(upbeat music) >> Announcer: From downtown San Francisco, it's theCUBE. Covering RSA North America 2018. >> Welcome back everybody, Jeff Frick here, with theCUBE. We're at RSA Conference 2018 in downtown San Francisco, 40,000 plus people, it's a really busy, busy, busy conference, talking about security, enterprise security and, of course, a big, new, and growing important theme is cloud and how does public cloud work within your security structure, and your ecosystem, and your system. So we're excited to have an expert in the field, who comes from that side. He's Tim Jefferson, he's a VP Public Cloud for Barracuda Networks. Tim, great to see you. >> Yeah, thanks for having me. >> Absolutely, so you worked for Amazon for a while, for AWS, so you've seen the security from that side. Now, you're at Barracuda, and you guys are introducing an interesting concept of public cloud firewall. What does that mean exactly? >> Yeah, I think from my time at AWS, one of my roles was working with all the global ISVs, to help them re-architect their solution portfolio for public cloud, so got some interesting insight into a lot of the friction that enterprise customers had moving their datacenter security architectures into public cloud. And the great biggest friction point tend to be around the architectures that firewalls are deploying. So they ended up creating, if you think about how a firewall is architected and created, it's really designed around datacenters and tightly coupling all the traffic back into a centralized policy enforcement point that scales vertically. That ends up being a real anti-pattern in public cloud best practice, where you want to build loosely coupled architectures that scale elastically. So, just from feedback from customers, we've kind of re-architected our whole solution portfolio to embrace that, and not only that, but looking at all the native services that the public cloud IaaS platforms, you know, Amazon, Azure, and Google, provide, and integrating those solutions to give customers the benefit, all the security telemetry you can get out of the native fabric, combined with the compliance you get out of web application and next-generation firewall. >> So, it's interesting, James Hamilton, one of my favorite people at AWS, he used to have his Tuesday Nights with James Hamilton at every event, very cool. And what always impressed me every time James talked is just the massive scale that Amazon and the other public cloud vendors have at their disposal, whether it's for networking and running cables or security, et cetera. So, I mean, what is the best way for people to take advantage of that security, but then why is there still a hole, where there's a new opportunity for something like a cloud firewall? >> I think the biggest thing for customers to embrace is that there's way more security telemetry available in the APIs that the public cloud providers do than in the data plane. So most traditional network security architects consider network packets the single source of truth, and a lot of the security architecture's really built around instrumenting in visibility into the data plane so you can kind of crunch through that, but the reality is the management plane on AWS and Azure, GCP, offer tremendous amount of security telemetry. So it's really about learning what all those services are, how you can use the instrument controls, mine that telemetry out, and then combine it with control enforcement that the public cloud providers don't provide, so that kind of gives you the best of both worlds. >> It's interesting, a lot of times we'll hear about a breach and it'll be someone who's on Amazon or another public cloud provider, and then you see, well they just didn't have their settings in the right configuration, right? >> It's usually really kind of Security 101 things. But the reality is, just because it's a new sandbox, there's new rules, new services, you know, and engineers have to kind of, and the other interesting thing is that developers now own the infrastructures they're deploying on. So you don't have the traditional controls that maybe network security engineers or security professionals can build architectures to prevent that. A developer can inadvertently build an app, launch it, not really think about security vulnerabilities he put in, that's kind of what you see in the news. Those people kind of doing basic security misconfigurations that some of these tools can pick up programmatically. >> Now you guys just commissioned a survey about firewalls in the cloud. I wonder if you can share some of the high-level outcomes of that survey. What did you guys find? >> Yeah, it's similar to what we're chatting. It's just that, I think, you know, over 90% of enterprise customers acknowledge the fact that there's friction when they're deploying their datacenter security architectures, specifically network security tools, just because of the architectural friction and the fact that, it's really interesting, you know, a lot of those are really built because everything's tightly coupled into them, but in the public cloud, a lot of your policy enforcement comes from the native services. So, for instance, your segmentation policy, the route tables actually get put into the, when you're creating the networking environment. So the security tools, a network security tool, has to work in conjunction with those native services in order to build architectures that are truly compliant. >> So is firewall even the right name anymore? Should it have