>>Hello, everyone. Welcome to this cube conversation. I'm here in Palo Alto, California. I'm John furrier, host of the cube, and we have a great guest here. Barack Shuster. Who's in Tel-Aviv senior director of chief architect at bridge crew, a part of Palo Alto networks. He was formerly the co-founder of the company, then sold to Palo Alto networks Brock. Thanks for coming on this cube conversation. >>Thanks John. Great to be here. >>So one of the things I love about open source, and you're seeing a lot more of the trend now that talking about, you know, people doing incubators all over the world, having open source and having a builder, people who are starting companies, it's coming more and more, you you're one of them. And you've been part of this security open source cloud infrastructure infrastructure as code going back a while, and you guys had a lot of success. Now, open source infrastructure as code has moved up to the stack, certainly lot going down at the network layer, but developers just want to build security from day one, right? They don't want to have to get into the, the, the waiting game of slowing down their pipelining of code in the CIC D they want to move faster. And this has been one of the core conversations this year is how to make developers more productive and not just a cliche, but actually more productive and not have to wait to implement cloud native. Right. So you're in the middle of it. And you've got you're in, tell us, tell us what you guys are dealing with that, >>Right? Yeah. So I hear these needles working fast, having a large velocity of releases from many of my friends, the SRAs, the DevOps, and the security practitioners in different companies. And the thing that we asked ourselves three years ago was how can we simplify the process and make the security teams an enabler instead of a gatekeeper that blocks the releases? And the thing that we've done, then we understood that we should do is not only doing runtime scanning of the cloud infrastructure and the cloud native clusters, but also shift left the findings and fixings the remediation of security issues to the level of the code. So we started doing infrastructure is good. We Terraform Kubernetes manifests cloud formation, server less, and the list goes on and we created an open source product around it, named checkup, which has an amazing community of hundreds of contributors. Not all of them are Palo Alto employees. Most of them are community users from various companies. And we tried to and succeeded to the democratic side is the creation of policy as code the ability to inspect your infrastructure as code and tell you, Hey, this is the best practice that you should use consider using it before applying a misconfigured S3 bucket into production, or before applying a misconfigured Kubernetes cluster into your production or dev environment. And the goal, >>The goal, >>The goal is to do that from the ID from the moment that you write code and also to inspect your configuration in CGI and CD and in runtime. And also understand that if there is any drift out there and the ability to fix that in the source code, in the blueprint itself. >>So what I hear you saying is really two problems you're solving. One is the organizational policies around how things were done in a environment before all the old way. You know, the security teams do a review, you send a ticket, things are waiting, stop, wait, hurry up and wait kind of thing. And then there's the technical piece of it, right? Is that there's two pieces to that. >>Yeah, I think that one thing is the change of the methodologies. We understood that we should just work differently than what we used to do. Tickets are slow. They have priorities. You have a bottleneck, which is a small team of security practitioners. And honestly, a lot of the work is repetitive and can be democratized into the engineering teams. They should be able to understand, Hey, I wrote the code piece that provision this instance, I am the most suitable person as a developer to fix that piece of code and reapply it to the runtime environment. >>And then it also sets the table for our automation. It sets the table for policies, things that make things more efficient scaling. Cause you mentioned SRS are a big part of this to dev ops and SRE. Those, those folks are, are trying to move as fast as possible at scale, huge scale challenge. How does that impact the scale piece become into here? >>So both themes Esri's and security teams are about a link to deploying application, but new application releases into the production environment. And the thing that you can do is you can inspect all kinds of best practices, not only security, best practices, but also make sure that you have provision concurrencies on your serverless functions or the amount of auto-scaling groups is what you expect it to be. And you can scan all of those things in the level of your code before applying it to production. >>That's awesome. So good, good benefits scales a security team. It sounds like too as well. You could get that policy out there. So great stuff. I want to really quickly ask you about the event. You're hosting code two cloud summit. What are we going to see there? I'm going to host a panel. Of course, I'm looking forward to that as well. You get a lot of experts coming in there. Why are you having this event and what topics will be covered? >>So we wanted to talk on all of the shifts, left movement and all of the changes that have happened in the cloud security market since inception till today. And we brought in great people and great practitioners from both the dev ops side, the chaos engineering and the security practitioners, and everybody are having their opinion on what's the current status state, how things should be implemented in a mature environment and what the future might hold for the code and cloud security markets. The thing that we're going to focus on is all of the supply chain from securing the CCD itself, making sure your actions are not vulnerable to a shut injection or making sure your version control system are configured correctly with single sign-on MFA and having branch protection rules, but also open source security like SCA software composition analysis infrastructure as code security. Obviously Ron thinks security drifts and Kubernetes security. So we're going to talk on all of those different aspects and how each and every team is mitigating. The different risks that come with. >>You know, one of the things that you bring up when you hear you talking is that's the range of, of infrastructure as code. How has infrastructure as code changed? Cause you're, you know, there's dev ops and SRS now application developers, you still have to have programmable infrastructure. I mean, if infrastructure code is real realize up and down the stack, all aspects need to be programmable, which means you got to have the data, you got to have the ability to automate. How would you summarize kind of the state of infrastructure as code? >>So a few years ago, we started with physical servers where you carried the infrastructure on our back. I, I mounted them on the rack myself a few years ago and connected all of the different cables then came the revolution of BMS. We didn't do that anymore. We had one beefy appliance and we had 60 virtual servers running on one appliance. So we didn't have to carry new servers every time into the data center then came the cloud and made everything API first. And they bill and enabled us to write the best scripts to provision those resources. But it was not enough because he wanted to have a reproducible environment. The is written either in declarative language like Terraform or CloudFormation or imperative like CDK or polluted, but having a consistent way to deploy your application to multiple environments. And the stage after that is having some kind of a service catalog that will allow application developer to get the new releases up and running. >>And the way that it has evolved mass adoption of infrastructure as code is already happening. But that introduces the ability for velocity in deployment, but also new kinds of risks that we haven't thought about before as security practitioners, for example, you should vet all of the open source Terraform modules that you're using because you might have a leakage. Our form has a lot of access to secrets in your environment. And the state really contains sensitive objects like passwords. The other thing that has changed is we today we rely a lot on cloud infrastructure and on the past year we've seen the law for shell attack, for example, and also cloud providers have disclosed that they were vulnerable to log for shell attack. So we understand today that when we talk about cloud security, it's not only about the infrastructure itself, but it's also about is the infrastructure that we're using is using an open source package that is vulnerable. Are we using an open source package that is vulnerable, is our development pipeline is configured and the list goes on. So it's really a new approach of analyzing the entire software bill of material also called Asbell and understanding the different risks there. >>You know, I think this is a really great point and great insight because new opera, new solutions for new problems are new opportunities, right? So open source growth has been phenomenal. And you mentioned some of those Terraform and one of the projects and you started one checkoff, they're all good, but there's some holes in there and it's open source, it's free, everyone's building on it. So, you know, you have, and that's what it's for. And I think now is open source goes to the next level again, another generational inflection point it's it's, there's more contributors there's companies are involved. People are using it more. It becomes a really strong integration opportunity. So, so it's all free and it's how you use it. So this is a new kind of extension of how open source is used. And if you can factor in some of the things like, like threat vectors, you have to know the code. >>So there's no way to know it all. So you guys are scanning it doing things, but it's also huge system. It's not just one piece of code. You talking about cloud is becoming an operating system. It's a distributed computing environment, so whole new area of problem space to solve. So I love that. Love that piece. Where are you guys at on this now? How do you feel in terms of where you are in the progress bar of the solution? Because the supply chain is usually a hardware concept. People can relate to, but when you bring in software, how you source software is like sourcing a chip or, or a piece of hardware, you got to watch where it came from and you gotta track track that. So, or scan it and validate it, right? So these are new, new things. Where are we with? >>So you're, you're you're right. We have a lot of moving parts. And really the supply chain terms of came from the automobile industry. You have a car, you have an engine engine might be created by a different vendor. You have the wheels, they might be created by a different vendor. So when you buy your next Chevy or Ford, you might have a wheels from continental or other than the first. And actually software is very similar. When we build software, we host it on a cloud provider like AWS, GCP, Azure, not on our own infrastructure anymore. And when we're building software, we're using open-source packages that are maintained in the other half of the war. And we don't always know in person, the people who've created that piece. And we do not have a vetting process, even a human vetting process on these, everything that we've created was really made by us or by a trusted source. >>And this is where we come in. We help you empower you, the engineer, we tools to analyze all of the dependency tree of your software, bill of materials. We will scan your infrastructure code, your application packages that you're using from package managers like NPM or PI. And we scan those open source dependencies. We would verify that your CIC is secure. Your version control system is secure. And the thing that we will always focus on is making a fixed accessible to you. So let's say that you're using a misconfigured backup. We have a bot that will fix the code for you. And let's say that you have a, a vulnerable open-source package and it was fixed in a later version. We will bump the version for you to make your code secure. And we will also have the same process on your run time environment. So we will understand that your environment is secure from code to cloud, or if there are any three out there that your engineering team should look at, >>That's a great service. And I think this is cutting edge from a technology perspective. What's what are some of the new cloud native technologies that you see in emerging fast, that's getting traction and ultimately having a product market fit in, in this area because I've seen Cooper. And you mentioned Kubernetes, that's one of the areas that have a lot more work to do or being worked on now that customers are paying attention to. >>Yeah, so definitely Kubernetes is, has started in growth companies and now it's existing every fortune 100 companies. So you can find anything, every large growler scale organization and also serverless functions are, are getting into a higher adoption rate. I think that the thing that we seeing the most massive adoption off is actually infrastructure as code during COVID. A lot of organization went through a digital transformation and in that process, they have started to work remotely and have agreed on migrating to a new infrastructure, not the data center, but the cloud provider. So at other teams that were not experienced with those clouds are now getting familiar with it and getting exposed to new capabilities. And with that also new risks. >>Well, great stuff. Great to chat with you. I want to ask you while you're here, you mentioned depth infrastructure as code for the folks that get it right. There's some significant benefits. We don't get it. Right. We know what that looks like. What are some of the benefits that can you share personally, or for the folks watching out there, if you get it for sure. Cause code, right? What does the future look like? What does success look like? What's that path look like when you get it right versus not doing it or getting it wrong? >>I think that every engineer dream is wanting to be impactful, to work fast and learn new things and not to get a PagerDuty on a Friday night. So if you get infrastructure ride, you have a process where everything is declarative and is peer reviewed both by you and automated frameworks like bridge and checkoff. And also you have the ability to understand that, Hey, once I re I read it once, and from that point forward, it's reproducible and it also have a status. So only changes will be applied and it will enable myself and my team to work faster and collaborate in a better way on the cloud infrastructure. Let's say that you'd done doing infrastructure as code. You have one resource change by one team member and another resource change by another team member. And the different dependencies between those resources are getting fragmented and broken. You cannot change your database without your application being aware of that. You cannot change your load Bonser without the obligation being aware of that. So infrastructure skullduggery enables you to do those changes in a, in a mature fashion that will foes Le less outages. >>Yeah. A lot of people getting PagerDuty's on Friday, Saturday, and Sunday, and on the old way, new way, new, you don't want to break up your Friday night after a nice dinner, either rock, do you know? Well, thanks for coming in all the way from Tel-Aviv really appreciate it. I wish you guys, everything the best over there in Delhi, we will see you at the event that's coming up. We're looking forward to the code to cloud summit and all the great insight you guys will have. Thanks for coming on and sharing the story. Looking forward to talking more with you Brock thanks for all the insight on security infrastructures code and all the cool things you're doing at bridge crew. >>Thank you, John. >>Okay. This is the cube conversation here at Palo Alto, California. I'm John furrier hosted the cube. Thanks for watching.

