(soft upbeat music) (crowd chattering) >> Over the past 18 to 24 months, chief information security officers have dramatically changed their priorities. They had to, to support the remote work trend. So things like endpoint security, cloud security, and in particular identity and access management became top of mind. And a whole shift occurred. And we're going to talk about that today. Hi everybody, this is Dave Vellante and you're watching theCUBE. We're here at AWS re:Invent 2021. Katie Curtin-Mestre is here. She's the vice president of marketing at CyberArk and Bar Lavie senior product manager at Cloud Identity and Security. Bar, sorry for botching your name, but folks welcome to theCUBE, great to see you. >> Glad to be here. >> Great to hear. >> So Katie, upfront I talked about some of those trends. It's been a hugely dramatic shift away from this kind of traditional approaches to cyber. What are some of the trends that CyberArk has seen? >> Well, Bar is going to take the first part of this. >> Great, just go on. (Bar laughing) >> Yeah, so one trait that we are seeing is that cloud migration projects accelerate as organization turbocharged digital transformation. Is they're a looking to take advantage off the agility and operational efficiency of the cloud providers. Some of the concerns that I can think about one of those is the reducing the potential loss of data that is caused due to the excessive access to resources. And the other one is provision secure and scalable access to resources. And the third one would be implementing least privilege for all type of identity whether if it's a human identity or non-human identity. >> And on that end Dave, we recently commissioned a survey with the Cloud Security Alliance. We co-sponsored a survey and found that 94% of respondents said that securing human permissions was a top security challenge and machine identities weren't far behind at 77%. Another challenge that we're hearing from our customers is the need to secure the secrets used by applications. So we're really excited by today's news from AWS. They announced some new capabilities with a code guru called Secret Detector that helps to find unsecured secrets in applications. And the other concern that we're hearing from our customers is the need to monitor and audit the activity of all of their cloud identities. This is really important to help their security operation teams with their investigations and also to meet audit and compliance requirements. >> So the definition of identity is now more encompassing and includes like you say machines, right? It's not just people anymore. Of course we've seen, you know, phishing has always been problematic. It's escalated daily, right? We get phished. I mean, are we going to see the day where we finally get rid of passwords? Is that even possible? But maybe we could talk a little bit about sort of identity, how identity is evolving, this notion of zero trust. Zero trust used to be a Password. So, maybe Bar you could talk a little bit about what you're seeing in terms of identity access management. Maybe privileged access management are those things coming together? How does CyberArk think about those things? >> You going to take this one Katie >> Well, what CyberArk sees is we definitely see a trend where access management and privileged access management are coming together. Security teams are struggling too many security tools and they're really looking to standardize on a small handful of vendors and get more bank for their buck from their security investment. So we're definitely seeing that trends of unified platforms across access and privileged access management to secure any identity, whether human or machine from kind of like your standard workforce identity, to those who have highly privileged access. >> I don't know if you've ever, ever seen that chart. I think Optiv puts it out. It's consultancy. And it's this eye chart. It's a taxonomy of all the different security I have published at a number of times. it's mind boggling. So CSOs, SecOps teams they have to manage all this complexity, all these different tools and you ask CSOs what's your biggest challenge? They'll tell you lack of skills. We just can't find people. We can't train them fast enough. So what's CyberArk working on? What are some of the key initiatives that you guys are focused on that people should know about? >> Well, one of the things that we're working on is actually, and we see a greater adoption of it is something that was actually started as an initiative within our innovation lab. It's a CyberArk Clouding Titles Manager, which help to detect and remediate excessive permissions to cloud resources for any type of identity. I mentioned before the both human and non-human. Which are the something that you were looking to to secure. Another solution that we see a great adoption is our circuit ranger which helps organization to re remove the necessity of having a hard-coded credentials within application. It can be either traditional applications for their own premise or even cloud native applications. And peg this also into your CI CD pipeline. And we are actually innovating in these type of area with AWS as well. So this is one of the great things that we were doing. Also we're investing on a new solution for just-in-time access for cloud VMs and cloud consoles. And all of these solutions that I've mentioned and more to that are part of our identity security platform which came to provide you with the suite of solution to apply least privilege and secure access to any type of resource from any device for any type of identity. >> So is that best practice? I mean, if you had to, you know, advise a customer on best practice in identity, how should they think about that? Where should they start? >> Well, on the best practices front we recently published an ebook with AWS. And it's focused on the shared responsibility model and foundational best practices for securing cloud access. And it's all part of an initiative that CyberArk has, which is our identity security blueprint. Which guides customers on how best to move forward with their identity security initiatives. >> So where do they start? First of all how do they get that is it a security website or? >> It's available on our website and we detailed some of the steps that that customers can take. For example, one of the steps that we recommend to our customers is to limit the use of the root account and also to very much lock down the root account to