'm going to do my best.
>> So I'm going to say start the clock. I haven't said, said start CUBE Clock yet, but when I say it, you have 60 seconds. There's no start overs. There's no repeats. The pressure's on, you ready?
>> All right. I'm ready.
>> Ready? Start CUBE Clock.
>> All right. If you are a VP of Engineering or a CTO or run a security or engineering organization what are you doing for roles and permissions? You're building it on your own, right?
>> Tough times never last, tough people always do, and you're, you're delaying, you're letting me break you up.
>> All right, I'm not going to let you break me up. Great. So you don't want to build it yourself. You don't want to build it yourself. Why would you spend engineering time? Why would you spend, you know, the-
>> You deserve a seat at the table.
>> No but look, why would you ever spend your time building something that is not differentiating your application? Instead use something like Aserto, just dear God use something, use a developer API. Don't build it yourself because what are you doing? You're reinventing the wheel, you know. You want to get out of the business of reinventing the wheel.
>> Crawl before you walk. (Omri laughs)
>> You think so? I think, I think you have to go you know, make sure that you spend your engineering resources on the things that matter and the things that matter are.
>> Time up.
>> Yep.
>> You know what? You threw three great curve balls and struck me out. Great job. (Omri laughs) You, you, you just knocked it out the park. Great job Omri, I appreciate you coming in, stopping by, sharing your company's journey about authorization and authorization services and getting kind of this cloud capability, the cloud native.
>> I appreciate your time as well Keith, always a pleasure.
>> From Valencia Spain, I'm Keith Townsend, and you're watching theCUBE, the leader in high tech coverage.
(soft instrumental music)
Sandy Bird, Sonrai Security & Avi Boru, World Fuel Services | AWS Startup Showcase
(upbeat music)
>> Welcome to today's session of theCUBE's presentation of the AWS Startup Showcase, The Next Big Thing in AI, Security, & Life Sciences, and in this segment, we feature Sonrai Security, of course for the security track. I'm your host, Dave Vellante, and today we're joined by Sandy Bird, who's the co-founder and chief technology officer of Sonrai, and Avi Boru, who's the director of cloud engineering at World Fuel Services, and in this discussion, we're going to talk about 22 to two data centers, how World Fuel Services and Sonrai Security actually made it happen securely. Folks, welcome to theCUBE, come on in.
>> Thank you.
>> So we hear consistent themes from chief information security officers, that many if not most enterprises they struggle today with cloud security, there's confusion with various tools and depressing lack of available talent to attack this problem. So Sandy, I want to start with you, we always love to ask co-founders, why did you start your company? Take us back to that decision.
>> Yeah, I think looking at Sonrai Security was interesting in that, it was a time to start over, it was a time to build a native in the cloud, as opposed to having a data center, and be able to use, you know, a vendor of infrastructure, be able to use the latest and greatest technology and really change the way people secure their workloads. What was interesting, you know, when we started the company, I believe that the world was in a more mature space probably in cloud than they were at the time when we were starting it, in that we were really focused around, if we could understand all of the rights and entitlements to data, we could understand data movement, we'd had hope in protecting the data and arriving in cloud, we realized that the maturity of the companies building in cloud, were not quite there yet, they were really struggling with, you know, the identities models in the cloud, how to actually secure, you know, workloads, serverless functions that are ephemeral these types of things, and even just sometimes basic governance problems, and the technology we had built was great at understanding all of the ways that data could be accessed, and we were able to expand that into all the resources of the cloud and it's an exciting space to be in, and it's also, I truly believe we'll be able to actually make cloud environments more secure than what we were doing in enterprise, because again for the first time ever you have full inventory, you have the ability to make controls that apply to the entire infrastructure, it's really an exciting time.
>> I mean, I've said many times I feel like security is a do over and the fact that you're coming at it as a data problem and bringing in the cloud that intersection, I think is actually quite exciting.
So Avi let's bring you into the conversation, you know, obviously we've seen cloud exploding it's continuing to be a staple of digital business transformations and acceleration especially around identity, so what's your point of view on cloud security, what's different and how does your company approach it?
>> Sure, thank you for having me Dave, and just to give you a bit of World Fuel Services, World Fuel Services is a public company, and it's based out of Miami, and we are ranked 91 in the Fortune 500 list, so we are spread all across the globe, and as part of our transformation to distress our business, we took over a big challenge to migrate all our global infrastructure from 22 data centers to AWS, that was a massive challenge for us, and we are downright now to 20 data centers, we only have two more to go, and we did this in the last two years, and that was really good for us, but as we've been doing this migration, there was also a strong need for us to build a strong security foundation, because going into the cloud as much as capabilities it gives us to innovate, it also gives us a lot of challenges to deal with from security standpoint, and as part of building the security foundation, we had to tackle some key challenges, one was how do we build our cloud security operating model and how do we up skill our people, the talent that you've been binding it out, and how do we make security a way of working in this new world, and more than choosing a solution we needed a really strong security partner who can help us guide in this journey, help us build the foundations and take us further and mature us in this, and that's where it was really interesting for us to partner with Sonrai, who helped us along the way, develop a foundation and now helping us mature our security platform.
>> Avi, what were the technology underpinnings, that enticed you to work with Sonrai?
>> Sonrai has lot of unique capabilities but I'll take it out on two key points, right?
One, Sonrai has a cloud security posture management which is different from other platforms that are out there because they give you capability for a lot of out of the box frameworks and controls, but in addition to that, every organization has need to build unique specific frameworks, specific controls, they give you that capability, which is massive for enterprises, and the second key thing is, if you look at AWS, it has more than 200 services and every service has its unique capability but one key component they use across all the services, is Identity and Access Management, IAM, and Sonrai has a unique perspective of using IAM to track risks and identify the interactions between user and machine identities which was really exciting and new for us, and we felt that was a really good foundation and stepping point to use Sonrai.
>> All right, Sandy, we definitely saw the need for a better identity explode, in conjunction with the cloud migrations during the pandemic, it was sort of building and building and then it was accelerated, maybe talk a little bit about how you approach this, and specifically talk about your identity analytics and the graph solution that you guys talk about.
>> Yeah, I've been a fan of graph solutions for many years, one of the great benefits in this particular space with identity is that, the cloud models for identity are fairly complex and quite different between AWS, Azure and GCP, however, the way that entitlements work, some identity is granted an entitlement, and that entitlement gives them access to do something, sometimes that something is to assume another identity, and then do something on that identity's behalf, and when you're actually trying to secure these clouds this jumping of identities, which happens a lot in the AWS model, or inheritance which happens a lot in the Azure model where you're given access at one level of the tree and you automatically gain access to things below that if you have that entitlement, those models inside of graph allow us to understand exactly how any given identity, when we talk about identity we always think of people, but it's not, of course as you said, sometimes it's a machine, sometimes it's a cloud service, it could be many different things, how does every single one of those identities get access to that given resource? And it's not always as clear as, okay, well, here are the direct identities that can access this resource, it may only be able to be accessed with a single key, but who has access to the key, and what has access to the key, and what's the policy on that key, and if that's set too widely can other maybe nefarious actors get access to that key, and by using the graph, we can tie that whole model together to understand the entire list, of what gets access, I think that's actually what surprises a lot of the identity governance and data governance teams that are not in cloud, you know, when enterprise was very intentional, you configured the database to use the identity provider and the rules that you wanted it to use, and that's all that ever got access to that database.
In cloud, there are a lot of configuration knobs and things and depending on how you turn them, you could open up a lot of identities to get access to whatever that resource is, often it's data, but it could be a network, it could be many things. So, the graph allows us to tie all that together, the second part of it is, it really allows us to see, we call them effective permissions, what the effective permission of that identity is, the clouds have done this phenomenal thing in using identities as a control mechanism just like in firewall, like an identity firewall, where they can take permissions away from things based on sets of conditions, so one of the great ways, let's say you didn't want to have any data stored deployed without encryption, you could write a policy at the top of your cloud, that says, anytime a data store is deployed, if encryption is not there, deny that function. And so what happens is, is you can create this very protective environment using identity controls, but the problem is when you actually go to evaluate your cloud for risk, you may find a scenario where an identity has access as an example, to do something like create an internet gateway, or create a public endpoint, but there's this policy somewhere else, that's taking that away, and you don't want thousands of alerts because of that, you want to actually understand the model and say, look if we understand that this policy is mitigating your risk, then don't show the alert in the first place. And it really helps by putting it in a graph, because we can actually see all of these interconnections, we can see how they're interrelated, and determine the exact effective permissions of any identity and what risks that may have.
>> So Avi, I mean, Sandy is really getting to the heart of sort of operationalizing your security in the cloud, and we looked at the compelling aspect of the cloud, and one of them anyway is scale, but people tell us to really take advantage of the cloud, they have to evolve that operating model maybe completely change the operating model, to really take advantage of scale, so my question is how do you operationalize your security practices, what should people think about, in terms of the time it takes to build in automations and bots for things like continuous compliance, what can you share in terms of best practice?
>> So traditional ways of operating if you look at it is, you identify a security risk, and a ticket is created and teams starts mitigating them. But with so many cloud services and with many solutions, the team start building in the cloud, it becomes too much of an overhead for teams to mitigate all these security risks that keep coming into the backlog, so as we partner with Sonrai in building a foundation, the way we tried to approach it is differently, we said why don't we build this using automatic recommendations, if we know what are the security risks, that we should not be creating in our environment and be noncompliant, how can we mitigate them? And with Sonrai and AWS API capabilities, it's not that hard for us to build a lot of remediation bots because I didn't find risks, 'cause they have been taken care by Sonrai, the only aspect we need to take care is, how do we mitigate that?
So that's the part we chose in building, cloud security operating model, is modeling more than automated remediations, but as part of building that there is always, where everything cannot be remediated automatically, and for these kinds of scenarios, we built a workflow where it still gets funneled to teams, so they can prioritize in their backlog, but other key thing that we did as part of operationalizing is, teams need to use Sonrai as their way of working, teams need to know what and why they should be using Sonrai. So we conduct a lot of training and onboarding and working sessions for teams, so they understand how we use Sonrai, how to consume the data coming out of Sonrai, so they can proactively start acting on how to stay compliant, but yeah, it's been an amazing experience building our foundation though.
>> Sandy, I wonder if we can come back to, talking about comparisons with the traditional prevailing security models, I mean, we entering this API economy, as I said before, cloud is a staple of digital business, but you know people have been doing on-prem security for decades, you know, data loss prevention is an entire sub-industry, so what's different about doing it in the cloud, how should we think about that, in terms of whether you know, what responsibilities we have, the technology, what's your perspective on that?
>> There's at least five questions in there Dave, so we'll.
>> Pick your favorite.
>> Yeah, you know, to feed off of what Avi was talking about, you know, he said many times, you know, teams need to solve these issues, teams need to see the issues they're creating, and it's interesting as we move to cloud, we decentralize some of these security functions, and that's actually an important part of the Sonrai solution and how you build a cloud security operating model, there's a set of findings, we'll call them, maybe there are security findings, maybe they're informational findings, that are a fairly low risk, and should be dealt with by the individual teams themselves, but that same team, you know, maybe isn't the person that can sign off on the risk if it's high enough, and if it's not then it needs to be escalated to the next level up to have that risk signed off on. A lot of times in large enterprise for workloads, that was done using unfortunately, you know tickets and systems and, you know, humans actually, you know, filling out some form of a checklist, saying, yes I met this, no I didn't, and we can automate huge numbers of those tests, including distributing them to the teams for the teams to solve themselves, and if they do their job right, there's not even the need for the central security body necessarily to know about the issues because they got solved, but when they don't get solved, that's when whether, you know, escalation to bots and automation or escalating to a centralized team starts to make sense. You kind of said a lot about DLP there as you were doing in cloud and just data security in general, and I do think, you know, cloud has given us this interesting opportunity, that's really upset data security in the old way on its head, you know, we used to do data security by putting agents on systems, or sometimes it was a proxy in front of it but either way that doesn't work well in cloud, when you're consuming platform as a service, you know, Amazon is not going to let you put an agent on their database that they're provisioning for
you, and, you know, if you put in your own proxy in front of it you probably just messed up the elastic scalability that was built into the whole thing to begin with. So we needed a different way to look at this, however, we also took away a couple of things, in cloud the application teams themselves generally use fit for purpose data stores, they use the data store that's the best for the workload they're doing, our own workload has many data stores under the covers, it's not one data store, and so because of that, this kind of, you know, the old world of there being a data security team or you know, database optimization team, that you know optimize the database workloads, actually gets distributed as well all back to those teams, and so, we've gained kind of this, you know, fit for purpose smaller sets of data stores that are being used all over, and on top of that, the cloud vendors in many cases have done great things to enable monitoring, you know, part of the reason we were putting agents on database servers, is because the Oracle admin said I can't turn logging on, I don't have a big enough system to do it, it's going to crash the system, well in cloud parts of that go away, you can scale the systems up, you can enable logging, now you can get that rich data that you wanted when you were an enterprise, and so, you know Sonrai has really kind of taken that model and said, look we can give you the visibility around data movement, we can give you the visibility around all of the entitlements to that data, we can understand, is your data at risk? And then we can profile all that for anomalies, and say, you know, it's kind of odd that the workload that normally connects into this through this automated fashion is now using its access key from a different location, that doesn't make any sense, why is that happening? And so you get kind of strong anomaly detection as well as the governance.
So, you know, data security and cloud, if we kind of fast forward a few years, will look very different than it does today, I still believe some of the teams are not quite there yet in cloud, you know, they're still struggling with some of these identity problems we talked about, they still struggle some of them with CSPM problems, and so we have to solve those first obviously before we get to the true data security. But it's interesting that cloud has enabled us with such rich tooling and APIs to actually do it better than what we've done on enterprise.
>> A lot of really powerful concepts in there, thank you Sandy. I mean, this notion of decentralizing security functions reminds me when Vogels describes this hyper decentralized distributed system that Amazon is building, and it is clearly a theme, you know, maybe it's bromide, but people talk about shifting left, designing security in, and it's important, not just bolting it on as an afterthought, and so, maybe this next question sort of really relates to the theme of this event, which is all about scale, here's the question Sandy, thinking about your contribution to the future of cloud, obviously you start a company, you want to grow that company, you want to serve customers and grow your revenues et cetera. But what's your defining contribution to the future of cloud scale?
>> Look, we want to enable companies to scale faster, we want them to be able to put more workloads in cloud using, you know, the right set of security controls to keep those workloads safe, I know we can actually do this in a way where, you know, we talk about defense in depth for years, right?
And usually in enterprise that meant many levels of networks before you got access, now we need to do defense in depth in terms of, you know, actually variety of controls, we can't throw the network control away, it still has to be there, we need an identity control, and it will be the primary control for what we do in cloud, we need a data lock, you know, whether that's through an encryption key policy or whatever it is, so we have multiple different layers of defense in depth, we can use in cloud today, and so it will be a much more secure environment than it was in the future, but we have to, again, so my contribution is hopefully I can help everybody get to that level, because right now we still see way too many breaches with very simple configuration problems that ended up exposing data unintentionally, and that's worrisome.
>> You know, it's funny, a lot of people maybe can't relate to that defense in depth, I mean, obviously security people can, but we as individuals who now rely so much on our mobile phones, and things like SMS, and then you start to build in, non-SMS, you know, based two-factor authentication and you start to build your own personal layers, it's sort of a microcosm of the complexity that you have to think about in the enterprise, but in having tools to automate is critical, and expertise obviously, so let's wrap. Avi give us your final thoughts and key takeaways on building a world-class cloud security.
>> I guess the key take of this would be, you know, to choose the right partner, it's not just the solution, another key takeaway is automate your way, because with security in the cloud is different than traditionally how do you do it, and the only fastest way to move is automate yourself away out of it and rely on talent, rely on a lot of young talent that's coming in and all the tools like Sonrai, AWS are making it easier to operate in the cloud, so bring up the young talent and up skill the talent and leverage on these tools to be more secure on the cloud.
>> Yeah, use automation to solve the big problem of, you know, that talent gap, there is not enough of it out there, and the adversaries they're well-equipped and quite capable. Okay Sandy, please give us your last word.
>> Look again, I think a cloud is going to get us to a point where we are more secure than we were on enterprise, we have all of the right tools and controls to do it, we can decentralize the security and make it better, again, I think if anything just to encourage people to really look at a cloud security governance model, right? You can't do this ad hoc, trying to whack-a-mole small issues as they come up, you build it in as an operating model, you automate it and you deal with the exceptions.
>> Yeah, I mean, you're very optimistic and I think is for good reason, I just remembered listening to Steven Schmidt a couple of years ago at re:Inforce, basically saying, look, we feel pretty optimistic about solving this problem, whereas, I have to say every year I look back in the enterprise and on-prem and I know it's getting worse, and so, keep up the good work gents, I really appreciate the time on theCUBE today, thank you.
>> Thank you.
>> Thank you.
>> And thank you for watching theCUBE presentation of the AWS Startup Showcase, The Next Big Thing in AI, Security & Life Sciences. I'm Dave Vellante.
(upbeat music)
Deepak Singh, AWS | DockerCon 2020
>> Narrator: From around the globe, it's theCUBE with digital coverage of DockerCon LIVE 2020, brought to you by Docker and its ecosystem partners. >> Hi, I'm Stu Miniman and this is theCUBE's coverage of DockerCon LIVE 2020. Happy to welcome back to the program one of our CUBE alumni, Deepak Singh. He's the vice president of compute services at Amazon Web Services. Deepak, great to see you. >> Likewise, hi, Stu. Nice to meet you again. >> All right, so for our audience that hasn't been in your previous times on theCUBE, give us a little bit about, you know, your role and your organization inside AWS? >> Yeah, so I'm, I've been part of the AWS compute services world from, for the last 12 years in various capacities. Today, I run a number of teams, all our container services, our Linux teams, I also happen to run a high performance computing organization, so it's a nice mix of all the computing that our customers do, especially some of the more new and large scale compute types that our customers are doing. >> All right, so Deepak, obviously, you know, the digital events, we understand what's happening with the global pandemic. DockerCon was actually always planned to be an online event but I want to understand, you know, your teams, how things are affecting, we know distributed is something that Amazon's done, but you have to cut up those two pizza and send them out to the additional groups or, you know, what advice are you giving the developers out there? >> Yeah, in many ways, obviously, how we operate has changed. We are at home, maybe I think with our families. DockerCon was always going to be virtual, but many other events like AWS Summits are now virtual so, you know, in some ways, the teams, the people that get most impacted are not necessarily the developers in our team but people who interact a lot with customers, who go to conferences and speak and they are finding new ways of being effective and being successful and they've been very creative at it. 
Our customers are getting very good at working with us virtually because we can always go to their site, they can always come to Seattle, or run of other sites for meeting. So we've all become very good at, and disciplined at how do you conduct really nice virtual meetings. But from a customer commitment side, from how we are operating, the things that we're doing, not that much has changed. We still run our projects the same way, the teams work together. My team tends to do a lot of happy things like Friday happy hours, they happen to be all virtual. I think last time we played, what word, bingo? I forget exactly what game we played. I know I got some point somewhere. But we do our best to maintain sort of our team chemistry or camaraderie but the mission doesn't change which is our customers expect us to keep operating their services, make sure that they're highly available, keep delivering new capabilities and I think in this environment, in some ways that's even more important than ever, as customer, as the consumer moves online and so much business is being done virtually so it keeps us on our toes but it's been an adjustment but I think we are all, not just us, I think the whole world is doing the best that they can under the circumstances. >> Yeah, absolutely, it definitely has humanized things quite a bit. From a technology standpoint, Deepak, you know, distributed systems has really been the challenge of you know, quite a long journey that people have been going on. Docker has played, you know, a really important role in a lot of these cloud native technologies. It's been just amazing to watch, you know, one of the things I point to in my career is, you know, watching from those very, very early days of Docker to the Cambrian explosion of what we've seen container based services, you know, you've been part of it for quite a number of years and AWS had many services out there. For people that are getting started, you know, what guidance do you give them? 
What do they understand about, you know, containerization in 2020? >> Yeah, containerization in 2020 is quite a bit different from when Docker started in 2013. I remember speaking at DockerCon, I forget, that's 2014, 2015, and it was a very different world. People are just trying to figure out what containers are that they could package code in deeper. Today, containers are mainstream, it is more customers or at least many customers and they are starting to build new applications, probably starting them either with containers or with some form of server technology. At least that's the default starting point but increasingly, we also seen customers with existing applications starting to think about how do they adapt? And containers are a means to an end. The end is how can we move faster? How can we deliver more quickly? How can our teams be more productive? And how can you do it more, less expensively, at lower cost? And containers are a big part, important and critical piece of that puzzle, both from how customers are operating their infrastructure, that there's a whole ecosystem of schedulers and orchestration and security tools and all the things that an enterprise need to deliver applications using containers that they have built up. Over the last few years, you know, we have multiple container services that meet those needs. And I think that's been the biggest change is that there's so much more. Which also means that when you're getting started, you're faced with many more options. When Docker started, it was this cute whale, Docker run, Docker build Docker push, it was pretty simple, you could get going really quickly. And today you have 500 different options. My guidance to customers really is, boils down to what are you trying to achieve? 
If you're an organization that's trying to corral infrastructure and trying to use an existing VM more effectively, for example, you probably do want to invest in becoming experts at schedulers and understanding orchestration technologies like ECS and EKS work but if you just want to run applications, you probably want to look at something like Fargate or more. I mean, you could go towards Lambda and just run code. But I think it all boils down to where you're starting your journey. And by the way, understanding Docker run, Docker build and Docker push is still a great idea. It helps you understand how things work. >> All right, so Deepak, you've already brought up a couple of AWS services of, you know, talk about the options out there, that you can either run on top of AWS, you have a lot of native services, you know, ECS, EKS, you mentioned, Fargate there, and very broad ecosystem in space. Could you just, you know, obviously, there are entire breakout sessions to talk about, the various AWS services, but you know, give us that one on one level as to what to understand for container service by AWS. >> Yeah, and these services evolved organically and we launched the Amazon Elastic Container Service or ECS in preview in November or whenever re:Invent was that year in 2014, which seems ages ago in the world of containers but in the end, our goal is to give our customers the most choice, so that they can solve problems the way they want to solve them. So Amazon ECS is our native container orchestration service, it's designed to work with and the rest of the AWS ecosystem. So it uses VPC for networking, it uses IAM identity, it uses ALB for load balancing, other than just good examples, some examples of how it works. But it became pretty clear over time that there was a lot of customers who were investing in Kubernetes, very often starting in their own data centers. 
And as they migrated onto the cloud, they wanted to continue using the same tool plane but they also wanted to not have to manage the complexity of Kubernetes control planes, upgrades. And they also wanted some of the same integrations that they were getting with ECS and so that's where the Amazon Elastic Kubernetes Service or EKS comes in, which is, okay, we will manage a control plane for you. We will manage upgrades and patches for you. You focus on building your applications in Kubernetes way, so it embraces Kubernetes. It has, invokes with all the Kubernetes tooling and gives you a Kubernetes native experience, but then also ties into the broad AWS ecosystem and allows us to take care of some of the muck that many customers quite frankly don't and shouldn't have to worry about. But then we took it one step further and actually launched the same time as EKS and that's, AWS Fargate, and Fargate was, came from the recognition that we had, actually, a long time ago, which is, one of the beauties of EC2 was that customers never had, had to stop, didn't have to worry about racking and stacking and where a server was running anymore. And the idea was, how can we apply that to the world of containers. And we also learned a little bit from what we had done with Lambda. And we took that and took the server layer and took it out of the way. Then from a customer standpoint, all you're launching is a pod or a task or a service and you're not worrying about which machines I need to get, what types of machines I need to get. 
And the operational simplicity that comes with it is quite remarkable and quite finding not that, surprisingly, our customers want us to keep pushing the boundary of the kind operational simplicity we can give them but Fargate serves a critical building block and part of that, and we're super excited because, you know, today by far when a new customer, when a customer comes and runs a container on AWS the first time they pick Fargate, we're usually using ECS because EKS and Fargate is much newer, but that is a default starting point for any new container customer on AWS which is great. >> All right, well, you know, Docker, the company really helped a lot with that democratization, container technologies, you know, all those services that you talked about from AWS. I'm curious now, the partnership with Docker here, you know, how do some of the AWS services, you know, fit in with Docker? I'm thinking Docker Desktop probably someplace that they're, you know, or some connection? >> Yeah, I think one of the things that Docker has always been really good at as a company, as a project, is understanding the developer and the fact that they start off on a laptop. That's where the original Docker experience that go well, and Docker Desktop since then and we see a ton of Docker Desktop customers have used AWS. We also learned very early on, because originally ECS CLI supported Docker Compose. That ecosystem is also very rich and people like building Docker files and post files and just being able to launch them. So we continue to learn from what Docker is doing with Docker Desktop. We continue working with them on making sure that customizing the Docker Compose and Docker Desktop can run all their services and application on AWS. 
And we'll continue working with Docker, the company, on how we make that a lot easier for our customers, they are our mutual customers, and how we can learn from their simplicity that Docker, the simplicity that Docker brings and the sort of ease of use the Docker bring for the developer and the developer experience. We learn from that for our own services and we love working with them to make sure that the customer that's starting with Docker Desktop or the Docker CLI has a great experience as they move towards a fully orchestrated experience in the cloud, for example. There's a couple of other areas where Docker has turned out to have had foresight and driven some of our thinking. So a few years ago, Docker released this thing called containerd, where they took out their container runtime from inside the bigger Docker engine. And containerd has become a very important project for us as well as, it's the underpinning of Fargate now and we see a lot of interest from customers that want to keep building on containerd as well. And it's going to be very interesting to see how we work with Docker going forward and how we can continue to give our customers a lot of value, starting from the laptop and then ending up with large scale services in the cloud. >> Very interesting stuff, you know, interesting. Anytime we have a conversation about Docker, there's Docker the technology and Docker the company and that leads us down the discussion of open-source technologies . You were just talking about, you know, containerd believe that connects us to Firecracker. What you and your team are involved in, what's your viewpoint is the, you know, what you're seeing from open-source, how does Amazon think of that? And what else can you share with the audience on this topic? >> Yeah, as you've probably seen over the last few years, both from our work in Kubernetes, with things like Firecracker and more recently Bottlerocket. 
AWS gets deeply involved with open-source in a number of ways. We are involved heavily with a number of CNCF projects, whether it be containerd, whether it be things like Kubernetes itself, projects in the Kubernetes ecosystem, the service mesh world with Envoy and with the containerd project. So where containerd fits in really well with AWS is in a project that we call firecracker-containerd. They're effectively for Fargate, firecracker-containerd as we move Fargate towards Firecracker becomes out of the container in which you run containerd. It's effectively the equivalent of runC in a traditional Docker engine world. And, you know, one of the first things we did when Firecracker got rolled out was open-source the firecracker-containerd project. It's a Go project and the idea was it's a great way for people to build VM like isolation and then build sort of these serverless container architectures like we want to do with Fargate. And, you know, I think Firecracker itself has been a great success. You see customer, you know, companies like Libvirt integrating with Firecracker. I've seen a few other examples of, sometimes unbeknownst to us, of people picking a Firecracker and using it for very, very interesting use cases and not just on AWS in other places as well. And we learnt a lot from that that's kind of why Bottlerocket is, was released the way it was. It is both a product and a project. Bottlerocket, the operating system is an open-source project. It's on GitHub, it has all the building tooling, you can take it and do whatever you want with it. And then on the AWS side, we will build and publish Bottlerocket AMIs, Amazon Machine Images, we will support them on AWS and there it's a product. But then Bottlerocket the project is something that anybody in the world who wants to run a minimal operating system can choose to pick up. 
And I think we've learnt a lot from these experiences, how we deal with the community, how we work with other people who are interested in contributing. And you know, Docker is one of the, the Docker open-source pieces and Docker the company are both part of the growing open-source ecosystem that's coming from AWS, especially on the container world. So it's going to be very interesting. And I'll end with, containerization has started impacting other parts of AWS, as well as our other services are being built, very often through ECS and EKS, but they're also influencing how we think about what capabilities we need to build into the broader container ecosystem. >> Yeah, Deepak, you know, you mentioned that some of the learnings from Lambda has impacted the services you're doing on the containerization side. You know, we've been watching some of the blurring of the lines between another container world and the containerization world. You know, there's some open-source projects out there, the CNCF working on things, you know, what's the latest, as you see kind of containerization and serverless and you know, where do you see them going forward? >> This is that I say that crystal balls are not my strong suit. But we hear customers, customers often want the best of both worlds. What we see very often is that customers don't actually choose just Fargate or just Lambda, they'll choose both. Where for different pieces of their architecture, they may pick a different solution. And sometimes that's driven by what they know, sometimes driven by what fits into their need. Some of the lines blur but they're still quite different. Lambda, for example, as a very event driven architecture, it is one process at a time. It has all these event hooks into the rest of AWS that are hard to replicate. And if that's the world you want to live in or benefit from, you're going to use Lambda. 
If you're running long running services or you want a particular size that you don't get in Lambda or you want to take a more traditional application and convert it into a more modern application, chances are you're starting on Fargate but it fits in really well you have an existing operational model that fits into it. So we see applications evolving very interestingly. It's one reason why when we build a service mesh, we thought forward instead. It is almost impossible that we will have a world that's 100% containers, 100% Lambda or 100% EC2. It's going to be some mix of all of these. We have to think about it that way. And it's something that we constantly think about is how can we do things in a way that companies aren't forced to pick one way to it and "Oh, I'm going to build on Fargate" and then months later, they're like, "Yeah, we should have probably done Lambda." And I think that is something we think a lot about, whether it's from a developer's experience side or if it's from service meshes, which allow you to move back and forth or make the mesh. And I think that is the area where you'll see us do a lot more going forward. >> Excellent, so last question for you Deepak is just give us a little bit as to what, you know, industry watchers will be looking at the container services going forward, next kind of 12, 18 months? >> Yeah, so I think one of the great things of the last 18 months has been that type of application that we see customers running, I don't think there's any bound to it. We see everything from people running microservices, or whatever you want to call decoupled services these days, but are services in the end, people are running, most are doing a lot of batch processing, machine learning, artificial intelligence that work with containers. 