>> From theCUBE Studios in Palo Alto in Boston, bringing you data driven insights from theCUBE and ETR, This is "Breaking Analysis with Dave Vellante". >> Black Hat 22 was held in Las Vegas last week, the same time as theCUBE Supercloud event. Unlike AWS re:Inforce where words are carefully chosen to put a positive spin on security, Black Hat exposes all the warts of cyber and openly discusses its hard truths. It's a conference that's attended by technical experts who proudly share some of the vulnerabilities they've discovered, and, of course, by numerous vendors marketing their products and services. Hello, and welcome to this week's Wikibon CUBE Insights powered by ETR. In this "Breaking Analysis", we summarize what we learned from discussions with several people who attended Black Hat and our analysis from reviewing dozens of keynotes, articles, sessions, and data from a recent Black Hat Attendees Survey conducted by Black Hat and Informa, and we'll end with the discussion of what it all means for the challenges around securing the supercloud. Now, I personally did not attend, but as I said at the top, we reviewed a lot of content from the event which is renowned for its hundreds of sessions, breakouts, and strong technical content that is, as they say, unvarnished. Chris Krebs, the former director of Us cybersecurity and infrastructure security agency, CISA, he gave the keynote, and he spoke about the increasing complexity of tech stacks and the ripple effects that that has on organizational risk. Risk was a big theme at the event. Where re:Inforce tends to emphasize, again, the positive state of cybersecurity, it could be said that Black Hat, as the name implies, focuses on the other end of the spectrum. Risk, as a major theme of the event at the show, got a lot of attention. Now, there was a lot of talk, as always, about the expanded threat service, you hear that at any event that's focused on cybersecurity, and tons of emphasis on supply chain risk as a relatively new threat that's come to the CISO's minds. Now, there was also plenty of discussion about hybrid work and how remote work has dramatically increased business risk. According to data from in Intel 471's Mark Arena, the previously mentioned Black Hat Attendee Survey showed that compromise credentials posed the number one source of risk followed by infrastructure vulnerabilities and supply chain risks, so a couple of surveys here that we're citing, and we'll come back to that in a moment. At an MIT cybersecurity conference earlier last decade, theCUBE had a hypothetical conversation with former Boston Globe war correspondent, Charles Sennott, about the future of war and the role of cyber. We had similar discussions with Dr. Robert Gates on theCUBE at a ServiceNow event in 2016. At Black Hat, these discussions went well beyond the theoretical with actual data from the war in Ukraine. It's clear that modern wars are and will be supported by cyber, but the takeaways are that they will be highly situational, targeted, and unpredictable because in combat scenarios, anything can happen. People aren't necessarily at their keyboards. Now, the role of AI was certainly discussed as it is at every conference, and particularly cyber conferences. You know, it was somewhat dissed as over hyped, not surprisingly, but while AI is not a panacea to cyber exposure, automation and machine intelligence can definitely augment, what appear to be and have been stressed out, security teams can do this by recommending actions and taking other helpful types of data and presenting it in a curated form that can streamline the job of the SecOps team. Now, most cyber defenses are still going to be based on tried and true monitoring and telemetry data and log analysis and curating known signatures and analyzing consolidated data, but increasingly, AI will help with the unknowns, i.e. zero-day threats and threat actor behaviors after infiltration. Now, finally, while much lip service was given to collaboration and public-private partnerships, especially after Stuxsnet was revealed early last decade, the real truth is that threat intelligence in the private sector is still evolving. In particular, the industry, mid decade, really tried to commercially exploit proprietary intelligence and, you know, do private things like private reporting and monetize that, but attitudes toward collaboration are trending in a positive direction was one of the sort of outcomes that we heard at Black Hat. Public-private partnerships are being both mandated by government, and there seems to be a willingness to work together to fight an increasingly capable adversary. These things are definitely on the rise. Now, without this type of collaboration, securing the supercloud is going to become much more challenging and confined to narrow solutions. and we're going to talk about that little later in the segment. Okay, let's look at some of the attendees survey data from Black Hat. Just under 200 really serious security pros took the survey, so not enough to slice and dice by hair color, eye color, height, weight, and favorite movie genre, but enough to extract high level takeaways. You know, these strongly agree or disagree survey responses can sometimes give vanilla outputs, but let's look for the ones where very few respondents strongly agree or disagree with a statement or those that overwhelmingly strongly agree or somewhat agree. So it's clear from this that the respondents believe the following, one, your credentials are out there and available to criminals. Very few people thought that that was, you know, unavoidable. Second, remote work is here to stay, and third, nobody was willing to really jinx their firms and say that they strongly disagree that they'll have to respond to a major cybersecurity incident within the next 12 months. Now, as we've reported extensively, COVID has permanently changed the cybersecurity landscape and the CISO's priorities and playbook. Check out this data that queries respondents on the pandemic's impact on cybersecurity, new requirements to secure remote workers, more cloud, more threats from remote systems and remote users, and a shift away from perimeter defenses that are no longer as effective, e.g. firewall appliances. Note, however, the fifth response that's down there highlighted in green. It shows a meaningful drop in the percentage of remote workers that are disregarding corporate security policy, still too many, but 10 percentage points down from 2021 survey. Now, as we've said many times, bad user behavior will trump good security technology virtually every time. Consistent with the commentary from Mark Arena's Intel 471 threat report, fishing for credentials is the number one concern cited in the Black Hat Attendees Survey. This is a people and process problem more than a technology issue. Yes, using multifactor authentication, changing passwords, you know, using unique passwords, using password managers, et cetera, they're all great things, but if it's too hard for users to implement these things, they won't do it, they'll remain exposed, and their organizations will remain exposed. Number two in the graphic, sophisticated attacks that could expose vulnerabilities in the security infrastructure, again, consistent with the Intel 471 data, and three, supply chain risks, again, consistent with Mark Arena's commentary. Ask most CISOs their number one problem, and they'll tell you, "It's a lack of talent." That'll be on the top of their list. So it's no surprise that 63% of survey respondents believe they don't have the security staff necessary to defend against cyber threats. This speaks to the rise of managed security service providers that we've talked about previously on "Breaking Analysis". We've seen estimates that less than 50% of organizations in the US have a SOC, and we see those firms as ripe for MSSP support as well as larger firms augmenting staff with managed service providers. Now, after re:Invent, we put forth this conceptual model that discussed how the cloud was becoming the first line of defense for CISOs, and DevOps was being asked to do more, things like securing the runtime, the containers, the platform, et cetera, and audit was kind of that last line of defense. So a couple things we picked up from Black Hat which are consistent with this shift and some that are somewhat new, first, is getting visibility across the expanded threat surface was a big theme at Black Hat. This makes it even harder to identify risk, of course, this being the expanded threat surface. It's one thing to know that there's a vulnerability somewhere. It's another thing to determine the severity of the risk, but understanding how easy or difficult it is to exploit that vulnerability and how to prioritize action around that. Vulnerability is increasingly complex for CISOs as the security landscape gets complexified. So what's happening is the SOC, if there even is one at the organization, is becoming federated. No longer can there be one ivory tower that's the magic god room of data and threat detection and analysis. Rather, the SOC is becoming distributed following the data, and as we just mentioned, the SOC is being augmented by the cloud provider and the managed service providers, the MSSPs. So there's a lot of critical security data that is decentralized and this will necessitate a new cyber data model where data can be synchronized and shared across a federation of SOCs, if you will, or mini SOCs or SOC capabilities that live in and/or embedded in an organization's ecosystem. Now, to this point about cloud being the first line of defense, let's turn to a story from ETR that came out of our colleague Eric Bradley's insight in a one-on-one he did with a senior IR person at a manufacturing firm. In a piece that ETR published called "Saved by Zscaler", check out this comment. Quote, "As the last layer, we are filtering all the outgoing internet traffic through Zscaler. And when an attacker is already on your network, and they're trying to communicate with the outside to exchange encryption keys, Zscaler is already blocking the traffic. It happened to us. It happened and we were saved by Zscaler." So that's pretty cool. So not only is the cloud the first line of defense, as we sort of depicted in that previous graphic, here's an example where it's also the last line of defense. Now, let's end on what this all means to securing the supercloud. At our Supercloud 22 event last week in our Palo Alto CUBE Studios, we had a session on this topic on supercloud, securing the supercloud. Security, in our view, is going to be one of the most important and difficult challenges for the idea of supercloud to become real. We reviewed in last week's "Breaking Analysis" a detailed discussion with Snowflake co-founder and president of products, Benoit Dageville, how his company approaches security in their data cloud, what we call a superdata cloud. Snowflake doesn't use the term supercloud. They use the term datacloud, but what if you don't have the focus, the engineering depth, and the bank roll that Snowflake has? Does that mean superclouds will only be developed by those companies with deep pockets and enormous resources? Well, that's certainly possible, but on the securing the supercloud panel, we had three technical experts, Gee Rittenhouse of Skyhigh Security, Piyush Sharrma who's the founder of Accurics who sold to Tenable, and Tony Kueh, who's the former Head of Product at VMware. Now, John Furrier asked each of them, "What is missing? What's it going to take to secure the supercloud? What has to happen?" Here's what they said. Play the clip. >> This is the final question. We have one minute left. I wish we had more time. This is a great panel. We'll bring you guys back for sure after the event. What one thing needs to happen to unify or get through the other side of this fragmentation and then the challenges for supercloud? Because remember, the enterprise equation is solve complexity with more complexity. Well, that's not what the market wants. They want simplicity. They want SaaS. They want ease of use. They want infrastructure risk code. What has to happen? What do you think, each of you? >> So I can start, and extending to the previous conversation, I think we need a consortium. We need a framework that defines that if you really want to operate on supercloud, these are the 10 things that you must follow. It doesn't matter whether you take AWS, Slash, or TCP or you have all, and you will have the on-prem also, which means that it has to follow a pattern, and that pattern is what is required for supercloud, in my opinion. Otherwise, security is going everywhere. They're like they have to fix everything, find everything, and so on and so forth. It's not going to be possible. So they need a framework. They need a consortium, and this consortium needs to be, I think, needs to led by the cloud providers because they're the ones who have these foundational infrastructure elements, and the security vendor should contribute on providing more severe detections or severe findings. So that's, in my opinion, should be the model. >> Great, well, thank you, Gee. >> Yeah, I would think it's more along the lines of a business model. We've seen in cloud that the scale matters, and once you're big, you get bigger. We haven't seen that coalesce around either a vendor, a business model, or whatnot to bring all of this and connect it all together yet. So that value proposition in the industry, I think, is missing, but there's elements of it already available. >> I think there needs to be a mindset. If you look, again, history repeating itself. The internet sort of came together around set of IETF, RSC standards. Everybody embraced and extended it, right? But still, there was, at least, a baseline, and I think at that time, the largest and most innovative vendors understood that they couldn't do it by themselves, right? And so I think what we need is a mindset where these big guys, like Google, let's take an example. They're not going to win at all, but they can have a substantial share. So how do they collaborate with the ecosystem around a set of standards so that they can bring their differentiation and then embrace everybody together. >> Okay, so Gee's point about a business model is, you know, business model being missing, it's broadly true, but perhaps Snowflake serves as a business model where they've just gone out and and done it, setting or trying to set a de facto standard by which data can be shared and monetized. They're certainly setting that standard and mandating that standard within the Snowflake ecosystem with its proprietary framework. You know, perhaps that is one answer, but Tony lays out a scenario where there's a collaboration mindset around a set of standards with an ecosystem. You know, intriguing is this idea of a consortium or a framework that Piyush was talking about, and that speaks to the collaboration or lack thereof that we spoke of earlier, and his and Tony's proposal that the cloud providers should lead with the security vendor ecosystem playing a supporting role is pretty compelling, but can you see AWS and Azure and Google in a kumbaya moment getting together to make that happen? It seems unlikely, but maybe a better partnership between the US government and big tech could be a starting point. Okay, that's it for today. I want to thank the many people who attended Black Hat, reported on it, wrote about it, gave talks, did videos, and some that spoke to me that had attended the event, Becky Bracken, who is the EIC at Dark Reading. They do a phenomenal job and the entire team at Dark Reading, the news desk there, Mark Arena, whom I mentioned, Garrett O'Hara, Nash Borges, Kelly Jackson, sorry, Kelly Jackson Higgins, Roya Gordon, Robert Lipovsky, Chris Krebs, and many others, thanks for the great, great commentary and the content that you put out there, and thanks to Alex Myerson, who's on production, and Alex manages the podcasts for us. Ken Schiffman is also in our Marlborough studio as well, outside of Boston. Kristen Martin and Cheryl Knight, they help get the word out on social media and in our newsletters, and Rob Hoff is our Editor-in-Chief at SiliconANGLE and does some great editing and helps with the titles of "Breaking Analysis" quite often. Remember these episodes, they're all available as podcasts, wherever you listen, just search for "Breaking Analysis Podcasts". I publish each on wikibon.com and siliconangle.com, and you could email me, get in touch with me at david.vellante@siliconangle.com or you can DM me @dvellante or comment on my LinkedIn posts, and please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights powered by ETR. Thanks for watching, and we'll see you next time on "Breaking Analysis". (upbeat music)