a different name, because really, we always think, all right, firewall was like a wall. And now it's really more like this layered risk management approach. >> There's definitely a belief, you know, among especially the cloud security evangelists, to make sure people don't think in terms of perimeter. You don't want to architect in something that's brittle in something that's meant to be truly elastic. I think there's kind of two, you know the word firewall is expanding, right, so more and more customers are now embracing web application firewalls because the applications are developing are port 80 or 443, they're public-facing web apps, and those have a unique set of protections into them. And then next-generation firewalls still provide ingress/egress policy management that the native platforms don't offer, so they're important tools for customers to use for compliance and policy enforcement. They key is just getting customers to understand thinking through specifically which controls they're trying to implement and then architect the solutions to embrace the public cloud they're playing in. So, if they're in Azure, they need to think about making sure the tools they're choosing are architected specifically for the Azure environment. If they're using AWS, the same sort of thing. Both those companies have programs where they highlight the vendors that have well-architected their solutions for those environments. So Barracuda has, you know, two security competencies, there's Amazon Web Services. We are the first security vendor for Azure, so we were their Partner of the Year. So the key is just diving in, and there's no silver bullet, just re-architecting the solutions to embrace the platforms you're deploying on. >> What's the biggest surprise to the security people at the company when they start to deploy stuff on a public cloud? There's obviously things they think about, but what do they usually get caught by surprise? >> I think it's just the depth and breadth of the services. There's just so many of them. And they overlap a little bit. And the other key thing is, especially for network security professionals, a lot of the tools are made for software developers. And they have APIs and they're tooling is really built around software development tools, so if you're not a software developer, it can be pretty intimidating to understand how to architect in the controls and especially to leverage all these native services which all tie together. So it's just bridging those two worlds, you know, software development and network security teams, and figuring out a way for them to collaborate and work together. And our advice to customers have been, we've seen comical stories for those battles between the two. Those are always fun to talk about, but I think the best practice is around getting, instead of security teams saying no, I think everybody's trying to get culturally around how do I say yes. Now the burden can be back to the software development teams. The security teams can say, here the list of controls that I need you to cover in order for this app to go live. You know, HIPAA or PCI, here are these compliance controls. You guys chose which tools and automation frameworks work as part of your CI/CD pipeline pr your development pipeline, and then I'll join your sprints and you guys can show incrementally how we're making progress to those compliance. >> And how early do they interject that data in kind of a pilot program that's on its way to a new production app? How early do the devs need to start baking that in? >> I think it has to be from day zero, because as you embrace and think through the service, and the native services you're going to use, depending on which cloud provider, each one of those has an ecosystem of other native services that can be plugged in and they all have overlapping security value, so it's kind of thinking through your security strategy. And then you can be washed away by all the services, and what they can and can't do, but if you just start from the beginning, like what policies or compliance frameworks, what's our risk management posture, and then architect back from that. You know, start from the end mine and then work back, say hey, what's the best tool or services I can instrument in. And then, it may be, starting with less cloudy tools, you know, just because you can instrument in something you know, and then as you build up more expertise, depending on which cloud platform you're on, you can sort of instrument in the native services that you get more comfortable with then. So it's kind of a journey. >> You got to start from the beginning. Bake it in from the zero >> Got to be from the zero. >> It's not a build-on anymore. All right Tim, last question. What are we looking forward to at RSA this week? >> I'm very cloud-biased, you know, so I'm always looking at the latest startups and how creative people are about rethinking how to deploy security controls and just kind of the story and the pulse around the friction with public cloud security and seeing that evolve. >> All right, well I'm sure there'll be lots of it. It never fails to fascinate me, the way that this valley keeps evolving and evolving and evolving. Whatever the next big opportunity is. All right, he's Tim Jefferson, I'm Jeff Frick, thanks for stopping by. You're watching theCUBE. We're at RSAC 2018 in San Francisco. Thanks for watching. (upbeat techno music)

