(bright upbeat music) >> Welcome back everyone to theCUBE's live coverage here in Las Vegas for wall-to-wall coverage. It is re:Invent 2022, our 10th year with theCUBE. Dave and I started this journey 10 years ago here at re:Invent. There are two sets, here, a set upstairs. Great content, I'm here with Paul Gillin, my cohost. Paul's out reporting on the floor, doing some interviews. Paul, what do you think so far? It's pretty crazy activity going on here. >> Well, the activity hasn't declined at all. I mean here we are in day three of the show and it's just as busy out there as it was in day one. And there's just an energy here that you can feel, it's palpable. There is a lot of activity around developers, a lot around data. Which actually brings us a good segue into our next guest because one of the leaders in data management in the cloud is MariaDB. And John Bakke is the CRO at MariaDB, and here to talk to us about your cloud version and how open source is going for you. >> Yeah, thanks for having me. >> Paul: Thanks for joining us. >> To get the update on the product, what do you guys do on the relation to AWS? How's that going? Give us a quick update. >> In the relational database? >> No, no. The relationship with AWS >> Oh, with AWS? >> And SkySQL, what's the update? >> There's no relationship that we have that's more important than the AWS relationship. We're building our cloud, our premier cloud service called SkySQL on AWS. And they offer the best in class infrastructure for a SaaS company to build what they're building. And for us, it's a database service, right? And then beyond that, they help you from the business side, right? They try to get you lined up in the marketplace and make it possible for you to work best with customers. And then from a customer perspective, they're super helpful in not only finding prospective customers, but making that customer successful. 'Cause everybody's got a vested interest in the outcome. Right? >> Yeah, a little tongue twister there. Relational data-based relationship. We've got relational databases, we've got unstructured, data is at the center of the value proposition. Swami's keynote today and the Adam CEO's keynote, data and security dominated the keynotes >> John: Yes. >> and the conversations. So, this is real. The customers are really wanting to accelerate the developer experience, >> John: Yep. >> Developer pipe lining, more code faster, more horsepower under the hood. But this data conversation, it just never goes away. The world's keeping on coming around. >> John: It never goes away. I've been in this business for almost 30 years and we're still talking about the same key factors, right? Reliability, availability, performance, security. These things are pervasive in the data management because it's such a critical aspect to success. >> Yeah, in this case of SkySQL, you have both a transactional and an analytical engine in one. >> John: That's correct. >> Right? >> John: Yep. >> And that was a, what has the customer adoption been like of that hybrid, or I guess not a hybrid, but a dual function? >> Yeah. So the thing that makes that important is that instead of having siloed services, you have integrated data services. And a lot of times when you ask a question that's analytical it might depend on a transaction. And so, that makes the entire experience best for the developer, right? So, to take that further, we also, in SkySQL, offer a geospatial offering that integrates with all of that. And then we even take it further than that with distributed database with Xpand or ready to be Xpand. >> A lot of discussion. Geospatial announcement today on stage, just the diversity of data, and your experience in the industry. There's not the one database that rule them all anymore. There's a lot of databases out there. How are customers dealing with, I won't say database for all, 'Cause you need databases. And then you've got real time transactional, you got batch going on, you got streaming data, all kinds of data use cases now, all kind of having to be rolled together. What's your reaction? What's your take on the state of data and databases? >> Yeah, yeah, yeah. So when I started in this business, there were four databases, and now there's 400 databases. And the best databases really facilitate great application development. So having as many of those services in real time or in analytics as possible means that you are a database for everyone or for all users, right? And customers don't want to use multiple databases. Sometimes they feel like they're forced to do that, but if you're like MariaDB, then you offer all of those capabilities in an integrated way that makes the developer move faster. >> Amazon made a number of announcements this morning in the data management area, including geospatial support on RDS, I believe. How do you, I guess, coordinate yourself, your sales message with their sales message, given that you are partners, but they are competing with you in some ways? >> Yeah, there's always some cooperatition, I guess, that happens with AWS in the various product silos that they're offering their customers. For us, we're one of thousands of obviously partners that they have. And we're out there trying to do what our customers want, which is to have those services integrated, not glued together with a variety of different integration software. We want it integrated in the service so that it's one data provision, data capability for the application developer. It makes for a better experience for the developer in the end. >> On the customer side, what's the big activity? I mean, you got the on-premises database, you've got the cloud. When should a customer decide, or what's the signals to them that they should either move to the cloud, or change, be distributed? What are some of the forcing functions? What does the mark look like? >> Yeah, I've come a long way on this, but my opinion is that every customer should be in the cloud. And the reason simply is the economies that are involved, the pace of execution, the resilience and dependability of the cloud, Amazon being the leader in that space. So if you were to ask me, right now is the time to be in SkySQL because it's the premier data service in the cloud. So I would take my customer out of their on-prem and put them all in AWS, on SkySQL, if I could. Not everybody's ready for that, but my opinion is that the security is there, the reliability, the privacy, all of the things that maybe are legacy concerns, it's all been proven to be adequate and probably even better because of all of the economies of scale that you get out of being in the cloud just generally. >> Now, MariaDB, you started on-premise though. You still have a significant customer base on-premise. What, if anything are you doing to encourage them to migrate to the cloud? >> Well, so we have hundreds and hundreds of customers as MariaDB, and we weren't the first database company to put their database in the cloud, but watching it unfold helped us realize that we're going to put MariaDB in its best form factor in SkySQL. It's the only place you could get the enterprise version of MariaDB in a cloud service, right? So when we look at our customers on-prem, we're constantly telling them, obviously, that we have a cloud service. When they subscribe, we show them the efficiencies and the economies, and we do get customers that are moving. We had a customer go to Telefonica over in the UK that moved from an on-premise to manage their wifi services across Europe. And they're very happy. They were one of our very first SkySQL customers. And that has routinely proven itself to be a path towards not only a better operation for the customer, they're up more, they have fewer outages because they're not inflicting their own self wounds that they have in their own data center. They're running on world class infrastructure on world class databases. >> What are some of those self wounds? Is it personnel, kind of manual mistakes, just outages, reliability? What's the real cause, and then what's the benefit alternative in the cloud that is outside? >> Yeah. I mean, I think, when you repeat the same database implementation over and over on the infrastructure, it gets tested thousands and thousands of times. Whereas if I'm a database team and I install it once, I've tested it one time, and I can't account for all of the things that might happen in the future. So the benefit of the cloud is that you just get that repeat ability that happens and all of the sort of the kinks and bugs and issues are worked out of the system. And that's why it's just fundamentally better. We get 99.9999% uptime because all of those mistakes have been made, solved, and fixed. >> Fully managed, obviously. >> Yes. Right. >> Huge benefit. >> John: Right. >> And people are moving, it's just a great benefit. >> John: Yeah. >> So I'm a fan obviously. I think it's a great way to go. I got to ask about the security though, because big conversation here is security. What's the security posture? What's the security story to customers with SkySQL and MariaDB? >> Right, right, right. So we've taken the server, which was the initial product that MariaDB was founded upon, right? And we've come a long way over the several years that we've been in business. In SkySQL, we have SOC 2 compliance, for example. So we've gone through commercial certifications to make sure that customers can depend that we are following processes, we have technology in place in order to secure and protect their data. And in that environment, it is repeatable. So every time a customer uses our DBaaS infrastructure, databases a service infrastructure called SkySQL, they're benefiting from all of the testing that's been done. They go there and do that themselves, they would've to go through months and months of processes in order to reach the same level of protection. >> Now MariaDB is distributed by design. Is that right? >> Yes. So we have a distributed database, it's called Xpand, MariaDB Xpand. And it's an option inside of SkySQL. It's the same cost as MariaDB server, but Xpand is distributed. And the easiest way to understand what distributed database is is to understand what it is not first. What it is not is like every other cloud database. So most of the databases strangely in the cloud are not distributed databases. They have one single database node in a cluster that is where all of the changes and rights happen. And that creates a bottleneck in the database. And that's why there's difficulties in scale. AWS actually talked about this in the keynote which is the difficulty around multi writer in the cloud. And that's what Xpand does. And it spreads out the reads and the rights to make it scalable, more performant, and more resilient. One node goes down, still stays up, but you get the benefit of the consistency and the parallelization that happens in Xpand. >> So when would a customer choose Xpand versus SkySQL Vanilla? >> So we have, I would say a lot of times, but the profile of our customers are typically like financial services, trade stores. We have Samsung Cloud, 500,000 transactions per second in an expand cluster where they run sort of their Samsung cloud for their mobile device unit. We have many customers like that where it's a commercial facing website often or a service where the brand depends on uptime. Okay. So if you're in exchange or if you are a mobile device company or an IOT company, you need those databases to be working all the time and scale broadly and have high performance. >> So you have resiliency built in essentially? >> Yes, yeah. And that's the major benefit of it. It hasn't been solved by anybody other than us in the cloud to be quite honest with you. >> That's a differentiator for sure. >> It is a huge differentiator, and there are a lot of interested parties. We're going to see that be the next discussion probably next year when we come back is, what's the state of distributed database? Because it's really become really the tip of the spear with the database industry right now. >> And what's the benefits of that? Just quickly describe why that's important? >> Obviously the performance and the resilience are the two we just talked about, but also the efficiency. So if you have a multi-node cluster of a single master database, that gets replicated four times, five times over, five times the cost. And so we're taking cost out, adding performance in. And so, you're really seeing a revolution there because you're getting a lot more for a lot less. And whenever you do that, you win the game. Right? >> Awesome. Yeah, that's true. And it seems like, okay, that might be more costly but you're not replicating. >> That's right. >> That's the key. >> Replicating just enough to be resilient but not excessively to be overly redundant. Right. >> Yeah. I find that the conversation this year is starting to unpack some of these cloud native embedded capabilities inside AWS. So are you guys doing more around, on the customer side, around marketplace? Are you guys, how do people consume products? >> Yeah. It's really both. So sometimes they come to us from AWS. AWS might say, "Hey, you know what," "we don't really have an answer." And that's specifically true on the expand side. They don't really have that in their list of databases yet. Right. Hopefully, we'll get out in front of them. But they oftentimes come through our front door where they're a MariaDB customer already, right? There's over a hundred thousand production systems with MariaDB in the world, and hundreds of thousands of users of the database. So they know our brand, not quite as well as AWS, but they know our brand... >> You've got a customer base. >> We do. Right. I mean people love MariaDB. They just think it's the database that they use for application development all the time. And when they see us release an offering like Xpand just a few years ago, they're interested, they want to use that. They want to see how that works. And then when they take it into production and it works as advertised, of course, success happens. Right? >> Well great stuff, John. Great to have you on theCUBE. Paul, I guess time we do the Insta challenge here. New format on theCUBE, we usually say at the end, summarize what's most important story for you or show, what's the bumper sticker? We kind of put it around more of an Instagram reel. What's your sizzle reel? What's your thought leadership statement? 30 seconds >> John: Thought leadership. >> John? >> So the thought leadership is really in scaling the cloud to the next generation. We believe MariaDB's Xpand product will be the the technology that fronts the next wave of database solutions in the cloud. And AWS has become instrumental in helping us do that with their infrastructure and all the help that they give us, I think at the end of the day, when the story on Xpand is written, it's going to be a very fun ride over the next few years. >> John, thank you. CRO, chief revenue officer of MariaDB, great to have you on. >> Thank you. >> 34-year veteran or so in databases. (laughs) >> You're putting a lot of age on me. I'm 29. I'm 29 again. (all laugh) >> I just graduated high school and I've been doing this for 10 years. Great to have you on theCUBE. Thanks for coming on. >> Thanks guys. Yeah. >> Thanks for sharing. >> Appreciate it. >> I'm John Furrier with Paul Gillin here live on the floor, wall-to-wall coverage. We're already into like 70 videos already. Got a whole another day, finish out day three. Keep watching theCUBE, thanks for watching. We'll be right back. (calm music)

(intro upbeat music) >> TheCUBE presents UiPath Forward5, Brought to you by UiPath. >> Welcome to day two of Forward5 UiPath Customer Conference. You're watching theCUBE. My name is Dave Vellante. My co-host is David Nicholson. Yesterday, Dave, we heard about the extension into an enterprise platform. We heard about, from the two CEOs, a new go-to-market strategy. We heard from a lot of customers how they're implementing UiPath generally and automation, specifically, scaling, hyper-automation, and all the buzzwords you hear. Todd Foley is the CDO and CSO of Lydonia Technologies and Devika Saharya is the director of ERP and RPA at MongoDB. Folks, welcome to theCUBE. Thanks for taking time out of your busy day and coming on. >> Thank you Dave. >> Thank you so much. >> So let's start with the roles. So Devika, ERP and RPA. >> Yes. >> It's like peanut butter and jelly, or how do those things relate? What's your, what's your role? >> Absolutely. So I started at Mongo as an ERP manager, and you know, as we were growing, the one thing that came out of, you know, the every year goals for the company, one big goal that came out was how we have to scale. There are so many barriers to scale. How can we become a billion dollar company? What do we need to do? And when we started drilling down into, you know, different areas, we figured it out that people do a lot of stuff manually. It's like comparing sheets, you know, copying data from one place to the other, and so on and so forth. So one thing that we realized was we definitely need some kind of automation. At that time, we didn't know about automation, but we did our own market research and here we are. >> Let's automate. Yeah, right. (Devika laughs) Sounds easy. All right, thank you. Todd, CDO, Chief Data or Chief Dig, and CSO, I'm assuming Chief Data? >> Chief Data. >> And the Chief Information Security Officer. Tell us about Lydonia and also your role. >> Sure, Lydonia, we started just over three years ago. We looked at the RPA market. We saw great opportunity, but we also saw a challenge. We saw that a lot of people had deployed RPA but weren't getting the promised, you know, immediate ROI, rapid deployment that was out there. And when we looked at it, we saw that it really wasn't a technical challenge. Sometimes it was how technology was applied, but there were a lot of things that people were doing in their process and how they were treating RPA, often as if it were traditional technology that slowed them down. So we built our practice, our company, around the idea of being able to help people scale very quickly and drive that faster. And we're finding now with the RPA being pretty ubiquitous, that it's the one thing that's in the greatest demand among our clients. >> Okay, so you're the implementation partner for Mongo, is that right? >> We are. >> Okay, so relatively new. Very new actually, but a specialist. Why'd you choose Lydonia? >> So, that's an interesting question. When we came last year to UiPath Forward, we were looking for, you know, the right kind of people who can, you know, put us on track. We had the technology, we had everything in place, we did the POC, everybody liked it, but we didn't know how to, you know, basically go in that direction. We were missing that direction. And then we, you know, we were doing our homework here, we found, we accidentally stumbled with Lydonia, and I had follow up conversations