(upbeat music) >> From our studios in the heart of Silicone Valley, Palo Alto, California, Nick is a Cube conversation. >> Hello, and welcome to the Palo Alto Cube Studios, I'm John Furrier, host of the Cube. We're here for great Cube conversation with Gilad Bracha who's a distinguished engineer at Shape Security, has a legacy in the programming world, one of the early folks working on Java, a variety of other great things: Small Talk, Newspeak, a variety of programming accomplishments. A legend in the industry, thanks for coming on. >> Well, thanks for having me, it's a pleasure to be here. >> You know, one of the things we always talk about on the Cube is how I work for a company, they do this, they do this great, here's our differentiator, here's our advantage, a lot of marketing speak, and then we also do a lot of interviews around disruption, around cloud computing, getting to DevOps, network effect, changes of network, moving packets around store and compute, all the benefits of cloud computing but we don't really talk about the underlying languages that are driving all the changes and this is something that you're an expert in and I want to get your thoughts on this because, you know, computer science is at an all time high. You can't go to Berkeley, you see what's going on at Berkeley, the number one major is computer science, the data classes, dreams of starting a company, but computer science is changing a lot. More people are coding but does that mean there still more computer science going on? So, a lot of people are trying to understand where the future is going to be and underneath it all is the programming languages themselves. >> Yeah, well-- >> Your thoughts on computer science and the languages out there. >> So, too much to say. But computer science is a lot, there are trends and there's a lot of emphasis now on machine learning and things like that. And it's interesting because that affects, which language you use can make these tasks a lot easier or a lot harder. And we've, you see certain languages being picked up for that purpose and new languages being done for numerical stuff like Julia, people are using R, God forbid and it's really interesting to see that. To me, it's interesting because there's a whole set of languages, the APL family of languages which really go back to the early 60s. But they're just phenomenally designed for these kind of large arrays of data for doing mathematical operations in parallel on large arrays or multi-dimensional arrays, essentially, tensors, back before that word was used in programming. And there's huge potential for doing better in terms of programming with those things. So that is one new, not new but area that's been kind of coming alive again. >> Yeah. >> That's really cool. >> You know, it's interesting, too, you bring up a point. We were talking before we came on camera about Lisp and all these other cool science out there. With, now, the advent of unlimited compute with cloud and, now, kind of new connected devices, a lot of the old science is coming back into vogue because of some of the use cases. I mean, I remember when I graduated college in the 80s, we had departments that were actually called data processing departments. And they used data processing, that's what they did, they processed data. That's the number one use case today is processing data. So, a lot of the old is coming back because it's relevant in this new era. So, I got to ask you, what is your favorite science and computer science that you think is relevant? You mentioned APL, what concepts, we TensorFlow with Google, things like that coming back, you see machine learning and AI, these are not new concepts. >> Well, some of them, I mean-- >> What's your thoughts? >> Machine learning, definitely, there have been breakthroughs in the past, I don't know, 10, 15 years and but the basis of it, the beauty of this is the basis of this is the real hardcore math in calculus and statistics, that stuff is golden and wherever it applies throughout the universe and you look at reasoning about these things and it comes up again. That's the root of it all. Making it so that you can manipulate things closer to level you can with math is really challenge for programming languages, so that you don't spend your life dealing with, sort of, irrelevant, boring details, oh, this has to be lowercase, that has to be tab, this tool doesn't work on that operating system. Most of our effort as software engineers goes, we're dealing with junk, really, and we should try and abstract over that and get over that. >> What are some of the exciting things that get you excited for programming language because there's a lot more excitement, a lot more opportunities now; you're seeing you can stand up software very quickly these days, and so there's some really quick and dirty ways to get software written with languages. Some want more principle-based design languages that have all the integrated components. What's the trade-off, what are some of the things you like around the new trends? >> So I'll give you something that meets both of the criteria that is both very principled but actually makes it much easier to put something together. One of my favorite new things that have come in the past few years is a thing called Elm which is a language, essentially, the main application, so far, has been to build websites, essentially, UI that's targeting a website but it is a functional programming language but it is much more approachable than the traditional academic stuff, even though the ideas are basically the same, but they're very well engineered. Actually, better engineered in many respects than a lot of the traditional stuff that you see like the Haskells and OCamls and stuff. And it started for the web, so it's a different game but it's a joy to use, it has great error messages, it has a time traveling debugger which is one of my favorite hobby horses, so you can actually go back and roll the computation back to where a problem occurred. And that, kind of, is interesting because it meets both of those points. >> Talk about this live programming, you mentioned rolling back and this is around live programming. >> Yeah. >> This is an exciting area. >> Oh, yeah. >> Your thoughts on live programming because we're seeing collaboration where I can have a screen open. I saw a demo at Amazon Reinvent last year or year before where people can be in different parts of the world or different offices in the same building and coding the same, I get the collaboration piece but there's also live programming languages that have built-in compile that's changing the old ways of debugging. Your thoughts. >> Right, so, definitely, that is something that people who have a heritage in small talk or Lisp, kind of, remember those systems or, if they're very lucky, still get to use them. And the thing is that most program languages don't have that level of interactivity when you work with them as a developer because there is too much of a feedback loop between when you actually specify what you want to happen by writing code and when you actually see what actually happen when you run your code and it typically doesn't do remotely what you wanted it to. That feedback loop is too long 'cause you have to go through compiles and bills and whatever, and the idea of live programming is to shorten that so that you, ideally, instantly see you change something and you can see the output and the output gets changed accordingly and you don't have to wait and, in particular, you don't have to go and rerun your program, get to the same point where you were, especially when you're debugging, right? That's the beauty of fix and continue debugging which is sort of a small but important piece of live programming where you can basically go and change a function and, immediately, proceed with the computation. You don't have to restart, you don't have to get to where you were, recreate the state, make sure the heap is in the same thing and that just, A, it's productive, it saves time. It's just a joy to watch and play with this thing, it's much more tactile, you actually feel-- >> It's faster, too, you don't have to, all the steps involved, classic debugging, restart, do it all over again. >> It's faster and it's less error prone 'cause those steps, you make mistakes, you went through all these steps and you forgot one thing or whatever or you did something wrong and didn't notice and you chased some, you know, went on a wild goose chase trying to figure out a bug, so it really is a huge H to product, a huge help to productivity and it's just so much fun to work with these systems. >> Well, I got to get this question for you while you're here because I get this question all the time and it's common. A lot of the young kids want to program, they see the future, they know that coding is a good skill to have. What's your advice to parents out there or kids, whether they're in elementary, or high school, or college, that might have a focus on, say, you know, I'm a neuroscience major or I'm doing this but I want to learn how to code? What's your advice for how to learn how to code because I've seen, oh, learn Java, I'm like, okay-- >> God, no. >> Not really my first choice. >> Eat spinach. Do 50 push-ups. No, it's not that comfortable. >> No, no. >> Java's not my first choice for recomm-- >> It's also 50 push-ups and spinach are better for you. Java is actually possibly damaging, at an early age, you should not be doing that. >> Doing Java, in particular? >> No, no. >> Why is that, it's just too complex? >> Because it's a lot of irrelevant boiler plate. It's a lot of stuff that should've been obsolete before and will be obsolete by the time you, hopefully, get to work for real and it's painful and if you aren't really into it, it'll just turn you off of the whole field. >> What's going to get someone excited, is it Elm, is it gaming, is it some sort of-- >> Yeah, so, Elm is good because you can run it, you don't need much setup, you can run in a web browser. I'm a Smalltalker and I still love the Smalltalk systems and they're still, overall, is a complete programming experience, they're still unmatched. Except for list machines which are kind of hard to come by. And so, I'd focus on those-- >> People tend to talk about Python, they talk about some of these languages. If someone's going to tinker around, what's going to be the addictive, if someone's going to-- >> So, people get addicted to all kinds of things but I would-- >> In terms of a good-- >> I tend to avoid the mainstream. People tend to latch on to the mainstream because they think it's a good career move or whatever. My advice is, you get good, learn the fundamentals in the cleanest way possible, then the mainstream stuff will be easy, rather than focusing on it, 'cause there's so much irrelevant detail in those systems and the programming experience is not that great. So, try something a little less meaty, closure is a lisp that you can use and there's closure script as a version that runs on the web. Try Elm. Try Smalltalk. >> And all these languages, they can actually produce something of value? >> Yeah, they can definitely, I think, still 70% of the world's container traffic is still run by a Smalltalk application. >> Really, I did not know that. >> Yeah, well, few people do. In Smalltalk, you find that that sort of heyday, in some sense, for commercial applications was in the 90s or 80s, whatever, but replacing those applications, a typical story is, someone says, ah, we should use Java 'cause everybody's using Java and we can get lots of programmers and they spend a lot of money and the new application doesn't work 'cause they can't actually rebuild the thing they built in Smalltalk at any reasonable cost, at any reasonable reliability. So, there are a lot of those systems out there, Morgan Stanley's still running Capital, their Smalltalk system for managing money. So, yeah, you can certainly build things. >> Well, Gilad, I love your commentary here, so I love that you're not shy to hold back. I've got to get your thoughts on cryptocurrency and the Blockchain world. >> Oh, dear. >> A lot of different languages, you got Ethereum, you have, some say, oh, I'm going to use Linux. If you're using Java, we're going to import it in, Javascript supports it, so there's been kind of like this, every kind of crypto currency, Blockchain, has their own language for decentralized applications. Your general thoughts on this. >> So, there's a need for, to slow down and be more careful, all right. Ethereum lost God knows how much money. I've heard quotes but I don't know if it's 50 million or 150 million but a fair amount of money due to problems that were classical distributed programming problems and could have been avoided by, essentially, more careful design of language in the system. There's a pressure now to turn things out in a hurry, right? In the old days, these systems took years and years of research in their little corner and, now, everybody has to do something too fast and that hurts. And, often, it's people who don't have the expertise and the background 'cause there's lots of research on all kinds of problems and smart people get snippets of those and they don't quite know what they're doing. And I don't think there's a cure for that because the incentives are there but that's why we're seeing these problems. >> So be careful, the message is be careful. >> Be careful. >> But they're rushing, all this cash is rolling in, they got to have some language. >> Sure, as long it's not their 150 million dollars that they lost, that's fine, but someone was probably upset. >> And, by the way, the security problem was software-error based. >> Most of them are. >> So, this transitions into Shape Security where you're not working as a distinguished engineer, working on some hard problems. I know it's pretty confidential but you guys do power 200 million iOS apps, this is from the PR statement. >> Probably more by now but yeah. >> Past 24 hours, you blocked more than two billion fraudulent login attempts, two million legitimate attempts. Essentially, defending intrusion detects and seems to be the company's value properties, but I don't want to get too much into the company because you're, obviously, on the engineering side. But security from a programming language side is software and people. >> Mm-hm. >> Right, software gets bugs. >> And people make them worse. >> And people make mistakes. >> People make them worse. >> Yeah. >> This is the central process problem in security. Your thoughts in computer science. >> So, most of the time, I mean, Shape does real security and this is fascinating to me but, most of the time, I've been looking at security at the programming language level because, you know, still, I think 70% of intrusions often, not the intrusions but, basically, these big software fiasco security problems get down to array buffer overflows. Which is ridiculous 'cause this is problem that was solved decades ago. Why are we still dealing with this? That's because, you know, programming language design, the whole approach to security, access control lists, whatever, there was another approach which was capability-based. And these two grew up together in the 60 and the world, as typically, it makes the wrong choices, it takes what seems appealing in the short term and not what is sort of a more thorough thing. So, object capabilities is a really interesting way of looking at this thing. There are people working on putting some of this into Javascript so that you could use it somehow. Great work by Mark Miller and company at Agoric. I'll do a shout-out to them. So, I've usually been on that side of things, but real