>> Announcer: Live from Las Vegas, it's theCUBE! Covering AWS re:Invent 2019. Brought to you by Amazon Web Services and Intel, along with it's ecosystem partners. >> Welcome inside Live here at the Sands as we continue our coverage of AWS re:Invent 2019 on theCUBE, day three. Always an exciting time I think to get a summary of what's happened here. Dave Vellante, John Walls, we're joined by a couple of gentlemen from Immuta, Steven Touw who's a co-founder and CTO. Steve, good to see you. >> Yeah thanks for having me. >> John Walls: And Rob Lancaster, who's the GM of Cloud at Immuta. Rob, thanks for joining us as well. >> Great to be here. >> First off, let's talk about Immuta a little bit. You're all about governance right? You're trying to make it simple, easy, taking out the complexity. But for those at home who might not be too familiar with your company, tell us a little bit about you. >> Yeah so the company started out, our roots are in the U.S. intelligence community. So we had been dealing with access and control issues for data for years and we said to ourselves, "Hey this product has to be useful for non-IC customers. "This problem has to exist." And with the advent of all these privacy regulations like CCPA, GDPR and of course HIPPA's been around for a long time, really our goal was to bring a product to the market that makes it easy to govern access to data in a way that you don't have to be technical to do it, you don't have to understand how to write SQL statements, you don't have to be a system administrator. We really bring together three personas, the users that want to get access to the data, legal compliance that needs to understand how the rules are being enforced or even enforce them themselves, and then of course the data owners and the DBAs who need to expose the data. So usually those three personas are at odds with one another, we bring them together in our platform and allow them to work together in a way that's compliant and also accelerates their data analytics. >> Could we talk a little bit about why this is such a problem? Because it is a big problem and especially today and in the cloud and we'll get into that, but you've got data lakes, data oceans now, you got data coming in, all types of data. Might be internal transaction data, it might be stuff in your data warehouse. And the organization say, "Well I want some other data. "I want to bring in maybe some social data." So certain data is, everybody can have access to. Certain data not everybody can have access to. And it's not necessarily just a security problem, edicts of my organization that need to be enforced. So first of all, is that sort of, the problem that you're solving? And maybe you can double-click on that a little bit. >> Yeah sure, so the market has evolved and is evolving. You allude to data lakes, I think you can point to the immersion of Hadoop, as a distributed infrastructure as kind of the original data lakes, or the most recent data lakes, where you can store all your data and run analytics on all your data, and now with the advent, with the emergence of Cloud you've effectively got very low, if not zero cost storage, and the ability to throw an unlimited amount of compute at the data. That, kind of in conjunction with heightened awareness for consumer data privacy and risk associated with data, has created a market for data governance beyond kind of the course-grained access controls that people have been using on their databases for decades now. >> Yeah I mean Hadoop really got it all started. You're right and despite all it's problems, it had some real epiphany-like technical innovations, but one of the things that it didn't worry about at the time was governance. So whose responsibility is this? Is it the CISO? That is essentially trying to build out a new cloud stack to provide security, privacy, governance and what does that stack look like? >> Rob: Go ahead. >> Yeah so it depends, it's actually pretty interesting that different organizations have tackled this different ways. So we have CISOs that maintain this. In other organizations we've got the legal compliance teams that want to do this but maybe don't have the technical chops. And the CISO doesn't necessarily know all the privacy rules that need to be enforced, so it's kind of moving into this world where security is about keeping the bad guys out and black or white access, like you either can see the data or you won't, but with privacy controls it gets into this gray area where there's a lot of technical complexity and there's a lot of legal complexity. So the organizations struggle with this 'cause you've got to play in that gray area where it's not just like I said, black and white. The analogy we use is, security is like a light switch, you're either in or you're out. With privacy controls you need to anonymize the data, you need to do privacy by design. It's like a dimmer switch where you want to play in that gray area and allow some utility out of the data but also protect privacy at differing levels of whatever you're doing analytically. So this can be challenging for an organization to wrestle with because it's not as, I would argue it's not as black and white as it is with security. >> Your question is in many cases it's the business that's running really fast and that is building these data lakes because they want to get value out of their data and the CISO or the compliance or risk officers are the ones that are telling them to slow down. So our product that Steve set up caters to both parties. It checks the boxes for risk, but it also enable the business to get utility out of their data lake. >> It's a very complicated situation because you've got this corpus of data that's organic and constantly changing and you have, you mentioned GDPR, you've got California now, every state's going to have it's own regulations so you've got to be able to sort of adjudicate that. And can you talk about, I mean obviously I've interviewed Matt Carroll, we covered you guys so I know a little bit about you, but can you talk about your tech in terms of it's ability? You've got a capability to do really granular level understanding and governance policies, can you describe that a little bit? >> Yeah sure, so when we talk about privacy controls, these are things like way beyond just table-level access. So instead of saying, "Hey you have access to this table or not," or even, "You have access to this column or not," you've got to go deeper than that, you've got to be able to make rows disappear based on what people are doing. So for example, we have financial institution customers that are using us for all their trading data and only some traders can see some trade desks and we manage all that dynamically. We're not making anonymized copies of data. Everything happens at query time, and depending on what compute you're using that all works differently, but then at the column level we're able to do these anonymization techniques like we could make numeric data less specific, we could use techniques like k-anonymization that allows analysts to analyze the data but ensures that small groups that exist in that data won't reveal someone's true identity. And we have techniques like differential privacy, which provides mathematical guarantees of privacy. So for example, one of our manufacturing customers set aside, these are the four analytical use cases that we're using our data for and under GDPR we want different levels of privacy associated to those use