with Todd, and they were just so tapered. I knew exactly what Todd was explaining me, and we knew we are, we are in safe hands. >> So, where did you start? >> So we, the first thing that we did was a POC for the finance side of business. And right after that POC, we realized that, you know, how much time people were actually investing manually, like things that were done in three to four days was turning into a 30 minute process. And that gave us, you know, the idea that we should start drilling down into different departments and try to find where there are, you know, areas where we can improve. And we did all of that. And then we met with Todd, and Todd explained that how his Reignite process works. So we took Reignite as our first step and, you know, took it from there. We chose one department, we worked with them. We had about 10 processes highlighted, thanks to Todd, he worked with them, and he literally drilled and nailed it down that what we need to do. And as of today, all those 10 are automated. >> Wow. Okay. >> Todd, does this interaction between Lydonia and MongoDB, as a customer, apply equally in the field when you're going out and talking to clients that might be running MongoDB, they might be customers of MongoDB, they may have financial applications that are backended with MongoDB, is there a synergy there that you've been able to gain? >> I think there is. I think there's one thing that's kind of unique about RPA, and that the traditional questions around integration and applicability aren't as important when you have a platform that can work with anything that people can use. I think also, you know, when we look at what we typically do with people, some of the things we see at Mongo are very common use cases you know, across all of our clients. So I, there's definitely the ability for us to take things we've done and have clients get leverage out of them. At the same time, the platform itself is, makes it different than a traditional model where, you know if somebody has worked in a particular area or built an automation for a particular application, there's some kind of utility to do it faster for another client. What we find is that that's not really the case. And that oftentimes we'll compete with people who use different tool sets than UiPath who have that kind of value story around having done it before, we come in and we do it twice as fast as they could. >> So you've, you're a veteran of complex integrations. >> Oh yeah. (Todd laughs) >> I know that from our paths have crossed in the past. So you're saying that in this world of RPA, that this tool set like UiPath as a platform, we've been talking a lot about the difference between being a tool set and being a platform. >> Right. >> That this platform can sort of hover above things without that same layer of complexity, or level of complexity, that you've experienced in the past. Because that speaks to the idea that UiPath, as a platform, is going to work moving forward in a big way. >> Exactly, right. I think we've seen for years and years that regardless of the type of development environment you're using, a developer's value sometimes is based on what reusable libraries they've created, what they have to cut and paste from their old code to be able to do things faster. The challenge with that is it has to be maintained, when things change, they've got to update those libraries. It's a value prop that's very high touch. With UiPath, they've created the ultimate in reusability. The platform, especially since they acquired cloud elements and built all of those API integrations into their platform. The platform maintains the reusability and the libraries in such a way where they're drag and drop from a development standpoint and you don't have to maintain them. It's the ultimate expression of reusability as a platform. >> Yeah, cloud elements, API automation, obviously a key pick by UiPath. Devika, what's the scale of your operation today? Like how many bots and where do you see it going? >> Yes. So we, we started with one bot. Last year we experimented a lot that, you know, we were just trying to make our footprint in the company, trying to understand that, you know, people understand what RPA is, what UiPath is. Initially we got a lot of pushback. We got a pushback from our security team as well, because they could not understand, you know, that what UiPath is and how secure it is. And we had to explain them that how we would host it over AWS, how we will work, how we will not save passwords, et cetera. When we did all of that and they got comfort, we started picking, you know, very small processes around to show, you know, people the capability of RPA and UiPath per se. When we did that, people started just coming with bigger processes, and one specific team that I can think of came that we do, you know, fuzzy logic in Excel, and we do it twice a week, but it takes a lot of time. We automated it, they run it daily, every single day, two times now. And the exponential growth that we saw just with that one automation was mind boggling. I couldn't believe that, you know. We were tracking our insights and we were like, oh my God, what happened? It just blew out of proportion. >> Okay. So then did you need more bots? Are you still running one bot, or? >> Nope. Now at the moment we have nine. >> Okay. >> And we are still looking to grow. >> Okay. So the initial friction, you said there was some, you know, concern, it was primarily security or were there others, people afraid they're going to lose their jobs? Was there any of that? >> There was no risk of losing the job. The major, you know, pushback was, one was from security, the other one was from different system owners because a lot of people were not sure why we want UI access, or why we want API access, and why are we accessing their systems? What type of information we are trying to gather out of their systems. Are we writing into their system? Because a lot of people have issues when we start saying that we will write or override data. So most of the processes that we are working around are either writing, comparing, and reading and comparing, and if it is writing, we take special permission that this is what we are going to do. >> So what did you have to do to get through the security mottle, a AWS SOC 2 report, did you have to show them the UiPath pen test? >> Absolutely. >> Did you have to change any of your processes? What was that sort of punch list like? >> Everything. >> Yeah. >> So we had to start from pen test. We had to start, we had to explain that UiPath is in the process of, you know, acquiring SOC. We also explained that how things are hosted on AWS. We had to, you know, bring our consultants in who explained that how on, on AWS, this will be a very secured way of doing things. And when we did our first process, which was actually for the auditors, which is, you know, interesting. >> Yeah. >> What we did was we did segregation of duties, which I think is very important in every field and every sphere we work in. So for example, the the writeup that we were building for auditors, we made sure that it is approved by a physical or a human, you know, and not everything is done by the bot. The biggest piece of the puzzle was writing, you know, because it was taking a lot of time. People were going into different systems, gathering information, putting it on Excel, and then you know, comparing and submitting it to PWC. >> When you say write, you mean any update to a system of record? >> Correct. >> Required some scrutiny? >> Some scrutiny, yes, yes. >> Okay, initially by a human until there was comfort level and then it's like these bots know what they're doing. >> Correct, correct. >> Okay. And now you're a NetSuite customer, correct? >> Yes. >> That's your ERP? >> That's right. >> Now we were talking about Oracle is going to acquire OCR capabilities. Will that, and we've been talking, Dave and I, a week about, okay well ServiceNow has, you know, RPA, and Salesforce, and SAP, et cetera. How will that affect your thinking about adopting UiPath? >> I don't think it should matter because I think all these systems kind of coexist in a bigger ecosystem, you know, and I also feel that all these systems have their own plus points and minus points. Not one system in, per se, can do everything within a company. So it could be that, for example, NetSuite might be very strong for financials in the space we are in, but not extremely good around sales and marketing. So for that company chose Salesforce. So you know, you have those smaller smaller multiple systems that build into a bigger ecosystem, right. And I think the other piece of the puzzle is that UiPath helps bridge that gap between these systems. You know, it could happen that certain things can get integrated, certain things cannot because of the nature of business, the nature of work that the teams are trying to do. And I think UiPath is leveraging that gap, you know, and putting, you know, those strings together. >> As you scale - >> Mm hmm. >> How will, and Todd I presume you're going to assist in this process, but how will you decide what processes to prioritize, and is that a process driven decision? Is it data led? Both? If so, what kind of data? Can you describe how you guys are going to approach that? >> Yep. Todd, would you like to take that first before I start? >> Sure, yeah. >> Maybe some best practices and then we can maybe get specific to Mongo. >> Absolutely. Our guidance is always that it should be a business decision, right? And it should be data driven, based on a business defined metric around the business case for that particular automation. Our guidance to customers is don't automate it unless you know why you're automating it, and what the value is. We see sometimes there are challenges with people being able to articulate the business case for an automation, and it can almost always be resolved by having that business case be the first step, and qualifying and identifying an automation candidate. >> And how does that apply to Mongo? Do you, where are you thinking about scaling, in your opinion? >> It's interesting because, you know, initially we thought that we will, you know, explore one area in MongoDB. And the other thing that we did was we did road shows. So because we had to create some awareness in the company that we have UiPath there's something called bots. There's something called, you know, automation that we can do, so we created a presentation with small demos inside it and, you know, circulated it within the company. Different departments tried to explain what we can achieve. And based off of that, you know, we came up with a laundry list of all the automations that different departments needed. And out of that, you know, we started doing the business case, the value, you know, trying to come up with complexity, effort. We did a full estimation matrix and based off of that we came, okay, these are the top 20 that we should build first. And as soon as we built those top 20, we saw a skyrocket, you know, growth and - >> And you're looking for hard dollars, right? >> Yes, yes. Absolutely. >> Okay, just to be clear. >> Devika, I think Mongo also is great at taking a data driven approach to looking at their program. Do you want to share how you do that? >> Yes, absolutely. So one thing that we were very sure was we have to talk in terms of numbers because that's the only solid way to see growth. And what we did was, you know, we got insights, we started doing full metrics in terms of dollar saved, hour saved, and we are trying to track how every process is impacting, you know, in the grand scheme of things. Like say for example, for finance, are we shortening the close cycle in any shape or form by doing these two or three automations that we are doing? And I'm happy to report that we have really shortened our close cycle from where we started. >> Your quarter end or month end close. >> Correct, yes. >> Daily? You at the daily close yet, (all laugh) or the "John Chambers"? >> Drive everyone nuts. First I have to say, I could feel the audience sort of smiling as they see, as they hear from MongoDB, disruptor of legacy databases being cautious in their internal approach to change. As everyone else is. >> Exactly, yeah. >> But Todd, just sort of, double clicking on this idea of kind of stove pipes of capabilities in the RPA space. I mean OCR, being added to NetSuite, I'm not sure if that's the greatest example, but the point is Lydonia will work with all of those technologies to synthesize something. Is that correct? Or are you a UiPath only? >> Both. So we exclusively use UiPath with our customers. We don't use other RPA platforms. >> Okay. >> And we don't because, not because we can't, but because we don't believe that anything else is going to be as quick or as effective. Also, it's the only platform that is as broad and comprehensive as it needs to be to deliver outcomes to our customers. We have partnerships with other companies that have gaps where UiPath isn't currently playing, but the number of companies and the number of gaps has shrunk down to almost nothing these days. And we're well placed as UiPath continues to grow their platform to take advantage of that and leverage that to deliver outcomes to customers. >> It was a great story of starting small, being careful. >> Yes. >> And prudent, from a security standpoint, especially as a public company. And then it sounds like there's virtually unlimited opportunity. >> Yes, absolutely, absolutely. >> For you guys. Great story, thank you very much for sharing it. Appreciate it. >> Thank you. >> All right, good luck. All right, thank you for watching. Keep it right there. Dave Nicholson and Dave Vellante will be back from UiPath Forward5 from the Venetian in Las Vegas. Be right back. (upbeat music playing)

(upbeat music) >> Hello, everyone. Welcome back to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four of the ongoing series covering the exciting startups from the AWS ecosystem. And talking about cybersecurity. I'm your host, John Furrier. Excited to have two great guests. Ed Casmer, founder and CEO of Cloud Storage Security, back CUBE alumni, and also James Johnson, AVP of Research and Development at iPipeline. Here to talk about cloud storage security antivirus on S3. James, thanks for joining us today. >> Thank you, John. >> Thank you. >> So the topic here is cloud security, storage security. Ed, we had a great CUBE conversation previously, earlier in the month. Companies are modernizing their apps and migrating the cloud. That's fact. Everyone kind of knows that. >> Yeah. >> Been there, done that. Clouds have the infrastructure, they got the OS, they got protection, but the end of the day, the companies are responsible and they're on the hook for their own security of their data. And this is becoming more permanent now that you have hybrid cloud, cloud operations, cloud native applications. This is the core focus right now in the next five years. This is what everyone's talking about. Architecture, how to build apps, workflows, team formation. Everything's being refactored around this. Can you talk about how organizations are adjusting and how they view their data security in light of how applications are being built and specifically around the goodness of say S3? >> Yep, absolutely. Thank you for that. So we've seen S3 grow 20,000% over the last 10 years. And that's primarily because companies like James with iPipeline are delivering solutions that are leveraging this object storage more and above the others. When we look at protection, we typically fall into a couple of categories. The first one is, we have folks that are worried about the access of the data. How are they dealing with it? And so they're looking at configuration aspects. But the big thing that we're seeing is that customers are blind to the fact that the data itself must also be protected and looked at. And so we find these customers who do come to the realization that it needs to happen, finding out, asking themselves, how do I solve for this? And so they need lightweight, cloud native built solutions to deliver that. >> So what's the blind spot? You mentioned there's a blind spot. They're kind of blind to that. What specifically are you seeing? >> Well so, when we get into these conversations, the first thing that we see with customers is I need to predict how I access it. This is everyone's conversation. Who are my users? How do they get into my data? How am I controlling that policy? Am I making sure there's no east-west traffic there, once I've blocked the north-south? But what we really find is that the data is the key packet of this whole process. It's what gets consumed by the downstream users. Whether that's an employee, a customer, a partner. And so it's really, the blind spot is the fact that we find most customers not looking at whether that data is safe to use. >> It's interesting. When you talk about that, I think about all the recent breaches and incidents. "Incidents," they call them. >> Yeah. >> They've really been around user configurations. S3 buckets not configured properly. >> Absolutely. >> And this brings up what you're saying, is that the users and the customers have to be responsible for the configurations, the encryption, the malware aspect of it. Don't just hope that AWS has the magic to do it. Is that kind of what you're getting at here? Is that the similar, am I correlating that properly? >> Absolutely. That's perfect. And we've seen it. We've had our own customers, luckily iPipeline's not one of them, that have actually infected their end users because they weren't looking at the data. >> And that's a huge issue. So James, let's get in, you're a customer partner. Talk about your relationship with these guys and what's it all about? >> Yeah, well, my pipeline is building a digital ecosystem for life insurance and wealth management industries to enable the sale of life insurance to under-insured and uninsured Americans, to make sure that they have the coverage that they need, should something happen. And our solutions have been around for many years. In a traditional data center type of an implementation. And we're in process now of migrating that to the cloud, moving it to AWS, in order to give our customers a better experience, a better resiliency, better reliability. And with that, we have to change the way that we approach file storage and how we approach scanning for vulnerabilities in those files that might come to us via feeds from third parties or that are uploaded directly by end users that come to us from a source that we don't control. So it was really necessary for us to identify a solution that both solved for these vulnerability scanning needs, as well as enabling us to leverage the capabilities that we get with other aspects of our move to the cloud and being able to automatically scale based on load, based on need, to ensure that we get the performance that our