security, there's a lot more to it, that's just one small layer of things and, above that, there's all the humans and the multiple systems they build. The configurations, they're just mistakes, the things that happen through social engineering about which, basically, I don't know much about but I will say that making things simpler is key because that's why people make mistakes. Things are too complicated. Every piece of the system has some bunch of clever engineers who really think it through and make it really sophisticated but when you compose these, it becomes, no one understands, a thing that no one understands what's going on and we need to simplify. My work is to try to simplify at that programming language level which the typical languages people use are too complex. >> And this is really where the software always has holes in it and you just got to be on top of it and make it tight, as it were. >> Right, basically, you can't understand the consequences when you have too many moving parts, as it were, too many constructs in the programming language. The composition is endless and you can't, it's very hard to foresee how they're going to interact and what someone will come up with, eventually. Oh, you could use this to attack that. Or, this crates this bad scenario that people don't notice. And, really, there's no remedy to that. You can work and you should be careful, you should test things, you should verify, if you can, formally, but if you just try and keep it simple, clean abstractions that are very simple and composed well, you will simply avoid, by definition, most of these problems. >> Final talk track around open source. It's been well-documented that proprietary software that's funded by companies when kind of stopped and innovating, kind of, dies on the vine. Open source is great, got leverage, you get out in the open, yeah, it's great. So, open source has been growing like a weed over the past couple decades and, recently, it's been phenomenal. The open source people say, oh, security is better in open source. At the same time, you bring up the notion of language security and those programming languages. How do you see that rectifying itself? How is the security paradigm with open source going to be stabler? What do companies need to do because open source is being used everywhere. >> Open source is used everywhere for good reason but open source is not, by itself, a magic thing, right. It's still, you get problems, open source is also open to malicious contributors, to problems, and the systems are too big for, even though there are code reviews and everything, so it's a double-edged sword, in some respects and sometimes the quality just suffers. These are social organization and each one is different and they have problems, so I don't know that that is, it's good that you shine light on something, it tends to purify it, and certainly that's a great strength of open source that you cant have things buried in there that you don't know. By the same token, it is not a panacea because the other thing is someone has to fund this somehow. All the open source models have to find somewhere to keep this going. So it's a more complicated thing to pull off. >> Especially with all these appliances now, okay, which version of Linux are you running, do I review the code? How do people ensure the security know that whether it's an appliance, or a device, or phone, or anything and it doesn't have some sort of back door or security vulnerability? >> Well, backdoor, I don't-- >> Backdoor, side door. >> Or just code-- >> This is a conspiracy theory. >> Or poor code. >> Poor code, well, poor code, you know, the open source is full of poor code is the truth. And the other thing is that, one problem with the open source is it also makes it easier for people to attack it because they can see how it's engineered. So, there is a reason that secure systems tend to, actually, maintain a certain level of secrecy. So I wouldn't go overboard on the open source ideology that it's inherently more secure. It has the advantage that you can see what you're getting. It has the disadvantage that everyone, including your adversaries, can see that. >> You don't know that going in, buyer beware kind of philosophy. >> Yes. >> And so, ultimately, you need to trust, like, it always comes down to trust at some level 'cause there's no way you're going to verify the software or the hardware, the bits, the you know. You can have problems in the hardware, this is a big problem nowadays, actually, with certain vendors. I don't want to get into those political footballs but-- >> Yeah, super micro. >> Yeah, and so, you really have to see who, you do have to take a risk in who do you trust. Who has a reputation, who is responsible for things that have worked? And there are no easy answers and it's beyond my pay grade. >> Let me get your thoughts on Capital One because we know that story, as of this week and they're on an Amazon estuary bucket, firewall filtering failed, someone just stumbled into it. I mean, the person that hacked it wasn't like, probably, a famous hacker, she was bragging on Twitter and message groups like, saying, hey, I just got in. So, door's open, keys are running in the car, walked right to the safe, safe was open. >> So, I don't know anything about that incident specifically and, I mean, beyond what you and I have read on the web or somewhere-- >> That's a human error. >> But they're usually there's always, almost always human error involved. It's also why you need, sort of, it's like countermeasures, right, and counter, counter, countermeasures. You simply have to monitor, right? So that when something, when you have an intrusion, you check it, now, that's not easy but there are lots of clever things that people are doing. You can have security as an afterthought. It's really hard. That's generally the problem is that people don't think about it early enough. >> Final question before we break: What's the human problem that you see most with developers? 'Cause if humans make mistakes, which they do, what's the common mistake developers, programmers make when coding that could be avoided with just a little bit sharper focus? >> Well, it's not about focus but I'd say null pointer exceptions are the biggest, like, after array buffers, they're the other, Tony Hoare called it billion dollar mistake in 1980 in his award speech, I think. And we're talking now, it's probably a trillion dollars, right? And this is something that can be mechanically checked by the programming language and it's probably the number bang-for-a-buck feature that you might throw in. >> Just say no to null? >> Yeah. >> That's the philosophy. >> Yeah. >> Gilad, thanks for coming on the Cube, appreciate the conversation. >> Thank you very much. >> I'm John Furrier, here in Palo Alto at the Cube Studios. This has been a Cube Conversation, thanks for watching. (upbeat music)

>> from our studios in the heart of Silicon Valley, Palo Alto, California It is a cute conversation. >> Welcome to this cube competition here at the Palo Alto Cube Studios. I'm John for a host of the Cube. Were here a special guests to keep alumni investor An entrepreneur who do Sudhakar, would you Good to see you again, John. Always a pleasure. You've been on as an entrepreneur, founder. As an investor, you're always out. Scour in the Valley was a great conversation. I want to get your thoughts as kind of a guest analyst on this segment around the state of the Union for Enterprise Tech. As you know, we covering the price tag. We got all the top enterprise B to B events. The world has changed and get reinvent coming up. We got VM World before that. The two big shows, too to cap out this year got sprung a variety of other events as well. So a lot of action cloud now is pretty much a done deal. Everyone's validating it. Micro cells gaining share a lot of growth areas around cloud that's been enable I want to get your thoughts first. Question is what are the top growth sectors in the enterprise that you're seeing >> papers. Thank you for having me. It's always a pleasure talking to you over the years. You and me have done this so many times. I'm learning a lot from you. So thank you. You are so yeah, I think Let's dig into the cloud side and in general market. So I think that there are 34 areas that I see a lot that's happening a lot. Cloud is still growing, a lot 100% are more growth and cloud and dog breeders. And what is the second? I see, a lot of I T services are close services. This includes service management. The areas that service now isn't They're >> still my ops was Maybe >> they opt in that category. E I said With management, the gutter is coming with the new canticle a service management. So they're replacing idea some with a different. So that's growing 800% as a category tourist. RP according to again, the industry analysts have seen that it's going at 65 to 70% so these three areas are going a lot in the last one that I see a lot of user experience. Can you build? It's like it's a 20,000,000,000 market cap, something. So if you let it out, it's a cloud service Management services RP user experience cos these are the four areas I see a lot dating all the oxygen rest. Everybody is like the bread crumbs. >> Okay, and why do you think the growth in our P A. So how's the hype? Is it really what? What is going on in our pee, In your opinion, >> on the rumors I'm hearing or there is some companies are already 1,000,000,000 revenue run great wise. That's a lot in our piece. So it's not really a hype that really so that if you look and below that, what's happening is I'd be a Companies are automating automation. The key for here is if I can improve the user experience and also automate things. RPS started doing screen scraping right in their leaders, looking at any reservations supply chain any workflow automation. So every company is so complex. Now somebody has to automate the workflow. How can you do this with less number of people, less number, resources, and improve the productivity >> coming? R P A. Is you know, robotic process automation is what it stands for, but ultimately it's software automation. I mean, it's software meets cloud meets automation. It seems to be the big thing. That's also where a I can play a part. Your take on the A I market right now. Obviously, Cloud and A I are probably the two biggest I think category people tend to talk about cloud and a eyes kind of a big kind of territories. RPG could fall under a little bit of bulls, but what you take on a guy, >> Yeah, so I think if you look at our pier, I actually call the traditional appears to be historical legacy. Wonders and R P companies are doing a good job to transform themselves to the next level, right? But our pianist Rocky I score. It's no longer the screen skipping tradition, making the workflow understanding. So there are new technology called conversational Rp. There's actually a separate market. Guys been critical conversation within a Can I talk to in a dialogue manner like what you experienced Instagram are what using what's up our dialogue flow? How can I make it? A conversational RPS is a new secretary is evolving it, but our becomes have done a good job. They leave all their going out. A >> lot has been has great success. We've been covering them like a blanket on a single cube. Um, I got it. I got to get your take on how this all comes into the next generation modern era because, um, you know, we're both been around the block. We've seen the waves of innovation. The modern error of clouds certainly cloud one Dato Amazon. Now Microsoft has your phone. Google anywhere else really goes. Dev Ops, The devil's movement cloud native amazing, create a lot of value continues to do well, but now there's a big culture on cloud 2.0, what is your definition of cloud two point? Oh, how do you see Cloud 2.0, evolving. But >> I like the name close to party. I think it's your third. It is going to continue as a trained. So look, throw two point with eyes. I don't know what it will be, but I can tell you what it should be and what it can have. Some other things that should do in the cloud is cloud is still very much gun to human beings. Lot of develops people. Lot of human being The next addition to a daughter should have things done programmatically I don't need tens of thousands off Assad ease and develops people. So back to your air, upside and everything. Some of those things should become close to become proactive. I don't want to wait until Amazon. Easter too is done. If I'm paying him is on this money. Amazon should be notifying me when my service is going to be done. The subsidy eaters They operated Chlo Trail Cloudwatch Exeter. But they need to take it to a notch level. But Amazon Azure. >> So making the experience of deploying, running and building APS scalable. Actually, that's scales with Clavet. Programmable kind of brings in the RPI a mean making a boat through automation edge of the network is also interesting. Comes up a lot like Okay, how do you deal with networking? Amazons Done computing storage and meet amazing. Well, cloud and networking has been built in, I guess to me, the trend of networking kicks in big because now it's like, OK, if you have no perimeter, you have a service area with I o t. >> There's nothing that >> cloud to point. It has to address riel time programming ability. Things like kubernetes continues to rise. You're gonna need to have service has taken up and down automatically know humans. So this >> is about people keep on fur cloak. What should be done before the human in the to rate still done. It develops. People are still using terror from lot of scripting. Lot of manual. Can you automata? That's one angle The second angle I see in cloud 2.0 is if you step back and say What, exactly? The intrinsic properties of Claude Majors. It's the work floor. It's automation, but it's also able to do it. Pro, actually. So what I don't have to raise if I'm playing club renders this much money. Tell me what outrageous are happening. Don't wait until outage happens. Can you predict voted? Yes, they have the capability to women. It should be Probably steal it. No, not 100%. So I want to know what age prediction. I wonder what service are going down. Are notified the user's that will become a a common denominator and solutions will be start providing, even though you see small startups doing this. Eventually they become features all these companies, and they'll get absorbed by the I called his aircraft carriers. You have Masson agile DCP. They're going to absorb all this, a ups to the point that provide that as the functionality. >> Yeah, let's get the consolidation in second. I want to get your thoughts on the cloud to point because we really getting at is that there's a lot of white space opportunity coming in. So I gotta ask you to start up. Question as you look at your investor, prolific investor in start ups. Also, you're an entrepreneur yourself. What >> is? >> They have opportunities out there because we'll get into the big the big whales Amazon, who were building and winning at scale. So embarrassed entry or higher every day, even though it's open sources, They're Amazons, betting on open source. Big time. We had John Thompson talk about that. That was excessive. Something Nutella. And so what? What if I was a printer out there? Would what do I do? I mean, is there Is there any real territory that I could create a base camp on and make money? >> That's plenty. So there's plenty of white faces to create. Look, first of all your look at what's catering, look at what's happening. IBM is auto business in service management, CSL itself to Broadcom. BMC is sold twice to private companies. Even the CEO got has left our war It is. Then you have to be soldiers of the Micro Focus. The only company that's left is so it's not so in that area, you can create plenty of good opportunities. That's a big weight. >> Sensors now just had a bad quarter. So actually, clarity will >> eventually they're gonna enough companies to go in that space. That play that's based can support 23 opportunities so I can see a publicly traded company in service. No space in next five years. My production is they'll be under company will go a p o in the service