>> Welcome back, everyone, to our next segment here at SiliconANGLE hosted Druva Live event here in Palo Alto. Our next segment, hosting Matt Morgan and David Cordell for the understand the customer journey that the CMO of Druva and David Cordell customer. Matt, welcome back. Good to see you again. >> Matt: It's good to see you, John. >> So, take us through the customer journey. >> Okay, if you were to think about data protection, using legacy terms, you really think mostly about backup. And you think about the idea that if I just make a copy of the data and keep it in some storage apparatus, I've kind of protected my data. When you move to data management as a service, you turn that whole thing on its ear. First, let's talk about data protection. You can protect all of your end points. I don't care if the end points are on the land, or they're deep in the field, connected up to the Cloud through a WiFi connection, you can protect all of them. By collecting that data and protecting it, you can ensure that no matter what happens, people can get access to that information. Second, your servers. In remote offices, where there's DM ware proliferation, if you will. Often, most organizations don't even go through the hassle of trying to protect those servers, they just give up, and they go unprotected. With data management as a service, you can wrap data, Druva's solution inside those servers, and back those up directly to the Cloud. That data will coexist with the end points. And also, importantly, the move to Cloud apps. People move to Office 365, they move to Jace Waye, they move to Salesforce, they've got box folders. They think that data is protected and what they find is, over time, when data is lost, it's gone. And Druva can back that up as well, bringing all that together. So, our customer journey starts with protection. But what happens after protection is where it gets really interesting because that data's together and it's inside the Cloud, you actually can govern that data. So, now, legal teams can have access to all of that data if needed. You have the opportunity to manage it from a governance prospective. You have the opportunity to ensure that you're in compliance on that data, and with GDPR, that's becoming such a big deal. >> And that's the service piece, though, is adopting. Talk about how that is accelerating and where this connects. >> Oh, absolutely. The Yaza service is what makes the whole thing magical. If you think about how people can protect their data when all they have to think about is connecting to Druva. You can protect all of that data, right? You don't have to think about well, I need to build yet another architecture on Prim, I got to go buy yet another appliance. Oh wait, that appliance is full, I got to buy another one. Oh wait, the hard drives are over three years old. I got to refresh the, all of that goes away. Now, as a service, they just connect. I'm connected, I'm done. Three years, do I have to refresh? No, I don't have to do anything. It's all right there. And the third part, though, when you start looking at the customer journey is where it gets super, super interesting. We've been able to wrap machine learning around this data. And by having it all, this one data set and having machine learning algorithms, you can evolve customers to data intelligence. >> David, do you see Cloud as the center of your data protection strategy, or as an extension of your data protection strategy? >> Well, we see Druva as the center of our data protection and management strategy. The Cloud offers, even though there's consolidation, there's still pitfalls and a lot of management that you have to deal with. Druva is able to simplify this and give us an easy solution. >> What's the key to their success in your opinion? >> Key to success in my opinion is that, well the ease of use, the ease of implementation, the security that's route behind it, and the backing that a lot of people just don't see. In setting it up, it literally is just minutes, going from professional services, within 30 minutes you're set up and ready to roll. It's taken the pressure off of our legacy systems, you know, we have set up new environments but the legacy data is still a problem for us, and they've been able to determine what is good data and what is not. Druva's been able to help us determine, based on governance and the intelligence that's being provided. >> Great and Matt, I mean, they're using Druva as a center of their data protection strategy to Cloud, versus an extension as some people may look at it, why is this pattern relevant? Is it a pattern and what does it mean because this journey is one that a lot of people are on right now because, with the Cloud, there's no walls, there's no perimeter. It's a completely different paradigm shift and how you think about IT. From an architectural standpoint, it's not the same data protection game as it used to be. You guys have this as a service. So, what does it mean to be at the center of the data protection strategy, and is this pattern consistent with what you're saying? >> So, we've got 4000 customers on the platform now and David's story is a story I hear all the time. The idea that I can simply protect my data through a simple connection to the Cloud, and that's it, nothing else to do. I got a single pane of glass. I can access that data if something goes wrong I can pull that data down. That is a complete game change if you think about how people used to have to architect a system to be able to protect their data. Think about that, buying the equipment, wiring up the network, getting the