(upbeat music) >> Greetings from Los Angeles, Lisa Martin here with Dave Nicholson. We are on day three of the caves wall-to-wall coverage of KubeCon CloudNativeCon North America 21. We're pleased to welcome Mark Hinkle to the program, the co-founder and CEO of TriggerMesh. Mark welcome. >> Thank you, It's nice to be here. >> Lisa: Love the name. Very interesting TriggerMesh. Talk to us about what TriggerMesh does and what, when you were founded and what some of the gaps were that you saw in the market. >> Yeah, so TriggerMesh actually the Genesis of the name is in, cloud event, driven architecture. You trigger workloads. So that's the trigger and trigger mesh, and then mesh, we mesh services together, so cloud, so that's why we're called TriggerMesh. So we're a cloud native open source integration platform. And the idea is that, the number of cloud services are proliferating. You still have stuff in your data center that you can't decommission and just wholesale lift and shift to the cloud. So we wanted to provide a platform to create workflows from the data center, to the cloud, from cloud to cloud and not, and use all the cloud native design principles, but not leave your past behind. So that's, what we do. We're, very, we were cloud, we are cloud operators and developers, and we wanted the experience to be very similar to the way that DevOps folks are doing infrastructure code and deploying that we want to make it easy to do integration as code. So we follow the same design patterns, use the same domain languages, some of those tools like Hashi corpse, Terraform, and that that's what we do and how we go about doing it. >> Lisa: And when were you guys founded? >> September, 2018. >> Oh so your young, your three years young. >> Three years it's feels like 21 >> I bet. >> And startup years it's a lot has happened, but yeah, we my co-founder and I were former early cloud folks. We were at cloud.com worked through the OpenStack years and the CloudStack, and we just saw the pattern of, abstraction coming about. So first you abstract the hardware, then you abstract the operating system. And now at with the Kubernetes container, you know, evolution, you're abstracting it up to the application layer and we want it to be able to provide tooling that lets you take full advantage of that. >> Dave: So being founded in 2018, what's your perception of that? The shift that happened during the pandemic in terms of the drive towards cloud adoption and the demands for services like you provide? >> Mark: Yeah, I think it's a mixed blessing. So we, people became more remote. They needed to enable digital transformation. Biggest thing, I think that that for us is, you know, you don't go to the bank anymore. And the banking industry is doing, you know, exponentially more remote, online transactions than in person. And it's very important. So we decided that financial services is where we were going to start with first because they have a lot of legacy architecture. They have a lot of need to move to the cloud to have better digital experiences. And we wanted to enable them to, you know, keep their mainframes online while they were still doing cutting edge, you know, mobile applications, that kind of thing. >> Lisa: And of course the legacy institutions like the BFA's the Wells Fargo, they're competing with the fintechs who are much more nimble, much more agile and able to sort of disrupt the financial services industry. Was that part of also your decision to start in financial services? >> It was a little bit of luck because we started with our network and it turned out the, you know, we saw, we started talking to our friends early on, cause we're a startup and said, this is what we're going to do. And where it really resonated was PNC bank was our, one of our first customers. You know, another financial regulatory company was another one, a couple of banks in Europe. And we, you know, as we started talking about what we were doing, that we just gravitated there because they had the, the biggest need, even though everybody has the need, their businesses are, you know, critically tied to digital transformation. >> So starting with financial services. >> It's, it's counter intuitive, isn't it? >> It was counterintuitive, but it lends credibility to any other industry vertical that you're going to approach. >> Yeah, yeah it does. It's a, it's a great, they're going to be our hardest customers and they have more at stake than a lot of like transactions are millions and millions of dollars per hour for these folks. So they don't want to play around, they, they have no tolerance for failure. So it's a good start, but it's sort of like taking up jogging and running a marathon in your first week. It's very very grilling in that sense, but it really has made us a lot better and gave us a lot of insight into the kinds of things we need to do from not just functionality, but security and that kind of thing. >> Where are you finding these customers with respect to adoption of Kubernetes? Are they leading? Are they knowing we've got to get there eventually from an infrastructure perspective? >> So the interesting thing is Kubernetes is a platform for us to deliver on, so we, we don't require you to be a Kubernetes expert we offer it as a SaaS, but what happens is that the Kubernetes folks are the ones that we end up really engaging with earlier on. And I think that we find that they're in this phase of they're containerizing their apps, that's the first step. And then they're putting them on Kubernetes and then their next step is a security and integration path. So once she, I think they call it and this is my buzzword of the show day two operations, right? So they, they get to day two and then they have a security and an integration concern before they go live. So they want to be able to make sure that they don't increase their attack face. And then they also want to make sure that this newly deployed containerized infrastructure is as well integrated as the previous, you know, virtualized or even, you know, on the