management space. Same things would happen. Rp, Rp vendors won't get acquired A little cleared enough work for automation. They become the next day because of the good. I can see a next publicly traded company. What happened in the 80 operations? Patriotism Probably. Computer company Pedro is doing really well. Watch it later. Don't. They're going to go public next. So that area also, you see plenty of open record companies in a UPS. >> So this is again back to the growth areas. Cloud hard to compete on Public Cloud. Yes, the big guys are out there. There's a cloud enablers, the people who don't have the clouds. So h p tried to do a cloud hp They had to come out, they'll try to cloud couldn't do It s a P technically is out there with a cloud. They're trying to be multi cloud. So you have a series of people who made it an oracle still on the fence. They still technically got a cloud, but it's really more Oracle and Oracle. So they're kind of stuck in the middle between the cloud and able nervous. The Cloud player. If you're not a cloud player large enterprise, what is the strategy? Because you got HP, IBM, Cisco and Dell. >> So I don't know. You didn't include its sales force in that If I'm Salesforce, I want sales force to get in. They have a sales cloud marketing cloud commerce code. Mark is not doing anything in the area of fighting clothes. They cannot go from 100,000,000,000 toe, half a trillion trillion market cap. Told I D. They have to embrace that and that's 100% growth area. You know, people get into this game at some point. It'll be is already hard and 50,000,000,000 market cap. Then that leaves. What is this going to do? Cisco has been buying more security software assets, but they don't wanna be a public company, their hybrid club. But they have to figure out How can they become an arms dealer in escape and by ruining different properties off close services? And that's gonna happen. And I've been really good job by acquiring Red Heart. So I think some place really figuring out this what is happening. But they have to get in the gaming club they have to do. Other service management have begun and are here. They have to get experience. None of these guys have experienced in this day and age that you killed and who are joining the workforce. They care for Airbnb naked for we work. They care for uber. They care for Netflix. It is not betting unders. So if I'm on the border, Francisco, I'm not talking about experience That's a problem to me. Hey, tree boredom is not talking about that. That's what if I'm I know Mark is on the board. Paramount reason. But Mark is investing in all the slack. Cos then why is it we are doing it either hit special? Get a separate board member. They should get somebody else. >> Why? He wouldn't tell. You have to move. Maybe. I don't know. We don't talk about injuries about that. But I want to get back to this experience thing because experience has become the new expectation. Yes, that's been kind of a design principle kind of ethos. Okay, so let's take that. The next little younger generation, they're consuming Airbnb. They're using the serious like their news and little chunks be built a video service for that. So things are changing. What is? I tease virgin as the consumption is a product issue. So how does I t cater to these new experience? What are some of those experiences? I >> think all of them. But I think I d for Social Kedrick, every property, every product should figure out how to offer to the young dreamers how they were contributed offer to the businesses on the B two baby to see. So the eye has to think every product or not. Should I start thinking about how my user should consume this and how should out for new experiences and how they want to see this in a new way, right? It's not in the same the same computer networking. How can a deluded proactively How can a dealer to a point where people can consume it and make other medications so darn edition making? That's where the air comes in. Don't wait for me toe. Ask the question. Suggest it's like Gmail auto complete. Every future should be thinking through problem. Still, what can I do to improve the experience that changes the product? Management's on? And that's what I'm looking at, companies who are thinking like that connection and see Adam Connection security. But that has to happen in the product. >> I was mentioning the people who didn't have clouds HP, IBM, Cisco and Dell you through sales force in there, I kind of would think sales were six, which is technically a cloud. They were cloud before cloud was even cloud. They built basically oracle for the cloud that became sales force. But you mentioned service now. Sales force. You got adobe, You got work day. These are application clouds. So they're not public clouds per se they get Amazon Web service is, you know, at Adobe runs on AWS, right? A lot of other people do. Microsoft has their own cloud, but they also have applications as well. Office 3 65 So what if some of these niche cloud these application clouds have to do differently? Because if you think about sales force, you mentioned a good point. Why isn't sales were doing more? People generally don't like Salesforce. You think that it's more of a lock inspect lesson with a wow. They've done really innovative things. I mean, I don't People don't really tend to talk about sales force in the same breath as innovation. They talk about Well, we run sales for us. We hate it or we use it and they never really break into these other markets. What's your take on them? >> I think Mark has done a good job to order. Yes, acquiring very cos it has to start from the top and at the market. His management team should say, I want to get in a new space. He got in tow. Commerce. Claudia got into marketing. He has to know, decide to get into idea or not. Once he comes out, he's really taken because today, science. What is below the market cap? Com Part of it'll be all right. If I am sales force, I need to go back down. Should I go after service? No. Industry should go after entire 80 services industry. Yes or no, But they have to make a suggestion. Something with Toby Toby is not gonna be any slower. They will get into. I decide. They're already doing the eyesight and experience. They're king of experience. Their king off what they're doing. Marketing site. They will expand. Writing. >> What does something We'll just launched a platform. Yes, that's right. The former executive from IBM. That's an interesting direction. They all have these platforms. Okay, so I got together to the Microsoft Amazon, Um, Google, the big clouds and then everybody else. A lot of discussion around consolidation. A lot of people say that the recession's coming next year. I doubt that. No, nos. The consolidation continues to happen. You can almost predict that. But where do you see the consolidation of you got some growth areas as you laid out cloud I t service is our p a experience based off where looks like where's the consolidation happening? If growth is happening, they're words to tell. >> It was happening. Really Like I see a lot in cyber security. I'm in Costa Rica, live in public. You have the scaler, the whole bunch of companies. So the next level of cos you always saw Sisko Bart, do your security followed has been buying aggressively companies. So secret is already going to a lot of consolidation. You're not seeing other people taking it, but in the I T services industry, you'll start seeing that you're already seeing that in the community space. That game is pretty much over right. Even the ember barred companies, even Net are barred companies and the currency. So I think console is always going to happen. People are picking up the right time. It's happening across the board. It's a great time to be an entrepreneur creator value. They come this public. So it's like I think it's cannot anymore very time. Look to your point where the decision happens or not. Nobody can predict. But if a chance now, it's best time to raise money. Build a company. >> Well, we do. I think the analysis, at least from my perspective, is looking at all the events we go to is the same theme comes up over and over. And Andy Jassy this heat of a tigress always talks about Old Garden new Guard. I think there's two sides of the streets developing old way in a new way, and I think the modern architect of the modern era of computer industry is coming, and it looks a lot different than it. Waas. So I think the consolidate is happening on those companies that didn't make the right bets, either technically or business model wise, for they took on too much technical debt and could not convert over to the cloud world or these really robust software environment. So I think consolidations from just just the passing of holder >> seems pretty set up for a member of the first men. First Main Computing was called mainframe Era, then, with clients Herrera and Kim, the club sodas 6 2009 13 years old, the new Errol called. Whatever the name, it will be something with a n mission in India that things would be so automated. That's what we have new area of computing, So that's I would like to see. So that's a new trick, this vendetta near turn. So even though we go through this >> chance all software software sales data 11. Yeah, it's interesting. And I think the opportunity, for starters is to build a new brands. His new branch would come out. Let's take an example of a company that but after our old incumbent space dying market share not not very attractive from a VC standpoint. From market space standpoint, Zoom Zoom went after Web conferencing, and they took on WebEx and portability. And they did it with a very simple formula. Be fast, be cloud native and go after that big market and just beat them on speed and simple >> experience. They give your greatest experience just on the Web, conferencing it and better than sky better than their backs better than anybody else in that market. Paid them with reward. Thanks, Vic. He had a good >> guy and he's very focused. He used clouds. Scale took the value proposition of WebEx. Get rid of all the other stuff brought its simple to video conference. And Dr Mantra is one >> happening. The A applying to air for 87 management. A ops A customer surveys. >> So this is what our Spurs could do. They can target big markets debt and go directly at either a specific differentiation. Whether it's experience or just a better mouse trap in this case could win, >> right? And one more thing we didn't talk about is where their underpants go after is the area number. Many of these abs are still enterprise abs. Nobody really focused on moving this enterprise after the club. Hollis Clubbers are still struggling with the thing. How can I move my workload number 10%. We're closing the club 90% still on track. So somebody needs to figure out how to migrate these clouds to the cloud really seamlessly. The Alps are gonna be born in the cloud club near the apse. So how do you address truckload in here? So there's enough opportunity to go after enterprise applications clouded your application. Yeah, >> I mean, I do buy the argument that they will still be on premises activity, but to your point will be stealing massive migration to the cloud either sunsetting absent being born the cloud or moving them over on Prem All in >> all the desert I keep telling the entree and follow the money. When there is a thing you look for it Is there a big market? Are people catering there? If people are dying and the old guard is there to your point and is that the new are you? God will happen. And if you can bet on the new guard in your experience, market will reward you. >> Where is the money? Follow the money. Worse. What do we follow? Show me where it is. Tell me where it is >> That all of the clothes, What is the big I mean, if you're not >> making money in the club for the cloud, you are a fool right now. If there any company on making out making in the club as a CEO, a board member, you need to think through it. Second automation whether you go r p a IittIe automation here to make money on, said his management. Whether it's from customer service to support the operation, you got to take the car. Start off it if you are Jesse ever today and you're not making birds that cementing. I see it mostly is that still don't want to take it back. They want to build empires. The message to see what's right, Nice. Either you do it or get out. Get the job to somebody that >> I hold a lot of sea cells and prayer. Preparing for reinforce Amazon's new security cloud security conference and overwhelmingly response from the sea. So's chief security officer is we are building stacks internally. When I asked him about multi cloud, you know what they said? Multi cloud is B s. I said, Why? Because Well, we have a secondary cloud, but I don't want to fork my development team. I want to keep my people focused on one cloud. It's Amazon. Go Amazon. It's azure. We stay with Azure. I don't wanna have three development teams. So this a trend to keep the stack building internally. That means they're investing in building their own text. Axe your thoughts on that >> look, I mean, that's again. There's no one size fits all. There will be some CEOs who want to have three different silos. Some people have a hard, gentle stack like I've seen companies. Right now. They write, the court wants it, compiles, and it's got an altar cloth. That's a new irritability you're not. We locate a stack for each of them. You're right. The court order to users and NATO service is but using the same court base. That's the whole The new startups are building it. If somebody's writing it like this, that's all we have. Thing is the CEO. So there's that. The news he always have to think through. How can you do? One court works on our clothes? >> Great. You do. Thank you for coming on again. Always great to get your commentary. I learned a lot from you as well. Appreciate it. I gotta ask the final question as you go around the VC circles. You don't need to mention any names you can if you want, but I want to get a taste of the market size of rounds, Seed Round A and B. What are hot rounds? What sizes of Siri's am seeing? Maur? No. 10,000,000? 15,000,000? Siri's >> A. >> Um >> Siri's bees are always harder to get than Siri's. A seeds. I always kind of easier. What's your take on the hot rounds that are hot right now. And what's the sizes of the >> very good question? So I'm in the series the most easy one, right? Your concept. But the seed sizes went up from 200 K to know mostly drones are 1,000,000 2 1,000,000 Most city says no oneto $10,000,000. So if you're a citizen calmly, you're not getting 10 to 15. Something's wrong because that become the norm because there's more easy money. It also helps entrepreneurs. You don't have to look for money. See, this beast are becoming $2025 $5,000,000 pounds, Siri sees. If you don't raise a $50,000,000 then that means you're in good company. So the minimum amount of dries 50,000,000 and CDC Then after that, you're really looking for expansions. $100,000,000 except >> you have private equity or secondary mortgage >> keys, market valuations, all the rent. So I tell entrepreneurs when there is an opportunity, if you have something, you can command the price. So if you're doing a serious be a $20,000,000 you should be commanding $100,000,000.150,000,000 dollars, 2,000,000 evaluations right if you're not other guys are getting that you're giving too much of your company, so you need to think through all of that. >> So serious bees at 100,000,000 >> good companies are much higher than that. That'll be 1 52 100 And again, this is a buyer's market. The underpinnings market. So he says, more money in the cash. Good players they're putting. Whether you have 1,000,000 revenue of 5,000,000 revenue, 10,000,000 series is the most hardest, but its commanding good premium >> good time to be in our prayers were with bubble. Always burst when it's a bite, mark it on the >> big money. Always start a company >> when the market busts. That's always my philosophy. Voodoo. Thanks for coming. I appreciate your insight. Always as usual. Great stuff way Do Sudhakar here on the Q investor friend of the Cube Entrepreneur, I'm John for your Thanks >> for watching. Thank you.