But I think where the biggest dangers are going to come is as companies mature, as companies make containers, not just things that they build greenfield applications but also start thinking about migrating legacy applications in much more volume. A few things are going to happen. I think we'll be, containers come with a lot of complexity right now. I think you've, if you've seen my last two talks at re:Invent along with David Richardson from the Lambda team. You'll hear that we talk a lot about the fact that we see, we've made customers think about more things than they used to in the pre container world. I think you'll see now that the early adopter techie part has done, cloud has adopted containers and the next wave of mainstream users is coming in, you'll see more attractions come on as well, you'll see more governance, I think service meshes have a huge role to play here. How identity works or this fits into things like control tower and more sort of enterprise focused tooling around how you put guardrails around your containerized applications. You'll see it two or three different directions, I think you'll see a lot more on the serverless side, just the fact that so many customers start with Fargate, they're going to make us do more. You'll see a lot more on the ease of use developer experience of production side because you started off with the folks who like to tinker and now you're getting more and more customers that just want to run. And then you'll see, and that's actually a place where Docker, the company and the project have a lot to offer, because that's always been different. And then on the other side, you have the governance guardrails, and how is going to be in a compliant environment, how am I going to migrate all these applications over so that work will keep going on and you'll more and more of that. 
So those are the three buckets I'll use, the world can surprise us and you might end up with something completely radically different but that seems like what we're hearing from our customers right now. >> Excellent, well, Deepak, always a pleasure to catch up with you. Thanks so much for joining us again on theCUBE. >> No, always a pleasure Stu and hopefully, we get to do this again someday in person. >> Absolutely, I'm Stu Miniman, thanks as always for watching theCUBE. >> Deepak: Yep, thank you. (gentle music)
End-to-End Security
>> Paige: Hello everybody and thank you for joining us today for the virtual Vertica BDC 2020. Today's breakout session is entitled End-to-End Security in Vertica. I'm Paige Roberts, Open Source Relations Manager at Vertica. I'll be your host for this session. Joining me is Vertica Software Engineers, Fenic Fawkes and Chris Morris. Before we begin, I encourage you to submit your questions or comments during the virtual session. You don't have to wait until the end. Just type your question or comment in the question box below the slide as it occurs to you and click submit. There will be a Q&A session at the end of the presentation and we'll answer as many questions as we're able to during that time. Any questions that we don't address, we'll do our best to answer offline. Also, you can visit Vertica forums to post your questions there after the session. Our team is planning to join the forums to keep the conversation going, so it'll be just like being at a conference and talking to the engineers after the presentation. Also, a reminder that you can maximize your screen by clicking the double arrow button in the lower right corner of the slide. And before you ask, yes, this whole session is being recorded and it will be available to view on-demand this week. We'll send you a notification as soon as it's ready. I think we're ready to get started. Over to you, Fen. >> Fenic: Hi, welcome everyone. My name is Fen. My pronouns are fae/faer and Chris will be presenting the second half, and his pronouns are he/him. So to get started, let's kind of go over what the goals of this presentation are. First off, no deployment is the same. So we can't give you an exact, like, here's the right way to secure Vertica because how it is to set up a deployment is a factor. But the biggest one is, what is your threat model? So, if you don't know what a threat model is, let's take an example. We're all working from home because of the coronavirus and that introduces certain new risks. 
Our source code is on our laptops at home, that kind of thing. But really our threat model isn't that people will read our code and copy it, like, over our shoulders. So we've encrypted our hard disks and that kind of thing to make sure that no one can get them. So basically, what we're going to give you are building blocks and you can pick and choose the pieces that you need to secure your Vertica deployment. We hope that this gives you a good foundation for how to secure Vertica. And now, what we're going to talk about. So we're going to start off by going over encryption, just how to secure your data from attackers. And then authentication, which is kind of how to log in. Identity, which is who are you? Authorization, which is now that we know who you are, what can you do? Delegation is about how Vertica talks to other systems. And then auditing and monitoring. So, how do you protect your data in transit? Vertica makes a lot of network connections. Here are the important ones basically. There are clients talk to Vertica cluster. Vertica cluster talks to itself. And it can also talk to other Vertica clusters and it can make connections to a bunch of external services. So first off, let's talk about client-server TLS. Securing data between, this is how you secure data between Vertica and clients. It prevents an attacker from sniffing network traffic and say, picking out sensitive data. Clients have a way to configure how strict the authentication is of the server cert. It's called the Client SSLMode and we'll talk about this more in a bit but authentication methods can disable non-TLS connections, which is a pretty cool feature. Okay, so Vertica also makes a lot of network connections within itself. So if Vertica is running behind a strict firewall, you have really good network, both physical and software security, then it's probably not super important that you encrypt all traffic between nodes. 
But if you're on a public cloud, you can set up AWS' firewall to prevent connections, but if there's a vulnerability in that, then your data's all totally vulnerable. So it's a good idea to set up inter-node encryption in less secure situations. Next, import/export is a good way to move data between clusters. So for instance, say you have an on-premises cluster and you're looking to move to AWS. Import/Export is a great way to move your data from your on-prem cluster to AWS, but that means that the data is going over the open internet. And that is another case where an attacker could try to sniff network traffic and pull out credit card numbers or whatever you have stored in Vertica that's sensitive. So it's a good idea to secure data in that case. And then we also connect to a lot of external services. Kafka, Hadoop, S3 are three of them. Voltage SecureData, which we'll talk about more in a sec, is another. And because of how each service deals with authentication, how to configure your authentication to them differs. So, see our docs. And then I'd like to talk a little bit about where we're going next. Our main goal at this point is making Vertica easier to use. Our first objective was security, was to make sure everything could be secure, so we built relatively low-level building blocks. Now that we've done that, we can identify common use cases and automate them. And that's where our attention is going. Okay, so we've talked about how to secure your data over the network, but what about when it's on disk? There are several different encryption approaches, each depends on kind of what your use case is. RAID controllers and disk encryption are mostly for on-prem clusters and they protect against media theft. They're invisible to Vertica. S3 and GCP are kind of the equivalent in the cloud. They're also invisible to Vertica. And then there's field-level encryption, which we accomplish using Voltage SecureData, which is format-preserving encryption. 
So how does Voltage work? Well, it, the, yeah. It encrypts values to things that look like the same format. So for instance, you can see date of birth encrypted to something that looks like a date of birth but it is not in fact the same thing. You could do cool stuff like with a credit card number, you can encrypt only the first 12 digits, allowing the user to, you know, validate the last four. The benefits of format-preserving encryption are that it doesn't increase database size, you don't need to alter your schema or anything. And because of referential integrity, it means that you can do analytics without unencrypting the data. So again, a little diagram of how you could work Voltage into your use case. And you could even work with Vertica's row and column access policies, which Chris will talk about a bit later, for even more customized access control. Depending on your use case and your Voltage integration. We are enhancing our Voltage integration in several ways in 10.0 and if you're interested in Voltage, you can go see their virtual BDC talk. And then again, talking about roadmap a little, we're working on in-database encryption at rest. What this means is kind of a Vertica solution to encryption at rest that doesn't depend on the platform that you're running on. Encryption at rest is hard. (laughs) Encrypting, say, 10 petabytes of data is a lot of work. And once again, the theme of this talk is everyone has a different key management strategy, a different threat model, so we're working on designing a solution that fits everyone. If you're interested, we'd love to hear from you. Contact us on the Vertica forums. All right, next up we're going to talk a little bit about access control. So first off is how do I prove who I am? How do I log in? So, Vertica has several authentication methods. Which one is best depends on your deployment size/use case. Again, theme of this talk is what you should use depends on your use case. 
You could order authentication methods by priority and origin. So for instance, you can only allow connections from within your internal network or you can enforce TLS on connections from external networks but relax that for connections from your internal network. That kind of thing. So we have a bunch of built-in authentication methods. They're all password-based. User profiles allow you to set complexity requirements of passwords and you can even reject non-TLS connections, say, or reject certain kinds of connections. Should only be used by small deployments because you probably have an LDAP server, where you manage users if you're a larger deployment and rather than duplicating passwords and users all in LDAP, you should use LDAP Auth, where Vertica still has to keep track of users, but each user can then use LDAP authentication. So Vertica doesn't store the password at all. The client gives Vertica a username and password and Vertica then asks the LDAP server is this a correct username or password. And the benefits of this are, well, manyfold, but if, say, you delete a user from LDAP, you don't need to remember to also delete their Vertica credentials. You can just, they won't be able to log in anymore because they're not in LDAP anymore. If you like LDAP but you want something a little bit more secure, Kerberos is a good idea. So similar to LDAP, Vertica doesn't keep track of who's allowed to log in, it just keeps track of the Kerberos credentials and it even, Vertica never touches the user's password. Users log in to Kerberos and then they pass Vertica a ticket that says "I can log in." It is more complex to set up, so if you're just getting started with security, LDAP is probably a better option. But Kerberos is, again, a little bit more secure. If you're looking for something that, you know, works well for applications, certificate auth is probably what you want. 
Rather than hardcoding a password, or storing a password in a script that you use to run an application, you can instead use a certificate. So, if you ever need to change it, you can just replace the certificate on disk and the next time the application starts, it just picks that up and logs in. Yeah. And then, multi-factor auth is a feature request we've gotten in the past and it's not built into Vertica but you can do it using Kerberos. So, security is a whole application concern and fitting MFA into your workflow is all about fitting it in at the right layer. And we believe that that layer is above Vertica. If you're interested in more about how MFA works and how to set it up, we wrote a blog on how to do it. And now, over to Chris, for more on identity and authorization. >> Chris: Thanks, Fen. Hi everyone, I'm Chris. So, we're a Vertica user and we've connected to Vertica but once we're in the database, who are we? What are we? So in Vertica, the answer to that question is principals. Users and roles, which are like groups in other systems. Since roles can be enabled and disabled at will and multiple roles can be active, they're a flexible way to use only the privileges you need in the moment. For example here, you've got Alice who has Dbadmin as a role and those are some elevated privileges. She probably doesn't want them active all the time, so she can set the role and add them to her identity set. All of this information is stored in the catalog, which is basically Vertica's metadata storage. How do we manage these principals? Well, depends on your use case, right? So, if you're a small organization or maybe only some people or services need Vertica access, the solution is just to manage it with Vertica. You can see some commands here that will let you do that. But what if we're a big organization and we want Vertica to reflect what's in our centralized user management system? Sort of a similar motivating use case for LDAP authentication, right? 
We want to avoid duplication hassles, we just want to centralize our management. In that case, we can use Vertica's LDAPLink feature. So with LDAPLink, principals are mirrored from LDAP. They're synced in a considerable fashion from the LDAP into Vertica's catalog. What this does is it manages creating and dropping users and roles for you and then mapping the users to the roles. Once that's done, you can do any Vertica-specific configuration on the Vertica side. It's important to note that principals created in Vertica this way, support multiple forms of authentication, not just LDAP. This is a separate feature from LDAP authentication and if you created a user via LDAPLink, you could have them use a different form of authentication, Kerberos, for example. Up to you. Now of course this kind of system is pretty mission-critical, right? You want to make sure you get the right roles and the right users and the right mappings in Vertica. So you probably want to test it. And for that, we've got new and improved dry run functionality, from 9.3.1. And what this feature offers you is new metafunctions that let you test various parameters without breaking your real LDAPLink configuration. So you can mess around with parameters and the configuration as much as you want and you can be sure that all of that is strictly isolated from the live system. Everything's separated. And when you use this, you get some really nice output through a Data Collector table. You can see some example output here. It runs the same logic as the real LDAPLink and provides detailed information about what would happen. You can check the documentation for specifics. All right, so we've connected to the database, we know who we are, but now, what can we do? So for any given action, you want to control who can do that, right? So what's the question you have to ask? Sometimes the question is just who are you? It's a simple yes or no question. 
For example, if I want to upgrade a user, the question I have to ask is, am I the superuser? If I'm the superuser, I can do it, if I'm not, I can't. But sometimes the actions are more complex and the question you have to ask is more complex. Does the principal have the required privileges? If you're familiar with SQL privileges, there are things like SELECT, INSERT, and Vertica has a few of their own, but the key thing here is that an action can require specific and maybe even multiple privileges on multiple objects. So for example, when selecting from a table, you need USAGE on the schema and SELECT on the table. And there's some other examples here. So where do these privileges come from? Well, if the action requires a privilege, these are the only places privileges can come from. The first source is implicit privileges, which could come from owning the object or from special roles, which we'll talk about in a sec. Explicit privileges, it's basically a SQL standard GRANT system. So you can grant privileges to users or roles and optionally, those users and roles could grant them downstream. Discretionary access control. So those are explicit and they come from the user and the active roles. So the whole identity set. And then we've got Vertica-specific inherited privileges and those come from the schema, and we'll talk about that in a sec as well. So these are the special roles in Vertica. First role, DBADMIN. This isn't the Dbadmin user, it's a role. And it has specific elevated privileges. You can check the documentation for those exact privileges but it's less than the superuser. The PSEUDOSUPERUSER can do anything the real superuser can do and you can grant this role to whomever. The DBDUSER is actually a role, can run Database Designer functions. SYSMONITOR gives you some elevated auditing permissions and we'll talk about that later as well. 
And finally, PUBLIC is a role that everyone has all the time so anything you want to be allowed for everyone, attach to PUBLIC. Imagine this scenario. I've got a really big schema with lots of relations. Those relations might be changing all the time. But for each principal that uses this schema, I want the privileges for all the tables and views there to be roughly the same. Even though the tables and views come and go, for example, an analyst might need full access to all of them no matter how many there are or what there are at any given time. So to manage this, my first approach I could use is remember to run grants every time a new table or view is created. And not just you but everyone using this schema. Not only is it a pain, it's hard to enforce. The second approach is to use schema-inherited privileges. So in Vertica, schema grants can include relational privileges. For example, SELECT or INSERT, which normally don't mean anything for a schema, but they do for a table. If a relation's marked as inheriting, then the schema grants to a principal, for example, salespeople, also apply to the relation. And you can see on the diagram here how the usage applies to the schema and the SELECT technically but in Sales.foo table, SELECT also applies. So now, instead of lots of GRANT statements for multiple object owners, we only have to run one ALTER SCHEMA statement and three GRANT statements and from then on, any time that you grant some privileges or revoke privileges to or on the schema, to or from a principal, all your new tables and views will get them automatically. So it's dynamically calculated. Now of course, setting it up securely, is that you want to know what's happened here and what's going on. So to monitor the privileges, there are three system tables which you want to look at. The first is grants, which will show you privileges that are active for you. That is your user and active roles and theirs and so on down the chain. 
Grants will show you the explicit privileges and inherited_privileges will show you the inherited ones. And then there's one more inheriting_objects which will show all tables and views which inherit privileges so that's useful more for not seeing privileges themselves but managing inherited privileges in general. And finally, how do you see all privileges from all these sources, right? In one go, you want to see them together? Well, there's a metafunction added in 9.3.1. Get_privileges_description which will, given an object, it will sum up all the privileges for a current user on that object. I'll refer you to the documentation for usage and supported types. Now, the problem with SELECT. SELECT lets you see everything or nothing. You can either read the table or you can't. But what if you want some principals to see a subset or a transformed version of the data. So for example, I have a table with personnel data and different principals, as you can see here, need different access levels to sensitive information. Social security numbers. Well, one thing I could do is I could make a view for each principal. But I could also use access policies and access policies can do this without introducing any new objects or dependencies. It centralizes your restriction logic and makes it easier to manage. So what do access policies do? Well, we've got row and column access policies. Rows will hide and column access policies will transform data in the row or column, depending on who's doing the SELECTing. So it transforms the data, as we saw on the previous slide, to look as requested. Now, if access policies let you see the raw data, you can still modify the data. And the implication of this is that when you're crafting access policies, you should only use them to refine access for principals that need read-only access. That is, if you want a principal to be able to modify it, the access policies you craft should let through the raw data for that principal. 
So in our previous example, the loader service should be able to see every row and it should be able to see untransformed data in every column. And as long as that's true, then they can continue to load into this table. All of this is of course monitorable by a system table, in this case access_policy. Check the docs for more information on how to implement these. All right, that's it for access control. Now on to delegation and impersonation. So what's the question here? Well, the question is who is Vertica? And that might seem like a silly question, but here's what I mean by that. When Vertica's connecting to a downstream service, for example, cloud storage, how should Vertica identify itself? Well, most of the time, we do the permissions check ourselves and then we connect as Vertica, like in this diagram here. But sometimes we can do better. And instead of connecting as Vertica, we connect with some kind of upstream user identity. And when we do that, we let the service decide who can do what, so Vertica isn't the only line of defense. And in addition to the defense in depth benefit, there are also benefits for auditing because the external system can see who is really doing something. It's no longer just Vertica showing up in that external service's logs, it's somebody like Alice or Bob, trying to do something. One system where this comes into play is with Voltage SecureData. So, let's look at a couple use cases. The first one, I'm just encrypting for compliance or anti-theft reasons. In this case, I'll just use one global identity to encrypt or decrypt with Voltage. But imagine another use case, I want to control which users can decrypt which data. Now I'm using Voltage for access control. So in this case, we want to delegate. The solution here is on the Voltage side, give Voltage users access to appropriate identities and these identities control encryption for sets of data. A Voltage user can access multiple identities like groups. 
Then on the Vertica side, a Vertica user can set their Voltage username and password in a session and Vertica will talk to Voltage as that Voltage user. So in the diagram here, you can see an example of how this is leveraged so that Alice could decrypt something but Bob cannot. Another place the delegation paradigm shows up is with storage. So Vertica can store and interact with data on non-local file systems. For example, HDFS or S3. Sometimes Vertica's storing Vertica-managed data there. For example, in Eon mode, you might store your projections in communal storage in S3. But sometimes, Vertica is interacting with external data. For example, this usually maps to a user storage location in the Vertica side and it might, on the external storage side, be something like Parquet files on Hadoop. And in that case, it's not really Vertica's data and we don't want to give Vertica more power than it needs, so let's request the data on behalf of who needs it. Let's say I'm an analyst and I want to copy from or export to Parquet, using my own bucket. It's not Vertica's bucket, it's my data. But I want Vertica to manipulate data in it. So the first option I have is to give Vertica as a whole access to the bucket and that's problematic because in that case, Vertica becomes kind of an AWS god. It can see any bucket, any Vertica user might want to push or pull data to or from any time Vertica wants. So it's not good for the principles of least access and zero trust. And we can do better than that. So in the second option, use an ID and secret key pair for an AWS, IAM, if you're familiar, principal that does have access to the bucket. So I might use my, the analyst, credentials, or I might use credentials for an AWS role that has even fewer privileges than I do. Sort of a restricted subset of my privileges. And then I use that. I set it in Vertica at the session level and Vertica will use those credentials for the copy export commands. And it gives more isolation. 
Something that's in the works is support for keyless delegation, using assumable IAM roles. So similar benefits to option two here, but also not having to manage keys at the user level. We can do basically the same thing with Hadoop and HDFS with three different methods. So first option is Kerberos delegation. I think it's the most secure. It definitely, if access control is your primary concern here, this will give you the tightest access control. The downside is it requires the most configuration outside of Vertica with Kerberos and HDFS but with this, you can really determine which Vertica users can talk to which HDFS locations. Then, you've got secure impersonation. If you've got a highly trusted Vertica userbase, or at least some subset of it is, and you're not worried about them doing things wrong but you want to know about auditing on the HDFS side, that's your primary concern, you can use this option. This diagram here gives you a visual overview of how that works. But I'll refer you to the docs for details. And then finally, option three, this is bringing your own delegation token. It's similar to what we do with AWS. We set something in the session level, so it's very flexible. The user can do it at an ad hoc basis, but it is manual, so that's the third option. Now on to auditing and monitoring. So of course, we want to know, what's happening in our database? It's important in general and important for incident response, of course. So your first stop, to answer this question, should be system tables. And they're a collection of information about events, system state, performance, et cetera. They're SELECT-only tables, but they work in queries as usual. The data is just loaded differently. So there are two types generally. There's the metadata table, which stores persistent information or rather reflects persistent information stored in the catalog, for example, users or schemata. 
Then there are monitoring tables, which reflect more transient information, like events, system resources. Here you can see an example of output from the resource pool's storage table which, these are actually, despite that it looks like system statistics, they're actually configurable parameters for using that. If you're interested in resource pools, a way to handle users' resource allocation and various principals' resource allocation, again, check that out on the docs. Then of course, there's the followup question, who can see all of this? Well, some system information is sensitive and we should only show it to those who need it. Principle of least privilege, right? So of course the superuser can see everything, but what about non-superusers? How do we give access to people that might need additional information about the system without giving them too much power? One option's SYSMONITOR, as I mentioned before, it's a special role. And this role can always read system tables but not change things like a superuser would be able to. Just reading. And another option is the RESTRICT and RELEASE metafunctions. Those grant and revoke access to from a certain system table set, to and from the PUBLIC role. But the downside of those approaches is that they're inflexible. So they only give you, they're all or nothing. For a specific preset of tables. And you can't really configure it per table. So if you're willing to do a little more setup, then I'd recommend using your own grants and roles. System tables support GRANT and REVOKE statements just like any regular relations. And in that case, I wouldn't even bother with SYSMONITOR or the metafunctions. So to do this, just grant whatever privileges you see fit to roles that you create. Then go ahead and grant those roles to the users that you want. And revoke access to the system tables of your choice from PUBLIC. If you need even finer-grained access than this, you can create views on top of system tables. 
For example, you can create a view on top of the user system table which only shows the current user's information, uses a built-in function that you can use as part of the view definition. And then, you can actually grant this to PUBLIC, so that each user in Vertica could see their own user's information and never give access to the user system table as a whole, just that view. Now if you're a superuser or if you have direct access to nodes in the cluster, filesystem/OS, et cetera, then you have more ways to see events. Vertica supports various methods of logging. You can see a few methods here which are generally outside of running Vertica, you'd interact with them in a different way, with the exception of active events which is a system table. We've also got the data collector. And that sorts events by subjects. So what the data collector does, it extends the logging and system table functionality, by the component, is what it's called in the documentation. And it logs these events and information to rotating files. For example, AnalyzeStatistics is a function that could be of use by users and as a database administrator, you might want to monitor that so you can use the data collector for AnalyzeStatistics. And the files that these create can be exported into a monitoring database. One example of that is with the Management Console Extended Monitoring. So check out their virtual BDC talk. The one on the management console. And that's it for the key points of security in Vertica. Well, many of these slides could spawn a talk on their own, so we encourage you to check out our blog, check out the documentation and the forum for further investigation and collaboration. Hopefully the information we provided today will inform your choices in securing your deployment of Vertica. Thanks for your time today. That concludes our presentation. Now, we're ready for Q&A.
Aviatrix Altitude - Panel 1 - Industry Experts Panel
(electronic music) >> From Santa Clara, California in the heart of Silicon Valley, it's theCUBE. Covering Altitude 2020, brought to you by Aviatrix. (electronic music) >> Female pilot: Good morning, ladies and gentlemen, this is your captain speaking, we will soon be taking off on our way to altitude. (upbeat music) Please keep your seat belts fastened and remain in your seat. We will be experiencing turbulence, until we are above the clouds. (thunder blasting) (electronic music) (seatbelt alert sounds) Ladies and gentlemen, we are now cruising at altitude. Sit back and enjoy the ride. (electronic music) >> Female pilot: Altitude is a community of thought leaders and pioneers, cloud architects and enlightened network engineers, who have individually and are now collectively, leading their own IT teams and the industry. On a path to lift cloud networking above the clouds. Empowering enterprise IT to architect, design and control their own cloud network, regardless of the turbulent clouds beneath them. It's time to gain altitude. Ladies and gentlemen, Steve Mullaney, president and CEO of Aviatrix. The leader of multi-cloud networking. (electronic music) (audience clapping) >> Steve: All right. (audience clapping) Good morning everybody, here in Santa Clara as well as to the millions of people watching the livestream worldwide. Welcome to Altitude 2020, all right. So, we've got a fantastic event, today, I'm really excited about the speakers that we have today and the experts that we have and really excited to get started. So, one of the things I wanted to share was this is not a one-time event. This is not a one-time thing that we're going to do. Sorry for the Aviation analogy, but, you know, Sherry Wei, aviatrix means female pilot so everything we do has an aviation theme. This is a take-off, for a movement. This isn't an event, this is a take-off of a movement. A multi-cloud networking movement and community that we're inviting all of you to become part of. 
And why we're doing that, is we want to enable enterprises to rise above the clouds, so to speak and build their network architecture, regardless of which public cloud they're using. Whether it's one or more of these public clouds. So the good news, for today, there's lots of good news but this is one good news, is we don't have any PowerPoint presentations, no marketing speak. We know that marketing people have their own language. We're not using any of that, and no sales pitches, right? So instead, what are we doing? We're going to have expert panels, we've got Simon Richard, of Gartner here. We've got ten different network architects, cloud architects, real practitioners that are going to share their best practices and their real world experiences on their journey to the multi-cloud. So, before we start, everybody know what today is? In the U.S., it's Super Tuesday. I'm not going to get political, but Super Tuesday there was a bigger, Super Tuesday that happened 18 months ago. And Aviatrix employees know what I'm talking about. Eighteen months ago, on a Tuesday, every enterprise said, "I'm going to go to the cloud". And so what that was, was the Cambrian explosion, for cloud, for the enterprise. So, Frank Cabri, you know what a Cambrian explosion is. He had to look it up on Google. 500 million years ago, what happened, there was an explosion of life where it went from very simple single-cell organisms to very complex, multi-cell organisms. Guess what happened 18 months ago, on a Tuesday, I don't really know why, but every enterprise, like I said, all woke up that day and said, "Now I'm really going to go to cloud" and that Cambrian explosion of cloud meant that I'm moving from a very simple, single cloud, single-use case, simple environment, to a very complex, multi-cloud, complex use case environment. And what we're here today, is we're going to go address that and how do you handle those, those complexities? 
And, when you look at what's happening, with customers right now, this is a business transformation, right? People like to talk about transitions, this is a transformation and it's actually not just a technology transformation, it's a business transformation. It started from the CEO and the Boards of enterprise customers where they said, "I have an existential threat to the survival of my company." If you look at every industry, who they're worried about is not the other 30-year-old enterprise. What they're worried about is the three year old enterprise that's leveraging cloud, that's leveraging AI, and that's where they fear that they're going to actually be wiped out, right? And so, because of this existential threat, this is CEO led, this is Board led, this is not technology led, it is mandated in the organizations. We are going to digitally transform our enterprise, because of this existential threat and the movement to cloud is going to enable us to go do that. And so, IT is now put back in charge. If you think back just a few years ago, in cloud, it was led by DevOps, it was led by the applications and it was, like I said, before the Cambrian explosion, it was very simple. Now, with this Cambrian explosion, an enterprise is getting very serious and mission critical. They care about visibility, they care about control, they care about compliance, conformance, everything, governance. IT is in charge and that's why we're here today to discuss that. So, what we're going to do today, is a bunch of things but we're going to validate this journey with customers. >> Steve: Did they see the same thing? We're going to validate the requirements for multi-cloud because, honestly, I've never met an enterprise that is not going to be multicloud. 
Many are one cloud today but they all say, "I need to architect my network for multiple clouds", because that's just what, the network is there to support the applications and the applications will run in whatever cloud it runs best in and you have to be prepared for that. The second thing is, is architecture. Again, with IT in charge, you, architecture matters. Whether it's your career, whether it's how you build your house, it doesn't matter. Horrible architecture, your life is horrible forever. Good architecture, your life is pretty good. So, we're going to talk about architecture and how the most fundamental and critical part of that architecture and that basic infrastructure is the network. If you don't get that right, nothing works, right? Way more important than compute. Way more important than storage. Network is the foundational element of your infrastructure. Then we're going to talk about day two operations. What does that mean? Well day one is one day of your life, where you wire things up. Day two and beyond, I tell everyone in networking and IT -- it's every day of your life. And if you don't get that right, your life is bad forever. And so things like operations, visibility, security, things like that, how do I get my operations team to be able to handle this in an automated way because it's not just about configuring it in the cloud, it's actually about how do I operationalize it? And that's a huge benefit that we bring as Aviatrix. And then the last thing we're going to talk and it's the last panel we have, I always say you can't forget about the humans, right? So all this technology, all these things that we're doing, it's always enabled by the humans. At the end of the day, if the humans fight it, it won't get deployed. And we have a massive skills gap, in cloud and we also have a massive skills shortage. You have everyone in the world trying to hire cloud network architects, right? There's just not enough of them going around. 
So, at Aviatrix, we said as leaders do, "We're going to help address that issue and try to create more people." We created a program, what we call the ACE Program, again, aviation theme, it stands for Aviatrix Certified Engineer. Very similar to what Cisco did with CCIEs where Cisco taught you about IP networking, a little bit of Cisco, we're doing the same thing, we're going to teach network architects about multicloud networking and architecture and yeah, you'll get a little bit of Aviatrix training in there, but this is the missing element for people's careers and also within their organizations. So we're going to go talk about that. So, great, great event, great show. We're going to try to keep it moving. I next want to introduce, my host, he is the best in the business, you guys have probably seen him multiple, many times, he is the co-CEO and co-founder of theCUBE, John Furrier. (audience clapping) (electronic music) >> John: Okay, awesome, great speech there, awesome. >> Yeah. >> I totally agree with everything you said about the explosion happening and I'm excited, here at the heart of silicon valley to have this event. It's a special digital event with theCUBE and Aviatrix, where we're live-streaming to, millions of people, as you said, maybe not a million. >> Maybe not a million. (laughs) Really to take this program to the world and this is really special for me, because multi-cloud is the hottest wave in cloud. And cloud-native networking is fast becoming the key engine, of the innovations, so we got an hour and a half of action-packed programming. We have a customer panel. Two customer panels. Before that Gartner's going to come out, talk about the industry. We have global system integrators, that will talk about, how they're advising and building these networks and cloud native networking. And then finally the ACEs, the Aviatrix Certified Engineers, are going to talk more about their certifications and the expertise needed. 
So, let's jump right in, let's ask, Simon Richard to come on stage, from Gartner. We'll kick it all off. (electronic music) (clapping)
>> John: Hi, can I help you. Okay, so kicking things off, getting started. Gartner, the industry experts on cloud. Really kind of more, cue your background. Talk about your background before you got to Gartner?
>> Simon: Before being at Gartner, I was a chief network architect, of a Fortune 500 company, that with thousands of sites over the world and I've been doing everything in IT from a C programmer, in the '90s, to a security architect, to a network engineer, to finally becoming a network analyst.
>> So you rode the wave. Now you're covering the marketplace with hybrid cloud and now moving quickly to multi-cloud, is really what everyone is talking about.
>> Yes.
>> Cloud-native's been discussed, but the networking piece is super important. How do you see that evolving?