server infrastructure that they had before. >> So TriggerMesh, doesn't solely work in the containerized world, you're, you're sort of you're bridging the divide. >> Mark: Yes. >> What percentage of the workloads that you're seeing are the result of modernization migration, as opposed to standing up net new application environments in Kubernetes? Do you have a sense for that? >> I think we live in a lot in the brown field. So, you know, folks that have an existing project that they're trying to bridge to it versus the Greenfield kind of, you know, the, the huge wins that you saw in the early cloud days of the Netflix and the Twitter's Dwayne scale. Now we're talking to the enterprises who have, you know, they have existing concerns. So I would say that it's, it's mostly people that are, you know, very few net new projects, unless it's a modernization and they're getting ready to decommission an old one, which is. >> Dave: So Brownfield financial services. You just said, you know, let's just, let's just go after that. >> You know, yeah. I mean, we had this dart forward and we put up buzzwords, but no, it was, it was actually just, and you know, we're still finding our way as far as early on where we're open source folks. And we did not open source from day one, which is very weird when everybody's new, your identity is, you know, I worked, I was the VP of marketing for Linux foundation and no JS and all these open source projects. And my co-founder and I are Apache committers. And our project wasn't open yet because we had to get to the point where it could be open and people could be productive in the use and contribution. And we had to staff up engineers. And now I think this week we open-sourced our entire platform. And I think that's going to open up, you know, that's where we started because it was not necessarily the lowest hanging fruit, but the profitable, less profitable, lowest hanging fruit was financial services. Now we are letting our code out into the wild. And I think it'll be interesting to see what comes back. >> So you just announced that this week TriggerMesh integration platform as an open source project here at KubeCon, what's been some of the feedback? >> It's all been positive. I haven't heard anything negative. We did it, so we're very, very, there's a very, the culture around open source is very tough. It's very critical if you don't do it right. So I think we did a good job, we used enough, we used a OSI approved. They've been sourced, licensed the Apache software, a V2 license. We hired someone who was well-respected in the DevREL world from a chef who understands the DevOps sort of culture methodologies. We staffed up our engineers who are going to be helping the free and open source users. So they're successful and we're betting that that will yield business results down the road. >> Lisa: And what are the two I see on your website, two primary use cases that you guys support. Can you dig into details on that? >> So the first one is sort of a workflow automation and a really simple example of that is you have a, something that happens in one cloud. So for example, you take a picture on your phone and you upload it and it goes to Amazon and there is a service that wants to identify what's in that picture. And once you put it on the line and the internship parlance, you could kick off a workflow from TensorFlow, which is artificial intelligence to identify the picture. And there isn't a good way for clouds to communicate from one to the other, without writing custom blue, which is really what, what we're helping to get rid of is there's a lot of blue written to put together cloud native applications. So that's a workflow, you know, triggering a server less function is the workflow. The other thing is actually breaking up data gravity. So I have a warehouse of data, in my data center, and I want to start replicating some portion of that. As it changes to a database as a service, we can based on an event flow, which is passive. We're not, we're not making, having a conversation like you would with an API where there's an event stream. That's like drinking from the fire hose and TriggerMesh is the nozzle. And we can direct that data to a DBaaS. We can direct that data to snowflake. We can direct that data to a cloud-based data lake on Microsoft Azure, or we can split it up, so some events could go to Splunk and all of the events can go to your data lake or some of those, those things can be used to trigger workloads on other systems. And that event driven architecture is really the design pattern of the individual clouds. We're just making it multi-cloud and on-prem. >> Lisa: Do you have a favorite customer example that you think really articulates that the value of that use case? >> Mark: Yeah I think a PNC is probably our, well for the, for the data flow one, I would say we have a regular to Oracle and one of their customers it was their biggest SMB customer of last year. The Oracle cloud is very, very important, but it's not as tool. It doesn't have the same level of tooling as a lot of the other ones. And to, to close that deal, their regulatory customer wanted to use Datadog. So they have hundreds and hundreds of metrics. And what TriggerMesh did was ingest the hundreds and hundreds of metrics and filter them and connect them to Datadog so that, they could, use Datadog to measure, to monitor workloads on Oracle cloud. So that, would be an example of the data flow on the workflow. PNC bank is, is probably our best example and PNC bank. They want to do. I talked about infrastructure code integration is code. They want to do policy as code. So they're very highly regulatory regulated. And what they used to do is they had policies that they applied against all their systems once a month, to determine how much they were in compliance. Well, theoretically if you do that once a month, it could be 30 days before you knew where you were out of compliance. What we did was, we provided them a way to take all of the changes within their systems and for them to a server