>> live from Boston, Massachusetts. It's the Cube covering A W s reinforce 2019. Brought to you by Amazon Web service is and its ecosystem partners. >> Welcome back. Everyone were accused Live coverage here in Boston, Massachusetts, for AWS reinforce. First inaugural conference runs security. I'm Jeffrey. David Lot there. Next guest is Dan Hubbard, CEO of lacework. I've started at a Mountain View, California. Great to have you on. Thanks for joining us. >> Thanks. Thanks for having me. >> So, you know, reinvent was developers Reinforces. Kind of like, si SOS coding security cloud and intersecting with security. This is a new kind of show. What's your take on? >> Super impressed so far? I mean, there's about 1000 people here, you know, way have literally hundreds of demos lined up in the booth s oh, really impressed so far. First impressions. >> It's a good move for Amazon. Do. Ah, security conference. Don't you think I mean >> really smart, Really smart. It's a lot more about defending than a lot of security conference about offense and vulnerabilities and how to find kind of holes and weak cracks. This is really about how do we defend you know, our security in the cloud >> Talk about your company. Your mission? You guys air started going after a hot space. Si SOS or CEO spending Talk to They want a new breed of supplier service provider. Certainly cloud a p. I is gonna be critical in all of this. So you start to see really smart platform thinking systems, thinking around companies around the security challenge and opportunity. What? What do you guys do? Explain what you guys? >> Yes, we really believed you know, this new wave of cloud I s and pass really needs a new architecture. It's a whole new architecture from a 90 perspective. So we need a new architect from a security perspective. And the great thing about the operating model is you could do a wide set of things and then go deep in the areas that are really important. So at least work does we allow you to secure? I asked. Past service is with compliance configuration host and container security. There's one platform that kind of wraps across all of those >> different targeting developers, right? So they don't have to think about security all the time. Is that the poor thing? >> Yeah, definitely. Eso in almost every case. Security is unlocking the budget. However, Dev Ops is involved, Dev Ops is involved from an influence. But, you know, it used to be that developers would ask security for permission. Now security's going back to developers and asking for permission to security >> infrastructure. He said that with the architecture is gonna be different because the the the I t. Is changing. So cloud security needs a new architecture. One of the fundamentals of that architecture and how is it different from security on prim? >> So I think it has to be SAS. So it's gotta be delivered multi cloud from the cloud. You know, we're gonna secure the cloud. It really should be from the cloud, their business models, that should be different. It's almost always a subscription is not perpetual models. You know you're annually re occurring your revenue. You're always keeping your customers happy and you're always innovating. The pace of innovation has to be really quick because the pace of the cloud is moving at such a dramatic speed. >> So that the those kind of business oriented you know, that's kind of a different definition of architecture. Technically, is it a fundamental do over Or is it fundamentally similar? >> Wolf. You know, there's some of the tenants which are the same, you know, we need to get visibility. That's very similar. You know, we have controls needed have auditing. We need to find threats. However, the way you do it is very different. So you don't own the hardware, you don't own the racks, you don't own the network. You gotta get used to that. You gotta live above the responsibility line. You have to fit within their infrastructure. So what that means is you need to be very happy. I friendly because we're sucking a lot of data on Amazon were pulling in configuration cloudtrail data, and you'll have to be able to deploy inside their infrastructures. We support things like kubernetes things like docker or we also interoperate things like bare metal and you know, in the AM eyes themselves, what >> problem you guys solve. Every startup has that cultural doctor, and they sometimes you weave into a market and also you get visibility into into a key value proper. What's the key problem that you saw? What's the benefit >> so that the key value we solve is if you are in the cloud or migraine in the cloud. We give you compliance configuration and threat protection across all your clowns. So, irrespective of which cloud you live in or operate in, we give you one central threat detection engine and that which gives you visibility but also gives you compliance and controls into that. >> So Amazon has this, you know she had responsibility model. They're they're protecting the compute, the storage, the database and customers are responsible for the end points. The operating system, the data, etcetera, etcetera. And Amazon certainly has tools. Help them. What is fuzzy to me sometimes is you know where eight of us leaves off. Where ecosystem partners like you guys come in. You obvious have to keep moving fast to your point. Absolute. Can you help us sort of squint through that maze? >> Sure. Yeah. I mean, the easiest way that I can explain it is if you could configure it, you have to secure everything. Below is the providers responsibility. That said, there are different areas where things are kind of peeking through the responsibility lines. So what I see is a world where there's not 50 security vendors that you've bought like in premise or traditional data center, but your Inter operating with a provider. So you know, the big three providers open source and then a solution like ours. So it's more about how do we interoperate there together? But what we do is we sit actually right within your container on the host themselves with an agent, and then we suck in there a p I. So technically, it's a little bit different. >> So the threat of containers is an interesting topic, right? You're spinning him up. It makes V M v ems look like child's play. Yeah, So are you using specific techniques, toe? So the fake out the bad guys make it. You're raising the bar on them and their cost using sort of algorithms