>> Well, the way we see Enterprise adapting, cloud. The first thing you do about networking, the initial phases they either go in a very ad hoc way. Is usually led by non-IT, like a shadow IT, or application people, sometime a DevOps team and it just goes as, it's completely unplanned. They create VPCs left and right with different account and they create mesh to manage them and they have Direct Connect or Express Route to any of them. So that's the first approach and on the other side. Again within our first approach you see what I call, the lift and shift. Where we see like enterprise IT trying to, basically replicate what they have in a data center, in the Cloud. So they spend a lot of time planning, doing Direct Connect, putting Cisco routers and F5 and Citrix and any Check Point, Palo Alto device, that in a sense are removing that to the cloud.
>> I got to ask you, the aha moment is going to come up a lot, in one of our panels, is where people realize, that it's a multi-cloud world.
I mean, they either inherit clouds, certainly they're using public cloud and on-premises is now more relevant than ever. When's that aha moment? That you're seeing, where people go, "Well I got to get my act together and get on this cloud."
>> Well the first, right, even before multi-cloud. So there is two approaches. The first one, like the ad hoc way, doesn't scale. At some point IT has to save them, 'cause they don't think about the tools, they don't think about operation, they have a bunch of VPC and multiple cloud. The other way, if you do the lift and shift way, they cannot take any advantages of the cloud. They lose elasticity, auto-scaling, pay by the drink. All these agility features. So they both realize, okay, neither of these ways are good, so I have to optimize that. So I have to have a mix of what I call, the cloud native services, within each cloud. So they start adapting, like all the AWS Construct, Azure Construct or Google Construct and that's what I call the optimal phase. But even that they realize, after that, they are all very different, all these approaches different, the cloud are different. Identities is constantly, difficult to manage across clouds. I mean, for example, anybody who access' accounts, there's subscription, in Azure and GCP, their projects. It's a real mess, so they realized, well I don't really like constantly use the cloud product and every cloud, that doesn't work. So I have, I'm going multi-cloud, I like to abstract all of that. I still want to manage the cloud from an API point of view, I don't necessarily want to bring my incumbent data center products, but I have to do that and in a more API-driven cloud environment.
>> So, the not scaling piece that you were mentioning, that's because there's too many different clouds?
>> Yes.
>> That's the least they are, so what are they doing? What are they, building different development teams? Is it software? What's the solution?
>> Well, the solution is to start architecting the cloud. That's the third phase. I called that the multi-cloud architect phase, where they have to think about abstraction that works across cloud. Fact, even across one cloud it might not scale as well, if you start having like ten thousand security agreement, anybody who has that doesn't scale. You have to manage that. If you have multiple VPC, it doesn't scale. You need a third-party, identity provider. In variously scales within one cloud, if you go multiple cloud, it gets worse and worse.
>> Steve, weigh in here. What's your thoughts?
>> I thought we said this wasn't going to be a sales pitch for Aviatrix. (laughter) You just said exactly what we do, so anyway, that's a joke. What do you see in terms of where people are, in that multi-cloud? So, like lot of people, you know, everyone I talk to, started at one cloud, right, but then they look and then say okay but I'm now going to move to Azure and I'm going to move to... (trails off) Do you see a similar thing?
>> Well, yes. They are moving but there's not a lot of application, that uses three cloud at once, they move one app in Azure, one app in AWS and one app in Google. That's what we see so far.
>> Okay, yeah, one of the mistakes that people think, is they think multi-cloud. No one is ever going to go multi-cloud, for arbitrage. They're not going to go and say, well, today I might go into Azure, 'cause I get a better rate on my instance. Do you agree? That's never going to happen. What I've seen with enterprise, is I'm going to put the workload in the app, the app decides where it runs best. That may be Azure, maybe Google and for different reasons and they're going to stick there and they're not going to move.
>> Let me ask you guys--
>> But the infrastructure, has to be able to support, from a networking team.
>> Yes.
>> Be able to do that. Do you agree with that?
>> Yes, I agree.
And one thing is also very important, is connecting to the cloud, is kind of the easiest thing. So, the wide area network part of the cloud, connectivity to the cloud is kind of simple.
>> Steve: I agree.
>> IP's like VPN, Direct Connect, Express Route. That's the simple part, what's difficult and even the provisioning part is easy. You can use Terraform and create VPCs and VNets across your three cloud provider.
>> Steve: Right.
>> What's difficult is that they choose the operation. So we'll define day two operation. What does that actually mean?
>> It's just the day to day operations, after you know, the natural, let's add an app, let's add a server, let's troubleshoot a problem.
>> Something changes, now what do you do?
>> So what's the big concerns? I want to just get back to the cloud native networking, because everyone kind of knows what cloud native apps are. That's been the hot trend. What is cloud native networking? How do you guys, define that? Because that seems to be the hardest part of the multi-cloud wave that's coming, is cloud native networking.
>> Well there's no, you know, official Gartner definition but I can create one on the spot.
>> John: Do it. (laughter)
>> I just want to leverage the Cloud Construct and the cloud API. I don't want to have to install, like a... (trails off) For example, the first version was, let's put a virtual router that doesn't even understand the cloud environment.
>> Right. If I have if I have to install a virtual machine, it has to be cloud aware. It has to understand the security group, if it's a router. It has to be programmable, to the cloud API. And understand the cloud environment.
>> And one thing I hear a lot from either CSOs, CIOs or CXOs in general, is this idea of, I'm definitely not going API. So, it's been an API economy. So API is key on that point, but then they say. Okay, I need to essentially have the right relationship with my suppliers, aka you called it above the clouds. So the question is...
What do I do from an architectural standpoint? Do I just hire more developers and have different teams, because you mentioned that's a scale point. How do you solve this problem of, okay, I got AWS, I got GCP, or Azure, or whatever. Do I just have different teams or do I just expose APIs? Where is that optimization? Where's the focus?
>> Well, I think what you need, from a network point of view is a way, a control plane across the three clouds. And be able to use the APIs of the cloud, to build networks but also to troubleshoot them and do day to day operation. So you need a view across the three clouds, that takes care of routing, connectivity.
>> Steve: Performance.
>> John: That's the Aviatrix plugin, right there.
>> Steve: Yeah. So, how do you see, so again, you're Gartner, you see the industry. You've been a network architect. How do you see this this playing out? What are the legacy incumbent client server, On Prem networking people, going to do?
>> Well they need to..
>> Versus people like Aviatrix? How do you see that playing out?
>> Well obviously, all the incumbents, like Arista, Cisco, Juniper, NSX.
>> Steve: Right.
>> They want to basically do the lift and shift part, they want to bring, and you know, VMware want to bring in NSX on the cloud, they call that "NSX everywhere" and Cisco want to bring in ACI to the cloud, they call that "ACI Anywhere". So, everyone's.. (trails off) And then there's CloudVision from Arista, and Contrail is in the cloud. So, they just want to bring the management plane, in the cloud, but it's still based, most of them, is still based on putting a VM in them and controlling them. You extend your management console to the cloud, that's not truly cloud native.
>> Right.
>> Cloud native you almost have to build it from scratch.
>> We like to call that cloud naive.
>> Cloud naive, yeah.
>> So close, one letter, right?
>> Yes.
>> That was a big.. (slurs) Reinvent, take the T out of Cloud Native. It's Cloud Naive.
(laughter)
>> That went super viral, you guys got T-shirts now. I know you're loving that.
>> Steve: Yeah.
>> But that really, ultimately, is kind of a double-edged sword. You can be naive on the architecture side and ruling that. And also suppliers or can be naive. So how would you define who's naive and who's not?
>> Well, in fact, they're evolving as well, so for example, in Cisco, it's a little bit more native than other ones, because there really is, "ACI in the cloud", you can't really figure APIs out of the cloud. NSX is going that way and so is Arista, but they're incumbent, they have their own tools, it's difficult for them. They're moving slowly, so it's much easier to start from scratch. Even you, like, you know, a network company that started a few years ago. There's only really two, Aviatrix was the first one, they've been there for at least three or four years.
>> Steve: Yeah.
>> And there's other ones, like Alkira, for example that just started. Now they're doing more connectivity, but they want to create an overlay network, across the cloud and start doing policies and things. Abstracting all the clouds within one platform.
>> So, I got to ask you. I interviewed an executive at VMware, Sanjay Poonen, he said to me at RSA last week. Oh, there'll only be two networking vendors left, Cisco and VMware. (laughter)
>> What's your response to that? Obviously when you have these waves, these new brands that emerge, like Aviatrix and others. I think there'll be a lot of startups coming out of the woodwork. How do you respond to that comment?
>> Well there's still a data center, there's still, like a lot, of action on campus and there's the WAN. But from the cloud provisioning and cloud networking in general, I mean, they're behind I think. You know, you don't even need them to start with, you can, if you're small enough, you can just keep.. If you have AWS, you can use the AWS construct, they have to insert themselves, I mean, they're running behind.
From my point of view.
>> They are, certainly incumbents. I love the term Andy Jassy uses at Amazon Web Services. He uses "Old guard, new guard", to talk about the industry. What does the new guard have to do? The new brands that are emerging. Is it be more DevOps oriented? Is it NetSec ops? Is it NetOps? Is it programmability? These are some of the key discussions we've been having. What's your view, on how you see this programmability?
>> The most important part is, they have to make the network simple for the Dev teams. You cannot make a phone call and get a VLAN in two weeks anymore. So if you move to the cloud, you have to make that cloud construct as simple enough, so that for example, a Dev team could say, "Okay, I'm going to create this VPC," but this VPC automatically associates your account, you cannot go out on the internet. You have to go to the transit VPC, so there's lot of action in terms of, the IAM part and you have to put the control around them too. So to make it as simple as possible.
>> You guys, both. You're the CEO of Aviatrix, but also you've got a lot of experience, going back to networking, going back to the, I call it the OSI days. For us old folks know what that means, but, you guys know what this means. I want to ask you the question. As you look at the future of networking, you hear a couple objections. "Oh, the cloud guys, they got networking, we're all set with them." How do you respond to the fact that networking's changing and the cloud guys have their own networking. What's some of the pain points that's going on premises of these enterprises? So are they good with the clouds? What needs... What are the key things that's going on in networking, that makes it more than just the cloud networking? What's your take on it?
>> Well as I said earlier. Once you could easily provision in the cloud, you can easily connect to the cloud, it's when you start troubleshooting applications in the cloud and try to scale.
So that's where the problem occurred.
>> Okay, what's your take on it?
>> And you'll hear from the customers, that we have on stage and I think what happens is all the clouds by definition, designed to the 80-20 rule which means they'll design 80% of the basic functionality. And then lead to 20% extra functionality, that of course every Enterprise needs, to leave that to ISVs, like Aviatrix. Because why? Because they have to make money, they have a service and they can't have huge instances, for functionality that not everybody needs. So they have to design to the common and that, they all do it, right? They have to and then the extra, the problem is, that Cambrian explosion, that I talked about with enterprises. That's what they need. They're the ones who need that extra 20%. So that's what I see, there's always going to be that extra functionality. In an automated and simple way, that you talked about, but yet powerful. With the up with the visibility and control, that they expect of On Prem. That kind of combination, that Yin and the Yang, that people like us are providing.
>> Simon, I want to ask you. We're going to ask some of the cloud architect, customer panels, that same question. There's pioneers doing some work here and there's also the laggards who come in behind their early adopters. What's going to be the tipping point? What are some of these conversations, that the cloud architects are having out there? Or what's the signs, that they need to be on this, multi-cloud or cloud native networking trend? What are some of the signals that are going on in the environment? What are some of the thresholds? Are things that are going on, that they can pay attention to?
>> Well, once they have the application on multiple cloud and they have to get wake up at two in the morning, to troubleshoot them. They'll know it's important. (laughter) So, I think that's when the rubber will hit the road. But, as I said, it's easier to prove, at any case.
Okay, it's AWS, it's easy, user transit gateway, put a few VPCs and you're done. And you create some presence like Equinix and do a Direct Connect and Express Route with Azure. That looks simple, it's the operations, that's when they'll realize. Okay, now I need to understand how cloud networking works. I also need a tool, that gives me visibility and control. But not only that, I need to understand the basic underneath it as well.
>> What are some of the day in the life scenarios you envision happening with multi-cloud, because you think about what's happening. It kind of has that same vibe of interoperability, choice, multi-vendor, 'cause they're multi-cloud. Essentially multi-vendor. These are kind of old paradigms, that we've lived through with client server and internetworking. What are some of the scenarios of success, that might be possible? Will be possible, with multi-cloud and cloud native networking.
>> Well, I think, once you have good enough visibility, to satisfy your customers, not only, like to, keep the service running and application running. But to be able to provision fast enough, I think that's what you want to achieve.
>> Simon, final question. Advice for folks watching on the Livestream, if they're sitting there as a cloud architect or CXO. What's your advice to them right now, in this market, 'cause obviously, public cloud check, hybrid cloud, they're working on that. That gets on premises done, now multi-cloud's right behind it. What's your advice?
>> The first thing they should do, is really try to understand cloud networking. For each of their cloud providers and then understand the limitations. And, is what the cloud service provider offers enough? Or you need to look to a third party, but you don't look at a third party to start with. Especially an incumbent one, so it's tempting to say "I have a bunch of F5 experts", nothing against F5.
I'm going to bring my F5 in the Cloud, when you can use an ELB, that automatically understand eases and auto scaling and so on. And you understand that's much simpler, but sometimes you need your F5, because you have requirements. You have like iRules and that kind of stuff, that you've used for years. 'cause you cannot do it. Okay, I have requirement and that's not met, I'm going to use Legacy Star and then you have to start thinking, okay, what about visibility control, above the true cloud. But before you do that you have to understand the limitations of the existing cloud providers. First, try to be as native as possible, until things don't work, after that you can start thinking of the cloud.
>> Great insight, Simon. Thank you.
>> That's great.
>> With Gartner, thank you for sharing. (electronic music)
Aviatrix Altitude 2020, Full Event | Santa Clara, CA
(electronic music)
>> From Santa Clara, California in the heart of Silicon Valley, it's theCUBE. Covering Altitude 2020, brought to you by Aviatrix. (electronic music)
>> Female pilot: Good morning, ladies and gentlemen, this is your captain speaking, we will soon be taking off on our way to altitude. (upbeat music) Please keep your seat belts fastened and remain in your seat. We will be experiencing turbulence, until we are above the clouds. (thunder blasting) (electronic music) (seatbelt alert sounds) Ladies and gentlemen, we are now cruising at altitude. Sit back and enjoy the ride. (electronic music)
>> Female pilot: Altitude is a community of thought leaders and pioneers, cloud architects and enlightened network engineers, who have individually and are now collectively, leading their own IT teams and the industry. On a path to lift cloud networking above the clouds. Empowering enterprise IT to architect, design and control their own cloud network, regardless of the turbulent clouds beneath them. It's time to gain altitude. Ladies and gentlemen, Steve Mullaney, president and CEO of Aviatrix. The leader of multi-cloud networking. (electronic music) (audience clapping)
>> Steve: All right. (audience clapping) Good morning everybody, here in Santa Clara as well as to the millions of people watching the livestream worldwide. Welcome to Altitude 2020, all right. So, we've got a fantastic event, today, I'm really excited about the speakers that we have today and the experts that we have and really excited to get started. So, one of the things I wanted to share was this is not a one-time event. This is not a one-time thing that we're going to do. Sorry for the Aviation analogy, but, you know, Sherry Wei, Aviatrix means female pilot so everything we do has an aviation theme. This is a take-off, for a movement. This isn't an event, this is a take-off of a movement. A multi-cloud networking movement and community that we're inviting all of you to become part of.
And why we're doing that, is we want to enable enterprises to rise above the clouds, so to speak and build their network architecture, regardless of which public cloud they're using. Whether it's one or more of these public clouds. So the good news, for today, there's lots of good news but this is one good news, is we don't have any PowerPoint presentations, no marketing speak. We know that marketing people have their own language. We're not using any of that, and no sales pitches, right? So instead, what are we doing? We're going to have expert panels, we've got Simon Richard, of Gartner here. We've got ten different network architects, cloud architects, real practitioners that are going to share their best practices and their real world experiences on their journey to the multi-cloud. So, before we start, everybody know what today is? In the U.S., it's Super Tuesday. I'm not going to get political, but Super Tuesday there was a bigger, Super Tuesday that happened 18 months ago. And Aviatrix employees know what I'm talking about. Eighteen months ago, on a Tuesday, every enterprise said, "I'm going to go to the cloud". And so what that was, was the Cambrian explosion, for cloud, for the enterprise. So, Frank Cabri, you know what a Cambrian explosion is. He had to look it up on Google. 500 million years ago, what happened, there was an explosion of life where it went from very simple single-cell organisms to very complex, multi-cell organisms. Guess what happened 18 months ago, on a Tuesday, I don't really know why, but every enterprise, like I said, all woke up that day and said, "Now I'm really going to go to cloud" and that Cambrian explosion of cloud meant that I'm moving from a very simple, single cloud, single-use case, simple environment, to a very complex, multi-cloud, complex use case environment. And what we're here today, is we're going to go address that and how do you handle those, those complexities?
And, when you look at what's happening, with customers right now, this is a business transformation, right? People like to talk about transitions, this is a transformation and it's actually not just a technology transformation, it's a business transformation. It started from the CEO and the Boards of enterprise customers where they said, "I have an existential threat to the survival of my company." If you look at every industry, who they're worried about is not the other 30-year-old enterprise. What they're worried about is the three-year-old enterprise that's leveraging cloud, that's leveraging AI, and that's where they fear that they're going to actually be wiped out, right? And so, because of this existential threat, this is CEO led, this is Board led, this is not technology led, it is mandated in the organizations. We are going to digitally transform our enterprise, because of this existential threat and the movement to cloud is going to enable us to go do that. And so, IT is now put back in charge. If you think back just a few years ago, in cloud, it was led by DevOps, it was led by the applications and it was, like I said, before the Cambrian explosion, it was very simple. Now, with this Cambrian explosion, an enterprise is getting very serious and mission critical. They care about visibility, they care about control, they care about compliance, conformance, everything, governance. IT is in charge and that's why we're here today to discuss that. So, what we're going to do today, is much of things but we're going to validate this journey with customers.
>> Steve: Did they see the same thing? We're going to validate the requirements for multi-cloud because, honestly, I've never met an enterprise that is not going to be multicloud.
Many are one cloud today but they all say, "I need to architect my network for multiple clouds", because that's just what, the network is there to support the applications and the applications will run in whatever cloud it runs best in and you have to be prepared for that. The second thing is, is architecture. Again, with IT in charge, you, architecture matters. Whether it's your career, whether it's how you build your house, it doesn't matter. Horrible architecture, your life is horrible forever. Good architecture, your life is pretty good. So, we're going to talk about architecture and how the most fundamental and critical part of that architecture and that basic infrastructure is the network. If you don't get that right, nothing works, right? Way more important than compute. Way more important than storage. Network is the foundational element of your infrastructure. Then we're going to talk about day two operations. What does that mean? Well, day one is one day of your life, where you wire things up. Day two and beyond, I tell everyone in networking and IT, it's every day of your life. And if you don't get that right, your life is bad forever. And so things like operations, visibility, security, things like that, how do I get my operations team to be able to handle this in an automated way because it's not just about configuring it in the cloud, it's actually about how do I operationalize it? And that's a huge benefit that we bring as Aviatrix. And then the last thing we're going to talk and it's the last panel we have, I always say you can't forget about the humans, right? So all this technology, all these things that we're doing, it's always enabled by the humans. At the end of the day, if the humans fight it, it won't get deployed. And we have a massive skills gap in cloud and we also have a massive skills shortage. You have everyone in the world trying to hire cloud network architects, right? There's just not enough of them going around.
So, at Aviatrix, we said as leaders do, "We're going to help address that issue and try to create more people." We created a program, what we call the ACE Program, again, aviation theme, it stands for Aviatrix Certified Engineer. Very similar to what Cisco did with CCIEs where Cisco taught you about IP networking, a little bit of Cisco, we're doing the same thing, we're going to teach network architects about multicloud networking and architecture and yeah, you'll get a little bit of Aviatrix training in there, but this is the missing element for people's careers and also within their organizations. So we're going to go talk about that. So, great, great event, great show. We're going to try to keep it moving. I next want to introduce, my host, he is the best in the business, you guys have probably seen him multiple, many times, he is the co-CEO and co-founder of theCUBE, John Furrier. (audience clapping) (electronic music)
>> John: Okay, awesome, great speech there, awesome.
>> Yeah.
>> I totally agree with everything you said about the explosion happening and I'm excited, here at the heart of Silicon Valley to have this event. It's a special digital event with theCUBE and Aviatrix, where we're live-streaming to millions of people, as you said, maybe not a million.
>> Maybe not a million. (laughs) Really to take this program to the world and this is really special for me, because multi-cloud is the hottest wave in cloud. And cloud-native networking is fast becoming the key engine, of the innovations, so we got an hour and a half of action-packed programming. We have a customer panel. Two customer panels. Before that Gartner's going to come out, talk about the industry. We have global system integrators, that will talk about, how they're advising and building these networks and cloud native networking. And then finally the ACEs, the Aviatrix Certified Engineers, are going to talk more about their certifications and the expertise needed.
So, let's jump right in, let's ask, Simon Richard to come on stage, from Gartner. We'll kick it all off. (electronic music) (clapping)
>> John: Hi, can I help you. Okay, so kicking things off, getting started. Gartner, the industry experts on cloud. Really kind of more, cue your background. Talk about your background before you got to Gartner?
>> Simon: Before being at Gartner, I was a chief network architect, of a Fortune 500 company, that with thousands of sites over the world and I've been doing everything in IT from a C programmer, in the '90s, to a security architect, to a network engineer, to finally becoming a network analyst.
>> So you rode the wave. Now you're covering the marketplace with hybrid cloud and now moving quickly to multi-cloud, is really what everyone is talking about.
>> Yes.
>> Cloud-native's been discussed, but the networking piece is super important. How do you see that evolving?
>> Well, the way we see Enterprise adapting, cloud. The first thing you do about networking, the initial phases they either go in a very ad hoc way. Is usually led by non-IT, like a shadow IT, or application people, sometime a DevOps team and it just goes as, it's completely unplanned. They create VPCs left and right with different account and they create mesh to manage them and they have Direct Connect or Express Route to any of them. So that's the first approach and on the other side. Again within our first approach you see what I call, the lift and shift. Where we see like enterprise IT trying to, basically replicate what they have in a data center, in the Cloud. So they spend a lot of time planning, doing Direct Connect, putting Cisco routers and F5 and Citrix and any Check Point, Palo Alto device, that in a sense are removing that to the cloud.
>> I got to ask you, the aha moment is going to come up a lot, in one of our panels, is where people realize, that it's a multi-cloud world.
I mean, they either inherit clouds, certainly they're using public cloud and on-premises is now more relevant than ever. When's that aha moment? That you're seeing, where people go, "Well I got to get my act together and get on this cloud." >> Well the first, right, even before multi-cloud. So there is two approach's. The first one, like the adult way doesn't scare. At some point IT has to save them, 'cause they don't think about the tools, they don't think about operation, they have a bunch of VPC and multiple cloud. The other way, if you do the lift and shift way, they cannot take any advantages of the cloud. They lose elasticity, auto-scaling, pay by the drink. All these agility features. So they both realize, okay, neither of these ways are good, so I have to optimize that. So I have to have a mix of what I call, the cloud native services, within each cloud. So they start adapting, like all the AWS Construct, Azure Construct or Google Construct and that's what I call the optimal phase. But even that they realize, after that, they are all very different, all these approaches different, the cloud are different. Identities is constantly, difficult to manage across clouds. I mean, for example, anybody who access' accounts, there's subscription, in Azure and GCP, their projects. It's a real mess, so they realized, well I don't really like constantly use the cloud product and every cloud, that doesn't work. So I have, I'm going multi-cloud, I like to abstract all of that. I still want to manage the cloud from an EPI point of view, I don't necessarily want to bring my incumbent data center products, but I have to do that and in a more EPI driven cloud environment. >> So, the not scaling piece that you where mentioning, that's because there's too many different clouds? >> Yes. >> That's the least they are, so what are they doing? What are they, building different development teams? Is it software? What's the solution? 
>> Well, the solution is to start architecting the cloud. That's the third phase. I called that the multi-cloud architect phase, where they have to think about abstraction that works across cloud. Fact, even across one cloud it might not scale as well, If you start having like ten thousand security agreement, anybody who has that doesn't scale. You have to manage that. If you have multiple VPC, it doesn't scale. You need a third-party, identity provider. In variously scales within one cloud, if you go multiple cloud, it gets worse and worse. >> Steve, weigh in here. What's your thoughts? >> I thought we said this wasn't going to be a sales pitch for Aviatrix. (laughter) You just said exactly what we do, so anyway, that's a joke. What do you see in terms of where people are, in that multi-cloud? So, like lot of people, you know, everyone I talk to, started at one cloud, right, but then they look and then say okay but I'm now going to move to Azure and I'm going to move to... (trails off) Do you see a similar thing? >> Well, yes. They are moving but there's not a lot of application, that uses three cloud at once, they move one app in Azure, one app in AWS and one app in Google. That's what we see so far. >> Okay, yeah, one of the mistakes that people think, is they think multi-cloud. No one is ever going to go multi-cloud, for arbitrage. They're not going to go and say, well, today I might go into Azure, 'cause I get a better rate on my instance. Do you agree? That's never going to happen. What I've seen with enterprise, is I'm going to put the workload in the app, the app decides where it runs best. That may be Azure, maybe Google and for different reasons and they're going to stick there and they're not going to move. >> Let me ask you guys-- >> But the infrastructure, has to be able to support, from a networking team. >> Yes. >> Be able to do that. Do you agree with that? >> Yes, I agree. 
And one thing is also very important, is connecting to the cloud, is kind of the easiest thing. So, the wide area network part of the cloud, connectivity to the cloud is kind of simple. >> Steve: I agree. >> IP's like VPN, Direct Connect, ExpressRoute. That's the simple part, what's difficult and even the provisioning part is easy. You can use Terraform and create VPCs and VNets across your three cloud provider. >> Steve: Right. >> What's difficult is that they choose the operation. So we'll define day two operation. What does that actually mean? >> It's just the day to day operations, after you know, the natural, let's add an app, let's add a server, let's troubleshoot a problem. >> Something changes, now what do you do? >> So what's the big concerns? I want to just get back to the cloud native networking, because everyone kind of knows what cloud native apps are. That's been the hot trend. What is cloud native networking? How do you guys, define that? Because that seems to be the hardest part of the multi-cloud wave that's coming, is cloud native networking. >> Well there's no, you know, official Gartner definition but I can create one on the spot. >> John: Do it. (laughter) >> I just want to leverage the Cloud Construct and the cloud API. I don't want to have to install, like a... (trails off) For example, the first version was, let's put a virtual router that doesn't even understand the cloud environment. >> Right. If I have to install a virtual machine, it has to be cloud aware. It has to understand the security group, if it's a router. It has to be programmable, to the cloud API. And understand the cloud environment. >> And one thing I hear a lot from either CSOs, CIOs or CXOs in general, is this idea of, I'm definitely not going API. So, it's been an API economy. So API is key on that point, but then they say. Okay, I need to essentially have the right relationship with my suppliers, aka you called it above the clouds. So the question is... 
What do I do from an architectural standpoint? Do I just hire more developers and have different teams, because you mentioned that's a scale point. How do you solve this problem of, okay, I got AWS, I got GCP, or Azure, or whatever. Do I just have different teams or do I just expose APIs? Where is that optimization? Where's the focus? >> Well, I think what you need, from a network point of view is a way, a control plane across the three clouds. And be able to use the APIs of the cloud, to build networks but also to troubleshoot them and do day to day operation. So you need a view across the three clouds, that takes care of routing, connectivity. >> Steve: Performance. >> John: That's the Aviatrix plugin, right there. >> Steve: Yeah. So, how do you see, so again, you're Gartner, you see the industry. You've been a network architect. How do you see this playing out? What are the legacy incumbent client server, On Prem networking people, going to do? >> Well they need to.. >> Versus people like Aviatrix? How do you see that playing out? >> Well obviously, all the incumbents, like Arista, Cisco, Juniper, NSX. >> Steve: Right. >> They want to basically do the lift and shift part, they want to bring, and you know, VMware want to bring in NSX on the cloud, they call that "NSX everywhere" and Cisco want to bring in ACI to the cloud, they call that "ACI Anywhere". So, everyone's.. (trails off) And then there's CloudVision from Arista, and Contrail is in the cloud. So, they just want to bring the management plane, in the cloud, but it's still based, most of them, is still based on putting a VM in them and controlling them. You extend your management console to the cloud, that's not truly cloud native. >> Right. >> Cloud native you almost have to build it from scratch. >> We like to call that cloud naive. >> Cloud naive, yeah. >> So close, one letter, right? >> Yes. >> That was a big.. (slurs) Reinvent, take the T out of Cloud Native. It's Cloud Naive. 
(laughter) >> That went super viral, you guys got T-shirts now. I know you're loving that. >> Steve: Yeah. >> But that really, ultimately, is kind of a double-edged sword. You can be naive on the architecture side and ruling that. And also suppliers or can be naive. So how would you define who's naive and who's not? >> Well, in fact, they're evolving as well, so for example, in Cisco, it's a little bit more native than other ones, because there really is, "ACI in the cloud", you can't really figure APIs out of the cloud. NSX is going that way and so is Arista, but they're incumbent, they have their own tools, it's difficult for them. They're moving slowly, so it's much easier to start from scratch. Even you, like, you know, a network company that started a few years ago. There's only really two, Aviatrix was the first one, they've been there for at least three or four years. >> Steve: Yeah. >> And there's other ones, like Alkira, for example that just started. Now they're doing more connectivity, but they want to create an overlay network, across the cloud and start doing policies and things. Abstracting all the clouds within one platform. >> So, I got to ask you. I interviewed an executive at VMware, Sanjay Poonen, he said to me at RSA last week. Oh, there'll only be two networking vendors left, Cisco and VMware. (laughter) >> What's your response to that? Obviously when you have these waves, these new brands that emerge, like Aviatrix and others. I think there'll be a lot of startups coming out of the woodwork. How do you respond to that comment? >> Well there's still a data center, there's still, like a lot, of action on campus and there's the WAN. But from the cloud provisioning and cloud networking in general, I mean, they're behind I think. You know, you don't even need them to start with, you can, if you're small enough, you can just keep.. If you have AWS, you can use the AWS construct, they have to insert themselves, I mean, they're running behind. 
From my point of view. >> They are, certainly incumbents. I love the term Andy Jassy uses at Amazon Web Services. He uses "Old guard, new guard", to talk about the industry. What does the new guard have to do? The new brands that are emerging. Is it be more DevOps oriented? Is it NetSec ops? Is it NetOps? Is it programmability? These are some of the key discussions we've been having. What's your view, on how you see this programmability? >> The most important part is, they have to make the network simple for the Dev teams. You cannot make a phone call and get a VLAN in two weeks anymore. So if you move to the cloud, you have to make that cloud construct as simple enough, so that for example, a Dev team could say, "Okay, I'm going to create this VPC," but this VPC automatically associates your account, you cannot go out on the internet. You have to go to the transit VPC, so there's lot of action in terms of, the IAM part and you have to put the control around them too. So to make it as simple as possible. >> You guys, both. You're the CEO of Aviatrix, but also you've got a lot of experience, going back to networking, going back to the, I call it the OSI days. For us old folks know what that means, but, you guys know what this means. I want to ask you the question. As you look at the future of networking, you hear a couple objections. "Oh, the cloud guys, they got networking, we're all set with them." How do you respond to the fact that networking's changing and the cloud guys have their own networking. What's some of the pain points that's going on premises of these enterprises? So are they good with the clouds? What needs... What are the key things that's going on in networking, that makes it more than just the cloud networking? What's your take on it? >> Well as I said earlier. Once you could easily provision in the cloud, you can easily connect to the cloud, it's when you start troubleshooting applications in the cloud and try to scale. 
So that's where the problem occurred. >> Okay, what's your take on it. >> And you'll hear from the customers, that we have on stage and I think what happens is all the clouds by definition, designed to the 80-20 rule which means they'll design 80% of the basic functionality. And then lead to 20% extra functionality, that of course every Enterprise needs, to leave that to ISV's, like Aviatrix. Because why? Because they have to make money, they have a service and they can't have huge instances, for functionality that not everybody needs. So they have to design to the common and that, they all do it, right? They have to and then the extra, the problem is, that Cambrian explosion, that I talked about with enterprises. That's what they need. They're the ones who need that extra 20%. So that's what I see, there's always going to be that extra functionality. In an automated and simple way, that you talked about, but yet powerful. With the up with the visibility and control, that they expect of On Prem. That kind of combination, that Yin and the Yang, that people like us are providing. >> Simon I want to ask you? We're going to ask some of the cloud architect, customer panels, that same question. There's pioneer's doing some work here and there's also the laggards who come in behind their early adopters. What's going to be the tipping point? What are some of these conversations, that the cloud architects are having out there? Or what's the signs, that they need to be on this, multi-cloud or cloud native networking trend? What are some of the signal's that are going on in the environment? What are some of the thresholds? Are things that are going on, that they can pay attention to? >> Well, once they have the application on multiple cloud and they have to get wake up at two in the morning, to troubleshoot them. They'll know it's important. (laughter) So, I think that's when the rubber will hit the road. But, as I said, it's easier to prove, at any case. 