>> from our studios in the heart of Silicon Valley, Palo Alto, California. It is a cute conversation. >> Everyone. Welcome to this Special Cube conversation here at the Palo Alto Cube Studios. I'm John for a host of Cuba here. Moritz man is the head of the product management team at Open Systems A G. Great to see you again. Thanks for coming in. >> Hey, John. Thanks for having me. >> So last time we spoke, you had your event in Las Vegas. You guys are launching. You have a new headquarters here in Silicon Valley. Opened up this past spring. Congratulations. Thank you. >> Yeah, it's a great, great venue to start, and we set foot on the Silicon Valley ground. So to make our way to >> I know you've been super busy with the new building and rolling out, expanding heavily here in the Valley. But you guys were in the hottest area that we're covering Security Cloud security on premise, security. The combination of both has been the number one conversation pretty much in the cloud world right now. Honestly, besides a normal cloud, native cloud I t hybrid versus multi cloud out. See, that continues to be the discussion I think there's no more debate around multi cloud in hybrid public clouds. Great people gonna still keep their enterprises. But the security equation still is changing this new requirements. What's the latest that you guys are seeing with respect to security? >> Yeah. So, John, what we see is actually that cloud adoption had happens at different speeds. So you have usually the infrastructure of the service. Adoption would happens in a quite controlled way because there's a lift in shift. Do you have your old data center? You you take it and you transferred into azure I W S O G C P. But then there's also uncontrolled at option, which is in the SAS space. And I think this is where a lot off data risk occur, especially the wake off GDP are on where we see that this adoption happens. Maurin a sometimes control, but sometimes in a very uncontrolled way, >> explain that the uncontrolled and controlled expansion of of how security and multi cloud and cloud is going because this interesting control means this this plan's to do stuff uncontrolled means it's just by other forces explain uncontrolled versus controls >> eso controlled specifically means the IittIe team takes as a project plan and aches servers and workloads and moves them in a controlled fashion or in a dedicated project to the cloud. But what happened in the business world of business I t is actually did use those share content at any time with any device at any at any time and in all locations. So this is called the Mobile Enterprise on the Cloud First Enterprise. So it means that the classical security perimeter and the controls in that are my past, actually, by the path of least resistance or the shortest path >> available. And this is the classic case. People use Dropbox with some, you know, personal things. They're at home, they're at work, a p I based software. That's what you're getting at the >> and the issue of this is that that the data that has bean, like contained an pera meters where, you know, as it Caesar, where your data is. This has bean deployed too many edge devices, too many mobile devices, and it's get it gets shared, a nun controlled way. >> We'll get a couple talk tracks would like to drill down on that, because I think this is the trend. We're seeing a pea eye's dominant. The perimeter on the infrastructure has gone away. It's only getting bigger and larger. You got I, O. T and T Edge just and the networks are controlled and also owned by different people. So the packets of moving on it that's crazy so that that's the reality. First, talk track is the security challenge. What is the security challenge? How does a customer figure out what to do from an architectural standpoint when they're dealing with hybrid and multi cloud? So first of >> all, um, customers or BC enterprises try need to re think their infrastructure infrastructure centric view off the architecture's. So the architecture that had been built around data send us needs to become hybrid and multi cloud aware. So that means they need to define a new way off a perimeter, which is in cloud but also in the covering. Still the old, so to say, legacy hyper data center set up, which has the data still in the old data center and at the same time, they need to open up and become the cloud themselves, so to say, and but still draw a perimeter around their data and they users and not and their applications and not so much anymore around the physical infrastructure. >> So taking, changing their view of what a security product is, Is that really what you're getting at? >> Yeah, So the issues with the product point solution was that they fixed a certain part off off a tactile issue. So if you take a firewall in itself, firewall back then it was like a entry door to a big building, and you could could decide who comes out goes in. Now. If the the kind of the walls of the building are vanishing or arm or more FIC, you need to come over the more integrated concept. So having these stacked appliance and stacked security solutions trying to work together and chain them doesn't work anymore. So we think and we see that, >> Why is that? Why doesn't it work? Because in >> the end, it's it's it's hardly two to operate them. Each of those points solutions have their own end off life. They have their own life cycle. They have their own AP eyes. They have their own TCO, as all that needs to be covered. And then there's the human aspect where you have the knowledge pools around >> those technologies. So as an enterprise you have to content to continuously keep the very scar security experts to maintain content continues the depreciating assets running right, >> and they're also in it. We weren't built for tying into a holistic kind of platform. >> Yeah, What we see is that that enterprises now realize we have data centers and it's not accepted reality that you can abstracted with the cloud. So you have You don't own your own servers and buildings anymore. So you have a PAX model to subscribe to Cloud Service is and we think that this has to happen to security to so shift from cap ex to our pecs and the same way also for operational matters >> securities. The service is a crepe is a small I want to ask you on that front you mentioned mobile users. How do you secure the mobile uses when they use cloud collaboration? Because this is really what uses expect, and they want How do you secure it? >> So be secured by by actually monitoring the data where it actually gravitates, and this is usually in the cloud. So we enforce the data that is in transit through, ah, proxies and gators towards the cloud from the endpoint devices, but also then looking by AP eyes in the cloud themselves to look for threats, data leakage and also sandbox. Certain activities that happened. There >> are the next talk talk I want to get into is the expansion to hybrid and multi cloud so that you guys do from a product standpoint, solution for your customers. But in general, this is in the industry conversation as well. How how do you look at this from a software standpoint? Because, you know, we've heard Pat Gelsinger of'em were talking about somewhere to find Data Center S d n. Everything's now software based. You talk about the premiere goes away. You guys were kind of bring up a different approaches. A software perimeter? Yeah, what is the challenge for expanding to multi cloud and hybrid cloud? >> So So the challenge for enterprise and customers we talked to is that they have to run their old business. Gardner once called it by motile business, and it's still adopting not one cloud, but we see in our surveys. And this is also what market research confirms is that customers end up with 2 to 3 loud vendors. So there were will be one or two platforms that will be the primary to their major majority of applications and data gravity. But they will end up and become much more flexible with have running AWS, the old Davis Center. But it was the G, C, P and Azure, or Ali Baba glowed even side by side, right tow cover the different speeds at what their own and the price runs. And >> so I gotta ask you about Cloud Needed was one of the things that you're bringing up that just jumps in my head. And when I got to ask, because this is what I see is a potential challenge. It might be a current challenges when you have kubernetes growing such a rapid rate. You see the level of service is coming online much higher rate. So okay, people, mobile users, they're using the drop boxes, the boxes and using all these FBI service's. But that's just those wraps. As a hundreds and thousands of micro service is being stood up and Tauron down in there, you guys are taking, I think, an approach of putting a perimeter software premieres around these kinds of things, but they get turned on enough. How do you know what's clean? It's all done automatically, so this is becoming a challenge. So is this what you guys mean when you say software perimeter that you guys could just put security around things at any time? Is that explain this? >> Yeah, So? So if you talk about the service match so really mashing cloudy but native functions, I think it's still in the face where it's, I would say, chaos chaotic when you have specific projects that are being ramped up them down. So we draw a perimeter in that specific contact. So let's say you have You're ramping up a lot off cloud a function AWS. We can build a pyramid around this kind off containment and look especially for threats in the activity locks off. The different component is containers, but from from a design perspective, this needs to be, uh, we need to think off the future because if you look at Mike soft on AWS strategy, those containers will eventually move Also back to the edge. Eso were in preparing that to support those models also cover. Bring these functions closer back again to the edge on We call that not any longer the when, ej but it will become a cloud at at actually. So it's not an extension of the land that comes to the data. It's actually the data and the applications coming back to the user and much closer. >> Yeah. I mean, in that case, you could define the on premises environment has an edge, big edge, because this is all about moving, were close and data around. This is what the new normal is. Yeah, So okay, I gotta ask the next question, which is okay, If that's true, that means that kubernetes becomes a critical part of all this. And containers. How do you guys play with that at all? >> So we play with us by by actually looking at data coming from that at the moment. We're looking at this from a from a data transit perspective. We But we will further Maur integrate into their eighties AP eyes and actually become part off the C I C D. Process that building then actually big become a security function in approval and rolling out a cannery to certain service mesh. And we can say, Well, this is safe for this is unsafe This is, I think, the eventual goal to get there. But But for now, it's It's really about tracking the locks of each of those containers and actually having a parent her and segmentation around this service mash cloud. So to say, >> I think you guys got a good thing going on when you talk about this new concept that's of softer to find perimeter. You can almost map that to anything you get. Really think everything has its own little perimeter workload. Could be moving around still in these three secure. So I gotta ask on the next talk Trek is this leads into hybrid cloud. This is the hottest topic. Hybrid cloud to me is the same as multi cloud. Just kind of get together a little bit different. But hybrid cloud means you're operating both on premises and in the cloud. This is becoming a channel most si si SOS Chief admission Security officers. I don't want to fork their teams and have multiple people coding different stacks. They don't want the vendor lock in, and so you're seeing a lot of people pulling back on premises building their own stacks, deploying in the cloud and having a seamless operation. What is your definition of hybrid? Where do you see hybrid going? And how important is it? Have a hybrid strategy. >> So I think the key successfactors of a hybrid strategy is that standards standardization is a big topic. So we think that a service platform that to secure that like the SD when secure service platform rebuilt, needs to be standardized on operational level, but also from a baseline security and detection level. And this means that if you run and create your own work, those on Prem you need to have the same security and standard security and deployment standard for the clout and have the seamless security primary perimeter and level off security no matter where these these deployments are. And the second factor of this is actually how do you ensure a secure data transfer between those different workloads? And this is where S T win comes into play, which acts as a fabric together with when backbone, where we connect all those pieces together in a secure fashion >> where it's great to have you on the Q and sharing your insight on the industry. Let's get into your company. Open systems. You guys provide an integrated solution for Dev Ops and Secure Service and Security Platform. Take a minute to talk about the innovations that you guys were doing because you guys talk a lot about Casby. Talk a lot about integrated esti when but first define what Casby is for. The audience doesn't know what Casby is. C. A S B. It's kicked around all of the security conscious of your new to security. It's an acronym that you should pay attention to so defined casby and talk about your solution. >> Eso casby isn't theory. Aviation means cloud access security we broker. So it's actually becoming this centralized orchestrator that that allows and defines access based on a trust level. So saying, um, first of all, it's between networks saying I have a mobile workforce accessing SAS or I s applications. Can't be it in the middle to provide security and visibility about Where's my data moving? Where's married? Where do I have exposure off off GDP, our compliance or P C. I or he power risks And where is it exposed to, Which is a big deal on it's kind of the lowest level to start with, But then it goes further by. You can use the Casby to actually pull in data that that is about I s were close to toe identified data that's being addressed and stored. So are there any incidentally, a shared data artifacts that are actually critical to the business? And are they shared with extra resource is and then going one step further, where we then have a complete zero trust access model where we say we know exactly who can talkto which application at any time on give access to. But as everything this needs to be is in embedded in an evolution >> and the benefit ultimately goes to the SAS applications toe, have security built in. >> That's the first thing that you need to tackle. Nowadays, it's get your sass, cloud security or policy enforced on, but without disrupting service on business on to actually empower business and not to block and keep out the business >> can make us the classic application developer challenge, which is? They love to co they love the build applications, and what cloud did with Dev Ops was abstracted away the infrastructure so that they didn't have to do all this configuration. Sister. Right? APs You guys air enabling that for security? >> Exactly. Yeah. So coming back to this multi protein product cloud would, which is not keeping up anymore with the current reality and needs of a business. So we took the approach and compared death ops with a great service platform. So we have engineers building the platform. That's Integrated Security Service Platform, which promotes Esti Wen managed Detection response and Caspi Service is in one on the one platform which is tightly integrated. But in the in the customer focus that we provide them on or Pecs model, which is pretty, very predictable, very transparent in their security posture. Make that a scalable platform to operate and expand their business on. >> And that's great. Congratulations. I wanna go back for the final point here to round up the interview for the I T. Folks watching or, um, folks who have to implement multi cloud and hybrid cloud they're sitting there could be a cloud architect that could be an I T. Operations or 90 pro. They think multi cloud this in hybrid club. This is the environment. They have to get their arms around. How? What >> should they >> be thinking about? Around multi cloud and hybrid cloud. What is it, really? What's the reality now? What >> should they be considering for evaluation? What are some of the key things that that should be on their mind when they're dealing with hybrid cloud and all the opportunity around it? >> So I think they're they're like, four key pieces. Oneness. Um, they think they still have to start to think strategic. So what? It's a platform and a partner That helps them to plan ahead for the next 3 to 5 years in a way that they can really focus on what their business needs are. This is the scalability aspect. Secondly, it's a do. We have a network on security, our architecture that allows me to grow confidently and go down different venues to to actually adopt multi clouds without worrying about the security implication behind it. Too much, uh, and to implement it. And third is have this baseline and have this standardized security posture around wherever the data is moving, being at Mobil's being it SAS or being on Prem and in clouds workloads, the fourth pieces again, reading, thinking off where did you spend most of my time? Where do I create? Create value by by defining this framework so it really can create a benefit and value for the enterprise? Because if you do it not right your not right. You will have a way. You will end up with a an architecture that will break the business and not accelerated. >> Or it's made head of product that open systems here inside the Cube studios. Um, great job. Must love your job. You got the keys. A lot of pressure. Security being a product. Head of product for security companies. A lot of pressure before we wrap up. Just give a quick plug for the company. You guys hiring you have a new office space here in Redwood City. Looks beautiful. Give a quick shared play for the company. >> Yeah. So open systems the great company to work with. We're expanding in the U. S. On also, Amy, uh, with all the work force. So we're hiring. So go on our website. We have a lot off open positions, exciting challenges in a growth or into workspace. Andi. Yeah. As you said, security at the moment, it's one of the hottest areas to be in, especially with all the fundamental changes happening in the enterprise and architecture. I d landscape. So yeah, >> and clouds securing specifically. Not just in point. The normal stuff that people used to classify as hot as hot as Hades could be right now. But thanks for coming on. Strong insights. I'm jumping with Cuba here in Palo Alto with more Morris Man is the head of product management for open systems. Thanks for watching.