appliance hot, getting access to the appliance. Is my, are my end points in my server? In my Cloud apps, are they able to communicate? I mean, all of these things that used to be kind of the big ah-ha, they all go away with Druva. You just simply connect to the service and off you go. Right, so the conversation that you've had about the simplicity angle is kind of the gateway drug to why you get started. But the limitations to it aren't there, right, so people start saying, "Wow if it's that easy, "I can do more than just the end points. "I can start doing my service. "I can do more than just three or four of my servers, "why don't I just do all my servers." Right? I mean, this is the conversation that I'm hearing. Maybe you can comment some more on that. >> Well, there's a lot more too it than I think, than just that but that's dead on. What we were seeing is resources. So when you talk about whether it's hardware or software resources, there's also employee resources. Getting those all lined up is very difficult. So, if we were looking at a product, in house, so if we're going to bring on Prim, it would probably take about four to six months to be able to roll it out because you have to plan. It's like you said, the architect that sits behind it. >> Like in an appliance, using an appliance or something? >> In an appliance, yeah. >> That's all that works got to be vetted, all that stuff, is that kind of the (laughs) that's a problem. >> We're also facing federal regulations. We have Homeland Security and the Coast Guard, comes down to us and say, "Okay, these are the regulations "that you're going to follow, "and we'll do these applications "and do these appliances meet those standards?" In some cases, no. In other cases, kind of sort of. Well, we found with Druva, that if you look at HIPAA sought to FedRAMP Ready. These are things that are really important to us, especially our SESO team. Yeah the go Clouds key. I got to ask about the security, you mentioned Coast Guard. First thing goes off in my head is, you know, they would want security because you've got a lot of stuff going in and out of the port in New Orleans, you know. I want to make sure that there's no hacking going on. What's the security angle look like on this? >> So, there is... So, the security is really good. They, we do face a lot of attacks and stuff. It comes in from all angles. Like I said, with a lot of the back end, it's at the, what is it, the sublayer. That to me is really important. So, you have your normal encryption, which everyone'll tell you, alright we're going to do from point A to point B are encrypted. Now when I start asking questions about back end encryption most companies can not answer. Or we need to find another engineer. Well, we're not sure, we'll get back to you. So, Druva is able get on the phone and start asking the questions, alright how do your sub systems communicate? How is the encryptions done on it? What type of encryption is done on it? >> Dave: They had tech jobs, they had security jobs. >> Yeah. >> So, people have a black hole, "Oh, I'll get back to you." Which means they don't have much. >> Exactly and so with Druva it was, you know, there were several conversations but they were usually real short and 10 minute conversations. Alright, you know, can you answer this for me? So, as they come up, it was easy to reach back out to Druva, and say, "Okay, what about this?" And, I mean, they got an answer back. They didn't have to wait for anyone else, they didn't have to wait for a call back, so it was really convenient for me and my SESO team. >> Matt, what's the impact to the market place 'cause, I mean, basically a lot of the stuff that is emerging, ransomware, is a huge issue. You've got obviously security, from the participants moving in and out of the Cloud, whether they're customers and/or attackers. It's got to work so you have to deal with a lot of the stuff, how do you guys make that work? And then you got to have the comfort to the customer, saying operationally you're going to be solid. >> Well, I think that the Cloud providers have done us a wonderful service, right, they have been out evangelizing the move to the Cloud. Druva doesn't have to have that conversation anymore. It's now part of the life blood of any IT organization. The Cloud is reality so now we're able to come in and say, "How can you maximize that investment." Right? So, take ransomware for a moment. I'm really glad you brought that up. This year, there were two massive ransomware attacks. We've seen 600% increase in ransomware attacks overall this year, and we did an incredible survey that showed an enormous amount of penetration within the Fortune 500. People were losing their data. In this last attack, what was really scary, you didn't have the option to pay the bitcoin. Or if you did pay the bitcoin, they didn't bother to send you the key to get your data back so it was more like a whiteware attack, not a ransomware attack. >> I think ransomware attacks are underestimated, people don't understand how severe this is. Because not only are you down, and you are hijacked, if you will, for the ransom, for the security. Look at the impact of the business. I mean, HBO is a real public example recently. I mean, this is a real threat to the business model to these companies. It's not like a check box on security anymore. Not only you need to check the box but you got to really have a bulletproof strategy. >> Yeah, it's not a nice to have, right? It used to think that maybe ransomware