Okay, it's AWS, it's easy, use a transit gateway, put a few VPCs and you're done. And you create some presence, like Equinix, and do a Direct Connect and ExpressRoute with Azure. That looks simple, it's the operations, that's when they'll realize. Okay, now I need to understand how cloud networking works. I also need a tool, that gives me visibility and control. But not only that, I need to understand the basic underneath it as well. >> What are some of the day in the life scenarios you envision happening with multi-cloud, because you think about what's happening. It kind of has that same vibe of interoperability, choice, multi-vendor, 'cause they're multi-cloud. Essentially multi-vendor. These are kind of old paradigms, that we've lived through with client server and internetworking. What are some of the scenarios of success, that might be possible? Will be possible, with multi-cloud and cloud native networking. >> Well, I think, once you have good enough visibility, to satisfy your customers, not only, like to, keep the service running and application running. But to be able to provision fast enough, I think that's what you want to achieve. >> Simon, final question. Advice for folks watching on the Livestream, if they're sitting there as a cloud architect or CXO. What's your advice to them right now, in this market, 'cause obviously, public cloud check, hybrid cloud, they're working on that. That gets on premises done, now multi-cloud's right behind it. What's your advice? >> The first thing they should do, is really try to understand cloud networking. For each of their cloud providers and then understand the limitations. And, is what the cloud service provider offers enough? Or you need to look to a third party, but you don't look at a third party to start with. Especially an incumbent one, so it's tempting to say "I have a bunch of F5 experts", nothing against F5. 
I'm going to bring my F5 in the Cloud, when you can use an ELB, that automatically understand eases and auto scaling and so on. And you understand that's much simpler, but sometimes you need your F5, because you have requirements. You have like iRules and that kind of stuff, that you've used for years. 'cause you cannot do it. Okay, I have requirement and that's not met, I'm going to use Legacy Star and then you have to start thinking, okay, what about visibility control, above the true cloud. But before you do that you have to understand the limitations of the existing cloud providers. First, try to be as native as possible, until things don't work, after that you can start thinking of the cloud. >> Great insight, Simon. Thank you. >> That's great. >> With Gartner, thank you for sharing. (electronic music) >> Welcome back to ALTITUDE 2020. For the folks in the live stream, I'm John Furrier, Steve Mullaney, CEO of Aviatrix. For our first of two customer panels with cloud network architects, we've got Bobby Willoughby, AEGON, Luis Castillo from National Instruments and David Shinnick with FactSet. Guys, welcome to the stage for this digital event. Come on up. (audience clapping) (upbeat music) Hey good to see you, thank you. Customer panel, this is my favorite part. We get to hear the real scoop, we get the Gartner giving us the industry overview. Certainly, multi-cloud is very relevant, and cloud-native networking is a hot trend with the live stream out there in the digital events. So guys, let's get into it. The journey is, you guys are pioneering this journey of multi-cloud and cloud-native networking and are soon going to be a lot more coming. So I want to get into the journey. What's it been like? Is it real? You've got a lot of scar tissue? What are some of the learnings? >> Absolutely. Multi-cloud, whether or not we accept it as network engineers, is a reality. 
Like Steve said, about two years ago, companies really decided to just bite the bullet and move there. Whether or not we accept that fact, we need to not create a consistent architecture across multiple clouds. And that is challenging without orchestration layers as you start managing different tool sets and different languages across different clouds. So it's really important to start thinking about that. >> Guys on the other panelists here, there's different phases of this journey. Some come at it from a networking perspective, some come in from a problem troubleshooting, what's your experiences? >> From a networking perspective, it's been incredibly exciting, it's kind of once in a generational opportunity to look at how you're building out your network. You can start to embrace things like infrastructure as code that maybe your peers on the systems teams have been doing for years, but it just never really worked on-prem. So it's really exciting to look at all the opportunities that we have and all of the interesting challenges that come up that you get to tackle. >> And FactSet, you guys are mostly AWS, right? >> Yeah. Right now though, we are looking at multiple clouds. We have production workloads running in multiple clouds today but a lot of the initial work has been with Amazon. >> And you've seen it from a networking perspective, that's where you guys are coming at it from? >> Yup. >> Awesome. How about you? >> We evolve more from a customer requirement perspective. Started out primarily as AWS, but as the customer needed more resources from Azure like HPC, Azure AD, things like that, even recently, Google analytics, our journey has evolved into more of a multi-cloud environment. >> Steve, weigh in on the architecture because this is going to be a big conversation, and I wanted you to lead this section. >> I think you guys agree the journey, it seems like the journey started a couple of years ago. 
Got real serious, the need for multi-cloud, whether you're there today. Of course, it's going to be there in the future. So that's really important. I think the next thing is just architecture. I'd love to hear what you, had some comments about architecture matters, it all starts, every enterprise I talked to. Maybe talk about architecture and the importance of architects, maybe Bobby. >> From architecture perspective, we started our journey five years ago. >> Wow, okay. >> And we're just now starting our fourth evolution over network architect. And we call it networking security net sec, versus just as network. And that fourth-generation architecture should be based primarily upon the Palo Alto Networks and Aviatrix. Aviatrix to new orchestration piece of it. But that journey came because of the need for simplicity, the need for a multi-cloud orchestration without us having to go and do reprogramming efforts across every cloud as it comes along. >> I guess the other question I also had around architecture is also... Luis maybe just talk about it. I know we've talked a little bit about scripting, and some of your thoughts on that. >> Absolutely. So for us, we started creating the network constructs with CloudFormation, and we've stuck with that for the most part. What's interesting about that is today, on-premise, we have a lot of automation around how we provision networks, but CloudFormation has become a little bit like the new manual for us. We're now having issues with having to automate that component and making it consistent with our on-premise architecture and making it consistent with Azure architecture and Google Cloud. So, it's really interesting to see companies now bring that layer of abstraction that SD-WAN brought to the WAN side, now it's going up into the cloud networking architecture. >> Great. So on the fourth generation, you mentioned you're on the fourth-gen architecture. What have you learned? 
Is there any lessons, scratch issue, what to avoid, what worked? What was the path that you touched? >> It's probably the biggest lesson there is that when you think you finally figured it out, you haven't. Amazon will change something, Azure change something. Transit Gateway is a game-changer. And listening to the business requirements is probably the biggest thing we need to do upfront. But I think from a simplicity perspective, like I said, we don't want to do things four times. We want to do things one time, we want be able to write to an API which Aviatrix has and have them do the orchestration for us. So that we don't have to do it four times. >> How important is architecture in the progression? Is it do you guys get thrown in the deep end, to solve these problems, are you guys zooming out and looking at it? How are you guys looking at the architecture? >> You can't get off the ground if you don't have the network there. So all of those, we've gone through similar evolutions, we're on our fourth or fifth evolution. I think about what we started off with Amazon without Direct Connect Gateway, without Transit Gateway, without a lot of the things that are available today, kind of the 80, 20 that Steve was talking about. Just because it wasn't there doesn't mean we didn't need it. So we needed to figure out a way to do it, we couldn't say, "Oh, you need to come back to the network team in a year, and maybe Amazon will have a solution for it." We need to do it now and evolve later and maybe optimize or change the way you're doing things in the future. But don't sit around and wait, you can't. >> I'd love to have you guys each individually answer this question for the live streams that comes up a lot. A lot of cloud architects out in the community, what should they be thinking about the folks that are coming into this proactively and, or realizing the business benefits are there? What advice would you guys give them on architecture? 
What should be they'd be thinking about, and what are some guiding principles you could share? >> So I would start with looking at an architecture model that can spread and give consistency to the different cloud vendors that you will absolutely have to support. Cloud vendors tend to want to pull you into using their native tool set, and that's good if only it was realistic to talk about only one cloud. But because it doesn't, it's super important to talk about, and have a conversation with the business and with your technology teams about a consistent model. >> And how do I do my day one work so that I'm not spending 80% of my time troubleshooting or managing my network? Because if I'm doing that, then I'm missing out on ways that I can make improvements or embrace new technologies. So it's really important early on to figure out, how do I make this as low maintenance as possible so that I can focus on the things that the team really should be focusing on? >> Bobby, your advice there, architecture. >> I don't know what else I can add to that. Simplicity of operations is key. >> So the holistic view of day two operations you mentioned, let's can jump in day one as you're getting stuff set up, day two is your life after. This is kind of of what you're getting at, David. So what does that look like? What are you envisioning as you look at that 20-mile stair, out post multi-cloud world? What are some of the things that you want in the day two operations? >> Infrastructure as code is really important to us. So how do we design it so that we can start fit start making network changes and fitting them into a release pipeline and start looking at it like that, rather than somebody logging into a router CLI and troubleshooting things in an ad hoc nature? So, moving more towards a dev-ops model. >> You guys, anything to add on that day two? >> Yeah, I would love to add something. 
In terms of day two operations you can either sort of ignore the day two operations for a little while, where you get your feet wet, or you can start approaching it from the beginning. The fact is that the cloud-native tools don't have a lot of maturity in that space and when you run into an issue, you're going to end up having a bad day, going through millions and millions of logs just to try to understand what's going on. That's something that the industry just now is beginning to realize it's such a big gap. >> I think that's key because for us, we're moving to more of an event-driven or operations. In the past, monitoring got the job done. It's impossible to monitor something that is not there when the event happens. So the event-driven application and then detection is important. >> Gartner is all about the cloud-native wave coming into networking. That's going to be a serious thing. I want to get your guys' perspective, I know you have each different views of how you come into the journey and how you're executing. And I always say the beauty's in the eye of the beholder and that applies to how the network's laid out. So, Bobby, you guys do a lot of high-performance encryption, both on AWS and Azure. That's a unique thing for you. How are you seeing that impact with multi-cloud? >> That's a new requirement for us too, where we have an increment to encrypt. And then if you ever get the question, should I encrypt, should I not encrypt? The answer is always yes. You should encrypt when you can encrypt. For our perspective, we need to migrate a bunch of data from our data centers. We have some huge data centers, and getting that data to the cloud is a timely expense in some cases. So we have been mandated, we have to encrypt everything, leave in the data center. So we're looking at using the Aviatrix insane mode appliances to be able to encrypt 10, 20 gigabits of data as it moves to the cloud itself. 
>> David, you're using Terraform, you've got FireNet, you've got a lot of complexity in your network. What do you guys look at the future for your environment? >> So many exciting that we're working on now as FireNet. So for our security team that obviously have a lot of knowledge base around Palo Alto, and with our commitments to our clients, it's not very easy to shift your security model to a specific cloud vendor. So there's a lot of SOC 2 compliance and things like that where being able to take some of what you've worked on for years on-prem and put it in the cloud and have the same type of assurance that things are going to work and be secure in the same way that they are on-prem, helps make that journey into the cloud a lot easier. >> And Luis, you guys got scripting, you got a lot of things going on. What's your unique angle on this? >> Absolutely. So for disclosure, I'm not an Aviatrix customer yet. (laughs) >> It's okay, we want to hear the truth, so that's good. Tell us, what are you thinking about? What's on your mind? >> When you talk about implementing a tool like this, it's really just really important to talk about automation focus on value. When you talk about things like encryption and things like so you're encrypting tunnels and encrypting the path, and those things should be second nature really. When you look at building those back-ends and managing them with your team, it becomes really painful. So tools like Aviatrix that add a lot of automation it's out of sight, out of mind. You can focus on the value, and you don't have to focus on this. >> So I got to ask you guys. I see Aviatrix was here, they're supplier to this sector, but you guys are customers. Everyone's pitching your stuff, people knock on you, "Buy my stuff." How do you guys have that conversation with the suppliers, like the cloud vendors and other folks? What's it like? We're API all the way? You've got to support this? What are some of your requirements? 
How do you talk to and evaluate people that walk in and want to knock on your door and pitch you something? What's the conversation like? >> It's definitely API driven. We definitely look at the API structure that the vendors provide before we select anything. That is always first of mind and also, what problem are we really trying to solve? Usually, people try to sell or try to give us something that isn't really valuable, like implementing a Cisco solution on the cloud doesn't really add a lot of value, that's where we go. >> David, what's your conversation like with suppliers? Do you have a certain new way to do things? As it becomes more agile, essentially networking, and getting more dynamic, what are some of the conversations with either incumbents or new vendors that you're having? What do you require? >> Ease of use is definitely high up there. We've had some vendors come in and say, "Hey, when you go to set this up, we're going to want to send somebody on-site." And they're going to sit with you for a day to configure it. And that's a red flag. Well, wait a minute, do we really, if one of my really talented engineers can't figure it out on his own, what's going on there and why is that? Having some ease of use and the team being comfortable with it and understanding it is really important. >> Bobby, how about you? Old days was, do a bake-off and the winner takes all. Is it like that anymore? What's evolving? Bake-off last year for but still win. But that's different now because now when you get the product, you can install the product in AWS and Azure, have it up running in a matter of minutes. So the key is that can you be operational within hours or days instead of weeks? But do we also have the flexibility to customize it, to meet your needs? Because you don't want to be put into a box with the other customers when you have needs that are past their needs. 
>> I can almost see the challenge that you guys are living, where you've got the cloud immediate value, depending how you can roll up any solutions, but then you might have other needs. So you've got to be careful not to buy into stuff that's not shipping. So you're trying to be proactive and at the same time, deal with what you got. How do you guys see that evolving? Because multi-cloud to me is definitely relevant, but it's not yet clear how to implement across. How do you guys look at this baked versus future solutions coming? How do you balance that? >> Again, so right now, we're taking the ad hoc approach and experimenting what the different concepts of cloud are and really leveraging the native constructs of each cloud. But there's a breaking point for sure. You don't get to scale this like someone said, and you have to focus on being able to deliver, developers their sandbox or their play area for the things that they're trying to build quickly. And the only way to do that is with some consistent orchestration layer that allows you to-- >> So you expect a lot more stuff to becoming pretty quickly in that area. >> I do expect things to start maturing quite quickly this year. >> And you guys see similar trend, new stuff coming fast? >> Yeah. Probably the biggest challenge we've got now is being able to segment within the network, being able to provide segmentation between production, non-production workloads, even businesses, because we support many businesses worldwide and isolation between those is a key criteria there. So the ability to identify and quickly isolate those workloads is key. So the CIOs that are watching are saying, "Hey, take that hill, do multi-cloud." And then you have the bottoms up organization, "Pause, you're like off a little bit, it's not how it works." What is the reality in terms of implementing as fast as possible? Because the business benefits are clear, but it's not always clear on the technology how to move that fast. 
What are some of the barriers, what are the blockers, what are the enablers? >> I think the reality is that you may not think you're multi-cloud, but your business is. So I think the biggest barrier there is understanding what the requirements are and how best to meet those requirements in a secure manner. Because you need to make sure that things are working from a latency perspective that things work the way they did and get out of the mind shift that it was a tier-three application and the data center, it doesn't have to be a tier-three application in the cloud. So, lift and shift is not the way to go. >> Scale is a big part of what I see is the competitive advantage by these clouds and used to be proprietary network stacks in the old days, and then open systems came, that was a good thing. But as cloud has become bigger, there's an inherent lock-in there with the scale. How do you guys keep the choice open? How are you guys thinking about interoperability? What are some of the conversations that you guys are having around those key concepts? >> When we look at from a networking perspective, it's really key for you to just enable all the clouds to be able to communicate between them. Developers will find a way to use the cloud that best suits their business needs. And like you said, it's whether you're in denial or not, of the multi-cloud fact that your company is in already that's it becomes really important for you to move quickly. >> Yeah. And a lot of it also hinges on how well is the provider embracing what that specific cloud is doing? So, are they swimming with Amazon or Azure and just helping facilitate things, and they're doing the heavy lifting API work for you? Or are they swimming upstream and they're trying to hack it all together in a messy way? 
And so that helps you stay out of the lock-in because there, if they're using Amazon native tools to help you get where you need to be, it's not like Amazon is going to release something in the future that completely makes you have designed yourself into a corner. So the closer, more than cloud-native they are, the more, the easier it is to deploy. >> Which also need to be aligned in such a way that you can take advantage of those cloud-native technologies. Will it make sense? TGW is a gamechanger in terms of cost and performance. So to completely ignore that, would be wrong. But if you needed to have encryption, TGW is not encrypted, so you need to have some type of Gateway to do the VPN encryption. So, the Aviatrix tool will give you the beauty of both worlds. You can use TGW or the Gateway. Real quick on the last minute we have, I want to just get a quick feedback from you guys. I hear a lot of people say to me, "Hey, pick the best cloud for the workload you got, then figure out multicloud behind the scenes." Do you guys agree with that? Do I go more to one cloud across the whole company or this workload works great on AWS, that workload works great on this. From a cloud standpoint, do you agree with that premise, and then when is multi-cloud stitching all together? >> From an application perspective, it can be per workload, but it can also be an economical decision, certain enterprise contracts will pull you in one direction to add value, but the network problem is still the same. >> It doesn't go away. >> You don't want to be trying to fit a square into a round hole. If it works better on that cloud provider, then it's our job to make sure that service is there and people can use it. >> I agree, you just need to stay ahead of the game, make sure that the network infrastructure is there, security is available and is multi-cloud capable. >> At the end of the day, you guys are just validating that it's the networking game now. 
Cloud storage, compute check, networking is where the action is. Awesome. Thanks for your insights guys, appreciate you coming on the panel. Appreciate it, thanks. (upbeat music) >> John: Our next customer panel, got great another set of cloud network architects, Justin Smith with Zuora, Justin Brodley with EllieMae and Amit Utreja with Coupa. Welcome to stage. (audience applauds) (upbeat music) >> All right, thank you. >> How are ya? >> Thank you. Thank you. >> Hey Amit. How are ya? >> Did he say it right? >> Yeah. >> Okay he's got all the cliff notes from the last session, welcome back. Rinse and repeat. We're going to go into the hood a little bit. And I think they nailed what we've been reporting, we've been having this conversation around, networking is where the action is because that's at the end of the day you got to move packet from A to B and you got workloads exchanging data. So it's really killer. So let's get started. Amit, what are you seeing as the journey of multicloud as you go under the hood and say, "Okay, I got to implement this. I have to engineer the network, make it enabling, make it programmable, make it interoperable across clouds." That almost sounds impossible to me. What's your take? >> Yeah, it seems impossible but if you are running an organization which is running infrastructure as a code it is easily doable. Like you can use tools out there that's available today, you can use third party products that can do a better job. But put your architecture first, don't wait. Architecture may not be perfect, put the best architecture that's available today and be agile, to iterate and make improvements over the time. >> We get to Justin's over here, so I have to be careful when I point a question to Justin, they both have the answer. Okay, journeys, what's the journey been like? Is there phases? We heard that from Gartner, people come into multicloud and cloud native networking from different perspectives? 
What's your take on the journey, Justin? >> Yeah, from our perspective, we started out very much focused on one cloud and as we've started doing acquisitions, we started doing new products to the market, the need for multicloud becomes very apparent, very quickly for us. And so having an architecture that we can plug and play into and be able to add and change things as it changes is super important for what we're doing in the space. >> Justin, your journey. >> Yes. For us, we were very ad hoc oriented and the idea is that we were reinventing all the time, trying to move into these new things and coming up with great new ideas. And so rather than it being some iterative approach with our deployments that became a number of different deployments. And so we shifted that toward and the network has been a real enabler of this. There's one network and it touches whatever cloud we want it to touch, and it touches the data centers that we need it to touch, and it touches the customers that we needed to touch. Our job is to make sure that the services that are available in one of those locations are available in all of the locations. So the idea is not that we need to come up with this new solution every time, it's that we're just iterating on what we've already decided to do. >> Before we get the architecture section, I want to ask you guys a question? I'm a big fan of let the app developers have infrastructure as code, so check. But having the right cloud run that workload, I'm a big fan of that, if it works great. But we just heard from the other panel, you can't change the network. So I want to get your thoughts, what is cloud native networking? And is that the engine really, that's the enabler for this multicloud trend? What's you guys take? We'll start with Amit, what do you think about that? >> Yeah, so you're going to have workloads running in different clouds and the workloads would have affinity to one cloud or other. 
But how you expose that it's a matter of how you are going to build your networks. How you're going to run security. How you're going to do egress, ingress out of it so -- >> You said networking is the big problem to solve. >> Yes. >> What's the solution? What's the key pain points and problem statement? >> The key pain point for most companies is how do you take your traditionally on premise network and then blow it out to the cloud in a way that makes sense. You have IP conflicts, you have IP space, you have public IPs on premise as well as in the cloud. And how do you kind of make sense of all of that? And I think that's where tools like Aviatrix make a lot of sense in that space. >> From our side, it's really simple. It's a latency, it's bandwidth and availability. These don't change whether we're talking about cloud or data center, or even corporate IT networking. So our job when these all of these things are simplified into like, S3, for instance and our developers want to use those. We have to be able to deliver that and for a particular group or another group that wants to use just GCP resources. We have to support these requirements and these wants, as opposed to saying, "Hey, that's not a good idea." No, our job is to enable them not to disable them. >> Do you guys think infrastructure is code? Which I love that, I think that's the future in this. We even saw that with DevOps. But as you start getting the networking, is it getting down to the network portion where its network as code? Because storage and compute working really well, we're seeing all Kubernetes on service mesh trend. Network as code, reality is it there? Is it still got work to do? >> It's absolutely there, you mentioned net DevOps and it's very real. In Coupa we build our networks through terraform and not only just terraform, build an API so that we can consistently build VNets and VPC all across in the same way. >> So you guys are doing it? >> Yup. And even security groups. 
And then on top and Aviatrix comes in, we can peer the networks bridge all the different regions through code. >> Same with you guys. >> Yeah. >> What do you think about this? >> Everything we deploy is done with automation and then we also run things like Lambda on top to make changes in real time, we don't make manual changes on our network. In the data center, funny enough, it's still manual but the cloud has enabled us to move into this automation mindset. And all my guys, that's what they focus on is bringing, now what they're doing in the cloud into the data center, which is kind of opposite of what it should be or what it used to be. >> It's full DevOps then? >> Yes. >> For us, it was similar on-prem is still somewhat very manual, although we're moving more and more to ninja and terraform type concepts. But everything in the production environment is code, confirmation terraform code and now coming into the data center same (mumbles). >> So I just wanted to jump in Justin Smith, one of the comments that you made, because it's something that we always talk about a lot is that the center of gravity of architecture used to be an on-prem and now it's shifted in the cloud. And once you have your strategic architecture, what do you do? You push that everywhere. So what you used to see at the beginning of cloud was pushing the architecture on-prem into cloud. Now, I want to pick up on what you said, do you others agree that the center of gravity is here, I'm now pushing what I do in the cloud back into on-prem? And then so first that and then also in the journey, where are you at from zero to 100 of actually in the journey to cloud? Are you 50% there, are you 10%? Are you evacuating data centers next year? Where are you guys at? >> Yeah, so there's two types of gravity that you typically are dealing with, with the migration. First is data gravity and your data set, and where that data lives. 
And then the second is the network platform that wraps all that together. In our case, the data gravity solely mostly on-prem but our network is now extending out to the app tier, it's going to be in cloud. Eventually, that data gravity will also move to cloud as we start getting more sophisticated but in our journey, we're about halfway there. About halfway through the process, we're taking a handle of lift and shift and -- >> Steve: And when did that start? >> We started about three years ago. >> Okay, okay. >> Well for Coupa it's a very different story. It started from a garage and 100% on the cloud. So it's a business plan management platform, software as a service run 100% on the cloud. >> That was like 10 years ago, right? >> Yes. >> Yeah. >> You guys are riding the wave of the architecture. Justin I want to ask you, Zuora, you guys mentioned DevOps. Obviously, we saw the huge observability wave, which essentially network management for the cloud, in my opinion. It's more dynamic, but this is about visibility. We heard from the last panel you don't know what's being turned on or turned off from a services standpoint, at any given time. How is all this playing out when you start getting into the DevOps down (mumbles)? >> This is the big challenge for all of us is visibility. When you talk transport within a cloud, very interestingly we have moved from having a backbone that we bought, that we own, that would be data center connectivity. Zuora's a subscription billing company, so we want to support the subscription mindset. So rather than going and buying circuits and having to wait three months to install and then coming up with some way to get things connected and resiliency and redundancy. My backbone is in the cloud. I use the cloud providers' interconnections between regions to transport data across and so if you do that with their native solutions, you do lose visibility. 
There are areas in that that you don't get, which is why controllers and having some type of management plane is a requirement for us to do what we're supposed to do and provide consistency while doing it. >> Great conversation. I loved what you said earlier latency, bandwidth, I think availability were your top three things. Guys SLA, just do ping times between clouds it's like, you don't know what you're getting for round trip time. This becomes a huge kind of risk management, black hole, whatever you want to call it, blind spot. How are you guys looking at the interconnect between clouds? Because I can see that working from ground to cloud on per cloud but when you start dealing with multiclouds workloads, SLAs will be all over the map, won't they just inherently. How do you guys view that? >> Yeah, I think we talked about workload and we know that the workloads are going to be different in different clouds, but they're going to be calling each other. So it's very important to have that visibility, that you can see how data is flowing at what latency and what availability is there and our authority needs to operate on that. >> So use the software dashboard, look at the times and look at the latency -- >> In the old days, Strongswan Openswan you try to figure it out, in the new days you have to figure out. >> Justin, what's your answer to that because you're in the middle of it? >> Yeah, I think the key thing there is that we have to plan for that failure, we have to plan for that latency in our applications. If certain things are tracking in your SLI, certain things are planning for and you loosely coupled these services in a much more microservices approach. So you actually can handle that kind of failure or that type of unknown latency and unfortunately, the cloud has made us much better at handling exceptions in a much better way. >> You guys are all great examples of cloud native from day one. 
When did you have the tipping point moment or the epiphany of saying a multiclouds real, I can't ignore it, I got to factor that into all my design principles and everything you're doing? Was there a moment or was it from day one? >> There are two reasons, one was the business. So in business, there were some affinity to not be in one cloud or to be in one cloud and that drove from the business side. So as a cloud architect our responsibility was to support that business. Another is the technology, some things are really running better in, like if you're running Dotnet workload or your going to run machine learning or AI so that you would have that preference of one cloud over other. >> Guys, any thoughts on that? >> That was the bill that we got from AWS. That's what drives a lot of these conversations is the financial viability of what you're building on top of. This failure domain idea which is fairly interesting. How do I solve our guarantee against a failure domain? You have methodologies with back end direct connects or interconnect with GCP. All of these ideas are something that you have to take into account but that transport layer should not matter to whoever we're building this for. Our job is to deliver the frames and the packets, what that flows across, how you get there? We want to make that seamless. And so whether it's a public internet API call or it's a back end connectivity through direct connect, it doesn't matter. It just has to meet a contract that you've signed with your application, folks. >> Yeah, that's the availability piece. >> Justin, your thoughts on that, any comment on that? >> So actually multiclouds become something much more recent in the last six to eight months, I'd say. We always kind of had a very much an attitude of like moving to Amazon from our private cloud is hard enough, why complicate it further? 
But the realities of the business and as we start seeing, improvements in Google and Azure and different technology spaces, the need for multicloud becomes much more important. As well as our acquisition strategies are matured, we're seeing that companies that used to be on premise that we typically acquire are now very much already on a cloud. And if they're on a cloud, I need to plug them into our ecosystem. And so that's really changed our multicloud story in a big way. >> I'd love to get your thoughts on the clouds versus the clouds, because you compare them Amazon's got more features, they're rich with features. Obviously, the bills are high to people using them. But Google's got a great network, Google's networks pretty damn good And then you got Azure. What's the difference between the clouds? Where do they fall? Where do they peak in certain areas better than others? What are the characteristics, which makes one cloud better? Do they have a unique feature that makes Azure better than Google and vice versa? What do you guys think about the different clouds? >> Yeah, to my experience, I think the approach is different in many places. Google has a different approach very DevOps friendly and you can run your workloads with your network can span regions. But our application ready to accept that. Amazon is evolving. I remember 10 years back Amazon's network was a flat network, we would be launching servers in 10.0.0/8, right. And then the VPCs came out. >> We'll have to translate that to English for the live feed. Not good. So the VPCs concept came out, multi account came out, so they are evolving. Azure had a late start but because they have a late start, they saw the pattern and they have some mature setup on the network. >> They've got around the same price too. >> I think they're all trying to say they're equal in their own ways. 
I think they all have very specific design philosophies that allow them to be successful in different ways and you have to kind of keep that in mind as you architect your own solution. For example, Amazon has a very regional affinity, they don't like to go cross region in their architecture. Whereas Google is very much it's a global network, we're going to think about as a global solution. I think Google also has an advantage that it's third to market and so has seen what Azure did wrong, it's seen what AWS did wrong and it's made those improvements and I think that's one of their big advantages. >> They got great scale too. Justin thoughts on the cloud. >> So yeah, Amazon built from the system up and Google built from the network down. So their ideas and approaches are from a global versus regional, I agree with you completely that is the big number one thing. But if you look at it from the outset, interestingly, the inability or the ability for Amazon to limit layer 2 broadcasting and what that really means from a VPC perspective, changed all the routing protocols you can use. All the things that we had built inside of a data center to provide resiliency and make things seamless to users, all of that disappeared. And so because we had to accept that at the VPC level, now we have to accept that at the WAN level. Google's done a better job of being able to overcome those things and provide those traditional network facilities to us. >> Just a great panel, we could go all day here, it's awesome. So I heard, we will get to the cloud native naive questions. So kind of think about what's naive and what's cloud, I'll ask that next but I got to ask you I had a conversation with a friend he's like, "WAN is the new LAN?" So if you think about what the LAN was at a data center, WAN is the new LAN, 'cause you keep talking about the cloud impact? So that means SD-WAN, the old SD-WAN kind of changing. There's a new LAN. How do you guys look at that? 
Because if you think about it, what LANs were for inside a premises was all about networking, high speed. But now when you take the WAN and make it, essentially a LAN, do you agree with that? And how do you view this trend? Is it good or bad or is it ugly? What you guys take on this? >> Yeah, I think it's a thing that you have to work with your application architects. So if you are managing networks and if you're a server engineer, you need to work with them to expose the unreliability that it would bring in. So the application has to handle a lot of the difference in the latencies and the reliability has to be worked through the application there. >> LAN, WAN, same concept is that BS? Can you give some insight? >> I think we've been talking about for a long time the erosion of the edge. And so is this just a continuation of that journey we've been on for last several years. As we get more and more cloud native and we talked about API's, the ability to lock my data in place and not be able to access it really goes away. And so I think this is just continuation. I think it has challenges. We start talking about WAN scale versus LAN scale, the tooling doesn't work the same, the scale of that tooling is much larger, and the need for automation is much, much higher in a WAN than it was in a LAN. That's why you're seeing so much infrastructure as code. >> Yeah. So for me, I'll go back again to this, it's bandwidth and its latency that define those two LAN versus WAN. But the other thing that comes up more and more with cloud deployments is where is our security boundary and where can I extend this secure aware appliance or set of rules to protect what's inside of it. So for us, we're able to deliver VRFs or route forwarding tables for different segments wherever we're at in the world. 