customers are looking for. >> So tell me about your journey to the cloud, migrating to the cloud and how you're using S3 specifically. What led you to determine the need for the cloud based AV solution? >> So when we looked to begin moving our applications to the cloud, one of the realizations that we had is that our approach to storing certain types of data was a bit archaic. We were storing binary files in a database, which is not the most efficient way to do things. And we were scanning them with the traditional antivirus engines that would've been scaled in traditional ways. So as our need grew, we would need to spin up additional instances of those engines to keep up with load. And we wanted a solution that was cloud native and would allow us to scan more dynamically without having to manage the underlying details of how many engines do I need to have running for a particular load at a particular time and being able to scan dynamically. And also being able to move that out of the application layer, being able to scan those files behind the scenes. So scanning in, when the file's been saved in S3, it allows us to scan and release the file once it's been deemed safe rather than blocking the user while they wait for that scan to take place. >> Awesome. Well, thanks for sharing that. I got to ask Ed, and James, same question next. It's, how does all this factor in to audits and self compliance? Because when you start getting into this level of sophistication, I'm sure it probably impacts reporting workflows. Can you guys share the impact on that piece of it? The reporting? >> Yeah. I'll start with a comment and James will have more applicable things to say. But we're seeing two things. One is, you don't want to be the vendor whose name is in the news for infecting your customer base. So that's number one. So you have to put something like this in place and figure that out. The second part is, we do hear that under SOC 2, under PCI, different aspects of it, there are scanning requirements on your data. Traditionally, we've looked at that as endpoint data and the data that you see in your on-prem world. It doesn't translate as directly to cloud data, but it's certainly applicable. And if you want to achieve SOC 2 or you want to achieve some of these other pieces, you have to be scanning your data as well. >> Furrier: James, what's your take? As practitioner, you're living it. >> Yeah, that's exactly right. There are a number of audits that we go through where this is a question that comes up both from a SOC perspective, as well as our individual customers who reach out and they want to know where we stand from a security perspective and a compliance perspective. And very often this is a question of how are you ensuring that data that is uploaded into the application is safe and doesn't contain any vulnerabilities. >> James, if you don't mind me asking, I have to kind of inquire because I can imagine that you have users on your system but also you have third parties, relationships. How does that impact this? What's the connection? >> That's a good question. We receive data from a number of different locations from our customers directly, from their users and from partners that we have as well as partners that our customers have. And as we ingest that data, from an implementation perspective, the way we've approached this, there's a minimal impact there in each one of those integrations. Because everything comes into the S3 bucket and is scanned before it is available for consumption or distribution. But this allows us to ensure that no matter where that data is coming from, that we are able to verify that it is safe before we allow it into our systems or allow it to continue on to another third party whether that's our customer or somebody else. >> Yeah, I don't mean to get in the weeds there, but it's one of those things where, this is what people are experiencing right now. Ed, we talked about this before. It's not just siloed data anymore. It's interactive data. It's third party data from multiple sources. This is a scanning requirement. >> Agreed. I find it interesting too. I think James brings it up. We've had it in previous conversations that not all data's created equal. Data that comes from third parties that you're not in control of, you feel like you have to scan. And other data you may generate internally. You don't have to be as compelled to scan that although it's a good idea, but you can, as long as you can sift through and determine which data is which and process it appropriately, then you're in good shape. >> Well, James, you're living the cloud security, storage security situation here. I got to ask you, if you zoom out and not get in the weeds and look at the board room or the management conversation. Tell me about how you guys view the data security problem. I mean, obviously it's important. So can you give us a level of how important it is for iPipeline and with your customers and where does this S3 piece fit in? I mean, when you guys look at this holistically, for data security, what's the view, what's the conversation like? >> Yeah. Well, data security is critical. As Ed mentioned a few minutes ago, you don't want to be the company that's in the news because some data was exposed. That's something that nobody has the appetite for. And so data security is first and foremost in everything that we do. And that's really where this solution came into play, in making sure that we had not only a solution but we had a solution that was the right fit for the technology that we're using. There are a number of options. Some of them have been around for a while. But this was focused on S3, which we were using to store these documents that are coming from many different sources. And we have to take all the precautions we can to ensure that something that is malicious doesn't make its way into our ecosystem or into our customers' ecosystems through us. >> What's the primary use case that you see the value here with these guys? What's the aha moment that you had? >> With the cloud storage security specifically, it goes beyond the security aspects of being able to scan for vulnerable files, which is, there are a number of options and they're one of those. But for us, the key was being able to scale dynamically without committing to a particular load whether that's under committing or overcommitting. As we move our applications from a traditional data center type of installation to AWS, we anticipated a lot of growth over time and being able to scale up very dynamically, literally moving a slider within the admin console, was key to us to be able to meet our customer's needs without overspending, by building up something that was dramatically larger than we needed in our initial rollout. >> Not a bad testimonial there, Ed. >> I mean, I agree. >> This really highlights the applications using S3 more in the file workflow for the application in real time. This is where you start to see the rise of ransomware other issues. And scale matters. Can you share your thoughts and reaction to what James just said? >> Yeah. I think it's critical. As the popularity of S3 has increased, so has the fact that it's an attack vector now. And people are going after it whether that's to plant bad malicious files, whether it's to replace code segments that are downloaded and used in other applications, it is a very critical piece. And when you look at scale and you look at the cloud native capability, there are lots of ways to solve it. You can dig a hole with a spoon, but a shovel works a lot better. And in this case, we take a simple example like James. They did a weekend migration, so they've got new data coming in all the time, but we did a massive migration 5,000 files a minute being ingested. And like he said, with a couple of clicks, scale up, process that over sustained period of time and then scale back down. So I've said it before, I said it on the previous one. We don't want to get in the way of someone's workflow. We want to help them secure their data and do it in a timely fashion that they can continue with their proper processing and their normal customer responses. >> Frictionless has to be key. I know you're in the marketplace with your antivirus for S3 on the AWS. People can just download it. So people are interested, go check it out. James, I got to ask you and maybe Ed can chime in over the top, but it seems so obvious. Data. Secure the data. Why is it so hard? Why isn't this so obvious? What's the problem? Why is it so difficult? Why are there so many different solutions? It just seems so obvious. You know, you got ransomware, you got injection of different malicious payloads. There's a ton of things going on around the data. Why is, this so obvious? Why isn't it solved? >> Well, I think there have been solutions available for a long time. But the challenge, the difficulty that I see, is that it is a moving target. As bad actors learn new vulnerabilities, new approaches and as new technology becomes available, that opens additional attack vectors. >> Yeah. >> That's the challenge, is keeping up on the changing world including keeping up on the new ways that people are finding to exploit vulnerabilities. >> And you got sensitive data at iPipeline. You do a lot of insurance, wealth management, all kinds of sensitive data, super valuable. This brings me up, reminds me of the Sony hack Ed, years ago. Companies are responsible for their own militia. I mean, cybersecurity is no government help for sure. I mean, companies are on the hook. As we mentioned earlier at the top of this interview, this really is highlighted that IT departments have to evolve to large scale cloud, cloud native applications, automation, AI machine learning all built in, to keep up at the scale. But also from a defense standpoint. I mean, James you're out there, you're in the front lines, you got to defend yourself basically, and you got to engineer it. >> A hundred percent. And just to go on top of what James was saying is, I think there, one of the big factors and we've seen this. There's skill shortages out there. There's also just a pure lack of understanding. When we look at Amazon S3 or object storage in general, it's not an executable file system. So people sort of assume that, oh, I'm safe. It's not executable. So I'm not worried about it traversing my storage network. And they also probably have the assumption that the cloud providers, Amazon is taking care of this for them. And so it's this aha moment. Like you mentioned earlier, that you start to think, oh it's not about where the data is sitting per se. It's about scanning it as close to the storage spot. So when it gets to the end user, it's safe and secure. And you can't rely on the end user's environment and system to be in place and up to date to handle it. So it's that really, that lack of understanding that drives some of these folks into this. But for a while, we'll walk into customers and they'll say the same thing you said, John. Why haven't I been doing this for so long? And it's because they didn't understand that it was such a risk. That's where that blind spot comes in. >> James, it's just a final note on your environment. What's your goals for the next year? How's things going over there on your side? How you look at the security posture? What's on your agenda for the next year? How are you guys looking at the next level? >> Yeah. Well, our goal as it relates to this is to continue to move our existing applications over to AWS to run natively there. Which includes moving more data into S3 and leveraging the cloud storage security solution to scan that and ensure that there are no vulnerabilities that are getting in. >> And the ingestion, is there like a bottlenecks log jams? How do you guys see that scaling up? I mean, what's the strategy there? Just add more S3? >> Well, S3 itself scales automatically for us and the cloud storage solution gives us leverage to pull to do that. As Ed mentioned, we ingested a large amount of data during our initial migration which created a bottleneck for us. As we were preparing to move our users over, we were able to make an adjustment in the admin console and spin up additional processes entirely behind the scenes and broke the log jam. So I don't see any immediate concerns there, being able to handle the load. >> The term cloud native and hyperscale native, cloud native, one cloud's hybrid. All these things are native. We have antivirus native coming soon. And I mean, this is what we're basically doing is making it native into the workflows. Security native. And soon there's going to be security clouds out there. We're starting to see the rise of these new solutions. Can you guys share any thoughts or vision around how you see the industry evolving and what's needed? What's working and what's needed? Ed, we'll start with you. What's your vision? >> So I think the notion of being able to look at and view the management plane and control that has been where we're at right now. That's what everyone seems to be doing and going after. I think there are niche plays coming up. Storage is one of them, but we're going to get to a point where storage is just a blanket term for where you put your stuff. I mean, it kind of already is that. But in AWS, it's going to be less about S3. Less about work docs, less about EVS. It's going to be just storage and you're going to need a solution that can span all of that to go along with where we're already at the management plane. We're going to keep growing the data plane. >> James, what's your vision for what's needed in the industry? What's the gaps, what's working, and where do you see things going? >> Yeah, well, I think on the security front specifically, Ed's probably a little bit better equipped to speak to them than I am since that his primary focus. But I see the need for just expanded solutions that are cloud native that fit and fit nicely with the Amazon technologies. Whether that comes from Amazon or other partners like Cloud Storage Security to fill those gaps. We are focused on the financial services and insurance industries. That's our niche. And we look to other partners like Ed to help be the experts in these areas. And so that's really what I'm looking for, is the experts that we can partner with that are going to help fill those gaps as they come up and as they change in the future. >> Well, James, I really appreciate you coming on, sharing your story and I'll give you the final word. Put a quick, spend a minute to talk about the company. I know Cloud Storage Security is an AWS partner with the security software competency and is one of I think 16 partners listed in the competency and the data category. So take a minute to explain what's going on with the company, where people can find more information, how they buy and consume the products. >> Okay. >> Put the plug in. >> Yeah, thank you for that. So we are a fast growing startup. We've been in business for two and a half years now. We have achieved our security competency as John indicated. We're one of 16 data protection security competent ISV vendors globally. And our goal is to expand and grow a platform that spans all storage types that you're going to be dealing with and answer basic questions. What do I have and where is it? Is it safe to use? And am I in proper control of it? Am I being alerted appropriate? So we're building this storage security platform, very laser focused on the storage aspect of it. And if people want to find out more information, you're more than welcome to go and try the software out on Amazon marketplace. That's basically where we do most of our transacting. So find it there. Start of free trial. Reach out to us directly from our website. We are happy to help you in any way that you need it. Whether that's storage assessments, figuring out what data is important to you and how to protect it. >> All right, Ed. Thank you so much. Ed Casmer, founder and CEO of Cloud Storage Security. And of course James Johnson, AVP of Research and Development, iPipeline customer. Gentlemen, thank you for sharing your story and featuring the company and the value proposition, certainly needed. This is season two, episode four. Thanks for joining us. Appreciate it. >> Casmer: Thanks John. >> Okay. I'm John Furrier. That is a wrap for this segment of the cybersecurity season two, episode four. The ongoing series covering the exciting startups from Amazon's ecosystem. Thanks for watching. (upbeat music)