would attack a dummy that would click on a link in an email. Well, reality is that everyone is going to make a mistake and no matter what parameter security you have, somebody is not, don't call them a dummy, someone's going to accidentally click on something and bam, the ransomware is in your firewall. So, with Druva, you don't have to worry about it. Your data will be protected. It's not just going to be protected, it's going to be protected in the Cloud, which is a separate area. There's no way the ransomware is going to crawl to the Cloud to encrypt that data. And with our machine learning tech, we're going to see the first encryption so we're going to alert you so you have early detection. We call it anomaly detection, giving you the opportunity to make sure you can recover all of that data. >> If a friend asked you, "Hey, what's the journey like "with Druva and how do you expect it to go forward? "How would you describe that journey?" >> Oh, easy. Simplicity. Moving to Druva was an easy decision. So, if someone was coming to me and asks me, you know, they wanted to find out what about Druva products. It's easy, get in touch with them. Come up with a list of questions and start drilling 'em. I was actually pretty rough in one of the meetings with Druva. (chattering) >> What did you do, did you grill them on the technical? Was it more of a, you know, I mean, what was the key drill down points for you? >> For me, it's technical. So, there's a couple of aspects, we did see a couple ransomware. It took us a while to recover. So that was during the fact but mostly when I was drilling Druva, it was all technical. Like I said, though, they we're firing back the answers as fast as I was firing the questions. So, just be prepared. The one thing that, as you touched on with the ransomware, the other nice thing about it is that you can step back through your recovery points and see, okay, this is exactly what happened. So there is the analytic piece of it and the machine learning is absolutely sweet. So a lot of times, I actually-- >> Host: For instance are critical. >> Yes, so I get the alert and so when I get things, you know, I'm a technical CTO. I'm going to go and start looking at things so it's really convenient for me to start going back and stepping through, okay, now I see it. So, besides all the alerts, and what you're telling me, I now see the exact same thing, so it's easy to act on. >> And going forward, how do you see that journey progressing? What are the things that you anticipate that you'll be dealing with as CTO, technical CTO, what are the things that are on the horizon for you that you're going to, you're looking down the barrel of? Is it more ransomware, is it more expansion, what's the strategy look like? >> Oh, we're seeing the strangest attacks forever. So, right now, there's shipping. Shipping is being attacked left and right. It's been going on for several months. We actually brought a company in that provides networking and solutions for ships themselves for the liners. So, they show us the computer system that's on the ship. So, I start asking again about security and draw blanks. So, in working with, actually the Maritime Port Security Information Sharing Organization out of the Gulf of Mexico. It's a lot of awareness. A lot of it is education, not only for in-users, but for IT. So to be able to start stepping back through the backup is top-notch. >> Huge story, I love the drill down on that. I'm sure the infrastructure and the evolution, they've got to modernize their fleets, technically speaking. >> They do and a lot of them are looking to the United States that are coming from overseas as a driver. Yeah, so, what we're seeing again is through ships. We are seeing some ransomware come across. There's, I guess, what was it, in Russia they had a rail attack. Well, recently the Port of New Orleans has acquired a public belt of New Orleans. So that will fall under our jurisdiction soon as well. So, it's like, alright, what kind of attacks are we going to be seeing from this? So, a lot of it is the swishing system but the majority, I know the Coast Guard, a recent activity that we had was all on phishing. So, a lot of it today is through phishing but we're going to start seeing more out of the IOT. We've seen a couple of good cell phone attacks. But back to the IOT, there was attacks that, they weren't organized. They weren't professionals doing the attacks. They're coming and it's going to be rough when they hit. >> It won't hurt any service here, that's the whole point of the Cloud, Matt, for this customer journey. Having that center of strategy gives you a lot of flexibility. >> Yeah, I think the idea of leveraging all the security that has now been hardened into public Cloud providers, Azure and AWS. You can inherit all of that as part of the solution. And then all the work that we have done to layer on top of that, gives you further assurances. But there's nothing like just having your data replicated entirely off-site, in the Cloud. And when we talk about replication, we actually do that several times over so you're in the situation where you have redundancy. And I think that that's of value as well. >> Good to have technical chops. Customer insurance have to be simple. That's kind of a basic concept but tried and true business model, making things simple and elegant. Congratulations. Thanks for spending the time sharing this story today. I appreciate it. Right back, more special coverage here at theCUBE. Thanks for watching.