And so they're trusted to talk to each other but if they're going to go to someplace that's outside of their network, then they have to cross the security boundary, where we enforce policy very heavily. So for me, it's not just LAN, WAN, it's how does environment get to environment, more importantly. >> That's a great point in security, we haven't talked about it yet but that's got to be baked in from the beginning, this architecture. Thoughts on security, how you guys are dealing with it? >> Yeah, start from the base, have app to app security built in. Have TLS, have encryption on the data at transit, data at rest. But as you bring the application to the cloud and they're going to go multicloud, talking to over the internet, in some places, well have app to app security. >> Our principles day, security is day zero every day. And so we always build it into our design, build into our architecture, into our applications. It's encrypt everything, it's TLS everywhere. It's make sure that that data is secure at all times. >> Yeah, one of the cool trends at RSA, just as a side note was the data in use encryption piece, which is homomorphic stuff was interesting. Alright guys, final question. We heard on the earlier panel was also trending at re:Invent, we think the T out of cloud native, it spells cloud naive. They have shirts now, Aviatrix kind of got this trend going. What does that mean to be naive? To your peers out there watching the live stream and also the suppliers that are trying to supply you guys with technology and services, what's naive look like and what's native look like? When is someone naive about implementing all this stuff? >> So for me, because we are in 100% cloud, for us its main thing is ready for the change. And you will find new building blocks coming in and the network design will evolve and change. So don't be naive and think that it's static, evolve with the change. 
>> I think the biggest naivety that people have is that well, I've been doing it this way for 20 years, I've been successful, it's going to be successful in cloud. The reality is that's not the case. You got to think some of the stuff a little bit differently and you need to think about it early enough, so that you can become cloud native and really enable your business on cloud. >> Yeah for me it's being open minded. Our industry, the network industry as a whole, has been very much I'm smarter than everybody else and we're going to tell everybody how it's going to be done. And we fell into a lull when it came to producing infrastructure and so embracing this idea that we can deploy a new solution or a new environment in minutes as opposed to hours, or weeks or months in some cases, is really important and so-- >> It's naive being closed minded, native being open minded. >> Exactly. For me that was a transformative kind of where I was looking to solve problems in a cloud way as opposed to looking to solve problems in this traditional old school way. >> All right, I know we're at a time but I got to ask one more question, you guys are so good. Give me a quick answer. What's the BS language when you, the BS meter goes off when people talk to you about solutions? What's the kind of jargon that you hear, that's the BS meter going off? What are people talking about that in your opinion you hear, you go, "That's total BS?" What triggers you? >> So that I have two lines out of movies if I say them without actually thinking them. It's like 1.21 gigawatts are you out of your mind from Back to the Future right? Somebody's giving you all these wiz bang things. And then Martin Mull and Michael Keaton in Mr. Mom when he goes to 220, 221, whatever it takes. >> Yeah. >> Those two right there, if those go off in my mind where somebody's talking to me, I know they're full of baloney. >> So a lot of speeds and feeds, a lot of speeds and feeds a lot of -- >> Just data. 
Instead of talking about what you're actually doing and solutioning for. You're talking about, "Well, it does this this this." Okay to 220, 221. (laughter) >> Justin, what's your take? >> Anytime I start seeing the cloud vendors start benchmarking against each other. Your workload is your workload, you need to benchmark yourself. Don't listen to the marketing on that, that's just awful. >> Amit, what triggers you in the BS meter? >> I think if somebody explains to you are not simple, they cannot explain you in simplicity, then it's all bullshit. >> (laughs) That's a good one. Alright guys, thanks for the great insight, great panel. How about a round of applause to practitioners. (audience applauds) (upbeat music) >> John: Okay, welcome back to Altitude 2020 for the digital event for the live feed. Welcome back, I'm John Furrier with theCUBE with Steve Mullaney, CEO Aviatrix. For the next panel from Global System Integrators, the folks who are building and working with folks on their journey to multicloud and cloud-native networking. We've got a great panel, George Buckman with DXC and Derrick Monahan with WWT, welcome to the stage. (Audience applauds) >> Hey >> Thank you >> Groovy spot >> All right (upbeat music) >> Okay, you guys are the ones out there advising, building, and getting down and dirty with multicloud and cloud-native networking, we just heard from the customer panel. You can see the diversity of where people come in to the journey of cloud, it kind of depends upon where you are, but the trends are all clear, cloud-native networking, DevOps, up and down the stack, this has been the main engine. What's your guys' take of this journey to multicloud? What do you guys think? >> Yeah, it's critical, I mean we're seeing all of our enterprise customers enter into this, they've been through the migrations of the easy stuff, ya know? Now they're trying to optimize and get more improvements, so now the tough stuff's coming on, right? 
They need their data processing near where their data is. So that's driving them to a multicloud environment. >> Yeah, we've heard some of the Edge stuff, I mean, you guys are-- >> Exactly. >> You've seen this movie before, but now it's a whole new ballgame, what's your take? Yeah, so, I'll give you a hint, our practice is not called the cloud practice, it's the multicloud practice, and so if that gives you a hint of how we approach things. It's very consultative. And so when we look at what the trends are, like a year ago. About a year ago we were having conversations with customers, "Let's build a data center in the cloud. Let's put some VPCs, let's throw some firewalls, let's put some DNS and other infrastructure out there and let's hope it works." This isn't a science project. What we're starting to see is customers are starting to have more of a vision, we're helping with that consultative nature, but it's totally based on the business. And you've got to start understanding how lines of business are using the apps and then we evolve into the next journey which is a foundational approach to-- >> What are some of the problems some of your customers are solving when they come to you? What are the top things that are on their mind, obviously the ease of use, agility, all that stuff, what specifically are they digging into? >> Yeah, so complexity, I think when you look at a multicloud approach, in my view is, network requirements are complex. You know, I think they are, but I think the approach can be, "Let's simplify that." So one thing that we try to do, and this is how we talk to customers is, just like you simplify in Aviatrix, simplifies the automation orchestration of cloud networking, we're trying to simplify the design, the plan, and implementation of the infrastructure across multiple workloads, across multiple platforms. 
And so the way we do it, is we sit down, we look at not just use cases, not just the questions we commonly anticipate, we actually build out, based on the business and function requirements, we build out a strategy and then create a set of documents, and guess what? We actually build it in a lab, and that lab that we platform rebuilt, proves out this reference architectural actually works. >> Absolutely, we implement similar concepts. I mean, they're proven practices, they work, right? >> But George, you mentioned that the hard part's now upon us, are you referring to networking, what specifically were you getting at there when you said, "The easy part's done, now the hard part?" >> So for the enterprises themselves, migrating their more critical apps or more difficult apps into the environments, ya know, we've just scratched the surface, I believe, on what enterprises are doing to move into the cloud, to optimize their environments, to take advantage of the scale and speed to deployment and to be able to better enable their businesses. So they're just now really starting to-- >> So do you guys see what I talked about? I mean, in terms of that Cambrian explosion, I mean, you're both monster system integrators with top fortune enterprise customers, you know, really rely on you for guidance and consulting and so forth, and deploy their networks. Is that something that you've seen? I mean, does that resonate? Did you notice a year and a half ago all of a sudden the importance of cloud for enterprise shoot up? >> Yeah, I mean, we're seeing it now. >> Okay. >> In our internal environment as well, ya know, we're a huge company ourselves, customer zero, our internal IT, so, we're experiencing that internally and every one of our other customers as well. >> So I have another question and I don't know the answer to this, and a lawyer never asks a question that you don't know the answer to, but I'm going to ask it anyway. 
DXC and WWT, massive system integrators, why Aviatrix? >> Great question, Steve, so I think the way we approach things, I think we have a similar vision, a similar strategy, how you approach things, how we approach things, at World Wide Technology. Number one, we want to simplify the complexity. And so that's your number one priority. Let's take the networking, let's simplify it, and I think part of the other point I'm making is we see this automation piece as not just an afterthought anymore. If you look at what customers care about, visibility and automation is probably at the top three, maybe the third on the list, and I think that's where we see the value. I think the partnership that we're building and what I get excited about is not just putting yours in our lab and showing customers how it works, it's co-developing a solution with you. Figuring out, "Hey, how can we make this better?" >> Right. >> Visibility is a huge thing, just in security alone, network everything's around visibility. What automation do you see happening, in terms of progression, order of operations, if you will? What's the low hanging fruit? What are people working on now? What are some of the aspirational goals around when you start thinking about multicloud and automation? >> So I wanted to get back to his question. >> Answer that question. >> I wanted to answer your question, you know, what led us there and why Aviatrix. You know, in working some large internal IT projects, and looking at how we were going to integrate those solutions, you know, we like to build everything with recipes. Network is probably playing catch-up in the DevOps world but with a DevOps mindset, looking to speed to deploy, support, all those things, so when you start building your recipe, you take a little of this, a little of that, and you mix it all together, well, when you look around, you say, "Wow, look, there's this big bag of Aviatrix. Let me plop that in.
That solves a big part of my problems that I had, the speed to integrate, the speed to deploy, and the operational views that I need to run this." So that was what led me to-- >> John: So how about reference architectures? >> Yeah, absolutely, so, you know, they came with a full slate of reference architectures already out there and ready to go that fit our needs, so it was very easy for us to integrate those into our recipes. >> What do you guys think about all the multi-vendor inter-operability conversations that have been going on? Choice has been a big part of multicloud in terms of, you know, customers want choice, they'll put a workload in the cloud if it works, but this notion of choice and interoperability has become a big conversation. >> It is, and I think that our approach, and that's the way we talk to customers is, "Let's speed and de-risk that decision making process, and how do we do that?" Because interoperability is key. You're not just putting, it's not just a single vendor, we're talking, you know, many many vendors, I mean think about the average number of cloud applications a customer uses, a business, an enterprise business today, you know, it's above 30, it's skyrocketing and so what we do, and we look at it from an interoperability approach is, "How do things inter-operate?" We test it out, we validate it, we build a reference architecture that says, "These are the critical design elements, now let's build one with Aviatrix and show how this works with Aviatrix." And I think the important part there, though, is the automation piece that we add to it and visibility. So I think the visibility is what I see lacking across industry today. >> In cloud-native that's been a big topic. >> Yep. >> Okay, in terms of Aviatrix, as you guys see them coming in, they're one of the ones that are emerging and the new brands emerging with multicloud, you've still got the old guard encumbered with huge footprints.
How are customers dealing with that kind of component in dealing with both of them? >> Yeah, I mean, we have customers that are ingrained with a particular vendor and you know, we have partnerships with many vendors. So our objective is to provide the solution that meets that client. >> John: And they all want multi-vendor, they all want interoperability. >> Correct. >> All right, so I got to ask you guys a question while we were defining Day-2 operations. What does that mean? You guys are looking at the big business and technical components of architecture, what does Day-2 operations mean, what's the definition of that? >> Yeah, so I think from our perspective, with my experience, we, you know, Day-2 operations, whether it's not just the orchestration piece in setting up and let it automate and have some, you know, change control, you're looking at this from a Day-2 perspective, "How do I support this ongoing and make it easy to make changes as we evolve?" The cloud is very dynamic. The nature of how fast it's expanding, the number of features is astonishing. Trying to keep up to date with the number of just networking capabilities and services that are added. So I think Day-2 operations starts with a fundamental understanding of building out supporting a customer's environments, and making the automation piece easy from a distance, I think. >> Yeah and, you know, taking that to the next level of being able to enable customers to have catalog items that they can pick and choose, "Hey I need this network connectivity from this cloud location back to this on-prem." And being able to have that automated and provisioned just simply by ordering it. >> For the folks watching out there, guys, take a minute to explain as you guys are in the trenches doing a lot of good work. What are some of the engagements that you guys get into? How does that progress? What happens there, they call you up and say, "Hey I need some multicloud," or you're already in there?
I mean, take us through how someone can engage to use a global SI, they come in and make this thing happen, what's the typical engagement look like? >> Derrick: Yeah, so from our perspective, we typically have a series of workshops in the methodology that we kind of go along the journey. Number one, we have a foundational approach. And I don't mean foundation meaning the network foundation, that's a very critical element, we got to factor in security and we got to factor in automation. So when you think about foundation, we do a workshop that starts with education. A lot of times we'll go in and we'll just educate the customer, what is VPC sharing? You know, what is a private link in Azure? How does that impact your business? We have customers that want to share services out in an ecosystem with other customers and partners. Well there's many ways to accomplish that. Our goal is to understand those requirements and then build that strategy with them. >> Thoughts George, on-- >> Yeah, I mean, I'm one of the guys that's down in the weeds making things happen, so I'm not the guy on the front line interfacing with the customers every day. But we have a similar approach. We have a consulting practice that will go out and apply their practices to see what those-- >> And when do you parachute in? >> Yeah, when I parachute in is, I'm on the back end working with our offering development leads for networking, so we understand and are seeing what customers are asking for and we're on the back end developing the solutions that integrate with our own offerings as well as enable other customers to just deploy quickly to meet their connectivity needs. So the patterns are similar. >> Right, final question for you guys, I want to ask you to paint a picture of what success looks like. 
You don't have to name customers, you don't have to get in and reveal who they are, but what does success look like in multicloud as you paint a picture for the folks here and watching on the live stream, if someone says, "Hey I want to be multicloud, I got to have my operations Agile, I want full DevOps, I want programmability and security built in from Day-zero." What does success look like? >> Yeah, I think success looks like this, so when you're building out a network, the network is a harder thing to change than some other aspects of cloud. So what we think is, even if you're thinking about that second cloud, which we have most of our customers are on two public clouds today, they might be dabbling in it. As you build that network foundation, that architecture, that takes into consideration where you're going, and so once we start building that reference architecture out that shows, this is how to approach it from a multicloud perspective, not a single cloud, and let's not forget our branches, let's not forget our data centers, let's not forget how all this connects together because that's how we define multicloud, it's not just in the cloud, it's on-prem and it's off-prem. And so collectively, I think the key is also is that we provide them an HLD. You got to start with a high level design that can be tweaked as you go through the journey but you got to give it a solid structural foundation, and that networking which we think, most customers think as not the network engineers, but as an afterthought. We want to make that the most critical element before you start the journey. >> George, from your seat, how does success look for you? >> So, you know it starts out on these journeys, often start out people not even thinking about what is going to happen, what their network needs are when they start their migration journey to the cloud.
So I want, success to me looks like them being able to end up not worrying about what's happening in the network when they move to the cloud. >> Steve: Good point. >> Guys, great insight, thanks for coming on and sharing. How about a round of applause for the global system integrators? (Audience applauds) (Upbeat music) >> The next panel is the Aviatrix Certified Engineers, also known as ACEs. This is the folks that are certified, they're engineering, they're building these new solutions. Please welcome Toby Foss from Informatica, Stacey Lanier from Teradata, and Jennifer Reed with Viqtor Davis to the stage. (upbeat music) (audience cheering) (panelists exchanging pleasantries) >> You got to show up. Where's your jacket Toby? (laughing) You get it done. I was just going to rib you guys and say, where's your jackets, and Jen's got the jacket on. Okay, good. >> Love the Aviatrix, ACEs Pilot gear there above the Clouds. Going to new heights. >> That's right. >> So guys, Aviatrix ACEs, I love the name, think it's great, certified. This is all about getting things engineered. So there's a level of certification, I want to get into that. But first take us through the day in the life of an ACE, and just to point out, Stacy is a squad leader. So he's, he's like a-- >> Squadron Leader. >> Squadron Leader. >> Yeah. >> Squadron Leader, so he's got a bunch of ACEs underneath him, but share your perspective a day in the Life. Jennifer, we'll start with you. >> Sure, so I have actually a whole team that works for me both in the North America, both in the US and in Mexico. So I'm eagerly working to get them certified as well, so I can become a squad leader myself. But it's important because one of the critical gaps that we've found is people having the networking background because you graduate from college, and you have a lot of computer science background, you can program you've got Python, but networking and packets they just don't get.
So, just taking them through all the processes that it's really necessary to understand when you're troubleshooting is really critical. Because you're going to get an issue where you need to figure out where exactly is that happening on the network, Is my issue just in the VPCs? Is it on the instance side is a security group, or is it going on prem? This is something actually embedded within Amazon itself? I mean, I troubleshot an issue for about six months going back and forth with Amazon, and it was the VGW VPN. Because they were auto scaling on two sides, and we ended up having to pull out the Cisco's, and put in Aviatrix so I could just say, " okay, it's fixed," and actually helped the application teams get to that and get it solved. But I'm taking a lot of junior people and getting them through that certification process, so they can understand and see the network, the way I see the network. I mean, look, I've been doing this for 25 years when I got out. When I went in the Marine Corps, that's what I did, and coming out, the network is still the network. But people don't get the same training they got in the 90s. >> Was just so easy, just write some software, and they were, takes care of itself. I know, it's pixie dust. >> I'll come back to that, I want to come back to that, the problem solved with Amazon, but Toby. >> I think the only thing I have to add to that is that it's always the network's fault. As long as I've been in networking, it's always been the network's fault. I'm even to this day, it's still the network's fault, and part of being a network guy is that you need to prove when it is and when it's not your fault. That means you need to know a little bit about 100 different things, to make that work. >> Now you got a full stack DevOps, you got to know a lot more times another hundred. >> Toby: And the times are changing, yeah. >> This year the Squadron Leader and get that right. What is the Squadron Leader firstly? Describe what it is. 
>> I think is probably just leading on the network components of it. But I think, from my perspective, when to think about what you asked them was, it's about no issues and no escalations. So if my day is like that, I'm happy to be a squadron leader. >> That is a good outcome, that's a good day. >> Yeah, sure, it is. >> Is there good days? You said you had a good day with Amazon? Jennifer, you mentioned the Amazon, and this brings up a good point, when you have these new waves come in, you have a lot of new things, new use cases. A lot of the finger pointing it's that guy's problem, that girl's problems, so how do you solve that, and how do you get the Young Guns up to speed? Is there training, is it this where the certification comes in? >> This is where the certification's really going to come in. I know when we got together at Reinvent, one of the questions that we had with Steve and the team was, what should our certification look like? Should we just be teaching about what Aviatrix troubleshooting brings to bear, but what should that be like? I think Toby and I were like, No, no, no, no. That's going a little too high, we need to get really low because the better someone can get at actually understanding what's actually happening in the network, and where to actually troubleshoot the problem, how to step back each of those processes. Because without that, it's just a big black box, and they don't know. Because everything is abstracted, in Amazon and in Azure and in Google, is abstracted, and they have these virtual gateways, they have VPNs, that you just don't have the logs on, is you just don't know. So then what tools can you put in front of them of where they can look? Because there are flow logs. Well, as long as they turned on the flow logs when they built it, and there's like, each one of those little things that well, if they'd had decided to do that, when they built it, it's there.
But if you can come in later to really supplement that with training to actual troubleshoot, and do a packet capture here, as it's going through, then teaching them how to read that even. >> Yeah, Toby, we were talking before we came on up on stage about your career, you've been networking all your time, and then, you're now mentoring a lot of younger people. How is that going? Because the people who come in fresh they don't have all the old war stories, like they don't talk about it, There's never for, I walk in bare feet in the snow when I was your age, I mean, it's so easy now, right, they say. What's your take on how you train the young People. >> So I've noticed two things. One is that they are up to speed a lot faster in generalities of networking. They can tell you what a network is in high school level now, where I didn't learn that til midway through my career, and they're learning it faster, but they don't necessarily understand why it's that way here. Everybody thinks that it's always slash 24 for a subnet, and they don't understand why you can break it down smaller, why it's really necessary. So the ramp up speed is much faster for these guys that are coming in. But they don't understand why and they need some of that background knowledge to see where it's coming from, and why is it important, and that's old guys, that's where we thrive. >> Jennifer, you mentioned you got in from the Marines, it helps, but when you got into networking, what was it like then and compare it now? Because most like we heard earlier static versus dynamic Don't be static is like that. You just set the network, you got a perimeter. >> Yeah, no, there was no such thing. So back in the day, I mean, we had Banyan vines for email, and we had token ring, and I had to set up token ring networks and figure out why that didn't work. Because how many of things were actually sharing it. 
But then actually just cutting fiber and running fiber cables and dropping them over shelters to plug them in and all crap, they swung it too hard and shattered it and now I got to figure eight Polish this thing and actually should like to see if it works. I mean, that was the network , current cat five cables to run an Ethernet, and then from that I just said, network switches, dumb switches, like those were the most common ones you had. Then actually configuring routers and logging into a Cisco router and actually knowing how to configure that. It was funny because I had gone all the way up, I was the software product manager for a while. So I've gone all the way up the stack, and then two and a half, three years ago, I came across to work with Entity group that became Viqtor Davis. But we went to help one of our customers Avis, and it was like, okay, so we need to fix the network. Okay, I haven't done this in 20 years, but all right, let's get to it. Because it really fundamentally does not change. It's still the network. I mean, I've had people tell me, Well, when we go to containers, we will not have to worry about the network. And I'm like, yeah, you don't I do. >> And that's within programmability is a really interesting, so I think this brings up the certification. What are some of the new things that people should be aware of that come in with the Aviatrix A certification? What are some of the highlights? Can you guys share some of the highlights around the certifications? >> I think some of the importance is that it doesn't need to be vendor specific for network generality or basic networking knowledge, and instead of learning how Cisco does something, or how Palo Alto does something, We need to understand how and why it works as a basic model, and then understand how each vendor has gone about that problem and solved it in a general. That's true in multicloud as well. 
You can't learn how Cloud networking works without understanding how AWS and Azure and GCP are all slightly the same but slightly different, and some things work and some things don't. I think that's probably the number one take. >> I think having a certification across Clouds is really valuable because we heard the global SIs as you have a business issues. What does it mean to do that? Is it code, is it networking? Is it configurations of the Aviatrix? What is, he says, the certification but, what is it about the multiCloud that makes it multi networking and multi vendor? >> The easy answer is yes. >> Yes is all of us. >> All of us. So you got to be in general what's good your hands and all You have to be. Right, it takes experience. Because every Cloud vendor has their own certification. Whether that's SOPs and advanced networking and event security, or whatever it might be, yeah, they can take the test, but they have no idea how to figure out what's wrong with that system. The same thing with any certification, but it's really getting your hands in there, and actually having to troubleshoot the problems, actually work the problem, and calm down. It's going to be okay. I mean, because I don't know how many calls I've been on or even had aviators join me on. It's like, okay, so everyone calm down, let's figure out what's happening. It's like, we've looked at that screen three times, looking at it again is not going to solve that problem, right. But at the same time, remaining calm but knowing that it really is, I'm getting a packet from here to go over here, it's not working, so what could be the problem? Actually stepping them through those scenarios, but that's like, you only get that by having to do it, and seeing it, and going through it, and then you get it. >> I have a question, so, I just see it. We started this program maybe six months ago, we're seeing a huge amount of interest. I mean, we're oversubscribed on all the training sessions.
We've got people flying from around the country, even with Coronavirus, flying to go to Seattle to go to these events where we're subscribed, is that-- >> A good emerging leader would put there. >> Yeah. So, is that something that you see in your organizations? Are you recommending that to people? Do you see, I mean, I'm just, I guess I'm surprised or not surprised. But I'm really surprised by the demand if you would, of this MultiCloud network certification because there really isn't anything like that. Is that something you guys can comment on? Or do you see the same things in your organization? >> I see from my side, because we operate in a multiCloud environments that really helps and some beneficial for us. >> Yeah, true. I think I would add that networking guys have always needed to use certifications to prove that they know what they know. >> Right. >> It's not good enough to say, Yeah, I know IP addresses or I know how a network works. A couple little check marks or a little letters body writing helps give you validity. So even in our team, we can say, Hey, we're using these certifications to know that you know enough of the basics and enough of the understandings, that you have the tools necessary, right. >> I guess my final question for you guys is, why an ACE certification is relevant, and then second part is share with the live stream folks who aren't yet ACE certified or might want to jump in to be aviatrix certified engineers. Why is it important, so why is it relevant and why should someone want to be a certified aviatrix certified engineer? >> I think my views a little different. I think certification comes from proving that you have the knowledge, not proving that you get a certification to get an army there backwards. So when you've got the training and the understanding and you use that to prove and you can, like, grow your certification list with it, versus studying for a test to get a certification and have no understanding of it. 
>> Okay, so that who is the right person that look at this and say, I'm qualified, is it a network engineer, is it a DevOps person? What's your view, a little certain. >> I think Cloud is really the answer. It's the, as we talked like the edges getting eroded, so is the network definition getting eroded? We're getting more and more of some network, some DevOps, some security, lots and lots of security, because network is so involved in so many of them. That's just the next progression. >> Do you want to add something there? >> I would say expand that to more automation engineers, because we have those now, so I probably extend it beyond this one. >> Jennifer you want to? >> Well, I think the training classes themselves are helpful, especially the entry level ones for people who may be "Cloud architects" but have never done anything in networking for them to understand why we need those things to really work, whether or not they go through to eventually get a certification is something different. But I really think fundamentally understanding how these things work, it makes them a better architect, makes them better application developer. But even more so as you deploy more of your applications into the Cloud, really getting an understanding, even from people who have traditionally done Onprem networking, they can understand how that's going to work in Cloud. >> Well, I know we've got just under 30 seconds left. I want to get one more question then just one more, for the folks watching that are maybe younger than, that don't have that networking training. From your experiences each of you can answer why should they know about networking, what's the benefit? What's in it for them? Motivate them, share some insights of why they should go a little bit deeper in networking. Stacy, we'll start with you, we'll go then. >> I'll say it's probably fundamental, right? If you want to deliver solutions, networking is the very top. 
>> I would say if you, fundamental of an operating system running on a machine, how those machines start together is a fundamental changes, something that start from the base and work your way up. >> Jennifer? >> Right, well, I think it's a challenge. Because you've come from top down, now you're going to start looking from bottom up, and you want those different systems to cross-communicate, and say you've built something, and you're overlapping IP space, note that that doesn't happen. But how can I actually make that still operate without having to re-IP, re-platform. Just like those challenges, like those younger developers or assistant engineers can really start to get their hands around and understand those complexities and bring that forward in their career. >> They get to know then how the pipes are working, and they've got to know it--it's the plumbing. >> That's right. >> They got to know how it works, and how to code it. >> That's right. >> Awesome, thank you guys for great insights, ACE Certified Engineers, also known as ACEs, give them a round of applause. (audience clapping) (upbeat music) >> Thank you, okay. All right, that concludes my portion. Thank you, Steve. Thanks for having me. >> John, thank you very much, that was fantastic. Everybody round of applause for John Furrier. (audience applauding) Yeah, so great event, great event. I'm not going to take long, we got lunch outside for the people here, just a couple of things. Just to call the action, right? So we saw the ACEs, for those of you out of the stream here, become a certified, right, it's great for your career, it's great for not knowledge, is fantastic. It's not just an aviator's thing, it's going to teach you about Cloud networking, MultiCloud networking, with a little bit of aviatrix, exactly like the Cisco CCIE program was for IP network, that type of the thing, that's number one. Second thing is learning, right? So there's a link up there to join the community.
Again like I started this, this is a community, this is the kickoff to this community, and it's a movement. So go to community.avh.com, starting a community of multiCloud. So get trained, learn. I'd say the next thing is we're doing over 100 seminars across the United States and also starting into Europe soon, we will come out and we'll actually spend a couple hours and talk about architecture, and talk about those beginning things. For those of you on the livestream in here as well, we're coming to a city near you, go to one of those events, it's a great way to network with other people that are in the industry, as well as to start alone and get on that MultiCloud journey. Then I'd say the last thing is, we haven't talked a lot about what Aviatrix does here, and that's intentional. We want you leaving with wanting to know more, and schedule, get with us and schedule a multi-hour architecture workshop session. So we sit down with customers, and we talk about where they're at in that journey, and more importantly, where they're going, and define that end state architecture from networking, computer, storage, everything. Everything you've heard today, everybody panel kept talking about architecture, talking about operations. Those are the types of things that we solve, we help you define that canonical architecture, that system architecture, that's yours. So many of our customers, they have three by five, plotted lucid charts, architecture drawings, and it's the customer name slash Aviatrix, network architecture, and they put it on their whiteboard. That's the most valuable thing they get from us. So this becomes their 20 year network architecture drawing that they don't do anything without talking to us and look at that architecture. That's what we do in these multi-hour workshop sessions with customers, and that's super, super powerful. So if you're interested, definitely call us, and let's schedule that with our team.
So anyway, I just want to thank everybody on the livestream. Thank everybody here. Hopefully it was very useful. I think it was, and join the movement, and for those of you here, join us for lunch, and thank you very much. (audience applauding) (upbeat music)
that internally and every one of our other know the answer to this, and a lawyer never the partnership that we're building and what What are some of the "of my problems that I had, the speed to integrate, already out there and ready to go that fit What do you guys think about all the multi-vendor that's the way we talk to customers is, "Let's that are emerging and the new brands emerging So our objective is to provide the solution John: And they all want multi-vendor, they All right, so I got to ask you guys a question I support this ongoing "and make it easy to next level of being able to enable customers are some of the engagements that you guys the methodology that we kind of go along the Yeah, I mean, I'm one of the guys that's So the patterns to ask you to paint a picture of what success out that shows, this is how to approach it journey to the cloud. the global system integrators? This is the folks that going to rib you guys and say, where's your Love the Aviatrix, ACEs Pilot gear there So guys Aviatrix aces, I love the name, a day in the Life. and see the network, the way I see the network. and they were, takes care of itself. back to that, the problem solved with Amazon, of being a network guy is that you need to Now you got a full stack DevOps, you got What is the Squadron Leader firstly? my perspective, when to think about what you lot of the finger pointing it's that guy's have VPNs, that you just don't have the logs Because the people who come that background knowledge to see where it's You just set the network, you got a the network , current cat five cables to run What are some of the and GCP are all slightly the same but slightly Is it configurations of the Aviatrix? got to be in general what's good your hands the country, even with Coronavirus, flying I'm really surprised by the demand if you I see from my side, because we operate to prove that they know what they know. 
these certifications to know that you know I guess my final question for you guys and you use that to prove and you can, like, Okay, so that who is the right person that so is the network definition getting eroded? engineers, because we have those now, so I you deploy more of your applications into each of you can answer why should they know is the very top. that start from the base and work your way start to get their hands around and understand They get to know then how the pipes are They got to know how it works, and how Awesome, thank you guys for great insights, All right, that concludes and Join the movement, and for those of you
Neha Rungta, AWS | AWS re:Invent 2019
(upbeat music)