(inspirational music) >> Hi everybody, this is, Dave Vellante, from our Palo Alto Cube studios. Welcome to this Cube conversation with two gentlemen from Datrium. Tushar Agarwal is the Director of Product Management, and Sazzala Reddy is the CTO and co-founder of Datrium. We're going to talk about disaster recovery. Disaster recovery has been a nagging problem for organizations and IT organizations for years. It's complex, it's expensive, it's not necessarily reliable, it's very risky to test, and Datrium has announced a product called CloudShift. Now, Datrium is a company who creates sets of data services, particularly for any cloud, and last year introduced a backup in archiving on AWS. We've written about that, we've profiled that. Gentlemen welcome to the Cube, >> Good to see you. >> Thank you. >> Good to be here. >> Thank you (mumbles). >> So tell us about, CloudShift. >> Yeah, sure, great. So if you kind of step back and look at our journey starting with Cloud DVX, which was what we announced last year, our end goal has been to simplify infrastructure for customers and eliminate any access infrastructure that they need, starting with Cloud DVX, which addressed the backup part of it Where the customers do not need to keep a dedicated off-site backup anymore and extending that with CloudShift, which now brings it to a DR context and makes the economics so phenomenal that they don't need to keep a DR site anymore just waiting for a disaster to happen. So, CloudShift, at very beginnings, is a sort of a multi-year journey where we bring the ability to do workload mobility orchestration across an on-premises DVX system to a DVX running in the cloud, leveraging Cloud DVX backups, so that customers can do just-in-time DR. >> Sazzala, I talked earlier about some of problems with DR, and let's talk about what you see. I mean, I've talked to customers who've set up three sites, put in a fireproof box, I mean all kinds of just really difficult challenges and solutions. What are you seeing in, terms of some of the problems and challenges that customers are facing, and how are you addressing this? >> Yeah, so like you said, I don't think I've heard anybody saying my DR plan is awesome. (Laughing) or it works, or I'm enjoying this thing. It's a very fearful situation because when things go down, that's when everyone is watching you, and then that's when the fear comes in, right? So, we built kind of a. We built our service, CloudShift service. It's very easy to use, firstly, step one. And the reason, the other goals, kind of, so, if you click a button, you want to just (mumbles) to some new place, right? But to make that really work well, what are the customers, I mean, if I was a customer, what would I think about? I want the same experience no matter where I moved, right? But it has to be seamlessly like, you know, I don't have to change my tool sets, I have the same operational consistency, that's got number one, and number two is that, does it really work when I click the button, is it going to work? So if you go to Amazon, it'll convert VMs. That's a different experience completely, right? So how do you make that experience be likely foolproof? It will work fundamentally. So we've done lot of things like no conversion of VMs. And the second one is that we have built-in compliance checks. Every half an hour it checks itself to see that the whole plan is compliant. You know that when actually there is a problem it'll actually, the compliance actually has caught the issues before hand. And the third one is that, you can do schedule testing. That you can set up schedules and say know what test it every month for me. So that you know. And test it, give a report to you saying okay it's all this, all looking good for you. So that's kind of things you maybe do to make sure that it's going to be foolproof, guaranteed DR success when you initially have to hit the button. >> Yeah and just to add to that. I think, if you look at a DR equation for a customer it's really two things. I'm paying a lot for it. What can I do to address that problem? And will it work when I need it to work, right? I think it's really fundamentally those two problems. And cloud gives us a great way to address the cost equation because now you got an infrastructure that is truly on tank, can be truly on demand. And so you don't really keep those resources running unless you have to, unless you have a test event or you have the actual DR event. On the will it work when I want it to work, Cloud has typically had a lot of challenges that's a lot of outline, right? You have VMs that are going from a VMware infrastructure to an Amazon infrastructure which means those washing machines now need to be running in a different format. You don't have a simple, single-user interface to manage those two environments where you have an Amazon console at one end and a VMware recenter on the other. And then thirdly, you have this data mobility problem where you don't have the data going across a consistent, common architecture. And so we sort of solve all these problems collectively by making DR just in time because we only spin up those resources when they need to be there in the cloud. There is no VM conversion because we are building this, leveraging the benefits of VMware Cloud in AWS. There is a common single pane of glass to manage this infrastructure. And there is a tremendous amount of speed in data mobility and a tremendous amount of economics in the way that we store that data in a de-duplicated compressed way all the time so it kind of checks off the cost equation and it checks out the fact that it actually works when it needs to work. >> So, let's unpack that a little bit. So normally what I would have is a remote site and that site has resources there. It's got hardware and software and building and infrastructure hopefully far enough away from whether it's an earthquake zone or a hurricane or whatever it is and it sits there as an underutilized asset. Now maybe there's some other things that I can do with it, but if it's my DR site, it's just sitting there as insurance. >> Right. >> That's one problem. >> The other problem is testing, DR testing is oftentimes very risky. A lot of customers we talk to don't want to test because they might fail over and then they go to fail back and oops, there's a problem. And what am I going to do? Am I going to stop running my business? So maybe talk about how you address some of those challenges. >> So I think yes, that's true. We heard people like spent half a million dollars in testing DR and never be able to come back from it. Like that's a lot of money and a lot of (mumbles) and then you can't come back is a completely different business problem. So you know, more than just having the DR site, there's like expanse and maintenance, but the other problem is that when you add something, new workloads, you have to add more work. It would kind of change. It would kind of beget new licenses, get new new other, like you know more and more things. So all of this actually is a fundamental problem but if you go to the cloud, just-in-time on-demand thing is amazing because you are only paying for the backups which is you need to do. If you cannot lose it, there are backups. You need backups fundamentally to be on another site because if ransomware hits you, you need to be able to go back in time so you need copies of deep copies to be in another place. And so the thing about just-in-time DR is that you pay for the backups, sure. It's very cost-effective with us, but you only pay for the services for running your applications for the two weeks you have a problem and then when you're done with it, you're done with paying that. So it's a difference with paying everyday versus paying for insurance. Sometimes insurance pays for those kind of things. It's very cost effective. >> Okay, so I'm paying Datrium for the service. Okay, I get that. And I'm paying a little bit, let's say, for instance it's running on Amazon, a little bit for S3, got to pay for S3 and I'm only paying for the EC2 resource when I'm using that resource. (crosstalk) It's like serverless for DR. >> It actually goes beyond that, Dave, right? >> Actually I like that word that you used. You should probably use that. >> Absolutely because I think it's not just the EC2 part but if you look at a total cost of ownership equation of a data center, right, you're looking at networking, you're looking at software, you're looking at compute, you're looking at people managing that infrastructure all the time, you're looking at power cooling and so I think by having this just-in-time data center that gets spun up and you have to do nothing, literally, you just have to click a button. That saves you know a tremendous amount. That's a transformational economics situation right there where you can simply go ahead and eliminate a lot of time, a lot of energy, a lot of costs that customers pay and have to deal with to just keep that DR site running across the board. >> Mm hm. >> Let me give one more savings note. So let's say you had 100 terabytes and you failed over, so when you're done with two weeks' testing, only one terabyte changed. Are you going to bring back everything or are you going to bring only one terabyte? It's a fundamental underlying technology thing. If you don't have dedupe over the wire, you'll bring back everything 100 terabytes. You're going to pay for the digress cost and ultimately it'll be too slow for you to bring it all back. So what you really want is underlying technology which has dedupe over the wire. We call it global dedupe that you can only move back what's changed and it's fast. One terabyte moving there is not that bad, right? Otherwise you'd end up moving everything back which is kind of untenable again. So you have to make all these things happen to make DR really successful in the cloud. >> So you're attacking the latency issues. >> Latency and bestly 100 terabyte moving from one place to the other, it'll take a long time because the vanpipe is only that much and you're paying for the egress cost. >> We always joke the smartest people in Silicon Valley are working on solving the speed of light problem. >> That's right so if you look at data, if you're going to move from one place to the other. First of all, data has gravity, it doesn't want to move, right? So that's one fundamental problem. So how do you build a antigravity device to actually fix that problem, right? So if you leap forward, global dedupe is here where you can transfer only what's changed to the other side. That really defeats light speed, right? And then, both ways, moving it here and moving it there. Without having this van deduplication technology, I think you will be paying a significant amount of time and money, so then it becomes untenable. If you can't really move it fast, then it's like people don't do it anymore. >> And in the typical Datrium fashion, it's just there. It just works. (crosstalk) >> I think that's such a good point, Dave, because if you look at traditional DR solutions today, the challenge is that there are a collection of software and services and hardware from multiple vendors. And that's not such a bad thing. I think the challenge that that causes is the fact that you don't have the ability to do an end-to-end, closed loop verification of your DR plan. You know the DR orchestration software does not know whether the VM that I'm supposed to protect actually has a snapshot on the storage array on which its protecting it, right, and so that, in many ways, leads to a lot of risk to customers and it makes the DR plans very fragile because you know, you set a plan on day one and then let's say three months down the line, you know, something got changed in the system and that wasn't caught by the DR orchestration software because it's unlinked. It doesn't have the same visibility into the actual storage system. The advantage we get with the integrated, built-in backup in DR system is that we can actually verify that the virtual machine that you're supposed to protect actually has all the key ingredients that are needed for a successful DR across the stack as well as in target fader ware site. >> It's kind of the perfect use case, a perfect use case for the cloud and I think, you know, there's something even more here is that because of the complexity of the IT infrastructure around DR and the change management challenges that you talked about, the facilities management challenges that all of the sudden an organization becomes, they're in the DR business and they don't want to be in the DR business. (crosstalk) >> Show no value, I mean, really it's not really adding significantly. It's not improving organization. >> That's actually true and I think the way we have tried to tackle that problem, Dave, is kind of going back to the whole premises of this multi-cloud data services. We will make DR, you know, as simple as possible and what we really enable for them to do is to not have to worry about installing any software, not have to worry about upgrading any software, managing any software. It's a, you know, service that they can just enter their DR plans into. It's very intelligent because it's integrated very well with the DVX system. And they can schedule testing. They don't even have to click a button to actually do a plan failover and in case of an actual event, it's just a single click. It's conveniently checked all the time so you kind of take away a lot of the hassles and a lot of the worry and a lot of the risks and make it truly simple, give them a (mumbles) software as a service experience. >> So I'm kind of racking my brain here. Is there anything out there like this that provides an on-demand DR SaaS? >> I don't know of any actually. >> Yeah, I think, so if you you kind of look at the landscape, Sazzala is right, actually there is none and there a few solutions from leading providers that focus on instantiation of a virtual machine on native AWS, but they don't enter the challenge that they have to convert a virtual machine from a VMware virtual machine to an Amazon AMI and that doesn't always work. Secondly, you know, if you run into that kind of a problem, can you really call it true DR because in case of a DR, you want that virtual machine to come up and run and be a valid environment as against just a test-of-use case. >> So the other one is that backup vendors can't do this. Generally, they traditionally can probably, but I think because they are one day behind, they backup once a day, so you can't do DR if you are one day behind. DR wants to be like, okay, I am five minutes behind, I can recover my stuff, right? And then primary vendors like Pure, for example, like whole flash vendors, they focused on just running it, not about backup, but you need the backups to actually make it successful so that you can go back in time if you have ransomware. So you need a combination of both primary and backup and the ability to have it running in the service in the cloud. That's why you need all these pieces to work together. >> So you talked about ransomware a couple of times. Obviously, DR, ransomware, maybe talk a little bit more about some of the other use cases beyond DR. >> So I think that kind of goes back to why we decided to name this feature CloudShift, right? If you think about a traditional DR solution, you would call it something like DR Orchestrator, right, but that's not really the full vision for this product. DR is one of the very important use cases and we talked about how we do that phenomenally well than other solutions out there but what this solution really enables customers to do is actually look at true workload mobility between on-prem and cloud and look at interesting use cases such as ransomware protection. And the reason why we are so great at ransomware protection is because we are an indicated primary and backup from a restart points perspective and in a ransomware situation, you can't really go back to a restart point that's, you know, a day before or two days before. You really want to go down to as many points as you want and because we have this very efficient way of storing these restart points or snapshots in Cloud DVX, you have the ability to instantiate or run a backup which is from sufficiently long time ago, which gives you a great amount of ransomware protection and it's completely isolated from your on-prem copy of that data. >> Let me add one more point to that. So if you just go beyond the DR case, from a developer perspective, right, from a company perspective, developers want a flexible infrastructure to like try new stuff and try new experiments in terms of building new applications for the business, they can try it in the cloud with our platform. And when they're done, for three months, they'll like, you know, have the, because they figured out okay this is how it's going to work, this is how much (mumbles) I need, it's more elastic there. When they're done testing it, whatever they built it, they can click a button with our CloudShift and move it all back on-prem and then now you kind of have it more secure and in an environment you want to. >> Alright, guys, love to see the evolution of your data services, you know, from backup, now DR, other use cases. Congratulations on CloudShift and thanks for explaining it to us. >> Thank you very much. >> Pleasure being here. >> Okay, thanks for watching, everybody. This is Dave Vellante from our Palo Alto Cube studios. We'll see you next time. (inspiring music)