cases. So they could do that all with Immuta. So they could say, "When I'm doing this "I want these columns to be anonymized to this level "and these rows to disappear, but if I'm doing something, "maybe more critical, which our consumers have consented to "you know there's less privacy controls." And that all happens dynamically so the analysts could actually switch context of what they're doing and get a different view of the data and all of that is audited so we understand why someone's doing what they're doing and when they're running queries we can associate those queries to purpose. >> We've talked about customers of course and they're adapting right, to a new world? How are you adapting? I mean what are you learning about, in terms of policy regulation and governance, what have you, you said you came out of the intelligence community, high bar there right? >> Steven Touw: Yeah. >> So what have you done to evolve as a company and what are you, as the headlights basically for these folks, what are you seeing change that is going to require a lot of shift on the other side? >> Yeah so, I don't know if you have thoughts. >> I mean it's a great question but there's really two parts to it, there's what are we doing? But, what is the market doing as well, right? So if you think about when we got started, even a year ago people understood the technology, they thought it was cool but maybe a little nichey for government or financial services or maybe healthcare because there's well understood regulation, these vertical regulation. Even over the past year with kind of this increasing or heightened awareness for consumer data privacy, not just driven by CCPA and GDPR but kind of this, call it the Facebook Effect right? Cambridge Analytica has created this awareness within the general population for what are these organizations actually doing with my data? Before it was okay 'cause you give your data to Google and you get a better search result and you're okay with that but now they may be using your data for their own profit in different ways so this has created this rising tides effect for the overall market and we talk a lot about organizations using something like Immuta to protect their highly sensitive data. I like to think of it is their most valuable data, which may be highly sensitive but it also could be the crown jewels, trading data for a bank for example. So it's become about extracting value and operational benefit from data, whereas the risk offices are trying to lock it down in many cases. >> So, there's definitely a big problem and people are becoming more aware of it. I want to talk about where you guys fit into this whole cloud ecosystem. There's a sea change now, there's this sort of, this new cloud coming into play. It's not just about infrastructure anymore. I'll give you some examples, you got all these data lakes, maybe you got Redshift running, Snowflake's another one, you've now got this data exchange where you can bring data right in the Cloud bring in all different types of data, you're bringing in some AML and AI and it's all, really again, a complicated situation. So I see you guys as fitting in there and real need but can you describe where you fit in the ecosystem, what your relationship is with AWS, how do I engage with you? >> Yeah absolutely, so a core part of our value is that we are heterogeneous in terms of the environment that we support. We support a hybrid estate so the architecture of the product is fully microservices based so we can run on PRIM as well as on Cloud, on any Cloud, we support effectively any popular database system or analytical tool. So think of us as a data abstraction layer across a hybrid environment, so we're here because AWS is obviously the big boy in the market, they have market share, this is a strategic relationship for us. We're working very deeply with AWS field teams, particularly around some of their verticals, the verticals that align to our business and at the end of the day we're trying to define a category. It's a similar category that we've had for decades but with all the changes that are happening in data and regulation and infrastructure what we're trying to do is raise the level of awareness for the fact that Immuta has actually solved the problem that many of these risk officers are struggling with today. >> Yeah and from a, diving a little on the technical side of that answer is that we are, think of us as the way to enforce policy in the Cloud. We consider ourselves a Cloud-first software vendor. And you don't necessarily want one point solution in Redshift or another point solution on your on-premise Cloudera instance, whatever it may be where you're using your data and running analytics, you need to abstract the policies out into a consistent layer and then have them be enforced across whatever you're using. So you might be using Cloudera today and then you switch to Databricks tomorrow, that shouldn't be a hard change from you from a policy perspective. You just re-point Immuta at Databricks and all your policies are still working like they used to so it gives you this flexibility now to use all these different services that AWS provides 'cause as was stated in the keynote on Tuesday, there's no one database solves all. You're always going to be using a heterogenous set of compute to do your job in analytics so you need a consistent way to enforce policies across all of that. >> That's a great point. I mean I don't know if you saw the Vanguard guy today in the keynote, he basically said, "We rip down, or tore down our big data infrastructure "moved it to the Cloud, spun up EMR." I mean there's a perfect example of, you got to bring your governance with you. You can't have to rebuild that whole stack. Are you in the Marketplace yet? >> Steve and Rob: Yes. >> You are, great, awesome. >> Yeah we launched a managed version of Immuta over the summer on AWS Marketplace. We'll be launching a second one shortly and it's really, the offering that we have out there is really geared toward, for lack of a better term, democratizing data governance. It's actually free up to the fifth user so any organization can deploy Immuta in under 30 minutes through Marketplace and start protecting their data. >> That's great, we had Dave McCann on yesterday, he runs the Marketplace, he was telling us just now, private offers for every marketplace, so ICV, so that's from. Last question I have is, how do you see this all playing out? You got GDPR, remember you talked about California regulations, there's a technology component, any predictions you guys want to share? What's your telescope say? >> All data will be regulated data eventually. So if you're not thinking about that now you need to. So, at least that's our theory, obviously, so we think it's critical that you're doing that from day one instead of day 365 and in your migration strategy. And if you're not thinking about that it's going to potentially bite you in the ass. >> Yeah you're right, I mean Web 2.0 was the wild, wild west, there was no privacy, there was no regulation, GDPR started to get people focused on that and it's now a whole new world. >> Gentlemen thank you, appreciate the time and best of luck. I know you said you had the big launch this summer but good things are ahead no doubt. >> For sure, thank you. >> Thank you. >> Dave Vellante: Thanks guys. >> Back with more coverage here on theCUBE. You're watching AWS re:Invent 2019. We are live and we're in Las Vegas. (upbeat tones)