>> Narrator: Live from Las Vegas, it's theCUBE. Covering AWS re:Invent 2019. Brought to you by Amazon Web Services and Intel, along with its ecosystem partners.

>> So good to have you with us on theCUBE, we continue our coverage here. We are live at AWS re:Invent 2019. We've been here since Tuesday, wrapping up a little bit later on this afternoon. It's a pleasure to welcome Jeff Frick in for the first time. Why, I haven't seen you in a while.

>> Great to see you, John.

>> Yeah, Jeff Frick.

>> Thanks for coming out.

>> John Walls here and with Neha Rungta, who is the principal applied sciences for the automated reasoning group at AWS. Neha, good to see you as well. Thanks for joining us here.

>> Thank you for having me.

>> All right, let's kind of put this in perspective for people at home. You've got the AI world and the ML world all happening, and automated reasoning applying in all those contexts, so kind of give us an idea about what that mesh looks like, what is it all about, then we'll jump in what you're up to at AWS.

>> Right, so automated reasoning is a subfield of AI. So the way you can think about it is AI is a discipline of computer science that allows you to have rules, to teach a computer system or an algorithm rules about how to think intelligently. So a lot of the tasks that traditionally humans did, we transfer it to a computer doing it. And ML and automated reasoning are subfields of AI, I would call them sister fields, but on the opposite ends of the spectrum. So in machine learning you would have the computer system learn the rules by observing data, lots of data. And it's very good for certain things like voice recognition. There is no definitive set of rules that says, "How can I recognize a voice?" While automated reasoning, on the other hand, doesn't look at data, but for the things that we know exist, where there is a definitive set of rules, we encode them, and the system and the algorithms can reason about it, and access control is a great example of that. There are no unknowns, we know what the shape of access control looks like, what its definitions are, and we encode those rules in a computer system and algorithm, and that allows us to ask, you know, many questions, and be able to have different applications and security, compliance, availability.

>> All right, talk about asking questions in the context of security and access. Who's asking who what questions? Is the system asking the person trying to get in? Is it the person trying to get in making sure they're getting in the right system? Who's actually asking those types of questions, or what are those questions?

>> So some questions are very general. For example, in most cases, you do not want, you want to make sure that your S3 bucket is not public. Only if you're hosting web assets or web pages are potentially the only cases where you would want a bucket with world read access. So this is a question that's a global security best practice. So we would say, we would ask the question in AWS, is this the case that the bucket is public? But as an organization, you may have specific questions about who in my organization can access something. And that can vary based on organization, based on the security best practices that you have, based on the governance rules. So some questions I would say are best practices, while others can be specific to organizations and enterprises and companies.

>> Now that's really important, 'cause when we do hear about breaches, and we hear about breaches all the time, it seems like usually if Amazon is involved, it was some misconfiguration, some switch got left in the wrong position. So this is the type of application that you guys can now search for in advance to make sure that whether it's industry best practices, or are you sure you want to leave this knob open, you guys can get ahead of the curve on that.

>> Absolutely, and at AWS, we want the customers to have options and have flexibility to do those things. But we all, and but at the same time, we want to provide them different means where they can check that, you know, check, double check, triple check that their configurations are as they intended. And we've partnered like, we've partnered with S3. So you see the public, not public badge in the S3 console last year. We also partnered with them on the Block Public Access, where it allows account administrators to turn on that nobody can ever access their bucket. And so we've been providing a lot of features to our customers to allow for them to detect and prevent misconfiguration of the resources.

>> Yeah, how much more complicated is it now, or complex, because you have, you know, so much more resource, you've got a lot of data, companies want it to be accessible to a lot of different people, or people within the company want access to it. But just in terms of fundamentals, what does that do to your game, I mean, in terms of what you're trying to provide, the controllers you're trying to provide, when there's a lot more of it, and a lot more people who want to get at it basically.

>> Right, and this is where I, is one of the powerful things of automated reasoning, where, as I said, it's a sister field, but in a way, the opposite end of machine learning. It doesn't need data, or logs, or who has accessed things in the past, but it just looks at your configurations, your policies, and because of the rules we've encoded, it can very quickly tell you who outside your account has access. And we launched a feature this Monday called IAM Access Analyzer, that with one click, you can enable it in your account. It will scan all the resource policies in your account and tell you, "Hey, Bob here from marketing can read this bucket, is that intentional?" And that's not something we can say. Because that's a business use case.

>> So you put that on the customer, right? To let them make that determination for themselves.

>> Exactly, then we provide that visibility.

>> And the goal is for the customer to say, "Yeah, that's intended, he needs access." So I'm going to archive this, I'm going to say this is intended. While if it's not, they can go to the respective service console and fix the access. And essentially, it empowers the customers to make decisions about what access is intentional versus not.

>> Is it, does it just like fire off notifications, that there's something that seems kind of out of band within your system? That says, this doesn't seem right, or, you know, how is that actually executed? 'Cause I don't think most people understand how complex access control can be between different rules, different projects, different resources, it gets to be a pretty nasty, eerie mess.

>> So I mean, we have many ways that customers can get notified, we've provided integrations in the S3 consoles. So a lot of, they don't need to go somewhere else. If people are in the S3 console, they can have this information right there. There's a little tab in the S3 console that says Access Analyzer for S3. Security Hub is where a lot of the security compliance people look for a holistic view of their security and compliance posture, look at findings from other security services as well as partner solutions. And we also provide integrations with CloudWatch Events. So people can just subscribe, "Hey, this bucket suddenly allowed John access, I don't know John."

>> Be careful with that.

>> Yeah. (laughing)

>> Shut that thing down.

>> How, what about just in terms of ease of use? I mean, that's always, I guess, as more capabilities come to the market and you give me more choice as a customer. Sometimes, let me tell you, oh, you know, wait a minute, this seems like it's going to be over my head, or a lot more complex, or a lot more intricate than I thought. Can you keep it simple? I mean, I don't mean access for dummies, can you keep it relatively, that ease of use in a pretty comfortable level for me?

>> Absolutely, and that's our goal. So traditionally, when you talk about automated reasoning, there's been this, oh, it's high touch, or you need to be an expert user to do it. And what's, with this offering here, all that, like it's all one click, and you don't have to be a security expert, or even know how access control works, or be like a mathematician or a logician. It's just simple declarative statements, it'll say, "John, from account one, two, three can read your resource."

>> It's that simple.

>> That's it, it's that simple.

>> Yup.

>> So it's essentially for customers of all verticals. You don't need to be a large customer with a huge team to be able to use it. Anybody, anybody can just turn it on and use it. And that's been one of the things that we pushed really hard on, is to have that ease of use.

>> Yup, yup.

>> There's something, I'm curious philosophically, is this a different type of AI that could be applied when you have use cases that just don't have the big data set, because that's what we hear all the time about traditionally AIs, you know, to identify the, the chihuahua dog from the blueberry muffin, you need a lot of pictures. But this is something where you don't need a lot of data. So you see lots of different applications beyond, you know, this initial launch to apply this type of reasoning.

>> Absolutely, so and there's a lot of systems, a lot of configurations, a lot of even code architecture, there's many, many systems I, that where we can apply these technologies for us to have. And that I think you hit a very key point, we don't need the data. We're in a way data agnostic, because the rules that we derive are the rules that we've made up. I mean, we know the rules because that's how AWS is constructed. So we leverage that to create these automated reasoning technologies. And we're starting with access control. But there's a lot of other places that we want to start using this and applying it.

>> So how is this making our operations more secure then, I mean, ultimately, because if you're giving me a chance to better identify who's coming in, who's coming out, obviously, there's some protection there.

>> Right.

>> But, I mean, look at that for us, or at least try to paint that picture for us a little bit, in why does this give us better protections, better securities, in terms of protecting from invasion.

>> So in the cloud, like cloud, security is our number one priority is, we call it job zero at AWS. And, as you talked about where, it's flexible, it's growing, your business is growing. You want to know what's happening. And you want to be, you want to have the, you want to be empowered to make the right choices and right decisions. And this provides you that visibility, you don't have to dig through, you know, the different configurations to see what's happening. Like for your compliance auditor comes on board say, are you sure that this meets these privileged practices, and now you don't have to go digging, you can just say, "Oh, here's the report generated from this tool that has analyzed all the possible accesses." So it allows you to scale better as a business, you can focus more on your business value core propositions, rather than having to say, "Oh, how do I check the different configurations with my security requirements?" And it's not passing judgment, it's not saying this is good or bad, because what may be good or bad for business can be different.

>> Just depends on their perspective.

>> Yeah.