(upbeat music) >> Hello and welcome to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four of the ongoing series covering the exciting hot startups from the AWS ecosystem. Here we're talking about cybersecurity in this episode. I'm your host, John Furrier here we're excited to have CUBE alumni who's back Snehal Antani who's the CEO and co-founder of Horizon3.ai talking about exploitable weaknesses and vulnerabilities with autonomous pen testing. Snehal, it's great to see you. Thanks for coming back. >> Likewise, John. I think it's been about five years since you and I were on the stage together. And I've missed it, but I'm glad to see you again. >> Well, before we get into the showcase about your new startup, that's extremely successful, amazing margins, great product. You have a unique journey. We talked about this prior to you doing the journey, but you have a great story. You left the startup world to go into the startup, like world of self defense, public defense, NSA. What group did you go to in the public sector became a private partner. >> My background, I'm a software engineer by education and trade. I started my career at IBM. I was a CIO at GE Capital, and I think we met once when I was there and I became the CTO of Splunk. And we spent a lot of time together when I was at Splunk. And at the end of 2017, I decided to take a break from industry and really kind of solve problems that I cared deeply about and solve problems that mattered. So I left industry and joined the US Special Operations Community and spent about four years in US Special Operations, where I grew more personally and professionally than in anything I'd ever done in my career. And exited that time, met my co-founder in special ops. And then as he retired from the air force, we started Horizon3. >> So there's really, I want to bring that up one, 'cause it's fascinating that not a lot of people in Silicon Valley and tech would do that. So thanks for the service. And I know everyone who's out there in the public sector knows that this is a really important time for the tactical edge in our military, a lot of things going on around the world. So thanks for the service and a great journey. But there's a storyline with the company you're running now that you started. I know you get the jacket on there. I noticed get a little military vibe to it. Cybersecurity, I mean, every company's on their own now. They have to build their own militia. There is no government supporting companies anymore. There's no militia. No one's on the shores of our country defending the citizens and the companies, they got to offend for themselves. So every company has to have their own military. >> In many ways, you don't see anti-aircraft rocket launchers on top of the JP Morgan building in New York City because they rely on the government for air defense. But in cyber it's very different. Every company is on their own to defend for themselves. And what's interesting is this blend. If you look at the Ukraine, Russia war, as an example, a thousand companies have decided to withdraw from the Russian economy and those thousand companies we should expect to be in the ire of the Russian government and their proxies at some point. And so it's not just those companies, but their suppliers, their distributors. And it's no longer about cyber attack for extortion through ransomware, but rather cyber attack for punishment and retaliation for leaving. Those companies are on their own to defend themselves. There's no government that is dedicated to supporting them. So yeah, the reality is that cybersecurity, it's the burden of the organization. And also your attack surface has expanded to not just be your footprint, but if an adversary wants to punish you for leaving their economy, they can get, if you're in agriculture, they could disrupt your ability to farm or they could get all your fruit to spoil at the border 'cause they disrupted your distributors and so on. So I think the entire world is going to change over the next 18 to 24 months. And I think this idea of cybersecurity is going to become truly a national problem and a problem that breaks down any corporate barriers that we see in previously. >> What are some of the things that inspired you to start this company? And I loved your approach of thinking about the customer, your customer, as defending themselves in context to threats, really leaning into it, being ready and able to defend. Horizon3 has a lot of that kind of military thinking for the good of the company. What's the motivation? Why this company? Why now? What's the value proposition? >> So there's two parts to why the company and why now. The first part was what my observation, when I left industry realm or my military background is watching "Jack Ryan" and "Tropic Thunder" and I didn't come from the military world. And so when I entered the special operations community, step one was to keep my mouth shut, learn, listen, and really observe and understand what made that community so impressive. And obviously the people and it's not about them being fast runners or great shooters or awesome swimmers, but rather there are learn-it-alls that can solve any problem as a team under pressure, which is the exact culture you want to have in any startup, early stage companies are learn-it-alls that can solve any problem under pressure as a team. So I had this immediate advantage when we started Horizon3, where a third of Horizon3 employees came from that special operations community. So one is this awesome talent. But the second part that, I remember this quote from a special operations commander that said we use live rounds in training because if we used fake rounds or rubber bullets, everyone would act like metal of honor winners. And the whole idea there is you train like you fight, you build that muscle memory for crisis and response and so on upfront. So when you're in the thick of it, you already know how to react. And this aligns to a pain I had in industry. I had no idea I was secure until the bad guy showed up. I had no idea if I was fixing the right vulnerabilities, logging the right data in Splunk, or if my CrowdStrike EDR platform was configured correctly, I had to wait for the bad guys to show up. I didn't know if my people knew how to respond to an incident. So what I wanted to do was proactively verify my security posture, proactively harden my systems. I needed to do that by continuously pen testing myself or continuously testing my security posture. And there just wasn't any way to do that where an IT admin or a network engineer could in three clicks have the power of a 20 year pen testing expert. And that was really what we set out to do, not build a autonomous pen testing platform for security people, build it so that anybody can quickly test their security posture and then use the output to fix problems that truly matter. >> So the value preposition, if I get this right is, there's a lot of companies out there doing pen tests. And I know I hate pen tests. They're like, cause you do DevOps, it changes you got to do another pen test. So it makes sense to do autonomous pen testing. So congratulations on seeing that that's obvious to that, but a lot of other have consulting tied to it. Which seems like you need to train someone and you guys taking a different approach. >> Yeah, we actually, as a company have zero consulting, zero professional services. And the whole idea is that build a true software as a service offering where an intern, in fact, we've got a video of a nine year old that in three clicks can run pen tests against themselves. And because of that, you can wire pen tests into your DevOps tool chain. You can run multiple pen tests today. In fact, I've got customers running 40, 50 pen tests a month against their organization. And that what that does is completely lowers the barrier of entry for being able to verify your posture. If you have consulting on average, when I was a CIO, it was at least a three month lead time to schedule consultants to show up and then they'd show up, they'd embarrass the security team, they'd make everyone look bad, 'cause they're going to get in, leave behind a report. And that report was almost identical to what they found last year because the older that report, the one the date itself gets stale, the context changes and so on. And then eventually you just don't even bother fixing it. Or if you fix a problem, you don't have the skills to verify that has been fixed. So I think that consulting led model was acceptable when you viewed security as a compliance checkbox, where once a year was sufficient to meet your like PCI requirements. But if you're really operating with a wartime mindset and you actually need to harden and secure your environment, you've got to be running pen test regularly against your organization from different perspectives, inside, outside, from the cloud, from work, from home environments and everything in between. >> So for the CISOs out there, for the CSOs and the CXOs, what's the pitch to them because I see your jacket that says Horizon3 AI, trust but verify. But this trust is, but is canceled out, just as verify. What's the product that you guys are offering the service. Describe what it is and why they should look at it. >> Yeah, sure. So one, when I back when I was the CIO, don't tell me we're secure in PowerPoint. Show me we're secure right now. Show me we're secure again tomorrow. And then show me we're secure again next week because my environment is constantly changing and the adversary always has a vote and they're always evolving. And this whole idea of show me we're secure. Don't trust that your security tools are working, verify that they can detect and respond and stifle an attack and then verify tomorrow, verify next week. That's the big mind shift. Now what we do is-- >> John: How do they respond to that by the way? Like they don't believe you at first or what's the story. >> I think, there's actually a very bifurcated response. There are still a decent chunk of CIOs and CSOs that have a security is a compliance checkbox mindset. So my attitude with them is I'm not going to convince you. You believe it's a checkbox. I'll just wait for you to get breached and sell to your replacement, 'cause you'll get fired. And in the meantime, I spend all my energy with those that actually care about proactively securing and hardening their environments. >> That's true. People do get fired. Can you give an example of what you're saying about this environment being ready, proving that you're secure today, tomorrow and a few weeks out. Give me an example. >> Of, yeah, I'll give you actually a customer example. There was a healthcare organization and they had about 5,000 hosts in their environment and they did everything right. They had Fortinet as their EDR platform. They had user behavior analytics in place that they had purchased and tuned. And when they ran a pen test self-service, our product node zero immediately started to discover every host on the network. It then fingerprinted all those hosts and found it was able to get code execution on three machines. So it got code execution, dumped credentials, laterally maneuvered, and became a domain administrator, which in IT, if an attacker becomes a domain admin, they've got keys to the kingdom. So at first the question was, how did the node zero pen test become domain admin? How'd they get code execution, Fortinet should have detected and stopped it. Well, it turned out Fortinet was misconfigured on three boxes out of 5,000. And these guys had no idea and it's just automation that went wrong and so on. And now they would've only known they had misconfigured their EDR platform on three hosts if the attacker had showed up. The second question though was, why didn't they catch the lateral movement? Which all their marketing brochures say they're supposed to catch. And it turned out that that customer purchased the wrong Fortinet modules. One again, they had no idea. They thought they were doing the right thing. So don't trust just installing your tools is good enough. You've got to exercise and verify them. We've got tons of stories from patches that didn't actually apply to being able to find the AWS admin credentials on a local file system. And then using that to log in and take over the cloud. In fact, I gave this talk at Black Hat on war stories from running 10,000 pen tests. And that's just the reality is, you don't know that these tools and processes are working for you until the bad guys have shown. >> The velocities there. You can accelerate through logs, you know from the days you've been there. This is now the threat. Being, I won't say lazy, but just not careful or just not thinking. >> Well, I'll do an example. We have a lot of customers that are Horizon3 customers and Splunk customers. And what you'll see their behavior is, is they'll have Horizon3 up on one screen. And every single attacker command executed with its timestamp is up on that screen. And then look at Splunk and say, hey, we were able to dump vCenter credentials from VMware products at this time on this host, what did Splunk see or what didn't they see? Why were no logs generated? And it turns out that they had some logging blind spots. So what they'll actually do is run us to almost like stimulate the defensive tools and then see what did the tools catch? What did they miss? What are those blind spots and how do they fix it. >> So your price called node zero. You mentioned that. Is that specifically a suite, a tool, a platform. How do people consume and engage with you guys? >> So the way that we work, the whole product is designed to be self-service. So once again, while we have a sales team, the whole intent is you don't need to have to talk to a sales rep to start using the product, you can log in right now, go to Horizon3.ai, you can run a trial log in with your Google ID, your LinkedIn ID, start running pen test against your home or against your network against this organization right now, without talking to anybody. The whole idea is self-service, run a pen test in three clicks and give you the power of that 20 year pen testing expert. And then what'll happen is node zero will execute and then it'll provide to you a full report of here are all of the different paths or attack paths or sequences where we are able to become an admin in your environment. And then for every attack path, here is the path or the kill chain, the proof of exploitation for every step along the way. Here's exactly what you've got to do to fix it. And then once you've fixed it, here's how you verify that you've truly fixed the problem. And this whole aha moment is run us to find problems. You fix them, rerun us to verify that the problem has been fixed. >> Talk about the company, how many people do you have and get some stats? >> Yeah, so we started writing code in January of 2020, right before the pandemic hit. And then about 10 months later at the end of 2020, we launched the first version of the product. We've been in the market for now about two and a half years total from start of the company till present. We've got 130 employees. We've got more customers than we do employees, which is really cool. And instead our customers shift from running one pen test a year to 40, 50 pen test. >> John: And it's full SaaS. >> The whole product is full SaaS. So no consulting, no pro serve. You run as often as you-- >> Who's downloading, who's buying the product. >> What's amazing is, we have customers in almost every section or sector now. So we're not overly rotated towards like healthcare or financial services. We've got state and local education or K through 12 education, state and local government, a number of healthcare companies, financial services, manufacturing. We've got organizations that large enterprises. >> John: Security's diverse. >> It's very diverse. >> I mean, ransomware must be a big driver. I mean, is that something that you're seeing a lot. >> It is. And the thing about ransomware is, if you peel back the outcome of ransomware, which is extortion, at the end of the day, what ransomware organizations or criminals or APTs will do is they'll find out who all your employees are online. They will then figure out if you've got 7,000 employees, all it takes is one of them to have a bad password. And then attackers are going to credential spray to find that one person with a bad password or whose Netflix password that's on the dark web is also their same password to log in here, 'cause most people reuse. And then from there they're going to most likely in your organization, the domain user, when you log in, like you probably have local admin on your laptop. If you're a windows machine and I've got local admin on your laptop, I'm going to be able to dump credentials, get the admin credentials and then start to laterally maneuver. Attackers don't have to hack in using zero days like you see in the movies, often they're logging in with valid user IDs and passwords that they've found and collected from somewhere else. And then they make that, they maneuver by making a low plus a low equal a high. And the other thing in financial services, we spend all of our time fixing critical vulnerabilities, attackers know that. So they've adapted to finding ways to chain together, low priority vulnerabilities and misconfigurations and dangerous defaults to become admin. So while we've over rotated towards just fixing the highs and the criticals attackers have adapted. And once again they have a vote, they're always evolving their tactics. >> And how do you prevent that from happening? >> So we actually apply those same tactics. Rarely do we actually need a CVE to compromise your environment. We will harvest credentials, just like an attacker. We will find misconfigurations and dangerous defaults, just like an attacker. We will combine those together. We'll make use of exploitable vulnerabilities as appropriate and use that to compromise your environment. So the tactics that, in many ways we've built a digital weapon and the tactics we apply are the exact same tactics that are applied by the adversary. >> So you guys basically simulate hacking. >> We actually do the hacking. Simulate means there's a fakeness to it. >> So you guys do hack. >> We actually compromise. >> Like sneakers the movie, those sneakers movie for the old folks like me. >> And in fact that was my inspiration. I've had this idea for over a decade now, which is I want to be able to look at anything that laptop, this Wi-Fi network, gear in hospital or a truck driving by and know, I can figure out how to gain initial access, rip that environment apart and be able to opponent. >> Okay, Chuck, he's not allowed in the studio anymore. (laughs) No, seriously. Some people are exposed. I mean, some companies don't have anything. But there's always passwords or so most people have that argument. Well, there's nothing to protect here. Not a lot of sensitive data. How do you respond to that? Do you see that being kind of putting the head in the sand or? >> Yeah, it's actually, it's less, there's not sensitive data, but more we've installed or applied multifactor authentication, attackers can't get in now. Well MFA only applies or does not apply to lower level protocols. So I can find a user ID password, log in through SMB, which isn't protected by multifactor authentication and still upon your environment. So unfortunately I think as a security industry, we've become very good at giving a false sense of security to organizations. >> John: Compliance drives that behavior. >> Compliance drives that. And what we need. Back to don't tell me we're secure, show me, we've got to, I think, change that to a trust but verify, but get rid of the trust piece of it, just to verify. >> Okay, we got a lot of CISOs and CSOs watching this showcase, looking at the hot startups, what's the message to the executives there. Do they want to become more leaning in more hawkish if you will, to use the military term on security? I mean, I heard one CISO say, security first then compliance 'cause compliance can make you complacent and then you're unsecure at that point. >> I actually say that. I agree. One definitely security is different and more important than being compliant. I think there's another emerging concept, which is I'd rather be defensible than secure. What I mean by that is security is a point in time state. I am secure right now. I may not be secure tomorrow 'cause something's changed. But if I'm defensible, then what I have is that muscle memory to detect, respondent and stifle an attack. And that's what's more important. Can I detect you? How long did it take me to detect you? Can I stifle you from achieving your objective? How long did it take me to stifle you? What did you use to get in to gain access? How long did that sit in my environment? How long did it take me to fix it? So on and so forth. But I think it's being defensible and being able to rapidly adapt to changing tactics by the adversary is more important. >> This is the evolution of how the red line never moved. You got the adversaries in our networks and our banks. Now they hang out and they wait. So everyone thinks they're secure. But when they start getting hacked, they're not really in a position to defend, the alarms go off. Where's the playbook. Team springs into action. I mean, you kind of get the visual there, but this is really the issue being defensible means having your own