less cluster. And they codified all of these policies into server less functions and TriggerMesh is triggering their policies as code. So upon change, they're getting almost real-time updates on whether or not they're in compliance or not. And that's a huge thing. And they're going to, they have, within their first division, we worked with, you know, tens of policies throughout PNC. They have thousands of policies. And so that's really going to revolutionize what they're able to do as far as compliance. And that's a huge use case across the whole banking system. >> That's also a huge business outcome. >> Yes. >> So Mark, where can folks go to learn more about TriggerMesh, maybe even read about more specifically about the announcement that you made this week. >> TriggerMesh.com is the best way to get an overview. The open source project is get hub.com/triggermesh/trigger mesh. >> Awesome Mark, thank you for joining Dave and me talking to us about TriggerMesh, what you guys are doing. The use cases that you're enabling customers. We appreciate your time and we wish you best of luck as you continue to forge into financial services and other industries. >> Thanks, it was great to be here. >> All right. For Dave Nicholson, I'm Lisa Martin coming to you live from Los Angeles at KubeCon and CloudNativeCon North America 21, stick around Dave and I, will be right back with our next guest.

>> Hey, welcome back everybody. Jeff Frick here with the CUBE. We're in Palo Alto, California at the Chertoff's event, "Security in the Boardroom." And again, this is an event about elevating the security conversation beyond speeds and feeds and in-points and IOT and ever-increasing attack surfaces, and really, how do we elevate it into the boardroom discussion, because that's where it needs to be before they wake up on Monday morning and see their company's name in the newspaper, which is when you don't want to have your first conversation. So we're excited to have our next guest. He's Joe Gottlieb, the Senior Vice President of Corporate Development for Sailpoint. Joe, welcome. >> Thank you, good to be here, Jeff. >> Absolutely, so for people who aren't familiar with Sailpoint, why don't you give us a quick overview. >> Sure, so Sailpoint helps large enterprises control who has access to what. So at the end of the day, all the access that you need to do your job should fall into what your role is in the company, and what projects you're working on, and for many companies, that's not what is proactively being delivered. You're accumulating a set of things based upon who you ask, who you know, and a lot of inadvertent accumulation of things that you might need or you might not need. So we help companies put that under lock and key and under control, make sure that there's a process for who should approve your access. How can we empower you quickly when you start your job? How can we transfer you to a new role if you move jobs? And most importantly, oftentimes, how do we take away things very systematically when you leave the company? So that's what we do in a nutshell. >> So I would imagine, before you get there, it's a hodgepodge of spreadsheets and Google Docs and all types of assorted random things. >> You bet, for the average large company, this is a manual effort, and it is just not systematic, which it has to be. What you have when you don't have a systematic effort here that's filtered by business approvals and work flow processes is a cumulated surface area that need not be available to the attacker. We want to narrow that surface area by narrowing your access to only that's what's needed and keep it pruned as you evolve with your role in the company. >> It seems like there's so much low-hanging fruit, about just doing what you should be doing, just doing it and so many people don't apply patches, they don't systematically take people out of things when they leave the company. All these things that seem relatively simple on the surface from the outside, but in fact, in a large organization, are not simple by any stretch of the imagination. >> It's so true. In security in particular, it's a really hard job but consistency and patience and methodic progress is really, really key. I liken it to the quality movement that we experienced in manufacturing over two decades ago. We started measuring, we started being consistent, we started thinking about what is the root cause of this or that and how can we continually make ourselves a bit better every time period. And so that's what some of the basics are all about, and governance is a big part of that. >> Okay, so you just got off a panel. And the event here is really focused about the boardroom conversation, so let's just jump into that. You made an interesting conversation from the board about a portfolio approach, which is only natural since you're a corp dev guy, thinking of portfolio strategies. So how should they think about the portfolio? I haven't heard anyone discuss their tools in a portfolio strategy method. >> So, let's zoom out on the context here. Boards are trying to provide governance. They need wisdom to provide governance. If they don't understand security at all, how can they be wise about it? So there's definitely a really, really strong push to get the board being more proactive about demanding the right levels of security and being shown the data that they can have for how security is being applied. I look at security portfolio management as a great way to step out of the Fudd domain, where we have vendors selling us technologies that we don't understand and most of the people talking to us don't even understand, and into a domain where there is less of a bet on prevention, which we know isn't going to happen, and more of a bet on monitoring a response, governance, which is just going back to the source and making sure people have the right access, and education, helping end users understand what that phishing attack would look like, actually going through testing and really accumulating awareness of what to avoid. Because we know