>> What they want.

>> So I think that's the key part here. There are, I mean, there are some cases which we would call security best practices, but there's a whole, like, tail of use cases that are very, very specific to your business. And I think by empowering you to make that choice and decision of what is intentional, what is not, and do it in a way that's easy, one click, you don't have to think hard about it, I think changes the game for security.

>> Well, I would say my only piece of advice is don't give John access to anything. (laughing)

>> And with that, with Access Analyzer you can. (laughing)

>> You know, you can check (mumbles).

>> Jeff, you now have control.

>> Cut him down.

>> Thanks for joining us, appreciate the time and walking us through, good luck with the product launch too. Sure things are rolling well for you, Neha, thanks for being with us.

>> Thank you.

>> That with more, we continue our coverage here, we are live in Las Vegas at AWS re:Invent 2019. (upbeat music)
Jesse Rothstein, ExtraHop | AWS re:Invent 2019
>> Announcer: Live from Las Vegas, it's theCUBE. Covering AWS re:Invent 2019, brought to you by Amazon Web Services, and Intel, along with its ecosystem partners. >> Welcome back, this is theCUBE seventh year of coverage of the mega AWS re:Invent show, here in Las Vegas. Somewhere between 60 and 65,000, up and down the street. We are here in the Sands Convention Center. I am Stu Miniman, my cohost for this segment is Justin Warren. And happy to welcome back to the program, one of our CUBE alumni Jesse Rothstein, who is the co-founder and CTO of ExtraHop, Jesse, great to see you. >> Thank you for having me again. >> So, we caught up with you at AWS re:Inforce-- >> We did. >> Not that long ago, in Boston. Where, it rains more often in Boston than it does in Vegas and it's raining here in Vegas, which is a little odd. >> Strangely it is raining here in Vegas, but re:Inforce at the end of June in Boston was the first AWS security conference. Great energy, great size, we had a lot of fun at that show. >> Yeah, so Dave Vellante, who was one of the ones at re:Inforce, and he actually came out of the three-hour keynote yesterday with Andy Jassy and said, "I'm a little surprised there wasn't as much security talk." You know, it's not like we can remove security from the discussion of cloud, it is you know one of the top issues here. So I want to get your viewpoint, were we missing something? Is it just there, what grabbed you? >> I know this thing as well. I think, perhaps, they're saving some announcements for, you know, re:Inforce coming again in June in Houston this year. There was at least one announcement around IAM Access Analyzer as I recall. But generally the announcements seem to focus in some other areas. You know some big announcements around data warehousing, you know for federated red shift queries I think. And some big announcements around machine learning tooling, like the SageMaker Studio. But I noticed that as well, not as many security announcements. 
>> You never know, Werner still has his keynote tomorrow. So we're sure there'll still be another 50 or 100 announcements before the week is done. ExtraHop also has something new this week, so why don't we make sure-- >> Well first I can assure you that cloud security is not solved. It's not a solved problem, in fact, unfortunately despite record spend year after year after year, we still continue to see record numbers of compromises and data breaches that are published. I think cloud security in particular remains a challenge. There's a lot of energy there and I think a lot of attention, people recognize it's a problem. But we're dealing with massive cyber security skill shortages. It's very hard to find people with the expertise needed to really secure these workloads. We're dealing with more sophisticated attackers. I think in many cases, attackers with nation state sponsorship. Which is scary, you know five or 10 years ago we didn't see that quite as much. More cyber criminals, fewer nation states. And of course, we're seeing an ever increasing attack surface. So ExtraHop's right in the mix here, and we focus on network detection and response. I'm a huge believer in the power of network security, and I'll talk more about that. At re:Inforce last June, we announced ExtraHop Reveal(x) Cloud, which is a SaaS offering using AWS's recent VPC Traffic Mirroring capability. So the idea is, all you do is you mirror a copy of the traffic, using VPC Traffic Mirroring, to our SaaS, and then we provide all of the sophisticated detection, investigation and response capabilities, as a product. So that's hosted, you still do the work of investigating it, but you know we provide the entire offering around that. Very low TCO, very turnkey capabilities. And of course, it wouldn't be a modern day security offering if we didn't leverage very sophisticated machine learning, to detect suspicious behaviors and potential threats. 
But this is something I think we do better than anybody else in the world. >> So walk us through some of what the machine learning actually does. 'Cause I feel that the machine learning and AI is kind of hitting peak hype cycle maybe. >> You know I almost can't say it with a straight face because it's so overused. But, it is absolutely real, that's where the state of the art is. Machine learning allows us to recognize behaviors, and behaviors are very important because we're looking for post-breach behaviors and indicators of compromise. So there are a million ways that you can be breached. The attack surface is absolutely enormous. But there's actually a relatively small number, and a relatively tractable set of post-breach behaviors that attackers will do once you're compromised. And I think more and more organizations are realizing that it's a matter of when and not if. So what we've done is we've built the machine learning behavioral model so that we can detect these suspicious behaviors. In some cases we have an entire team of threat researchers that are simulating attacks, simulating pen testing tools, lateral movement, exfiltration so we can train our models on these behaviors. In some cases, we're looking for very specific indicators of compromise. But in just about all cases, this results in very high quality detections. And because just detections alone are completely insufficient, ExtraHop is built on top of an entire analytics platform, so that you're always one or two clicks away from being able to determine, is this something that requires immediate attention and requires kind of an incident response scenario? One of the capabilities that we announced here at this show, is automated response. So we integrate with the AWS API, so that we can automatically isolate and quarantine a workload that's behaving suspiciously. You know in cyber security, some attacks are low and slow but some are very fast and destructive. 
And for the fast and destructive ones, you move faster than a human's ability to respond, so we need that automated response. And we also announced a continuous packet capture capability for forensics, because sometimes you need the packets. >> That's a response, a lot of different things that we'd actually like to bring the capability a little bit earlier than that so that we don't actually get breached. It's great that we can detect it and say, great we've got the indication of compromise and we can react very, very quickly to that. Are you able to help us get one step ahead of the cyber crimes? >> So I'll actually be a little contrarian on that. I'm going to say that organizations have really been investing in protection and prevention, for the last decade or two. You know this strategy's called defense and depth, and you should do it, everybody should, that's a best practice. But, you know, with defense and depth, you have lots of layers of defense at the perimeters. You know keep the attackers out of the perimeter, gateways, firewalls, proxies. Lots of layers of defense at the end point, you know keep attackers off of my workstations, my instances, my laptops, things like that. But, you know, I think again, organizations have learned that attackers can fire, you know, 1,000 arrows, or 100,000 arrows, or 100 million arrows and only one needs to land. So the pendulum is really swung toward detection response. How do I know if I'm breached right now? How can I detect it quickly? The industry average dwell time is over three months, which is unacceptably long, and we always hear about cases in the news that are three years or more. And what I like to say is if it were three weeks, that would be too long. If it were three days, that would be too long, if it were three hours, I think you could do a lot of damage in three hours. If you can start getting this down to three minutes, well maybe, you know, we can limit the blast radius in three minutes. 
>> So Jesse, you brought up the ever growing surface area of attack and one of the big themes we've seen at the show is AWS is pushing the boundaries of where they touch customers. You know I said if Amazon is the everything store, AWS is becoming the everywhere cloud. Outposts, from Amazon's perspective, they said Outposts just extends their security models. I see and hear a lot of the ecosystem talking about how they're leveraging that and integrating with that. Does Outposts or any of their other Edge solutions impact what your customers and your solutions are doing? >> So it's funny you say that, I was wondering that myself. My expectation is that Outposts are a good thing because they the have same security controls that we expect to see in any AWS kind of VPC enabled environment. Where I haven't gotten full clarification is do we have the full capabilities that we expect with VPCs? In particular, you know VPC Traffic Mirroring, which is the capability that was announced at re:Inforce, that I'm so excited about, because it allows us to actually analyze and inspect that traffic. Another capability that I think slipped in under the radar but it was announced yesterday is VPC Ingress Routing. This doesn't really effect ExtraHop that much, but as a network head, I like seeing Amazon enable organizations to kind of make their own choices around how they want to inspect and control traffic. And with VPC Ingress Routing, it actually allows you to run in-line devices between your VPCs, which previously you were unable to do. So I think that one slipped in under the radar, maybe you have to be a network head like me to really appreciate it. But I'm seeing more flexibility and not less and that's something that I'm really pleased with. >> That one thing that we definitely see with cloud is that explosion of customer choice, and all of these different methods that are available. And Amazon just keeps pushing the boundaries on how quickly they can release new features. 
What does that mean for ExtraHop in being able to keep up with the pace of change that customers are using all of these different features? >> That's a good question, I think that's just the reality, so I don't think about what it means or doesn't mean, that's just the way it is. In general though, I've seen this trend toward more flexibility. You know VPC Traffic Mirroring, to use that example again, was one of the few examples I could point to a year ago as something really useful and valuable that I could do on-premises, you know for diagnostic purposes, for forensics purposes, that for some reason wasn't available in public cloud, at least not easily. And, you know, with this announcement six months ago, and going to general availability, Amazon finally ticked that one off. And we're starting to see the rest of the public cloud ecosystem move that way as well. So I'm seeing more flexibility, and more control. Maybe that comes with a pace of innovation, but I think that's just the world we live in. >> You do mention that the customers are having to adopt this new regime, of look we need to look at compromise, can we detect if we've been compromised, and can we do it quickly. We have a lot of tools that are now being made available, like Igress Routing, but, sorry Ingress Routing. But what does that mean for customers in changing their mindset? One of the themes that we had from the keynote yesterday was transformation, so do customers need to just transform the way they think about security? >> Yes and no. You know certainly customers who are used to a certain set of on-prem tool set, tool chain can't necessarily just shoehorn that into their public cloud workloads. But on the other hand, I think that public cloud workloads have really suffered from an opacity problem, it's very difficult to see what's going on, you know its hard to sift through all those logs, it's hard to get the visibility that you expect. 
And I think that the cyber security tool set, tool chain, has been pretty fragmented. There are a lot of vulnerability scanners, there are a lot of kind of like API inspectors and recommendation engines. But I think the industry is still really trying to figure out what this means. So I'm seeing a lot of innovation, and I'm seeing kind of a rapid maturing of that kind of cloud security ecosystem. And for products like ExtraHop, I'm just a huge believer in the power of the network for security, because it's got these great properties that other sources of data don't have. It's as close to ground truth as you could possibly get, very hard to tamper with and impossible to turn off. With VPC Traffic Mirroring, we get the full power of network security and it's really designed with the controls and kind of the IAM roles and such that you would expect for these security use cases, which, I just, great, great advance. >> So along the discussion of transformation, one of the things Andy Jassy talked about is the you know, the senior leadership, the CEOs need to be involved. Something we've been saying in the security industry for years. Not only CEOs, the board is you know, talking about this and it's there, so you know, what are you seeing? You stated before that we haven't solved security yet, but so, bring us inside the mindset of your customers today, and what's the angst and you know, where are we making progress? >> That's a very interesting question. I'll probably be a little contrarian here as well, maybe not but I think we see a lot of pressure is regulatory pressure. You know we're seeing a lot of new regulations come out around data privacy and security, GDPR was you know pretty transformative in terms of how organizations thought about that. I also think it's important that there are consequences. I was worried that for a few years data breaches were becoming so commonplace that people were getting kind of desensitized to it. 
Like, there was once a time that if, when there was a massive data breach kind of heads would roll. And there was a sense of consequences all the way up into the C-suite. But a few years ago I was starting to get concerned that people were getting a little lackadaisical like, "Oh just another data breach." My perception is that the pendulum's swinging back again. I think for truly massive data breaches, there really is a sense of brand. And I'm seeing the industry starting to demand better privacy. The consumer industry is perhaps leading the way. I think Apple's doing a very good job of actually selling privacy. So when you see the economics, I mean we're, it's a capitalist system. And when you see kind of the market economics align with the incentives, then that's when you actually see change. So I'm very encouraged by the alignment of kind of the market economics for paying greater attention to privacy and security. >> All right, want to give you a final word here, you said you'd like to have some contrarian viewpoints. So you know, the last question is just you know, what would you like to kind of just educate the marketplace on that maybe goes against the common perception when it comes to security in general, maybe network security specifically? >> Well, I'll probably just reiterate what I said earlier. Network security is a fundamental capability, and a fundamental source of data. I think organizations pay a lot of attention to their log files. I think organizations do invest in protection and prevention. But I think the ability to observe all of the network communications, and then the ability to detect suspicious behaviors and potential threats, bring it to your attention, take you through an investigative workflow, make sure that you're one click away from determining you know, whether this requires an actual incident response, and in some cases take an automated response. 
I think that is a very powerful solution and one that drastically increases an organization's cyber security posture. So I would always encourage organizations to invest there regardless of whether it's our solution or somebody else's. I'm a huge believer in the space. >> All right so, Jesse, thank you so much for sharing. We know that the security industry still has lots of work to do. So we look forward to catching ExtraHop soon at another event. And we have lots of work to do to cover all of the angles of this sprawling ecosystem here at AWS re:Invent. For Justin Warren, I'm Stu Miniman, be back with lots more right after this, and thank you for watching theCUBE. (bouncy electronic music)
Corey Quinn, The Duckbill Group | AWS re:Inforce 2019
>> Announcer: From Boston, Massachusetts it's The Cube. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. >> Hey, welcome back everyone. This is The Cube's live coverage of AWS re:Inforce in Boston, Massachusetts. I'm John Furrier with Dave Vellante. This is re:Inforce. This is the inaugural conference for AWS on the security and Cloud security market. A new category being formed from an events standpoint around Cloud security. Our next guest is Cube alumni guest analyst Corey Quinn, and Cloud Economist with the Duckbill Group. Good to see you again. Great to have you on. Love to have you come back, because you're out in the hallways. You're out getting all the data and bringing it back and reporting. But this event, unlike the other ones, you had great commentary and analysis on. You were mentioned onstage during the Keynote from Stephen Smith. Congratulations. >> Thank you. I'm still not quite sure who is getting fired over that one, but somehow it happened, and I didn't know it was coming. It was incredibly flattering to have that happen, but it was first "Huh, awesome, he knows who I am." Followed quickly by "Oh dear, he knows who I am." And it, at this point, I'm not quite sure what to make of that. We'll see. >> It's good news, it's good business. All press is good press as they say, but let's get down to it. Obviously, it's a security conference. This is the inaugural event. We always love to go to inaugural events because, in case there's no second event, we were there - >> Corey: Oh yes >> for one event. So, that's always the case. >> Corey: Been there since the beginning is often great bragging rights. And if there isn't a second one, well, you don't need to bring it up ever again. So, they've already announced there's another one coming to Houston next year. So that'll be entertaining. >> So a lot of people were saying to us re:Inforce security event, some skepticism, some bullish on the sector. 
Obviously, Cloud is hot. But the commentary was, oh, no one's really going to be there. It's going to be more of an educational event. So, yeah, it's more of an educational event for sure. That they're talking about stuff that they can't have time to do and reinvent. But there's a lot of investment going on there. There are players here from the companies. McAfee, you name the big name companies here, they're sending real people. A lot of biz dev folks trying to understand how to build up the sector. A lot of technical technologists here, as well. Digging in to some of the deep conversations. Do you agree? What's your thoughts of the event? >> I'm surprised, I was expecting this to be a whole bunch of people trying to sell things to other people, who were trying to sell them things in return, and it's not. There are, there are people who are using the Cloud for interesting things walking around. And that's fantastic. One thing that's always struck me as being sort of strange, and why I guess I feel sort of spiritually aligned here if nothing else. Is cost and security are always going to be trailing functions. No company is excited to invest in those things, until immediately after they really should have been investing in those things and weren't. So with time to market, velocity are always going to be something much more valuable and important to any company strategically. But, we're seeing people start to get ahead of the curve in some ways. And that's, it's refreshing and frankly surprising. >> What is the top story in your mind? Top three stories coming out of re:Inforce. From industry standpoint, or from a product standpoint, that you think need to be told or amplified, or not being told, be told? >> Well there's been the stuff that we've seen on the stage and that's terrific. And, I think that you've probably rehashed those a fair bit with other guests. For me, what I'm seeing, the story that resonates as I walk around the Expo Hall here. 
Is we're seeing a bunch of companies that have deep roots in data centered environments. And now they're trying to come up with stories that resonate with Cloud. And if they don't, this is a transformational moment. They're going to effectively, likely find themselves in decline. But, they're not differentiating themselves from one another particularly well. There are a few very key things that we're seeing people operate within. Such as, with the new port mirroring stuff coming out of NVPC Traffics. You're right. You have a bunch of companies that are able to consume those, or flow logs. If you want to go back in time a little bit, and spit out analysis on this. But you're not seeing a lot of differentiation around this. Or, Hey we'll take all your security events and spit out the useful things. Okay, that is valuable, and you need to be able to do that. How many vendors do you need in one company doing the exact same thing? >> You know, we had a lot of sites CSOs on here and practitioners. And one of the comments on that point is Yeah, he's like, "Look I don't need more alerts." "I need things fixed." "Don't just tell me what's going on, fix it." So the automation story is also a pretty big one. The VPC traffic mirror, I think, is going to be just great for analytics. Great for just for getting that data out. But what does it actually impact in the automation piece? And the, okay there's an alert. Pay attention to it or ignore it. Or fix it. Seems to be kind of the next level conversation. Your thoughts around that piece. >> I think that as we take a look at the space and we see companies continuing to look at things like auto remediation. Automation's terrific, until the first time it does something you didn't want it to do and takes something down. At which point no one trusts it ever again. And that becomes something hard to tend to. I also think we're starting to see a bit of a new chapter as alliance with this from AWS and its relationship with partners. 
I mean historically you would look at re:Invent, and you're sitting in the Expo Hall and watching the keynote. And it feels like it's AWS Red Wedding. Where, you're trying to see who's about to get killed by a feature that just comes out. And now we're seeing that they've largely left aspects of the security space alone. They've had VPC flow logs for a long time, but sorting through those yourself was always like straining raw sewage with your teeth. You had to find a partner solution or build something yourself out of open source tooling from spit and duct tape. There's never been a great tool there. And it almost feels like they're leaving that area, for example, alone. And leaving that as an area rife for partners. Now how do you partner with something like AWS? That's a hard question to answer. >> So one of the other things we've heard from practitioners is they don't want incrementalism. They're kind of sick of that. They want step functions, that do as John said, remediate. >> Corey: Yeah. >> So, like you say, you called it the Red Wedding at the main stage. What does a partner have to do to stay viable in this ecosystem? >> Historically, the answer to that has always been to continue innovating ahead of the bow wave of AWS's own innovation. The problem is you see that slide that they put on in every event, that everyone who doesn't work at AWS sees. That shows the geometric increase in number of feature and service releases. And we all feel this sinking sensation of not even the partner side. But, they're releasing so much that I know some of that is going to fix things for my company, but I'll never hear it. Because it's drowned in the sheer volume of what they're releasing. AWS is rapidly increasing their pace of innovation to the point where companies that are not able to at least match that are going to be in for a bad time. As they find themselves outpaced by the vendor they're partnering with. 
>> And you heard Liberty Mutual say their number one challenge was actually the pace of Cloud. Being able to absorb all these new features >> Yes. >> And so, you mentioned the partner ecosystem. I mean, so it's not just the partners. It's the customers as well. That bow is coming faster than they can move. >> Absolutely. I can sit here now and talk very convincingly about services that don't exist. And not get called out on them by an AWS employee who happens to be sitting here. Because no one person can have all of this in their head anymore. It's outpaced most people's ability to wrap their heads around that and contextualize it. So people specialize, people focus. And, I think, to some extent that might be an aspect of why we're seeing re:Inforce as its own conference. >> So we talked to a lot of CSOs this trip. >> Yeah. >> John: A lot of one on ones. We had some interviews. Some private meetings. I'm going to read you a list of key areas that they brought up as concern. I want to get your reaction to. >> Sure. >> You pick the ones out you think are very relevant. >> Sure. >> Speedily, very fast. Vendor lock in. Spend. >> Not concerned. Yep. Security Native. >> Yeah. >> Service provider supplier relationship. Metrics, cloud securities, different integration, identity, automation, work force talent, coding security, and the human equation. There were all kind of key areas that seemed to glob and be categorically formed. Your thoughts to those. Which ones do you think jump out as criticalities on the market? >> Sure. I think right now people talking about lock in are basically wasting their time and spinning their wheels. If you, for example, you go with two cloud providers because you don't want to be locked into one. Well now there's a rife partner ecosystem. Because translating things like IAM into another provider's environment is completely foreign. You have to build an entire new security model on top of things in order to do that effectively. That's great. 
In security we're seeing less of an aversion to lock in than we are in other aspects of the business. And I think that is probably the right answer. Again, I'm not partisan in this battle. If someone wants to go with a different Cloud provider than AWS, great! Awesome! Make them pick the one that makes sense for your business. I don't think that it necessarily matters. But pick one. And go all in on that. >> Well this came up too in a couple of ways. One was, the general consensus was, who doesn't like multi Cloud? If you can seamlessly move stuff between Clouds. Without having to do the modification on all this code that has to be developed. >> Who wouldn't love that? But the reality is, doesn't exist. >> Corey: Well. >> To your point, this came up again, is that workplace, workforce talent is, one CSO said "I'm with AWS." "I have a little bit of Google. I could probably go Azure." "Maybe I bought a company with dealing some stuff over there." "But for the most part all of my talent is peaked on AWS." "Why would I want to have three separate security teams peaking on different things? When I want everyone on our stack." They're building their own stacks. Then outsourcing or using suppliers where it supports it. >> Sure. >> But the focus of building their own stacks. Their own security. Coding up was critical. And having a split competency on code bases just to make it multi, was a non starter. >> And I think multi Cloud has been a symptom. I mean, it's more than a strategy. I think it's in a large part a somewhat desperate attempt by a number of vendors who don't have their own Cloud. To say Hey, you need to have a multi Cloud strategy. But, multi Cloud has been really an outcome of multiple projects. As you say, M&A. Horses for courses. Lines of business. So my question is, I think you just answered it. Multi Cloud is more complex, less secure, and probably more costly. But is it a viable strategy for things other than lock in? >> To a point. 
There are stories about durability. There's business reasons. If you have a customer who does not want their data living on one particular Cloud provider. Those are strategic reasons to get away from it. And to be clear, I would love the exact same thing that you just mentioned. Where I could take what I've built and run that seamlessly on other providers. But I don't just want that to be a pile of VMs and maybe some disk. I want those to be the higher level services that take care of massive amounts of my business for me. And I want to flow those seamlessly between providers. And there's just no story around that for anything reasonable or modern. >> And history would say there won't really ever be. Without some kind of open source movement to - >> Oh yes. A more honest reading of some of the other cloud providers that are talking about multi cloud extensively translates that through a slight filter. To, we believe you should look into Multi Cloud. Because if you're going all in on a single provider there is no way in the world it's going to be us. And that's sort of a challenge. If you take a look at a number of companies out here. If someone goes all in on one provider they will not have much, if anything, to sell them of differentiated value. And that becomes the larger fixture challenge for an awful lot of companies. And I empathize with that, I really do. >> Amazon started to do a lot of channel development. Obviously their emphasis on helping people make some cash. Obviously their vendors are, ecosystems a fray. Always a fray. So shared responsibility at one level is, well we only have one security model. We do stuff and you do stuff. So obviously it's inherently shared. So I think that's really not a surprise for me. The issue is how to get successful monetization in the ecosystem. Clearly defining lines of, rules of engagement, around where the white spaces are. And where the differentiation can occur. Your thoughts on how that plays out. >> Yeah. 
And that's a great question. Because I don't think you're ever going to get someone from Amazon sitting in a room. And saying Okay, if you build a tool that does this, we're never, ever, ever going to build a thing that does that. They just launched a service at re:Invent that talks to satellites in orbit. If they're going to build that, I don't, there's nothing that I will say they're never going to get involved with. Their product strategy, from the outside, feels like it's a post it note that says Yes on it. And how do you wind up successfully building and scaling a business around that? I don't have a clue. >> Andy Jassy's on the record here in The Cube and privately with me on my reporting. Saying never say never. >> Never say never. >> We'll never say never. So that is actually an explicit >> Take him at his word on that one. >> Right. And I'm an independent consultant. Where my first language is sarcasm. So, I basically make fun of AWS in the newsletter and podcast. And that seems to go reasonably well. But, I'm never going to say that they're not going to move into self deprecation as a business model. Look at some of their service names. They're clearly starting to make inroads in that space. So, I have to keep innovating ahead of that bow wave. And for now, okay. I can't fathom trying to build a business model with a 300 person company and being able to continue to innovate at that pace. And avoid the rapid shifts as AWS explores on new offers. >> And I what I like about why, well, we were always kind of goofing on AWS. But we're fanboys as well, as you know. But what I love about AWS is that they give the opportunity for their partners. They give them plenty of head's up. It's pretty much the rules of engagement is never say never. But if they're not differentiating, that's their job. >> Corey: Yeah. >> Their job is to be better. Now one thing Amazon does say is Hey we might have a competing service, but we're always going to favor the customer. 
So, the partner. If a customer wants an Amazon CloudTrail. They want CloudTrail for a great example. There's been requests for that. So why wouldn't they do it? But they also recognize it's bus - people in the ecosystem that do similar things. >> Corey: Yeah. >> And they are not going to actively try to put them out of business, per se. >> Oh yeah! One company that's done fantastically well partnering with everyone is PagerDuty. And even if AWS were to announce a service that wakes you up in the middle of the night when something breaks. It's great. Awesome. How about you update your status page in a timely fashion first? Then talk about me depending on the infrastructure that you run to tell me when the infrastructure that you run is now degraded? The idea of being able to take some function like that and outsource worked well enough for them to go public. >> So where are the safe points in the ecosystem? So obviously a partner that has a strong on-prem presence that Amazon wants to get access to. >> That's a short term, or maybe even a mid term strategy. Okay. Professional services. If you're Accenture, and Ernst & Young, and Deloitte, PWC, you're probably okay. Because that's not a business that Amazon really wants to be in. Now they might want to, they might want to automate as much to that as possible. But the world's going to do that anyway. But, what's your take where it's safe? >> I would also add cost optimization to that. Not from a basis of technical capability. And I think that their current tooling is disappointing. I'd argue that Cost Explorer and the rest of their billing situation is the asterisk next to customer obsession if we're being perfectly honest. But there's always going to be some value in an external party coming in from that space. And what form that takes is going to change. But, it is not very defensible internally to say our Cloud spend is optimized, because the vendor we're writing those large checks to tells us it is. 
There's always going to be a need for some third-party validation. And whether that can come through software? >> How big is that business? >> It's a great question. Right now, we're seeing that people are spending over 30 billion dollars a year on AWS and climbing. One thing we can say with a certainty in almost every case is that people's Cloud bills are not getting smaller month over month. >> Yep. >> So, it's a growing market. It's one that people feel incredibly acutely. And when you get a few drinks into people and they start complaining about various aspects of Cloud, one of the first most common points that comes up is the bill. Not that it's too high, but that it is inscrutable. >> And so, just to do a back of napkin TAM, how much optimization potential is there? Is it a ten percent factor? More? >> It depends on the level of effort you're willing to invest. I mean, there's a story for almost environments where you can save 70% on your Cloud bill. All you have to do is spend 18 months of rewriting everything to use serverless primitives. Six of those months you'll be hard down across the board. And then, wait where did everyone go? Because no one's going to do that. >> Dave: You might be out of business. >> So it's always a question of effort spent doing optimization, versus improving features, speeding time to market and delivering something that will generate far more revenue. The theoretical upside of cost optimization is 100% of your Cloud bill. Launching the right service or product can bring in multiples of that in revenue. >> I think my theory on differentiation, Dave, is that I think Amazon is basically saying in so many words, not directly. But it's my interpretation. Hold on to the rocket ship of AWS as long as you can. And if you can get stable, hold on. If you fall off that's just your fault, right? So, what that means is, to me, move up the stack. So Amazon is clearly going to continue to grow and create scale. 