essentially military for your company. >> Being defensible, I think has two pieces. One is you've got to have this culture and process in place of training like you fight because you want to build that incident response muscle memory ahead of time. You don't want to have to learn how to respond to an incident in the middle of the incident. So that is that proactively verifying your posture and continuous pen testing is critical there. The second part is the actual fundamentals in place so you can detect and stifle as appropriate. And also being able to do that. When you are continuously verifying your posture, you need to verify your entire posture, not just your test systems, which is what most people do. But you have to be able to safely pen test your production systems, your cloud environments, your perimeter. You've got to assume that the bad guys are going to get in, once they're in, what can they do? So don't just say that my perimeter's secure and I'm good to go. It's the soft squishy center that attackers are going to get into. And from there, can you detect them and can you stop them? >> Snehal, take me through the use. You got to be sold on this, I love this topic. Alright, pen test. Is it, what am I buying? Just pen test as a service. You mentioned dark web. Are you actually buying credentials online on behalf of the customer? What is the product? What am I buying if I'm the CISO from Horizon3? What's the service? What's the product, be specific. >> So very specifically and one just principles. The first principle is when I was a buyer, I hated being nickled and dimed buyer vendors, which was, I had to buy 15 different modules in order to achieve an objective. Just give me one line item, make it super easy to buy and don't nickel and dime me. Because I've spent time as a buyer that very much has permeated throughout the company. So there is a single skew from Horizon3. It is an annual subscription based on how big your environment is. And it is inclusive of on-prem internal pen tests, external pen tests, cloud attacks, work from home attacks, our ability to harvest credentials from the dark web and from open source sources. Being able to crack those credentials, compromise. All of that is included as a singles skew. All you get as a CISO is a singles skew, annual subscription, and you can run as many pen tests as you want. Some customers still stick to, maybe one pen test a quarter, but most customers shift when they realize there's no limit, we don't nickel and dime. They can run 10, 20, 30, 40 a month. >> Well, it's not nickel and dime in the sense that, it's more like dollars and hundreds because they know what to expect if it's classic cloud consumption. They kind of know what their environment, can people try it. Let's just say I have a huge environment, I have a cloud, I have an on-premise private cloud. Can I dabble and set parameters around pricing? >> Yes you can. So one is you can dabble and set perimeter around scope, which is like manufacturing does this, do not touch the production line that's on at the moment. We've got a hospital that says every time they run a pen test, any machine that's actually connected to a patient must be excluded. So you can actually set the parameters for what's in scope and what's out of scope up front, most again we're designed to be safe to run against production so you can set the parameters for scope. You can set the parameters for cost if you want. But our recommendation is I'd rather figure out what you can afford and let you test everything in your environment than try to squeeze every penny from you by only making you buy what can afford as a smaller-- >> So the variable ratio, if you will is, how much they spend is the size of their environment and usage. >> Just size of the environment. >> So it could be a big ticket item for a CISO then. >> It could, if you're really large, but for the most part-- >> What's large? >> I mean, if you were Walmart, well, let me back up. What I heard is global 10 companies spend anywhere from 50 to a hundred million dollars a year on security testing. So they're already spending a ton of money, but they're spending it on consultants that show up maybe a couple of times a year. They don't have, humans can't scale to test a million hosts in your environment. And so you're already spending that money, spend a fraction of that and use us and run as much as you want. And that's really what it comes down to. >> John: All right. So what's the response from customers? >> What's really interesting is there are three use cases. The first is that SOC manager that is using us to verify that their security tools are actually working. So their Splunk environment is logging the right data. It's integrating properly with CrowdStrike, it's integrating properly with their active directory services and their password policies. So the SOC manager is using us to verify the effectiveness of their security controls. The second use case is the IT director that is using us to proactively harden their systems. Did they install VMware correctly? Did they install their Cisco gear correctly? Are they patching right? And then the third are for the companies that are lucky to have their own internal pen test and red teams where they use us like a force multiplier. So if you've got 10 people on your red team and you still have a million IPs or hosts in your environment, you still don't have enough people for that coverage. So they'll use us to do recon at scale and attack at scale and let the humans focus on the really juicy hard stuff that humans are successful at. >> Love the product. Again, I'm trying to think about how I engage on the test. Is there pilots? Is there a demo version? >> There's a free trials. So we do 30 day free trials. The output can actually be used to meet your SOC 2 requirements. So in many ways you can just use us to get a free SOC 2 pen test report right now, if you want. Go to the website, log in for a free trial, you can log into your Google ID or your LinkedIn ID, run a pen test against your organization and use that to answer your PCI segmentation test requirements, your SOC 2 requirements, but you will be hooked. You will want to run us more often. And you'll get a Horizon3 tattoo. >> The first hits free as they say in the drug business. >> Yeah. >> I mean, so you're seeing that kind of response then, trial converts. >> It's exactly. In fact, we have a very well defined aha moment, which is you run us to find, you fix, you run us to verify, we have 100% technical win rate when our customers hit a find, fix, verify cycle, then it's about budget and urgency. But 100% technical win rate because of that aha moment, 'cause people realize, holy crap, I don't have to wait six months to verify that my problems have actually been fixed. I can just come in, click, verify, rerun the entire pen test or rerun a very specific part of it on what I just patched my environment. >> Congratulations, great stuff. You're here part of the AWS Startup Showcase. So I have to ask, what's the relationship with AWS, you're on their cloud. What kind of actions going on there? Is there secret sauce on there? What's going on? >> So one is we are AWS customers ourselves, our brains command and control infrastructure. All of our analytics are all running on AWS. It's amazing, when we run a pen test, we are able to use AWS and we'll spin up a virtual private cloud just for that pen test. It's completely ephemeral, it's all Lambda functions and graph analytics and other techniques. When the pen test ends, you can delete, there's a single use Docker container that gets deleted from your environment so you have nothing on-prem to deal with and the entire virtual private cloud tears itself down. So at any given moment, if we're running 50 pen tests or a hundred pen tests, self-service, there's a hundred virtual private clouds being managed in AWS that are spinning up, running and tearing down. It's an absolutely amazing underlying platform for us to make use of. Two is that many customers that have hybrid environments. So they've got a cloud infrastructure, an Office 365 infrastructure and an on-prem infrastructure. We are a single attack platform that can test all of that together. No one else can do it. And so the AWS customers that are especially AWS hybrid customers are the ones that we do really well targeting. >> Got it. And that's awesome. And that's the benefit of cloud? >> Absolutely. And the AWS marketplace. What's absolutely amazing is the competitive advantage being part of the marketplace has for us, because the simple thing is my customers, if they already have dedicated cloud spend, they can use their approved cloud spend to pay for Horizon3 through the marketplace. So you don't have to, if you already have that budget dedicated, you can use that through the marketplace. The other is you've already got the vendor processes in place, you can purchase through your existing AWS account. So what I love about the AWS company is one, the infrastructure we use for our own pen test, two, the marketplace, and then three, the customers that span that hybrid cloud environment. That's right in our strike zone. >> Awesome. Well, congratulations. And thanks for being part of the showcase and I'm sure your product is going to do very, very well. It's very built for what people want. Self-service get in, get the value quickly. >> No agents to install, no consultants to hire. safe to run against production. It's what I wanted. >> Great to see you and congratulations and what a great story. And we're going to keep following you. Thanks for coming on. >> Snehal: Phenomenal. Thank you, John. >> This is the AWS Startup Showcase. I'm John John Furrier, your host. This is season two, episode four on cybersecurity. Thanks for watching. (upbeat music)

(upbeat intro music) >> Hello, everyone. Welcome back to theCube's presentation of the AWS Startup Showcase. This is season two, episode four, of the ongoing series covering the exciting startups from the a AWS ecosystem. Talk about cybersecurity. I'm your host, John Furrier. Here, excited to have two great guests. Ed Casmer, Founder & CEO of Cloud Storage Security. Back, Cube alumni. And also James Johnson, AVP of Research & Development, iPipeline here. Here to talk about Cloud Storage Security, antivirus on S3. Gents, thanks for joining us today. >> Thank you, John. >> Thank you. >> So, the topic here is cloud security, storage security. Ed, we had a great Cube conversation previously, earlier in the month. You know, companies are modernizing their apps and migrating to the cloud. That's fact. Everyone kind of knows that. Been there, done that. You know, clouds have the infrastructure, they got the OS, they got protection. But, the end of the day, the companies are responsible and they're on the hook for their own security of their data. And this is becoming more preeminent now that you have hybrid cloud, cloud operations, cloud-native applications. This is the core focus right now. In the next five years. This is what everyone's talking about. Architecture, how to build apps, workflows, team formation. Everything's being refactored around this. Can you talk about how organizations are adjusting, and how they view their data security in light of how applications are being built and specifically, around the goodness of say, S3? >> Yep, absolutely. Thank you for that. So, we've seen S3 grow 20,000% over the last 10 years. And that's primarily because companies like James with iPipeline, are delivering solutions that are leveraging this object storage more and above the others. When we look at protection, we typically fall into a couple of categories. The first one is, we have folks that are worried about the access of the data. How are they dealing with it? So, they're looking at configuration aspects. But, the big thing that we're seeing is that customers are blind to the fact that the data itself must also be protected and looked at. And, so, we find these customers who do come to the realization that it needs to happen. Finding out like how asking themselves, "How do I solve for this?" And, so, they need lightweight, cloud-native built solutions to deliver that. >> So, what's the blind spot? You mentioned there's a blind spot. They're kind of blind to that. What specifically are you seeing? >> Well, so when we get into these conversations, the first thing that we see with customers is, "I need to predict how I access it." This is everyone's conversation. "Who are my users? How do they get into my data? How am I controlling that policy? Am I making sure there's no east-west traffic there, once I've blocked the north-south?" But, what we really find is that the data is the key packet of this whole process. It's what gets consumed by the downstream users. Whether that's an employee, a customer, a partner. And, so, it's really the blind spot is the fact that we find most customers not looking at whether that data is safe to use. >> It's interesting. You know, when you talk about that, I think about like all the recent breaches and incidents. "Incidents" they call them. >> Yeah. >> They're really been around user configurations. S3 buckets not configured properly. And this brings up what you're saying, is that the users and the customers have to be responsible for the configurations, the encryption, the malware aspect of it. Don't just hope that AWS has the magic to do it. Is that kind of what you're getting at here? Is that the similar? Am I correlating that properly? >> Absolutely. That's perfect. And, and we've seen it. We've had our own customers, luckily, iPipeline's not one of them, that have actually infected their end users, because they weren't looking at the data. >> Yeah. And that's a huge issue. So, James, let's get in, you're a customer-partner. Talk about your relationship with these guys and what's it all about? >> Yeah. Well, iPipeline is building a digital ecosystem for life insurance and wealth management industries to enable the sale of life insurance to underinsured and uninsured Americans, to make sure that they have the coverage that they need should something happen. And, our solutions have been around for many years in a traditional data center type of an implementation. And, we're in process now of migrating that to the cloud, moving it to AWS. In order to give our customers a better experience, better resiliency, better reliability. And, with that, we have to change the way that we approach file storage and how we approach scanning for vulnerabilities in those files that might come to us via feeds from third parties, or that are uploaded directly by end users that come to us from a source that we don't control. So, it was really necessary for us to identify a solution that both solved for these vulnerability scanning needs, as well as enabling us to leverage the capabilities that we get with other aspects of our move to the cloud. Being able to automatically scale based on load, based on need. To ensure that we get the performance that our customers are looking for. >> So, tell me about your journey to the cloud, migrating to the cloud, and how you're using S3. Specifically, what led you to determine the need for the cloud-based AV solution? >> Yeah. So, when we looked to begin moving our applications to the cloud, one of the realizations that we had is that our approach to storing certain types of data, was a bit archaic. We were storing binary files in a database, which is not the most efficient way to do things. And, we were scanning them with the traditional antivirus engines, that would've been scaled in traditional ways. So, as our need grew, we would need to spin up additional instances of those engines to keep up with load. And we wanted a solution that was cloud-native, and would allow us to scan more dynamically without having to manage the underlying details of how many engines do I need to have running for a particular load at a particular time, and being able to scan dynamically and also being able to move that out of the application layer, being able to scan those files behind the scenes. So, scanning in, when the file's been saved in S3. It allows us to scan and release the file once it's been deemed safe, rather than blocking the user while they wait for that scan to take place. >> Awesome. Well, thanks for sharing that. I got to ask Ed and James, same question. And next is, how does all this factor into audits and self-compliance? Because, when you start getting into this level of sophistication, I'm sure it probably impacts reporting, workflows. Can you guys share the impact on that piece of it? The reporting. >> Yeah, I'll start with a comment, and James will have more applicable things to say. But, we're seeing two things. One, is you don't want to be the vendor whose name is in the news for infecting your customer base. So, that's number one. so you have to put something like this in place and figure that out. The second part is, we do hear that under SOC 2, under PCI, different aspects of it, there are scanning requirements on your data. Traditionally, we've looked at that as endpoint data and the data that you see in your on-prem world. It doesn't translate as directly to cloud data, but, it's certainly applicable. And if you want to achieve SOC 2 or you want to achieve some of these other pieces, you have to be scanning your data as well. >> James, what's your take? As practitioner, you're living it. >> Yeah. That's exactly right. There are a number of audits that we go through, where this is a question that comes up both from a SOC perspective, as well as our individual customers, who reach out, and they want to know where we stand from a security perspective and a compliance perspective. And, very often, this is a question of "How are you ensuring that the data that is uploaded into the application is safe and doesn't contain any vulnerabilities?" >> James, if you don't mind me asking. I have to kind of inquire, because I can imagine that you have users on your system, but also you have third parties, relationships. How does that impact this? What's the connection? >> That's a good question. We receive data from a number of different locations. From our customers directly, from their users, and from partners that we have, as well as partners that our customers have. And, as we ingest that data, from an implementation perspective, the way we've approached this, there's minimal impact there in each one of those integrations, because everything comes into the S3 bucket and is scanned before it is available for consumption or distribution. But, this allows us to ensure that no matter where that data is coming from, that we are able to verify that it is safe before we allow it into our systems or allow it to continue on to another third party, whether that's our customer or somebody else. >> Yeah. I don't mean to get in the weeds there, but it's one of those things where, you know, this is what people are experiencing right