to do that spin up, spin him down. You know, like the shell game of asking you. >> What we do is we get baked right into your infrastructure every single time you deploy and run through C I c d. A new container or a new app were baked in there and what we're doing, we're looking all your applications, processes the network traffic and then we look for that no one bad and the unknown bad based off of that. >> So it's native security in the container at the point of creation. Not a not an afterthought. Correct. Yep, >> What? Your take on kubernetes landscape? Obviously, pretty much everyone's kind of consolidate around that from a de facto standard. That's good news, wouldn't it? Koen ETS does is all kinds of stateless state full applications that becomes, like service mess conversation. You got all kinds of services that could land out there, automating all these things these sources were being turned on turned off in real time. >> It's >> a log it >> all. It's incredible. I think Cos. Is the fastest growing enterprise open source project ever. You know where every customer we talked to is either in the midst of migrating migrate or just thinking about it. That said, the world is looking to go multi cloud. But most customers today have, ah, a combination of in premise bare metal am eyes kubernetes containers. What we're doing is we give you visibility into your coup Bernays infrastructure. So we talk pods, nodes, clusters, name spaces and we allow you to secure the management plane. Any communication between those So it's really critical when you're deploying those from a security perspective that you know what's happening. The ephemeral nature of it is very different from regular security to you need to answer questions like what happened for 10 minutes during this time from six months ago, and that's really hard with traditional >> tools, really are. And that's really gonna with automation plays in Talk about the journey of where your customers are going out because we're seeing a progression kind of categorically three kind of levels. I really wanted to go to the cloud. I really want to convince you that cloud every aspiration. Yeah, not realistic, but it's on their plans. Then you've got people who go out and do it gets stuck in the mud. The wheels are spinning culturally, whatever's going on and then full on cloud native hard core Dev ops, eaten glass, spit nails, just kicking ass and taking names right? So you get the leaders. People are kind of in the middle, and then people jumping in. Where do you guys see your benefit? What are some of the challenges? How do you guys >> think it's a super dynamic marketplace? Because what's happening is every big company that may not be fully cloud native, is buying companies that are cloud native. So then they become the sexy new way to deploy, and then they start figure out how to deploy their there. So one of the trains were seeing is core centralized. Security is becoming governance and tooling, and then they're distributing the security function within the AP teams themselves. And that model seems to work really well because you've got security practitioners baked within the Dev Ops team. But then you've got a governing roll with tooling, centralized tooling from there. That said, depending on the customer or the prospect, it's all over the place. You know, many sisters, you're scratching their heads saying, No, you know, I don't know what's going over the cloud guys. They've got a different group that's running it. They're trying to figure out how do I just get visibility? I know my name's you know, I'm the one they're gonna come after if there's a problem. So it's really all over the place >> for your service. So you're baking it in creatively into the container. >> Yep, it doesn't matter. >> You're aware, if you will. >> It is a matter of urine premise or not. Containers or not, we worked across all of them. >> Was that the hook for your sort of original idea? Your business plan? Your investors you've raised, I think 32,000,000. You got 70 employees. What was that hook? What attracted the investment Community >> Theory journal? Idea was, if you're deployed in the cloud and you have a breach, how do you know you had a breach? Things that happen to come and go very quickly. All the data's encrypted on the network. I don't have full visibility on the network itself. So that was the original idea. How would I go back in time kind of time machine to find out what happened then? Way originally supported eight of us and it was really about visibility within 80 bus infrastructure. Then kubernetes happened. Now the big hook really is amazing containers. Am I using kubernetes? And then how do I make sure I'm compliant and then following best practices and then that breach that breach scenario still definitely happens. Everybody tries the service before they buy it. They're almost always finding out problems along the way. >> What did kubernetes do for you guys? That made a consensus step, function, change or what you guys were doing? Was it because they had the dynamic nature of the service's was orchestration? What specifically was the benefit? >> I think the orchestration, the single management plane from a security perspective, is one of the big things. You get access to that one brain, if you will. You have access to everything. Obviously, the ephemeral workload is big that it was enforcement kubernetes with service messes. Things like pot security policies allows us to hook a P eyes in a way that you can actually write enforcement versus a firewall or some of these old school ways of killing packets. >> Yes, you got a cloud native approach. Kubernetes comes along. It's aligns with your sort of philosophy and >> architectural, and we run today's ourselves. So our entire infrastructure is based off of kubernetes. We were kubernetes user very early on, so, you know, we just take the things that we learn to our customers. >> So here's a quote from a seesaw. I won't say his or her name, but I want to get your reaction to it when talking about dealing with suppliers, looking for the new generation of like what you guys are doing you got, I would put you in the new classification of emerging suppliers. This is the message to all the suppliers in the room. I happen to be in there having a P I and don't have its suck because you eyes shifting to a p a u ie Focus is shifting to FBI focus. So we are evaluating