that's the easiest way to get started. Every attack starts with a phishing attack that compromises an end-user point in-station, and then moves laterally to the good stuff. That portfolio view allows the board to start understanding how we're not making a bunch of hopeful bets on prevention that is elusive, and we're actually making some balanced bets around the pieces of the puzzle that we know can give us immediate returns and we can measure against the returns. >> Now what about the scale of the bets? We've talked about this with a few of the other guests that came on, 'cause again I liken it to insurance. You'd add some, you could be probably over-insured. There's not infinite resources, so there's always a ying and yang on how much do we invest and then what came up in the kickoff this morning and then how do we measure success? Because obviously success would be no problems, but you probably need a much softer way to measure success. >> Very true. So this came up earlier in the discussion, and that is you've got to get the board thinking about a risk posture, where there are tradeoffs. You can't ask them, you can't use Fudd on the board. You're going to freak 'em out. You have to say, "This is what I have to do "to enable this business to operate at this velocity." And if they don't want that risk, here's the velocity that they ought to be operating within because we are less exposed at that velocity. And so translating it into these sorts of terms that the board understands in the world of business. They're well experienced in advising you on how to operate your business. They've thought about travel risks. They've thought about plant closure risks. And they've thought about employee lawsuit risks. Translate security into risks that they can also understand and then present your measurements and your investment trade-offs in that context. That's what the best practice appears to be. It's still really hard, and so here's the knock: you can have all that great thinking and still struggle because of the degree of difficulty here. You just have to keep at it. >> Now unfortunately, the CISO on the agenda at the board meeting was down toward the end of the day and just before him was the CMO and the Head of Sales and Operations and they're like, "We got to go, we got to go, it's digital transformation. "We got to go, we got to go, competitors are going like crazy. "Speed, speed, speed, digital transformation." That's what you beat us up about last quarter. So as people are trying to really evolve their companies, they're trying to move to a more digital platform, they're innovate faster, they're trying to enable more people in the company to have access to the data, and access to the tools so they can innovate faster. How does that then bang up when he sits down and the CISO stands up? >> So, digital transformation is an opportunity. For me, it's just code for reinventing business around customer engagement, for many companies that have direct relationships to their customers in a broad form, at least it's that for them. That means there's an investment elasticity opportunity. And so building security into that velocity we talked about, or the mode of digital transformation that you're going to deliver is really, really key. It's less about defending security as a horizontal utility that is generic and hard to place within the context of that digital transformation, that customer engagement, that velocity of business, it's that latter scenario. Actually, one of the folks of the panel that I was on, Debbie from PNC Bank, made a great point. She talks about security as part of the brand, part of the brand prompts. We want people to trust our brand. And so more and more, I would argue that the monetization and the maturation of the attack life cycle, and the ability to take customer records and sell them, has forced us to realize that's a distinct business risk. So losing all of our customer data is a huge business risk that business people now understand and you can equip them to reduce that risk with good security measures. While you're doing digital transformation, you have an opportunity to bake it in. So now, you can suddenly say, "Hey look! "We can fit that into the overall architecture." You want it to be a collaborative part of the new design, versus an overlay, which has typically been the approach, when we've automated business on top of IT and then wrapped security around that. >> It's funny, you're the first person that's ever really tied security to trust and trust to brand, because there's always an ongoing conversation about, "Do brands matter? "What is a brand? "How are brands defined "in an increasingly competitive world?" So, is security in that context, table stakes or is it a competitive advantage? >> Well, let me ask you a question. How's Yahoo's brand today? >> Not so good. >> After repeated losses, right, I could name plenty. The circumstance and the experience, and our ability to absorb that experience frankly through a lot of reporting, has helped us to know what we're up against. What are the downsides? That's just education. I think that's the good part of Fudd, when things are reported accurately and we understand that these things have happened, even if we learn a bit later, that's very necessary for us to say, "This is what needs to be done." Just like anything else. When transportation evolved and we reinvented business at the speed of our new transportation in the way we collaborate, that was an impact. We now have to continue to think about business as being more digital and has to be more secure. >> Well, Joe, this has been a great conversation and the other thing you nailed, you're the first person that has ever talked about digital transformation as redefining your business process around customer engagement. That is spectacular. >> Wow. >> Thanks for sharing that, we'll use that. >> Good stuff. >> Alright. Thanks for stopping by. >> You bet. >> He's Joe Gottlieb, I'm Jeff Frick, you're watching the CUBE. We'll catch you next time, thanks for watching.