use federated identities whenever possible. And Bar already alluded to some of the other best practices that we recommend. Such as removing hard-coded credentials from secrets. Another best practice that we really recommend to our customers is to have a consistent set of controls across their entire estate. Both from on-premises to the cloud. And this really helps to reduce complexity by having a unified and consistent set of security controls. And in fact one of our customers who is one of the world's largest convenience chains. They're using CyberArk to secure the credentials both for their on-premise servers and their AWS EC2 instances. And they're also using us as well to secure the credentials used by applications in the CI CD pipeline. So getting to those consistent controls is another best practice we highly recommend. >> So, consistent identity across your state, whether it's on-prem or in the cloud. And then also you've referenced CI CD a couple of times. So it's it's developer friendly? Are you're designing security in as opposed to a bolt on after the fact? And then you mentioned root accounts access. Is that where privilege access management comes in? Are we going to treat everybody as privileged access? Or how do you deal with machines? You mentioned hard-coded? Like some machines are hard-coded. Like I would imagine a lot of these internet cameras are exposures. How do you deal with all that? I mean, do you just have to cycle through and modernize your fleet of machines? Are there ways in which CyberArk can help sort of anticipate that or defend against that? >> Well, CyberArk can help on, on multiple fronts. Of course you need to secure the root account but that's just only one example of needing to secure a privilege access. And one thing that customers need to understand is that now going forward, any identity can have privilege access at any point in time, because at any point and time, you yourself could have access to a highly sensitive system or have access to highly sensitive data. So with CyberArk we help our customers understand which of their applications and infrastructure have the most sensitive data and then work with them to secure the access to that data whether that access be a human access or machine or programmatic access. >> So what are the customer implications of all this? I mean pre pandemic, you know, this whole zero trust thing with password. Now it's like fundamental premise. You don't trust to verify. What are the customer implications as we enter this new era ransomware through the roof, the adversaries are well funded highly capable. They're living off the land, they're island hopping. They're, doing self forming malware. It's a new world, right? So what are the customer implications? What should they be thinking about? You know, they don't have unlimited budget. So what's the advice? >> Well, eventually at the end of the day, there are all kinds of best practices of how to applies security. I think that both AWS have their own best practices and CyberArk has also our own best practices calling the blueprint which help organization to focus on to crown jewel on the most important stuff. And then going deeper and lower within each and every initiative. And on each and every level, try to investigate what you're trying to protect and what kind of security mechanisms can be applied in order to protect both access and maintaining that no one whether if it's internal or external attacker can gain access to it. >> Yup, I think the other implication for customers and you already alluded to it is really to continue to move forward with their zero trust initiatives. I think that that is a foundational going forward. Now that remote work is kind of the defacto norm and we can no longer rely on the traditional network perimeter. And so in this new environment securing your identities is the new perimeter. So that's an important implication for customers. And then another one that I would mention is that security teams need to work more closely with their dev and dev ops counterparts to bacon security earlier. It really can't be that security is brought in after the fact. Security very much needs to shift left and be included in the very early stages of application development before an application comes to production. >> I mean, I think it's that last point but all good points. The last point was a huge theme at CubeCon this year. That notion of shift left developers, you've mentioned the CI CD pipeline several times. I mean I think that is, you know, especially when you think about machines and the edge and IoT. I used to say all the time, you know that you used to put a moat around the castle, build a wall, protect the queen. Well, the queen has left the castle. But now with the pandemic, we've seen the effects of that. And as I say, the adversaries are seeing huge opportunities. Well-funded super sophisticated. It's like it makes Stuxnet look like a kindergarten. I know that was still >> That's scary. still pretty sophisticated. But I mean, look at what we saw with the government hack and solar winds, you know huge huge. But if we can talk to CSOs about that, they're like, you know, that's, we have to move fast. But they don't have unlimited budget, right? Cybersecurity is their number one initiative in terms of priorities. But then they have all these other things to fund. They have to fund a forced march to digital transformation, machine learning and AI, they're migrating to the cloud. They're driving automation. They're modernizing their application portfolio. So, security is still number one, isn't it? So it's a good business that you're in. >> Yes, and we really want to work with our CSOs so they can get the most investment out of what they're putting into CyberArk and the rest of their strategic security vendors. Because as you mentioned there's a talent shortage. So anything that we can do as vendors to make it easier for them to use our products and get more value from our solutions, is something that's really important. >> And automation is part of the answer but it's not the only answer, right? You got to follow the NIST framework and follow these best practices and keep fighting the fight. Guys. Thanks so much for coming on theCUBE. It was great to have you. I'd love to have you back. >> Thanks for having us. >> Thank you for having us. >> All right. Our pleasure. All right, this is Dave Vellante for theCUBE. You're watching our coverage of AWS re:Invent 2021. (gentle upbeat music)