now. You know, Ed, we talked about this before. It's not just siloed data anymore. It's interactive data. It's third party data from multiple sources. This is a scanning requirement. >> Agreed. I find it interesting, too. I think James brings it up. We've had it in previous conversations, that not all data's created equal. Data that comes from third parties that you're not in control of, you feel like you have to scan and other data you may generate internally. You don't, have to be as compelled to scan that, although it's a good idea. But it's, you can kind of, as long as you can sift through and determine which data is which, and process it appropriately, then you're in good shape. >> Well, James. You're living the cloud security storage security situation, here. I got to ask you if you zoom out, not get in the weeds, and look at kind of the boardroom or the management conversation. Tell me about how you guys view the data security problem. I mean, obviously it's important, right? So, can you give us a level of, you know, how important it is for iPipeline and with your customers and where does this S3 piece fit in? I mean, when you guys look at this holistically, for data security, what's the view? What's the conversation like? >> Yeah. Well, data security is critical. As Ed mentioned a few minutes ago, you don't want to be the company that's in the news because some data was exposed. That's something that nobody has the appetite for. And, so, data security is, first and foremost, in everything that we do. And that's really where this solution came into play and making sure that we had not only a solution, but, we had a solution that was the right fit for the technology that we're using. There are a number of options. Some of them have been around for a while. But this is focused on S3, which we were using to store these documents that are coming from many different sources. And, you know, we have to take all the precautions we can to ensure that something that is malicious doesn't make its way into our ecosystem or into our customers' ecosystems through us. >> What's the primary use case that you see the value here with these guys? What's the "aha" moment that you had? >> With the Cloud Storage Security, specifically, it was really, it goes beyond the security aspects of being able to scan for vulnerable files, which is there are a number of options and, and they're one of those. But for us, the key was being able to scale dynamically without committing to a particular load, whether that's under committing or over committing. As we move our applications from a traditional data center type of installation to AWS, we anticipated a lot of growth over time. And being able to scale up very dynamically, you know, literally moving a slider within the admin console was key to us, to be able to meet our customer's needs without overspending. By building up something that was, dramatically larger than we needed in our initial rollout. >> Not a bad testimonial there, Ed. I mean. >> I agree. >> This is really highlights the applications using S3 more in the file workflow for the application in real time. This is where you start to see the rise of ransomware, other issues and scale matters. Can you share your thoughts and reaction to what James just said? >> Yeah, I think it's critical. I mean, as the popularity of S3 has increased, so has the fact that it's an attack vector now, and people are going after it. Whether that's to plant bad, malicious files, whether it's to replace code segments that are downloaded and used in other applications, it is a very critical piece. And when you look at scale, and you look at the cloud-native capability, there are lots of ways to solve it. You can dig a hole with a spoon, but a shovel works a lot better. And, in this case, you know, we take a simple example like James. They did a weekend migration, so, they've got new data coming in all the time. But, we did a massive migration. 5,000 files a minute being ingested. And, like he said, with a couple of clicks, scale up, process that over a sustained period of time, and then scale back down. So, you know, I've said it before. I said it on the previous one. We don't want to get in the way of someone's workflow. We want to help them secure their data and do it in a timely fashion, that they can continue with their proper processing and their normal customer responses. >> Yeah. Friction always has to be key. I know you're in the marketplace with your antivirus, for S3 on AWS. People can just download it. So, people are interested, go check it out. James, I got to ask you, and maybe Ed can chime in over the top, but, it seems so obvious. Data. Secure the data. Why is it so hard? Why isn't this so obvious? What's the problem? Why is it so difficult? Why are there so many different solutions? It just seems so obvious. You know, you got ransomware, you got injection of different malicious payloads. There's a ton of things going around around the data. Why is this? This is so obvious. Why isn't it solved? >> Well, I think there have been solutions available for a long time. That the challenge, the difficulty that I see is, that it is a moving target. As bad actors learn new vulnerabilities, new approaches. And as new technology becomes available, that opens additional attack vectors. That's the challenge. Is keeping up on the changing world. Including keeping up on the new ways that people are finding to exploit vulnerabilities. >> Yeah. And you got sensitive data at iPipeline. You do a lot of insurance, wealth management, all kinds of sensitive data, super valuable. You know, just brings me up, reminds me of the Sony hack, Ed, years ago. You know, companies are responsible for their own militia. I mean, cybersecurity, there's no government help for sure. I mean, companies are on the hook, as we mentioned earlier at the top of this interview. This really is highlighted that, IT departments and are, have to evolve to large scale cloud, you know, cloud-native applications, automation, AI machine learning all built in, to keep up at the scale. But, also, from a defense standpoint, I mean, James, you're out there, you're in the front lines. You got to defend yourself, basically, and you got to engineer it. >> A hundred percent. And just to go on top of what James was saying is, I think they're one of the big factors, and we've seen this. There's skill shortages out there. There's also just a pure lack of understanding. When we look at Amazon S3 or object storage in general, it's not an executable file system. So, people sort of assume that, "Oh, I'm safe. It's not executable. So, I'm not worried about it traversing my storage network." And they also probably have the assumption that the cloud providers, Amazon, is taking care of this for 'em. And, so, it's this "aha" moment, like you mentioned earlier. That you start to think, "Oh, it's not about where the data is sitting, per se, it's about scanning it as close to the storage spot. So, when it gets to the end user, it's safe and secure. And you can't rely on the end users' environment and system to be in place and up to date to handle it. So, it's that really, that lack of understanding that drives some of these folks into this, but for a while, we'll walk into customers and they'll say the same thing you said, John. "Why haven't I been doing this for so long?" And, it's because they didn't understand that it was such a risk. That's where that blind spot comes in. >> James, it's just a final note on your environment. What's your goals for the next year? How's things going over there in your side? How do you look at the security posture? What's on your agenda for the next year? How do you guys looking at the next level? >> Yeah, well, our goal as it relates to this is, to continue to move our existing applications over to AWS, to run natively there, which includes moving more data into S3 and leveraging the cloud storage security solution to scan that and ensure that it's, that there are no vulnerabilities that are getting in. >> And the ingestion? Is there like a bottlenecks, log jams? How do you guys see that scaling up? I mean, what's the strategy there? More, just add more S3? >> Well, S3 itself scales automatically for us and, the Cloud Storage Solution gives us levers to pull to do that. As Ed mentioned, we ingested a large amount of data during our initial migration, which created a bottleneck for us, as we were preparing to move our users over. We were able to, you know, make an adjustment in the admin console and spin up additional processes entirely behind the scenes and broke the log jam. So, I don't see any immediate concerns there. Being able to handle the load. >> You know, the term cloud-native and, you know, hyperscale-native, cloud-native, OneCloud, it's hybrid. All these things are native. We have anti-virus native coming soon. And I mean, this is what we're. You're basically doing is making it native into the workflows. Security native, and soon there's going to be security clouds out there. We're starting to see the rise of these new solutions. Can you guys share any thoughts or vision around how you see the industry evolving and what's needed, what's working and what's needed? Ed, we'll start with you. What's your vision? >> So, I think the notion of being able to look at and view the management plane and control that, has been where we're at right now. that's what everyone seems to be doing and going after. I think there are niche plays coming up, storage is one of them. But, we're going to get to a point where storage is just a blanket term for where you put your stuff. I mean, it kind of already is that, but, in AWS, it's going to be less about S3, less about work docs, less about EVS. It's going to be just storage and you're going to need a solution that can span all of that, to go along with where we're already at at the management plane. We're going to keep growing the data plane. >> James, what's your vision for what's needed in the industry? What's the gaps? What's working? And where do you see things going? >> Yeah, well, I think on the security front, specifically, Ed's probably a little bit better equipped to speak to them than I am. Since that's his primary focus. But I see the need for just expanded solutions that are cloud-native, that fit and fit nicely with the Amazon technologies, Whether that comes from Amazon or other partners like Cloud Storage Security, to fill those gaps. We're focused on, you know, the financial services and insurance industries. That's our niche. And we look to other partners, like Ed, to help be the experts in these areas. And so that's really what I'm looking for is, you know, the experts that we can partner with that are going to help fill those gaps as they come up and as they change in the future. >> Well, James, I really appreciate you coming on sharing your story. Ed, I'll give you the final word. Put a quick, spend a minute to talk about the company. I know Cloud Storage Security is an AWS partner, with the Security Software Competency. And is one of, I think, 16 partners listed in the competency and data category. So, take a minute to explain, you know, what's going on with the company, where people can find more information, how they buy and consume the products. >> Okay. >> Put the plug in. >> Yeah, thank you for that. So, we are a fast growing startup. We we've been in business for two and a half years, now. We have achieved our Security Competency. As John indicated, we're one of 16 data protection, Security Competent ISV vendors, globally. And, our goal is to expand and grow a platform that spans all storage types that you're going to be dealing with. And answer basic questions. "What do I have and where is it? Is it safe to use?" And, "Am I in proper control of it? Am I being alerted appropriately?" You know, so we're building this storage security platform, very laser-focused on the storage aspect of it. And, if people want to find out more information, you're more than welcome to go and try the software out on Amazon Marketplace. That's basically where we do most of our transacting. So, find it there, start a free trial, reach out to us directly from our website. We are happy to help you in any way that you need it, whether that's storage assessments, figuring out what data is important to you, and how to protect it. >> All right, Ed, thank you so much. Ed Casmer. Founder & CEO of Cloud Storage Security and of course James Johnson, AVP Research & Development, iPipeline customer. Gentlemen, thank you for sharing your story and featuring the company and the value proposition. It's certainly needed. This is season two, episode four. Thanks for joining us. Appreciate it. >> Thanks, John. >> Okay. I'm John Furrier. That is a wrap for this segment of the cybersecurity, season two, episode four. The ongoing series covering the exciting startups from Amazon's ecosystem. Thanks for watching. (gentle outro music)

(upbeat music) >> Hey everyone, welcome to this CUBE conversation. I'm John Furrier, your host of theCUBE here in Palo Alto, California. We've got Sam Kassoumeh, co-founder and chief operating office at SecurityScorecard here remotely coming in. Thanks for coming on Sam. Security, Sam. Thanks for coming on. >> Thank you, John. Thanks for having me. >> Love the security conversations. I love what you guys are doing. I think this idea of managed services, SaaS. Developers love it. Operation teams love getting into tools easily and having values what you guys got with SecurityScorecard. So let's get into what we were talking before we came on. You guys have a unique solution around ratings, but also it's not your grandfather's pen test want to be security app. Take us through what you guys are doing at SecurityScorecard. >> Yeah. So just like you said, it's not a point in time assessment and it's similar to a traditional credit rating, but also a little bit different. You can really think about it in three steps. In step one, what we're doing is we're doing threat intelligence data collection. We invest really heavily into R&D function. We never stop investing in R&D. We collect all of our own data across the entire IPV force space. All of the different layers. Some of the data we collect is pretty straightforward. We might crawl a website like the example I was giving. We might crawl a website and see that the website says copyright 2005, but we know it's 2022. Now, while that signal isn't enough to go hack and break into the company, it's definitely a signal that someone might not be keeping things up to date. And if a hacker saw that it might encourage them to dig deeper. To more complex signals where we're running one of the largest DNS single infrastructures in the world. We're monitoring command and control malware and its behaviors. We're essentially collecting signals and vulnerabilities from the entire IPV force space, the entire network layer, the entire web app player, leaked credentials. Everything that we think about when we talk about the security onion, we collect data at each one of those layers of the onion. That's step one. And we can do all sorts of interesting insights and information and reports just out of that thread intel. Now, step two is really interesting. What we do is we go identify the attack surface area or what we call the digital footprint of any company in the world. So as a customer, you can simply type in the name of a company and we identify all of the domains, sub domains, subsidiaries, organizations that are identified on the internet that belong to that organization. So every digital asset of every company we go out and we identify that and we update that every 24 hours. And step three is the rating. The rating is probabilistic and it's deterministic. The rating is a benchmark. We're looking at companies compared to their peers of similar size within the same industry and we're looking at how they're performing. And it's probabilistic in the sense that companies that have an F are about seven to eight times more likely to experience a breach. We're an A through F scale, universally understood. Ds and Fs, more likely to experience a breach. A's we see less breaches now. Like I was mentioning before, it doesn't mean that an F is always going to get hacked or an A can never get hacked. If a nation state targets an A, they're going to eventually get in with enough persistence and budget. If the pizza shop on the corner has an F, they may never get hacked because no one cares, but natural correlation, more doors open to the house equals higher likelihood someone unauthorized is going to walk in. So it's really those three steps. The collection, we map it to the surface area of the company and then we produce a rating. Today we're rating about 12 million companies every single day. >> And how many people do you have as customers? >> We have 50,000 organizations using us, both free and paid. We have a freemium tier where just like Yelp or a LinkedIn business profile. Any company in the world has a right to go claim the score. We never extort companies to fix the score. We never charge a company to see the score or fix it. Any company in a world without paying us a cent can go in. They can understand what we're seeing about them, what a hacker could see about their environment. And then we empower them with the tools to fix it and they can fix it and the score will go up. Now companies pay us because they want enterprise capabilities. They want additional modules, insights, which we can talk about. But in total, there's about 50,000 companies that at any given point in time, they're monitoring about a million and a half organizations of the 12 million that we're rating. It sounds like Google. >> If you want to look at it. >> Sounds like Google Search you got going on there. You got a lot of search and then you create relevance, a score, like a ranking. >> That's precisely it. And that's exactly why Google ventures invested in us in our Series B round. And they're on our board. They looked and they said, wow, you guys are building like a Google Search engine over some really impressive threat intelligence. And then you're distilling it into a score which anybody in the world can easily understand. >> Yeah. You obviously have page rank, which changed the organic search business in the late 90s, early 2000s and the rest is history. AdWords. >> Yeah. >> So you got a lot of customer growth there potentially with the opt-in customer view, but you're looking at this from the outside in. You're looking at companies and saying, what's your security posture? Getting a feel for what they got going on and giving them scores. It sounds like it's not like a hacker proof. It's just more of a indicator for management and the team. >> It's an indicator. It's an indicator. Because today, when we go look at our vendors, business partners, third parties were flying blind. We have no idea how they're doing, how they're performing. So the status quo for