>> Hey, welcome back everyone. We're here live in the Palo Alto Cube studios for our special digital live event sponsored by CA Technologies. I'm here with Peter Burris, Head of Research Wikibon.com, General Manager of Research for SiliconANGLE Media. Peter, you gave the Keynote this morning along with Sudip Datta talking about analytics. Interesting connection. Dave has been around for a while but now it's more instrumental. CA's had analytics, and monitoring for a while, now it's more instrumental. That seems to be the theme we're seeing here with the research that you're representing and your insight around digital business. Some of the leading research on the topic. Your thoughts on how they connect, what should users know about the connection between data and business, CA analytics and data? >> I think two things, John, first off as I kind of mentioned number one is that more devices are going to be more instrumental to the flow of, to the information flow to the data flows are going to create business value, and that's going to increase the need for greater visibility into how each of these things work together individually, but increasingly it's not just about having individual devices or individual things up and running or having visibility into them. You have to understand how they end up interacting with each other and so the whole modern anthropology becomes more important. We need to start finding ways of improving the capability of monitoring while at the same time simplifying it is the only way that we're going to achieve the goal of these increasingly complex infrastructures that nonetheless consistently deliver the business value that the business requires and customers expect. >> It's been interesting, monitoring has been around for awhile, you can monitor this, you can monitor that, you can kind of bring it all together in a database, but as we move to the cloud and you're seeing internet or things as you pointed out, there's a real connection here and the point that I wanted to talk about is, you mentioned the internet as a computer. Okay, which involves, system software kind of thinking, Let's tease that out. I want to unpack that concept because if the internet now is the platform that everyone will be basing and reimagining their business around, how do companies need to figure this out because this is on everyone's mind because it might miss the fact that it costs a hell of a lot of cash just to move stuff from the edge to the cloud or even just architectural strategies. What's that importance of the internet as a computer? >> Well, the notion of internet scale computing has been around for quite sometime. And the folks who take that kind of systems approach to things, may of them are sitting within 50 miles of where we sit right here. In fact, most of them. So, Google looks at the internet as a computer, that it can process. Facebook sees things the same way. So, if you look at some of these big companies that are actually thinking about internet scale computing, any service, any data, anytime, anywhere, then that thinking has started to permeate, certainly Silicon Valley. And in my conversations with CIO's, they increasingly want to think the same way. What is it, what, how do I have to think about my business relative to all of the available resources that are out there so I can have my company think about gaining access to a service wherever it might be. Gaining access to data that would be relevant to my company, wherever it might be. Appropriately moving the data, minimizing the amount of data that I have to move. Moving the events to the data when necessary. So, the, this is, in many respects the architectural question in IT today. How do we think about the way we weave together all these possible resources, possible combinations into something that sustains, sustainably delivers business value in a coherent manageable, predictable way? >> It's interesting, you and I have both seen many waves of innovation going back to the mini computer mainframe days and there used to be departments called data processing and this would be departments that handle analytics and monitoring. But now we're in a new era, a modern era where everything can be instrumented which elevates the notion of a department into a holistic perspective. You brought this up in your talk during the Keynote where it said data has to permeate throughout the organization whether it's IOT edge or wherever, so how do companies move from that department mindset, oh, the department handles the data warehouse or analytics, to a much more strategic, intelligent system? >> Well, that's an interesting question, John. I think it's one of the biggest things a business, you're going to have to think about. On the one hand, our expectations, we will continue to see a department. And the reason why that is, but not in a way that's historically been thought about, one of the reasons why that is, is because the entire business is going to share claims against the capabilities of technology. Marketing's going to lay a claim to it. Sales is going to lay claim to it. Manufacturing and finance are going to lay claims to it. And those claims have to be arbitrated. They have to be negotiated. So there will be a department, a group that's responsible for ensuring that the fundamental plant, the fundamental capabilities of the business are high quality and up and running and sustained. Having said that, the way that that is manifest is going to be much faster, much more local, much more in response to customer needs which often will break down functional type barriers. And so it's going to be this interesting combination of, on the one hand for efficiency and effectiveness standpoint, we're going to sustain that notion of a group that delivers while at the same time, everybody in the business is going to be participating more clearly in establishing the outcomes and how technology achieves those outcomes. It's very dynamic world and we haven't figured out how it's all going to come together. >> Well, we're seeing some trends, now you're seeing the marketing departments and these other departments taking some of that core competence that used to be kind of outsourced to the IT departments so analytics are moving in and data science and so you're seeing the early signs of that. I think modern analytics that CA was talking about was interesting, but I want to get your thoughts on the data value piece cause this is another billion dollar question or gazillion dollar question. Where is the value in the data? And from your research in the impact of digital business, where's the value come from? And how should companies think about extracting that value? >> Well, the value, first off, when we talk about the value of data we perhaps take a little license with the concept. And by that I mean, software to a computer scientist is data. It happens to be the absolutely most structured data you can possibly have. It is data that is so tightly structured that it can actually execute. So we bring software in under that rubric of the value of data. That's one way. The data is the basis for software and how we think about the business actually having consequential actions that are differentiated, increasing the digital world. One of the most important things, ultimately, about data is that unlike virtually every other asset that I can think about, money, labor, materials, all of those different types of assets are dominated by the economics of scarcity. You and I are sitting here having a conversation. I'm not running around and walking my dog right now. I can only do one thing with my time. I may have in my mind, thinking, but I can't create value at the same moment that I'm talking to you. I mean, we can create value here, I guess. Same thing if you have a machine and the machine is applied to pull a wire of a certain diameter, it's not pulling a wire of a different diameter. So these are all assets or sources that are dominated by scarcity. Data's different because the characteristics of data, the things that make data so unique and so interesting is that the same data can be applied to a lot of things at the same time. So we're talking about an asses that can actually amplify business value if it's appropriately utilized. And I think this is one of the, on the one hand, one of the reasons why data is often regarded, it's disposable, is because, oh I can just copy it or I can just do this with it or I can do that with it. It just goes away, it's ephemeral. But on the other hand, why leading businesses and a lot of these digital native companies, but increasing the other companies are now recognizing that with data as an asset, that kind of a thinking, you can apply the same data to a lot of different pursuits at the same time and quite frankly, that's what our customers want to see. Our customers want to see their requests, their needs be matched to capabilities, but also be used to build better products in the future, be used to ensure that the quality of the services that they're getting is high. That their needs are being met, their needs are being responded to. So they want to see data being applied to all these different uses. It's an absolutely essential feature in the future of digital business. >> And you've got to monitor in order to understand it. And for the folks watching, Peter had a great description in his Keynote, go check that video out around the elements of the digital business, how it's all working together. I'll let you go look at that. My final question for you is, you mention in your Keynote, the Wikibon private, true private cloud report. One of the things that's interesting in that graph, again on the Keynote he did present the slide, it's also on Wikibon.com if you're a member of the research subscription. It shows that actually the on premise assets are super valuable and that there's going to be a decline in labor, non differentiated labor or operational labor over the next six, seven years, around 1.6 billion dollars, but it shifts. And I think this was your point. Can you just explain in a little deeper way, the importance of that statistic because what it shows is, yes, automations coming. Whether it's analytics or machine learning and what not, but the value's shifting. Can you talk about that? >> Yeah, the very nature of the work that's performed within what we today call IT operations is shifting. It always has been. So when I was running around inside an IT organization, I remember some of the most frenetic activity that I saw was tape jockeys. We don't have too many tape jockeys in the world anymore, we still have tape, but we don't have a lot of tape jockeys anymore. So the first thing it suggests is that the very nature of the IT work that's going to be performed is going to change over the next few years. It's going to change largely in response to the fact that as folks recognize the value of the data and acknowledge that the placement of data to the event is going to be crucial to achieving that event within the envelope of time that that event requires. That ultimately the slow motion of dev op, which is still a maturing, changing, not broadly adopted set of concepts will start to change the nature of the work that we perform within that shared IT organization we were talking about a second ago. But the second thing it says is that we are going to be called upon to do a lot more work within an IT organization. A digital business is utilizing technology to perform a multitude of activities and that's just going to explode over the course of the next dozen years. So we have this combination of the works going to change, the amount of work that has, that's going to be performed by this group is going to expand dramatically, which means ultimately the only way out of this is the tooling is going to improve. So we expect to see significant advances in the productivity of an individual within an IT organization to support, sustain a digital business. And that's why we start to see some of the down tick in the cost of labor within IT. It's more important, more works going to be performed, but it's pretty clear that the industries now focus on improving that tooling and simplifying the way that that tooling works together. >> And having intelligence. >> Having intelligence, but also simplifying how it works together so it becomes more coherent. That's where we're going to need to improve these new levels of productivity. >> Real quick to end this segment, quickly talk about how CA connects to this because you know, they have modern analytics, they have modern monitoring strategies, the four pillars that you talked about. How do they connect into your research that you're talking about? >> Well I think one of the biggest things that a CIO is going to have to understand over the course of the next few years and we talked about a couple of them is, that this new architecture is not fully baked yet. We don't know what the new computing model is going to look like exactly. You know, not every business is Google. So Google's got a vision of it. Amazon's got a vision of it. But not every business is of those guys. So a lot of work on what is that new computing model? A second thing is this notion of ultimately where is or how is an IT organization going to deliver value? And it's clear that you're not going to deliver value by optimizing a single resource. You're going to deliver value by looking at all of these resources holistically and understand the inner connections and the interplay of these resources and how they achieve the business outcomes. So when I think about CA, I think of two things. First off, it is a company that has been at the vanguard of understanding how IT operations has worked, is working, and will likely continue to work as it evolves. And that's an important thing for a technology company that's serving IT operations to have. The second thing is, CA's core message, CA's tech core message now is evolving from just best of breed to how these things are going to come together. So the notion of modern moddering is to improve the visibility into everything as a holistic whole going back to that notion of, it's not just one device, it's how all devices holistically come together and the moddering fabric that we put in place has to focus on that and not just the productivity of any one piece. >> It's like an early day's test lick, it only gets better as they have that headroom to grow. Peter Burris head of research at Wikibon.com here, for one-on-one conversations, part of the cloud and modern analytics for digital business. Be back with more one-on-one conversations after this short break.