every supplier on their eight b. I's your reaction to that? >> I absolutely agree. So there's two levels of AP eyes. One is you have to interrupt it with the guys from the providers in order to get the data properly. Right. That's a big, big component. Others, you have to have a P eyes for your consumers. You can't automate without a P I. So that's really critical. That said, I will disagree a little bit on the u X and Y aspect. If you are triaging data, it's really important that you have the right data at the right time and visualizing that data in a ways. It's pretty important. >> How real is multi cloud, in your opinion, I mean, everybody's talking about multi cloud Ah la times we've said multi cloud. It's none of us a symptom of multi vendor. But increasingly it could be a strategy in terms of your thinking about your total available market, your market opportunity. How real is it when you're conversations with Coast? >> It's very really. We were really surprised. We first started supporting eight of us, and then we had a G, C, P and Azure together. Now we have a core principle that everything we build has to be parody across all the clouds. And we had a huge uptick across G, C, P and as your very early. So we were really surprised. What we were surprised about was, it's not portable workloads. So it's not about taking one application distributed across multi cloud. That's kind of fiction. That doesn't happen very often. It's either you bought a company that's in another cloud or use a past service in another cloud, or you have just two totally disparate applications in a large company. They just happen to be in different clouds in the data's in different places. They don't need to interoperate, so it's so it's just a little different, but we're seeing kind >> of horses for courses as well, right? Some clouds may be better for data oriented. >> Here's your point early, and we've heard this in some of the sea. So conversations em and becomes a big factor because they get new teams in new culture and they might have different cloud approaches. But I totally agree with you on that. I would say I would even go more further and saying It's absolute fiction between multi Cloud because it's just got a latent seizes on the connections, whether they're direct connections are not welcome on the factor. So I've always said, and I kind of believe in I'd love to get your thoughts on. It is the workload should dictate to the infrastructure which clouded should you know, and go with one cloud for that. If it makes sense on, then use multi cloud across workloads and low can handle a better cloud. Cloud Cloud selection. Be joined by the workload. >> Yeah, it's certainly from an out >> the other way around. >> Yeah, it's certainly from application perspective. You want a silo? It, you know, probably there. I think what's interesting about a lot of the work each provider is doing in security a lot people ask. Well, you know, why don't I just use all my provider security tools. And the answer is they got some great tools. You should use those for sure, but there is a bunch of technology above that you can use. And then you got a span across multiple clouds. What you don't want is three different AP eyes for security across every single cloud. That's gonna be a major pain or >> have to stitch. And that's where you guys come in. Absolutely. >> What's your take on this show? Reinforce against inaugural show. Love to go. The knuckle shows they don't have a 2nd 1 because they were there. Yeah, reinvent you made a calm before we came on. Reinvents started out. We were there early on as well. There's developers. Yeah, it wasn't a lot of fanfare. In fact, you could wander around Andy Jazz. It wasn't crowded. It all great, great time. That was younger. Now Amazons gotten much stronger. Bigger? What's the vibe here? Is that developers for security? Is it si SOS? Is it? What's your read on the makeup and the focus of the attendees? >> So I think it's it's a little bit of a mix of both, which I think is good you know, I've met a number of developers or what I would call kind of new breed security engineers. These are engineers that arm or interested in? How does the cloud work an inter operate? And how do you secure that versus, like reverse engineering malware with assembler, which you know a lot of the other places there really about the threats? And what of the threats and how specific or those This is really a little bit more about? How do we up our game from from a security perspective in this New World order, which is really >> get plowed. Very agile, very fast, yet horizontally scalable, elastic, all the goodness of cloud Final question developers Bottom line is developers continue to code and do the things, whether it's a devil's culture of having a hack a phone and testing new things, that which is how things roll now, getting into productions hard. What's the developers impact to security? Is the trend coming out of the show that security baked in enough to think about it like how configuration management took that track and Dev Ops took that away? You mentioned that earlier you figure you can secure it yet. So similar track for security going the way of automation. What's your? >> It's a lot of automation is gonna be critical for sure. And then it's gonna be a combination of Security and Dev ops together, you know, Call it DEP SEC Ops, code security engineer. Whatever you want to call it, it's definitely a combination of both. Security people are going away, that's for sure. You know, we're still gonna need security experts. And focus is just a critical aspect about this. >> Dan, Thanks for the insight coming on here. Reinforced. Take a quick second. Give a plug for your company. What you guys looking to do? Your hiring? What's going on? The company? >> Sure lacework. We're gonna help you protect all your workloads, Your configuration. Compliance in the cloud regardless of which cloud way are hiring websites lacework dot com and way love Thio culture Their cultures great, Very fast moving very fast paced, very modern way live and breathe by the success of our customers It's a subscription business. So now we have to continue innovating and renewing. Our customers >> got smart probably to get dealing combination containers. Thanks for coming on. Your coverage here live in Boston. General David, Want to stay tuned for more live coverage after this short break