the last 20 years has been perform a risk assessments, send a questionnaire, ask for a pen test and an audit evidence. We're trying to break that cycle. Nobody enjoys it. They're long tail. It's a trust without verification. We don't really like that. So we think we can evolve beyond this point in time assessment and give a continuous view. Now, today, historically, we've been outside in. Not intrusive, and we'll show you what a hacker can see about an environment, but we have some cool things percolating under the hood that give more of a 360 view outside, inside, and also a regulatory compliance view as well. >> Why is the compliance of the whole third party thing that you're engaging with important? Because I mean, obviously having some sort of way to say, who am I dealing with is important. I mean, we hear all kinds of things in the security landscape, oh, zero trust, and then we hear trust, supply chain, software risk, for example. There's a huge trust factor there. I need to trust this tool or this container. And then you got the zero trust, don't trust anything. And then you've got trust and verify. So you have all these different models and postures, and it just seems hard to keep up with. >> Sam: It's so hard. >> Take us through what that means 'cause pen tests, SOC reports. I mean the clouds help with the SOC report, but if you're doing agile, anything DevOps, you basically would need to do a pen test like every minute. >> It's impossible. The market shifted to the cloud. We watched and it still is. And that created a lot of complexity, not to date myself. But when I was starting off as a security practitioner, the data center used to be in the basement and I would have lunch with the database administrator and we talk about how we were protecting the data. Those days are long gone. We outsource a lot of our key business practices. We might use, for example, ADP for a payroll provider or Dropbox to store our data. But we've shifted and we no longer no who that person is that's protecting our data. They're sitting in another company in another area unknown. And I think about 10, 15 years ago, CISOs had the realization, Hey, wait a second. I'm relying on that third party to function and operate and protect my data, but I don't have any insight, visibility or control of their program. And we were recommended to use questionnaires and audit forms, and those are great. It's good hygiene. It's good practice. Get to know the people that are protecting your data, ask them the questions, get the evidence. The challenge is it's point in time, it's limited. Sometimes the information is inaccurate. Not intentionally, I don't think people intentionally want to go lie, but Hey, if there's a $50 million deal we're trying to close and it's dependent on checking this one box, someone might bend a rule a little bit. >> And I said on theCUBE publicly that I think pen test reports are probably being fudged and dates being replicated because it's just too fast. And again, today's world is about velocity on developers, trust on the code. So you got all kinds of trust issues. So I think verification, the blue check mark on Twitter kind of thing going on, you're going to see a lot more of that and I think this is just the beginning. I think what you guys are doing is scratching the surface. I think this outside in is a good first step, but that's not going to solve the internal problem that still coming and have big surface areas. So you got more surface area expanding. I mean, IOT's coming in, the Edge is coming fast. Never mind hybrid on-premise cloud. What's your organizations do to evaluate the risk and the third party? Hands shaking, verification, scorecards. Is it like a free look here or is it more depth to it? Do you double click on it? Take us through how this evolves. >> John it's become so disparate and so complex, Because in addition to the market moving to the cloud, we're now completely decentralized. People are working from home or working hybrid, which adds more endpoints. Then what we've learned over time is that it's not just a third party problem, because guess what? My third parties behind the scenes are also using third parties. So while I might be relying on them to process my customer's payment information, they're relying on 20 vendors behind the scene that I don't even know about. I might have an A, they might have an A. It's really important that we expand beyond that. So coming out of our innovation hub, we've developed a number of key capabilities that allow us to expand the value for the customer. One, you mentioned, outside in is great, but it's limited. We can see what a hacker sees and that's helpful. It gives us pointers where to maybe go ask double click, get comfort, but there's a whole nother world going on behind the firewall inside of an organization. And there might be a lot of good things going on that CISO security teams need to be rewarded for. So we built an inside module and component that allows teams to start plugging in the tools, the capabilities, keys to their cloud environments. And that can show anybody who's looking at the scorecard. It's less like a credit score and more like a social platform where we can go and look at someone's profile and say, Hey, how are things going on the inside? Do they have two-factor off? Are there cloud instances configured correctly? And it's not a point in time. This is a live connection that's being made. This is any point in time, we can validate that. The other component that we created is called an evidence locker. And an evidence locker, it's like a secure vault in my scorecard and it allows me to upload things that you don't really stand for or check for. Collateral, compliance paperwork, SOC 2 reports. Those things that I always begrudgingly email. I don't want to share with people my trade secrets, my security policies, and have it sit on their exchange server. So instead of having to email the same documents out, 300 times a month, I just upload them to my evidence locker. And what's great is now anybody following my scorecard can proactively see all the great things I'm doing. They see the outside view. They see the inside view. They see the compliance view. And now they have the holy grail view of my environment and can have a more intelligent conversation. >> Access to data and access methods are an interesting innovation area around data lineage. Tracing is becoming a big thing. We're seeing that. I was just talking with the Snowflake co-founder the other day here in theCUBE about data access and they're building a proprietary mesh on top of the clouds to figure out, Hey, I don't want to give just some tool access to data because I don't know what's on the other side of those tools. Now they had a robust ecosystem. So I can see this whole vendor risk supply chain challenge around integration as a huge problem space that you guys are attacking. What's your reaction to that? >> Yeah. Integration is tricky because we want to be really particular about who we allow access into our environment or where we're punching holes in the firewall and piping data out out of the environment. And that can quickly become unwieldy just with the control that we have. Now, if we give access to a third party, we then don't have any control over who they're sharing our information with. When I talk to CISOs today about this challenge, a lot of folks are scratching their head, a lot of folks treat this as a pet project. Like how do I control the larger span beyond just the third parties? How do I know that their software partners, their contractors that they're working with building their tools are doing a good job? And even if I know, meaning, John, you might send me a list of all of your vendors. I don't want to be the bad guy. I don't really have the right to go reach out to my vendors' vendors knocking on their door saying, hi, I'm Sam. I'm working with John and he's your customer. And I need to make sure that you're protecting my data. It's an awkward chain of conversation. So we're building some tools that help the security teams hold the entire ecosystem accountable. We actually have a capability called automatic vendor discovery. We can go detect who are the vendors of a company based on the connections that we see, the inbound and outbound connections. And what often ends up happening John is we're bringing to the attention to our customers, awareness about inbound and outbound connections. They had no idea existed. There were the shadow IT and the ghost vendors that were signed without going through an assessment. We detect those connections and then they can go triage and reduce the risk accordingly. >> I think that risk assessment of vendors is key. I was just reading a story about this, about how a percentage, I forget the number. It was pretty large of applications that aren't even being used that are still on in companies. And that becomes a safe haven for bad actors to hang out and penetrate 'cause they get overlooked 'cause no one's using them, but they're still online. And so there's a whole, I called cleaning up the old dead applications that are still connected. >> That happens all the time. Those applications also have applications that are dead and applications that are alive may also have users that are dead as well. So you have that problem at the application level, at the user level. We also see a permutation of what you describe, which is leftover artifacts due to configuration mistakes. So a company just put up a new data center, a satellite office in Singapore and they hired a team to go install all the hardware. Somebody accidentally left an administrative portal exposed to the public internet and nobody knew the internet works, the lights are on, the office is up and running, but there was something that was supposed to be turned off that was left turned on. So sometimes we bring to company's attention and they say, that's not mine. That doesn't belong to me. And we're like, oh, well, we see some reason why. >> It's his fault. >> Yeah and they're like, oh, that was the contractor set up the thing. They forgot to turn off the administrative portal with the default login credentials. So we shut off those doors. >> Yeah. Sam, this is really something that's not talked about a lot in the industry that we've become so reliant on managed services and other people, CISOs, CIOs, and even all departments that have applications, even marketing departments, they become reliant on agencies and other parties to do stuff for them which inherently just increases the risk here of what they have. So there inherently could be as secure as they could be, but yet exposed completely on the other side. >> That's right. We have so many virtual touch points with our partners, our vendors, our managed service providers, suppliers, other third parties, and all the humans that are involved in that mix. It creates just a massive ripple effect. So everybody in a chain can be doing things right. And if there's one bad link, the whole chain breaks. I know it's like the cliche analogy, but it rings true. >> Supply chain trust again. Trust who you trust. Let's see how those all reconcile. So Sam, I have to ask you, okay, you're a former CISO. You've seen many movies in the industry. Co-founded this company. You're in the front lines. You've got some cool things happening. I can almost imagine the vision is a lot more than just providing a rating and score. I'm sure there's more vision around intelligence, automation. You mentioned vault, wallet capabilities, exchanging keys. We heard at re:Inforce automated reasoning, metadata reasoning. You got all kinds of crypto and quantum. I mean, there's a lot going on that you can tap into. What's your vision where you see SecurityScorecard going? >> When we started the company, the rating was the thing that we sold and it was a language that helped technical and non-technical folks alike level the playing field and talk about risk and use it to drive their strategy. Today, the rating just opens the door to that discussion and there's so much additional value. I think in the next one to two years, we're going to see the rating becomes standardized. It's going to be more frequently asked or even required or leveraged by key decision makers. When we're doing business, it's going to be like, Hey, show me your scorecard. So I'm seeing the rating get baked more and more the lexicon of risk. But beyond the rating, the goal is really to make a world a safer place. Help transform and rise the tide. So all ships can lift. In order to do that, we have to help companies, not only identify the risk, but also rectify the risk. So there's tools we build to really understand the full risk. Like we talked about the inside, the outside, the fourth parties, fifth parties, the real ecosystem. Once we identified where are all the Fs and bad things, will then what? So couple things that we're doing. We've launched a pro serve arm to help companies. Now companies don't have to pay to fix the score. Anybody, like I said, can fix the score completely free of charge, but some companies need help. They ask us and they say, Hey, I'm looking for a trusted advisor. A Sherpa, a guide to get me to a better place or they'll say, Hey, I need some pen testing services. So we've augmented a service arm to help accelerate the remediation efforts. We're also partnered with different industries that use the rating as part of a larger picture. The cyber rating isn't the end all be all. When companies are assessing risk, they may be looking at a financial ratings, ESG ratings, KYC AML, cyber security, and they're trying to form a complete risk profile. So we go and we integrate into those decision points. Insurance companies, all the top insurers, re-insurers, brokers are leveraging SecurityScorecard as an ingredient to help underwrite for cyber liability insurance. It's not the only ingredient, but it helps them underwrite and identify the help and price the risk so they can push out a policy faster. First policy is usually the one that's signed. So time to quote is an important metric. We help to accelerate that. We partner with credit rating agencies like Fitch, who are talking to board members, who are asking, Hey, I need a third party, independent verification of what my CISO is saying. So the CISO is presenting the rating, but so are the proxy advisors and the ratings companies to the board. So we're helping to inform the boards and evolve how they're thinking about cyber risk. We're helping with the insurance space. I think that, like you said, we're only scratching the surface. I can see, today we have about 50,000 companies that are engaging a rating and there's no reason why it's not going to be in the millions in just the next couple years here. >> And you got the capability to bring in more telemetry and see the new things, bring that into the index, bring that into the scorecard and then map that to potential any vulnerabilities. >> Bingo. >> But like you said, the old days, when you were dating yourself, you were in a glass room with a door lock and key and you can see who's two folks in there having lunch, talking database. No one's going to get hurt. Now that's gone, right? So now you don't know who's out there and machines. So you got humans that you don't know and you got machines that are turning on and off services, putting containers out there. Who knows what's in those payloads. So a ton of surface area and complexity to weave through. I mean only is going to get done with automation. >> It's the only way. Part of our vision includes not attempting to make a faster questionnaire, but rid ourselves of the process all altogether and get more into the continuous assessment mindset. Now look, as a former CISO myself, I don't want another tool to log into. We already have 50 tools we log into every day. Folks don't need a 51st and that's not the intent. So what we've done is we've created today, an automation suite, I call it, set it and forget it. Like I'm probably dating myself, but like those old infomercials. And look, and you've got what? 50,000 vendors business partners. Then behind there, there's another a hundred thousand that they're using. How are you going to keep track of all those folks? You're not going to log in every day. You're going to set rules and parameters about the things that you care about and you care depending on the nature of the engagement. If we're exchanging sensitive data on the network layer, you might care about exposed database. If we're doing it on the app layer, you're going to look at application security vulnerabilities. So what our customers do is they go create rules that say, Hey, if any of these companies in my tier one critical vendor watch list, if they have any of these parameters, if the score drops, if they drop below a B, if they have these issues, pick these actions and the actions could be, send them a questionnaire. We can send the questionnaire for you. You don't have to send pen and paper, forget about it. You're going to open your email and drag the Excel spreadsheet. Those days are over. We're done with that. We automate that. You don't want to send a questionnaire, send a report. We have integrations, notify Slack, create a Jira ticket, pipe it to ServiceNow. Whatever system of record, system of intelligence, workflow tools companies are using, we write in and allow them to expedite the whole. We're trying to close the window. We want to close the window of the attack. And in order to do that, we have to bring the attention to the people as quickly as possible. That's not going to happen if someone logs in every day. So we've got the platform and then that automation capability on top of it. >> I love the vision. I love the utility of a scorecard, a verification mark, something that could be presented, credential, an image, social proof. To security and an ongoing way to monitor it, observe it, update it, add value. I think this is only going to be the beginning of what I would see as much more of a new way to think about credentialing companies. >> I think we're going to reach a point, John, where and some of our customers are already doing this. They're publishing their scorecard in the public domain, not with the technical details, but an abstracted view. And thought leaders, what they're doing is they're saying, Hey, before you send me anything, look at my scorecard securityscorecard.com/securityrating, and then the name of their company, and it's there. It's in the public domain. If somebody Googles scorecard for certain companies, it's going to show up in the Google Search results. They can mitigate probably 30, 40% of inbound requests by just pointing to that thing. So we want to give more of those tools, turn security from a reactive to a proactive motion. >> Great stuff, Sam. I love it. I'm going to make sure when you hit our site, our company, we've got camouflage sites so we can make sure you get the right ones. I'm sure we got some copyright dates. >> We can navigate the decoys. We can navigate the decoys sites. >> Sam, thanks for coming on. And looking forward to speaking more in depth on showcase that we have upcoming Amazon Startup Showcase where you guys are going to be presenting. But I really appreciate this conversation. Thanks for sharing what you guys are working on. We really appreciate. Thanks for coming on. >> Thank you so much, John. Thank you for having me. >> Okay. This is theCUBE conversation here in Palo Alto, California. Coming in from New York city is the co-founder, chief operating officer of securityscorecard.com. I'm John Furrier. Thanks for watching. (gentle music)