So the benefits to the companies create a value proposition that can extract rents out of the marketplace from value that they create on the Amazon growth. Which means, they got to lock step with Amazon on growth. And cost leap, pivot up to where there's space. And Amazon is just a steam roller that will come in. The rocket ship that's going so fast. Whatever metaphor. And so people who just say We made a deal with Amazon, we're in. And then kind of sit idle. Will probably end up getting spun off. I mean, cause it's like they fall off and Amazon will be like All right so we did that. You differentiate enough, you didn't innovate enough. But, they're going to give everyone the opportunity to take a place with the growth. So the strategy, management wise, is just constantly push the envelope. >> So that's implicit in the Amazon posture. What's explicit in Amazon's posture is build applications on our platform. And you should be okay. You know? For a while. >> Yeah. And again, I think that a lot of engineers get stuck in a trap of building something and spending all their time making their code quality as best as possible. But, that's not going to lead to a business outcome one way or another. We see stories of companies hitting success with a tire fire of an infrastructure all the time. Twitter used to display massive downtime until they were large enough to justify the time and expense of a massive rewrite. And now Twitter is effectively up all the time. Whether that's good or not is a separate argument. But, they're there. So there's always going to be time to fix things. >> Well the Twitter example is a great example. Because they built it on rails. >> Yes. >> And they put it on Amazon Cloud. It was just kind of a hack, and then all of the sudden Boom, people loved it. And then, that's to me, the benefit of Cloud. One you get the scape velocity, the investment to start Twitter was fairly low, given what the success was. 
And then they had to rewrite, because the scale was bursting up. That's called prototyping. >> Oh yeah. >> That's what enterprises have to do. This is the theme of, agile. Get started as a theme, just dig in. Do a hack up front. But don't confuse that with scale. That's where the rubber meets the road. >> Right and the, Oh Cloud isn't for us because we're an exception case. There are very few companies for whom that statement is true in the modern era. And, do an honest analysis first, before deciding we're going to build our own data centers because we can do it for cheaper. If you're Dropbox, putting storage in, great. Otherwise you're going to end up in this story where Oh, well, we have 20 instances now, so we can do this cheaper in a rack somewhere. I will bet you a house you're wrong. But okay. >> Yeah. People are telling me that. Okay final question for you. As you've wandered around and been in the sessions, been in the analyst thing. What are some slice of life commentary stories you've bumped into that you found either funny, clever, insulting, or humorous? What's out on the floor? What are some of the conversations? >> One of the best ones was a company I'm not going to name, but the story they told was fantastic. They have, they're primarily on Azure. But they also have a strong secondary presence with AWS, and that's fascinating to me. How does that work internally? It turns out their cloud of choice is Azure. And they have to mandate that with guardrails in place. Because if you give developers a choice they will all go and build on AWS instead. Which is fascinating. And there are business reasons behind why they're doing what they're doing. But that story was just very humorous. I can't confirm or deny whether it was true or not. Because it was someone with way too much to drink telling an awesome story. But the idea of having to forcibly drag your developers away from a thing in a favor of another thing? >> That's like being at a bad party. 
It's like Oh, the better party is over there. All my friends are over there. >> But they have a commitment to Microsoft software estate. So, that's likely why they're. >> They just deal with Microsoft. >> And I'm not saying this is necessarily the wrong approach. I just find it funny. >> Might be the right business decision, but when you ask the developers, we see that all the time, John. >> All the time. I mean I had a developer one time come to me and start, he's like "Look, we thought it would be great to build on Azure. We were actually being paid. They were writing checks to incent us. And I had a revolt. Engineers were revolting. Because the reverse proxies as there was cobbled together services. And they weren't clean native services and primitives. So the engineers were revolting. So they, we had to turn down the cash from Microsoft and go back to Amazon." >> Azure is much better now, but they have to outrun that legacy shadow of at first, it wasn't great. And people try something once, "That was terrible!" Well would you like to try it again now? "Why would I do that? It was terrible!" And it takes time to overcome that knee-jerk reaction. >> Well, but to your point about the business decision. It might make business sense to do that with Microsoft. It's maybe a little bit more predictable than Amazon is as a partner. >> Oh the way to optimize your bill on another Cloud provider that isn't AWS these days is to call up your account rep and yell at them. They're willing to buy business in most cases. That's not specific to any one provider. That's most of them. It's challenging to optimize free, so we don't see the same level of expensive bill problems in most companies there as well. >> Well the good news is on Microsoft, and I was a really big critic of Azure going back a few years ago. Is that they absolutely have changed their philosophy going back, I'd say two, three years ago. In the past two years, particular 24 months, they really have been cranking. 
They've been pedaling as fast as they can. They're serious. There's commitment from the top. And then they tell us, so there's no doubt. They're doing it also with the Kubernetes. What they're seeing, as they're doing is phenomenal. So... >> Great developer jobs at Microsoft. >> They're in for the long game. They're not going to be a fad. No doubt about it. >> No. And we're not going to see for example the Verizon public Cloud the HP public Cloud. Both of which were turned off. The ones that we're seeing today are largely going to be to stay of the big three. Big four if we include Alibaba. And it's, I'm not worried about the long term viability of any of them. It's just finding their niche, finding their market. >> Yeah, finding their lanes. Cory. Great to have you on. Good to hear some of those stories. Thanks for the commentary. >> Thank you. >> As always great guest analyst Cube alumni, friend, analyst, Cory Quinn here in the Cube. Bringing all the top action from AWS re:Inforce. Their first inaugural security conference around Cloud security. And Cube's initiation of security coverage continues, after this break. (upbeat electronic music)
Austin Adams & Zach Arnold, Ygrene | KubeCon + CloudNativeCon EU 2018
>> Announcer: Live from Copenhagen Denmark, it's theCUBE covering KubeCon and CloudNativeCon Europe 2018. Brought to you by the Cloud Native Computing Foundation and its ecosystem partners. >> Welcome back everyone, live here at Copenhagen, Denmark, Cube's coverage of KubeCon 2018 in Europe, this is all about the Kubernetes the future of cloud native, CloudNativeCon part of the CNCF Cloud Native Foundation, I'm John Furrier and my co-host Lauren Cooney, founder of Spark Labs industry expert of open source. So, we have two end user customers of Kubernetes and Cloud Native, Zach Arnold, software engineer Ygrene Energy Fund, and Austin Adams software development manager, same company. You guys are doing really interesting business model around energy and equity in buildings and homes, but you're writing code, so you have to make all this stuff work, so I'm sure you're cloud native, why have a data center when you can have the cloud >> Austin : We were born in the cloud. >> You were born in the cloud. So take us through, explain the business real quick, and then what's your back end, technical scaling situation look like in terms of infrastructure, software and what's the make up of the systems. >> Zach: You know the business best. >> Yeah, so Ygrene operates under something called PACE, Property Assessed Clean Energy. We operate in a couple of different states. We work with local governments to create a PACE program that is accepted in different counties or jurisdictions within the state, and then we allow homeowners and contracting companies to provide financing for home improvements that are specifically within the domain of renewable energy or energy efficiency. >> So, you basically finance a solar panel that I put on my house or building if there's benefits there, and then you guys get the financing and you tie in with the government so the property taxes, the leverage the security is the building right, or the asset. 
>> Yeah, and the way that we're chartered is basically we can put a tax on the property which gives us some guarantees on repayment and things like that, and it's a great model so far. >> It's a new financial engineering around energy efficiency so you've got to build systems, so you're working with government, so now we all know how government systems work, so you've got to be agile and nimble. Take us through how the back end works, what's it look like, what's the system look like, you're hosted in the cloud, is it Amazon, Google? >> So everything that we have is in a cloud provider that starts with an A, and ends with an S, it's AWS I don't know if I can say that, I think I can say that, AWS all the way-- >> Yes, it's good. >> And we have tons of services, we have Kubernetes running most of our main services. Within our migration we actually started with our main service. A lot of people start with, you know, their smallest microservice, we just went whole-hog and just went in for it, so the system is mainly a loan-management system. Underwriting data aggregation and underwriting processing, so every application that comes in we have to underwrite it and make sure every little thing checks out, and our underwriting system has won awards for how accurate it is and how high quality it is as well. >> So, I'm doing a mental white board in my mind, just kind of graphing this so just help me out here and take us through this. So, you guys are a cutting edge company, new progressive business model, real innovative, great stuff. Cloud native, so you're born in the cloud no data center, cool, check, it's what everyone does, and now you're like okay, now I've got to deal with these legacy systems. So, you're putting containers around things, so you have to interface, you build your own system so that's cool, but you're dealing with other systems and then how are you handling that, you are just containerizing it, so take us through some of those linkages. 
>> Yeah, so where we're creating, a lot of times when we have to integrate with another system, we'll create a small service that is code that we own, and we'll reach out to those integrations, those vendors and we'll do aggregation within our system and provide an interface back to our systems. You know, like everyone, we're breaking up the monolith or whatever, maybe in 10 years we'll go back to a monolith, who knows but you know we're slicing out things, making microservices, it looks like a mess on the back end, just tons of microservices going everywhere and that's why we're using all these Cloud Native tools to be able to manage that. So, in order to move quickly, we're wanting to containerize everything, everything runs in a container at this point. >> Lauren: Great. >> A lot of our services follow this kind of we're kind of calling the container adaptor pattern, it follows the software adaptor pattern where, just like Austin was saying, let's say for example we're interfacing with a credit vendor, we create a service where we talk to our own service that has a well defined interface that we know will always get a credit report back with the following fields, but then where that information actually comes from, whether it's one of the big three credit vendors or someone else who has a well defined API, that's largely not the concern of the main loan management system, it's the concern of the microservice that's responsible for reaching out to that other entity there. So, that's how we've kind of gotten to beat around the legacy interfacing of all these other different financial services and tools that help to aggregate data. >> It's super clever you can optimize on a service basis but now you have to orchestrate and kind of conduct everything through-- >> And keep everything secure. 
>> That's really interesting, I mean I think what I'm looking at here is a huge ecosystem of partners and companies and end users coming together and one of the questions, beyond why you are here, what are you looking at here, what is interesting to you, what do you want to learn about that you might bring into your, you know, architecture essentially? >> Austin and I were talking about this, we kind of tend to look at the CNCF list of projects as a dinner menu. (laughs) >> We're refreshing that page frequently, because we're adding projects at an alarming rate, but one project we're using Fluentd, Notary, Kubernetes, of course, Prometheus, things like that, we want to start using those things more extensively. Ones that we're really excited about are SPIRE and SPIFFE, the identity, kind of a new take, not necessarily new but new for cloud native take on identity of services and authentication, as well as the Open Policy Agent to provide a single DSL to do all of your policy and authorization-- >> Lauren: That's a lot of work, load and management and identity correct? >> Yeah, yes. >> Authorization and authentication are two of the most important things that happen in our system and we have so many different ways that it happens right now, it can tend to look a little kludgy, just from the sense of the fact that we need a little more coordination or standardization around it, I mean we have well written policies that are documented but the way that those actually get enforced are, it's individualized based on the service, you know, if it's a cloud based policy, then it's AWS IAM, if it's Kubernetes based policy it's RBAC using Kubernetes RBAC, so it kind of looks like if we can abstract a lot of that functionality out of the services, the containers, the orchestration tool or the cloud, to making those decisions, that would really, really simplify things for us. 
>> So, you guys are end users, so are you part of like an end user group that gives feedback directly into the community or how does that work, and do you contribute to that? >> Yes, so we're on the fringes of the contributor community as well, and we're definitely on GitHub on all these projects posting issues and in some cases providing our own PR's or whatever. None of us are within the Kubernetes orb but that's definitely something we all are achieving or aspiring to be is jumping into some of these projects, especially some of the smaller projects that we're using on a daily basis on our build servers like, Portheurs or Notary, some of those things we're actively contributing to those. >> So, you've traded on mastery of product but being active on the project is the key, the balance there. >> Yeah, I mean typically what you find in the finance industry is when they go for a solution, they lead with their wallet as for what we can purchase, or what we can sponsor, but Ygrene has been, our managers and management have been incredibly empowering this way, they say well what can we give, we lead with our hands. >> Yeah, and this is interesting, if you have a good business model innovation, which you guys have, you can be a completely clean sheet of paper to build it. >> Right >> So, that's the best thing about the cloud. You can really move fast and go from, you know, point A to point B, move the needle. >> Yeah, with it at the same time there's kind of a clean slate, there's even a clean slate in terms of best practices within our industry. Now if we were in mortgage, there's a lot of rules, there's a lot of clear guidelines on how to do security and auditing and things that you need, where in our industry that's all emerging, so we have a chance to also set the pace, set the tone for what security might look like, or what cloud usage might look like within the PACE industry. 
But at the same time, we're getting increasing government regulations, so we're having to make these decisions around, what are the tools that are going to help us achieve maximum customer protection and audit-ability while maintaining our business model without totally-- >> And you're going to need flexibility because you don't know what's going to come next you've got to be ready for anything, and that is what leads to my next question, two points, how do you guys prepare for what's next, what's the main ethos around, technical architecture around being prepared for that, ready state that's coming to you, and then two, what have you learned over the, what's the scar tissue look like, what's the moments of joy and despair going on because you're reiterating, you're learning, you're always constantly getting knocked down, standing back up. so this is what innovation is, it can be fun and also grueling at the same time. >> Yeah, so how we deal with what's new beyond our like software process, we have a well-defined process that everything gets churned into. Government is really good about giving us notice about when stuff's going into effect, so we always have target dates that we're going toward. But, in terms of what's next in terms of our software, we have this interesting culture within our organization, everyone wants to improve everything, I think it's called a Kaizen culture, just people are looking at stuff they want to improve it, and so our process allows for anyone to throw something on the backlog. It will get prioritized and put around, but we're allowing all of our engineers to say, hey we want to do this, and you know, putting it into an open forum where, you know, we might not do it but we have the discussion, and we have all the channels to have those discussions and, like most technology companies or technology focused companies, we spend a lot of time talking about technologies, and making those decisions. 
>> You guys really have the cultural ethos but the people to debate and then commit. >> And that's one of my, you know, recommendations for any company trying to move to cloud native or Kubernetes is, always, you have to have your evangelists, on your team, because you can't expect people who have been doing it one way forever to instantly be onboard. You need some sort of technical evangelist whether that's outside company, it works best, I think, if it's someone you've hired, or someone in your organization who's preaching the gospel of Kubernetes or cloud native. >> Spark Labs, Lauren's company's doing a lot of that work, but that really nails it, I mean, you got to just, it's not a technical issue, per se-- >> Exactly. >> We're hearing that all through the show here. What's on your wish list, what is the holiday's want to bring for you? If you could throw your wish list out there, and you can, a magic wand, crystal ball >> EKS, if Amazon would respond to our request. >> Okay, we just had AG on yesterday, he said it's coming >> It's coming. >> He said, months, >> Did he say months, I thought it was a few months, So maybe >> We'll check the transcripts. >> Alright >> Yeah, it wasn't tomorrow. >> That's alright. >> And that's one of our, that's our scar tissue right? We're doing this ourself, you know, there's this huge control board and we got people, you know, doing the knobs and things and we're relatively small, you know, we're a small engineering organization so we're doing a lot of this ourselves where we can abstract a lot of that work out to a cloud provider that we are already on. >> Well it's going to be good reps for you guys as this thing gets abstracted away, you're going to have a great core competencies in Kubernetes, I think that is a notable thing there. >> Austin: For sure. 
>> One of the things on my wish list, I was speaking to Jace and Josh Berkus and a lot of the core contributors in Kubernetes at the Contributors Summit, I kind of realized that I would love to see a coordinated cross cutting effort, either on part of the CNCF or on part of The Kubernetes Project proper, to have a proactive security, I wouldn't call it a working group, I guess a SIG, a Special Interest Group. It would be, I know that we can deal with zero day issues really, really quickly. For example, the Azure host path mapping issue that was a few months ago, but right now it's kind of on the responsibility of each SIG to implement whatever security looks like to them individually, which is great, it means there are people thinking about security, that makes me sleep better at night. But, seeing some coordination around that and kind of driving towards, okay we have this tool that seems to be changing the game, how are we going to change the game with security? Like is there a way to look at that and even, 'cause authentication and authorization have been around since more than one user used a terminal in the 1960's and 70's. But, even with this new step of admission controllers, where we have more fine grain control around how stuff gets into the cluster. I think it would be great to look at what a coordinated cloud native security effort would look like. >> I think that's great, I mean we've been talking to a lot of vendors here and a lot of folks that have projects, and we bring security every single time and they kind of have an answer, but they really don't. >> They body swerve you, we've got this we've got that. >> Or you're the developer and you have to build it in yourself, so I totally agree with that recommendation I think it's fabulous. >> Yeah, Kubernetes is making so many things simpler at certain levels. 
Now, if we can focus those efforts at making security simple for people, because they're security experts, they can put their two cents in >> Lauren: Let's build it in and not bolt it on. >> Build it in and not expect every developer to know. >> Zach: Don't bolt it on, build it in. >> Build it from the beginning, there are all kinds of new ways. The fact there is no perimeter with the cloud brings up, really kind of throws everyone for a loop because you have to go to the chipset down, I mean what Google got, I think is a very interesting approach, they're trying to push forward this multilayer approach from chip to kernel to OS to app, interesting. They've got, managing through all their security, they've got Android, I mean spear phishing is a huge problem right now, we're seeing and a lot of enterprises we talk to are like, well, it's like the firewalls and VPN's like that's old school, they need to modernize that so this is going to get them thinking about that. So great, hey guys, thank you for coming on and sharing your feedback-- >> Thank you. >> And your data and your place and how you are architected on AWS and your work with Kubernetes. Congratulations. >> Thank you. >> Cube coverage here in Copenhagen. It's theCUBE's coverage at KubeCon 2018. We'll be back with more after this short break.
Tom Kemp, Centrify | AWS re:Invent
>> Narrator: Live from Las Vegas, it's theCUBE. Covering AWS re:Invent 2017, presented by AWS, Intel, and our ecosystem of partners. >> Okay, welcome back everyone, this is theCUBE's exclusive coverage, live, in Las Vegas, 45,000 people here on the ground, for Amazon Web Services re:Invent 2017. Their annual conference. Our fifth year doing it, I got two sets, two cubes, a lot of action. Day two of three days of wall to wall coverage. My next guest, Tom Kemp, CEO, of Centrify, security company out of California in Silicon Valley, leader in identity based security in the cloud, on-prem, big business growing, fast growing startup in the area. Good to see you. >> Yeah it's great to be here again. >> Security has been Amazon's kryptonite for many years. They've done their work, they're paying their dues, they're checking the boxes. Certainly we see that on the federal side, public sector. Great success, Teresa Carlson, has done an amazing job. It's been fun to watch her go from an outcast to, in the marketplace, "Ah, we don't trust the cloud", to winning. They've done the work. Security, you've gotta do the work. >> Yeah, I mean, they've done a great job of evangelizing the shared responsibility model where they clearly identify, "Hey, this is what we do", and then, "This is what the customer needs to do." So it's actually a very nice model that they offer that vendors such as us can slot into. >> And they move so fast but again, security is one of those things, you can't fake it til you make it. Right? (Tom laughs) You can't make it til you make it. Which means, it's hard. What are you guys doing with Amazon now? What's your story here for Centrify? >> Yeah, we're doing a couple of things. So the first thing is that we do privilege management. I mean the reality is is that the keys to the kingdom are in the AWS console in terms of the billing systems, firing up servers, shutting down servers et cetera. 
A lot of the more recent hacks have been because people have gotten the access to those keys of those systems as well. So we help lockdown the AWS environment and then we also help lockdown the actual servers being deployed on EC2. We provide multifactor authentication et cetera. The other thing that we do is and what we announced just the other day is we've actually moved our platform over to AWS. So before we ran on Azure, can I say that at this, ah? >> John: That's fine. >> It's okay, yeah, just joking. >> All fair in love and sharing the cloud. >> So now we have a production cloud on AWS and we've also integrated in the marketplace. So there's SaaS billing that people can get as well, which actually is a very unique thing that AWS offers that the other cloud providers don't do. >> Alright, so I gotta ask you, obviously, to me, super exciting show because some of the announcements are really kind of cool and sexy, and some are under the hood geeky, like Lambda. And then you got the cool AI stuff happening, whether it's VR, AR, or recognition, all these cool machine learning, democratized toolkits. So does this help you? I mean Lambda serverless is a dream for a developer. Just, "Oh my God, I don't have to worry about anything. "What's a local host? "I don't need to know what a load balancer is." Does that help you guys or not? >> Yeah it does, I mean the reality is is that the amount of servers and applications, be it server or server-less, the amount of applications, the users that are connecting to it, it just adds more to the potential complexity. And we can, through the power of identity, provide a control plane to give people identity driven security and really allow people to move-- >> But it doesn't replace us. My point is, I guess, if you're locking down servers, this is a value right? >> Yeah. >> EC2 instances. But if the developers aren't using EC2 instances 'cause it's server-less. Are you guys transparent, are you abstracted away? 
>> So we also then, then integrate into the application and then help facilitate security for the actual users themselves. But look the reality of the situation is is that people are always gonna have a hybrid environment. They still have on-premises, which users have to access that environment. They're gonna have the cloud environment. And it's gonna be heterogenous. So AWS is a clear leader in the cloud but you're also gonna have Azure, Google, and then the SaaS applications as well, which are gonna be used in conjunction with the custom applications people are building. So the one constant-- >> I've been saying, I've been saying this for years, the specialty cloud is a big market. Oracle's a specialty cloud, Microsoft's a specialty cloud, 'cause they have apps for them. They can be different clouds. Multi-cloud is what's coming, would you agree? >> Yeah, and the reality is as companies go through digital transformation they're gonna open up more and more of their applications to more and more users. They're gonna be more and more devices, and that's just gonna lead to identity sprawl, more and more passwords that people have to deal with as well. And that's why in a world in which-- >> How bad is that problem? 'Cause that's a huge problem, at least in my mind. Identity sprawl, explain what that is and how bad is it? And what are the consequences if it's not fixed? >> Well look the reality is 80% of breaches nowadays involve compromised credentials. I mean we had the whole election, Podesta, the DNC, the recent hack of HBO, you had Sony. It always tied into people stealing credentials and people having too many credentials, sharing credentials, et cetera. So the problem that we face as consumers in terms of having too many user names and passwords has now entered into the actual enterprise and we're now in a situation that, yeah, there's an app for that but that means that there's a password for that. 
So IT is having a hard time controlling who can access what while end users are just dealing with too many user names and passwords as well. So you have identity sprawl, it's difficult to provision access. And then now you have IoT coming onboard and those devices need an identity unto themselves. And probably the thing that excites me most about some of today's announcements is what AWS is doing with IoT. Some pretty cool stuff. >> I mean I think IoT is the trend, AI and IoT, because, to me the data center, and this might be a little bit over the top, but I'll say it anyway. I think private cloud is real, the way Wikibon talks about it but it's still cloud and the cloud looks at these endpoints as edge devices. So a data center is just an IoT device, a big one. >> Yeah. >> Or, a series of devices connected to the network which connect to the cloud. I mean if it's operating as a cloud what's the difference? Private and public. >> Yeah, no, I, I, I-- >> IoT has gotta be connected. That's where identity could be helpful. >> Identity, I mean, 'cause look, every device has an identity beyond just an IP address. I mean some of the attacks have even taken over IoT devices and then pointed them against websites and brought those websites down as well. So users have multiple identities. Devices have identities unto themselves so you've got this kinda n-by-m, you know, situation where you multiply the number of users times the number of devices, and we're told digital transformation, more and more users are coming online connecting to applications. So I think that's a, it's just a great market to be in. >> Tom, great to have you on theCUBE, congratulations on your business growth. What's your secret sauce? We'll end this segment by you just taking a minute to describe to the folks watching why are you doing so good, what's your secret sauce, what are the tailwinds for you, why the success? >> Well the tailwinds are, first of all, identity has become the top attack vector. 
It's now involved, compromised credentials, stolen identities, is now involved in over 80% of all breaches. And the other tailwind is the whole move to the cloud that just says, introduces password sprawl. And we're very unique in the market in that we can secure both end users and their identities but we can also secure the privileged accounts that are built into the infrastructure as a service. The AWS, EC2, IAM--
>> John: The critical resources.
>> Yeah, and we do this in a hybrid environment. So, yes, people are aggressively moving to the cloud but you know and I know that still, what, 70, 80% of IT is still on-prem, and it's gonna be a mixed hybrid environment. And we offer both software and cloud services to secure both end users as well as privileged accounts in that environment.
>> Alright, the bottom line, the AWS cloud phenomenon. Describe it in a sentence.
>> In a sentence? Oh, it's just, the complete consolidation of all IT in a single platform. I mean, it's amazing that every year they announce another couple a hundred new brand new services as well. So it's just like a phenomena that I've never seen before in terms of a vendor aggressively able to come out with new capabilities and deliver more and more features.
>> Cloud as an operating system that's what I always say. And I can see it coming together, and they're staying on their track. I gotta give Andy Jassy credit, even though I busted his chops by putting the Gartner slide on there, because that's old guard technically, doesn't match his presentation, so he's gotta fix that. They stay on their line, they're not wavering. They are mission focused. Changing the game, adding value for customers.
>> And they're thinking about new app scenarios and I think it was brilliant that, take IoT, there's so many different flavors of operating systems for IoT. They're saying, "Hey, we're gonna come out with a standard operating system that you can leverage. And we're gonna provide device management, and we're gonna tie it back into the platform." So they're gonna capture the, they're trying to capture the edge. And the good news is stuff like that does provide opportunities for vendors such as Centrify.
>> And they surround themselves with a great ecosystem. You guys are doing great in there. I know you're growing but you're soon to be bigger. But Intel, they're doing great with Intel. Intel gets a lift off this, more compute, everywhere.
>> Absolutely.
>> So even if they, they kind of have to split some of the business, whatever they do, who knows what happens there but Intel wins with this scenario. Amazon's not trying to eat the whole pie, they're sharing. They're sharing the wealth. And they do it, in the case of security again I go back to their shared responsibility model. It provides a great framework where it makes it very easy for vendors such as ourselves to say, "We play here, here, and here." So it makes it great to partner with and the ability for them to actually have SaaS based applications in their marketplace as well. And that's powerful, and no other of the cloud guys have a similar concept. Yeah, you could put AMIs on infrastructure as a service but to actually have a cloud based service tied into the billing system of AWS is incredibly powerful. We're very excited about being a part of that.
>> And we will keep an eye on them on the open source side, certainly that's an area we're watching very carefully. Hey the developers love Amazon and that's a good thing. Now the enterprise love Amazon, public sector loves Amazon. Who doesn't love Amazon Web Services? We'll be following that very closely over the course of the next few months and next year, 2018. Of course live here in Las Vegas is AWS re:Invent 2017. Back with more coverage after this short break. (upbeat electronic music)