(upbeat music) >> Man: We're good. >> Hey everyone. Welcome back to theCube's live coverage of AWS Summit NYC. We're in New York City, been here all day. Lisa Martin, John Furrier, talking with AWS partners ecosystem folks, customers, AWS folks, you name it. Next up, one of our alumni, rejoins us. Please welcome Anshu Sharma the co-founder and CEO of Skyflow. Anshu great to have you back on theCube. >> Likewise, I'm excited to be back. >> So I love how you guys founded this company. Your inspiration was the zero trust data privacy vault pioneered by two of our favorites, Apple and Netflix. You started with a simple question. What if privacy had an API? So you built a data privacy vault delivered as an API. Talk to us, and it's only in the last three and a half years. Talk to us about a data privacy vault and what's so unique about it. >> Sure. I think if you think about all the key challenges we are seeing in our personal lives when we are dealing with technology companies a lot of anxiety is around what happens to my data, right? If you want to go to a pharmacy they want to know not just your health ID number but they want to know your social security number your credit card number, your phone number and all of that information is actually useful because they need to be able to engage with you. And it's true for hospitals, health systems. It's true for your bank. It's true for pretty much anybody you do business with even an event like this. But then question that keeps coming up is where does this data go? And how is it protected? And the state of the art here has always been to keep kind of, keep it protected when it's in storage but almost all the breaches, all the hacks happen not because you've steal somebody's disc, but because someone enters through an API or a portal. So the question we asked was we've been building different shapes of containers for different types of data. You don't store your logs in a data warehouse. You don't store your analytical data in a regular RDBMS. Similarly, you don't store your passwords and usernames you store them in identity systems. So if PI is so special why isn't it a container that's used for storing PII? So that's how the idea of Pii.World came up. >> So you guys just got a recent funding, a series B financing which means for the folks out there that don't know the inside baseball, must people do, means you're doing well. It's hard to get that round of funding means you're up and growing to the right. What's the differentiator? Why are you guys so successful? Why the investment growth, what's the momentum driver? >> So I think in some ways we took one of the most complex problems, data privacy, like half the people can't even describe like, does data privacy mean like I have to be GDPR compliant or does it actually mean I'm protecting the data? So you have multiple stakeholders in any company. If you're a pharma company, you may have a chief privacy officer, a data officer, this officer, that officer, and all of these people were talking and the answer was buy more tools. So if you look around behind our back, there's probably dozens of companies out there. One protecting data in an API call another protecting data in a database, another one data warehouse. But as a CEO, CTO, I want to know what happens to my social security number from a customer end to end. So we said, if you can radically simplify the whole thing and the key insight was you can simplify it by actually isolating and protecting this data. And this architecture evolved on its own at companies like Apple and other places, but it takes dozens of engineers for those companies to build it out. So we like, well, the pattern will makes sense. It logically kind is just common sense. So instead of selling dozens of tools, we can just give you a very simple product, which is like one API call, you know, protect this data... >> So like Stripe is for a plugin for a financial transaction you plug it into the app, similar dynamic here, right? >> Exactly. So it's Stripe for payments, Twilio for Telephony. We have API for everything, but if you have social security numbers or pan numbers you still are like relying on DIY. So I think what differentiated us and attracted the investors was, if this works, >> It's huge. every company needs it. >> Well, that's the integration has become the key thing. I got to ask you because you mentioned GDPR and all the complexities around the laws and the different regulations. That could be a real blocker in a wet blanket for innovation. >> Anshu: Yes. >> And with the market we're seeing here at, at your Summit New York, small event. 10,000 people, more people here than were at Snowflake Summit as an example. And they're the hottest company in data. So this small little New York event is proven that that world is growing. So why should this wet blanket, these rules slow it down? How do you balance it? 'Cause that's a concern. If you checking all the boxes you're never actually building anything. >> So, you know, we just ran into a couple of customers who still are struggling with moving from the data center to AWS Cloud. Now the fact that here means they want to but something is holding them back. I also met the AI team of Amazon. They're doing some amazing work and they're like, the biggest hindrance for them is making customers feel safe when they do the machine learning. Because now you're opening up the data sets to more people. And in all of those cases your innovation basically stops because CSO is like, look you can't put PII in the cloud unprotected. And with the vault architecture we call it privacy by architecture. So there's a term called privacy by design. I'm like what the, is privacy by design, right? >> John: It's an architecture. (John laughing) >> But if you are an architecture and a developer like me I was like, I know what architecture is. I don't know what privacy by design is. >> So you guys are basically have that architecture by design which means foundational based services. So you're providing that as a service. So other people don't have to build the complex. >> Anshu: Exactly. >> You know that you will be Apple's backend team to build that privacy with you you get all that benefit. >> Exactly. And traditionally, people have had to make compromises. If you encrypt the data and secure it, then you can't use it. Using a proprietary polymorphic encryption technology you can actually have your cake and eat it to. So what that means for customers is, if you want to protect data in Snowflake or REDshare, use Skyflow with it. We have integrations to databases, to data lakes, all the common workflow tools. >> Can you give us a customer example that you think really articulates the value of what Skyflow is delivering? >> Well, I'll give you two examples. One in the FinTech space, one in the health space. So in the FinTech space this is a company called Nomi Health. They're a large payments processor for the health insurance market. And funnily enough, their CTO actually came from Goldman Sachs. He actually built apple card. (John laughing) Right? That if we all have in our phones. And he saw our product and he's like, for my new company, I'm going to just use you guys because I don't want to go hire 20 engineers. So for them, we had a HIPAA compliant environment a PCI compliant environment, SOC 2 compliant environment. And he can sleep better at night because he doesn't have to worry what is my engineer in Poland or Ukraine doing right now? I have a vault. I have rules set up. I can audit it. Everything is logged. Similarly for Science 37, they run clinical trials globally. They wanted to solve data residency. So for them the problem was, how do I run one common global instance? When the rules say you have to break everything up and that's very expensive. >> And so I love this. I'm a customer. For them a customer. I love it. You had me at hello, API integration. I love it. How much does it cost? What's it going to cost me? How do I need to think about my operationalizing? 'Cause I know with an API, I can do that. Am I paying by the usage, by the drink? How do I figure out? >> So we have programs for startups where it's really really inexpensive. We get them credits. And then for enterprises, we basically have a platform fee. And then based on the amount of data PII, we charge them. We don't nickel and dime the customers. We don't like the usage based model because, you don't know how many times you're going to hit an API. So we usually just based on the number of customer records that you have and you can hit them as many time as you want. There's no API limits. >> So unlimited record based. >> Exactly. that's your variable. >> Exactly. We think about you buying odd zero, for example, for authentication you pay them by the number of active users you have. So something similar. >> So you run on AWS, but you just announced a couple of new GTM partners, MuleSoft and plan. Can you talk to us about, start with MuleSoft? What are you doing and why? And the same with VLA? >> Sure. I mean, MuleSoft was very interesting customers who were adopting our products at, you know, we are buying this product for our new applications but what about our legacy code? We can't go in there and add APIs there. So the simplest way to do integration in the legacy world is to use an integration broker. So that's where MuleSoft integration came out and we announced that. It's a logical place for you to swap out real social security numbers with, you know, fake ones. And then we also announced a partnership with SnowFlake, same thing. I think every workload as it's moving to the cloud needs some kind of data protection with it. So I think going forward we are going to be announcing even more partnerships. So you can imagine all the places you're storing PII today whether it's in a call center solution or analytics solution, there's a PII story there. >> Talk about the integration aspect because I love the momentum. I get everything makes secure the customers all these environments, integrations are super important to plug into. And then how do I essentially operate you on my side? Do I import the records? How do you connect to my environment in my databases? >> So it's really, really easy when you encrypt the data and use Skyflow wall, we create what is called a format preserving token, which is essentially replacing a social security number with something that looks like an SSN but it's not. So that there's no schema changes involved. You just have to do that one time swap over and then in terms of integrations, most of these integrations are prebuilt. So Snowflake integration is prebuilt. MuleSoft integration is prebuilt. We're going to announce some new ones. So the goal is for off the table in platforms like Snowflake and MuleSoft, we prebuilt all the integrations. You can build your own. It takes about like a day. And then in terms of data import basically it's the same standard process that you would use with any other data store. >> Got to ask you about data breaches. Obviously the numbers in 2021 were huge. We're seeing so much change in the cyber security landscape ransomware becoming a household word, a matter of when but not if... How does Skyflow help organizations protect themselves or reduce the number of breaches so that they are not the next headline? >> You know, the funny thing about breaches is again and again, we see people doing the same mistakes, right? So Equifax had a breach four years ago where a customer portal, you know, no customer support rep should have access to a 100 million people's data. Like is that customer agent really accessing 100 million? But because we've been using legacy security tools they either give you access or don't give you access. And that's not how it's going to work. Because if I'm going to engage with the pharmacy and airline they need to be able to use my data in multiple different places. So you need to have fine grain controls around it. So I think the reason we keep getting breaches is cybersecurity industry is selling, 10s of billions of dollars worth of tools in the name of security but they cannot be applied at a fine grain level enough. I can't say things like for my call center agent that's living in Phoenix, Arizona they can only verify last four digits, but the same call center worker in Philippines can't even see that. So how do you get all that granular control in place? Is really why we keep seeing data breaches. So the Equifax breach, the Shopify breach the Twitter breaches, they're all the same. Like again and again, it's either an inside person or an external person who's gotten in. And once you're in and this is the whole idea of zero trust as you know. Once you're in, you can access all the data. Zero trust means that you don't assume that you actually isolate PII separately. >> A lot of the cybersecurity issues as you were talking about, are people based. Somebody clicking on something or gaining access. And I always talk to security experts about how do you control for the people aspect besides training, awareness, education. Is Skyflow a facilitator of that in a way that we haven't seen before? >> Yeah. So I think what ends up happening is, people even after they have breaches, they will lock down the system that had the breach, but then they have the same data sitting in a partner database, maybe a customer database maybe a billing system. So by centralizing and isolating PII in one system you can then post roles based access control rules. You can put limitations around it. But if you try to do that across hundreds of DS bases, you're just not going to be able to do it because it's basically just literally impossible, so... >> My final question for you is on, for me is you're here at AWS Summits, 10,000 people like I said. More people here than some big events and we're just in New York city. Okay. You actually work with AWS. What's next for you guys as you got the fresh funding, you guys looking for more talent, what's your next mountain you're going to climb? Tell us what's next for the company. Share your vision, put a plug in for the company. >> Well, it's actually very simple. Today we actually announced that we have a new chief revenue officer who's joining us. Tammy, she's joined us from LaunchDarkly which is it grew from like, you know, single digits to like over nine digits in revenue. And the reason she's joining Skyflow is because she sees the same inflection point hitting us. And for us that means more marketing, more sales, more growth in more geographies and more partnerships. And we think there's never been a better time to solve privacy. Literally everything that we deal with even things like rove evade issues eventually ties back into a issue around privacy. >> Lisa: Yes. >> AWS gets the model API, you know, come on, right? That's their model. >> Exactly. So I think if you look at the largest best companies that have been built in the last 20 years they took something that should have been simple but was not. There used to be Avayas of the world, selling Telephony intel, Twilio came and said, look an API. And we are trying to do the same to the entire security compliance and privacy industry is to narrow the problem down and solve it once. >> (indistinct) have it. We're going to get theCube API. (Lisa laughing) That's what we're going to do. All right. >> Thank you so much. >> Awesome. Anshu, thank you for joining us, talking to us about what's new at Skyflow. It sounds like you got that big funding investment. Probably lots of strategic innovation about to happen. So you'll have to come back in a few months and maybe at next reinvent in six months and tell us what's new, what's going on. >> Last theCube interview was very well received. People really like the kind of questions you guys asked. So I love this show and I think... >> It's great when you're a star like you, you got good market, great team, smart. I mean, look at this. I mean, what slow down are we talking about here? >> Yeah. I don't see... >> There is no slow down on the enterprise. >> Privacy's hot and it's incredibly important and we're only going to be seeing more and more of it. >> You can talk to any CIO, CSO, CTO or the board and they will tell you there is no limit to the budget they have for solving the core privacy issues. We love that. >> John: So you want to move on to building? >> Lisa: Obviously that must make you smile. >> John: You solved a big problem. >> Thank you. >> Awesome. Anshu, thank you again. Congrats on the momentum and we'll see you next time and hear more on the evolution of Skyflow. Thank you for your time. >> Thank you. >> For John furrier, I'm Lisa Martin. You're watching theCube live from New York City at AWS Summit NYC 22. We'll be right back with our next guest. So stick around. (upbeat music)

(gentle music) >> Welcome back to theCUBE's continuous coverage of AWS re:Invent 2021. I'm your host, Lisa Martin. We are running one of the industry's most important and largest hybrid tech events of the year with AWS and its ecosystem partners. We have two live sets, two remote sites, and over a hundred guests on the program talking about the next decade in cloud innovation. I'm pleased to welcome Jon Bakke, Chief Revenue Officer from Maria DB as my next guest. Jon, welcome to the program. >> Thanks for having me, Lisa. >> Talk to me a little bit about MariaDB. What makes it unique? What differentiates it? What gaps in the market does it address? >> Yeah, so we have a lot of passion here at MariaDB because we are, at the end of the day, we're the backbone of services used by people everyday, all over the world. In fact, you might not realize that, but you've probably hit a MariaDB database in the past 60 minutes. It's true. For example, if you're using a Samsung mobile phone, we provide data services for the Samsung cloud. In fact, we've provided services for 5G networks all over the globe. And so at the end of the day, we actually process trillions of transactions per day. And I think that's really cool. >> Awesome. Talk to me a little bit about the key problems. You mentioned Samsung. Big fan, lots of Samsung devices in the house. Talk to me about some of the key problems that MariaDB SkySQL specifically solves for customers. What are they coming to you, looking for them, looking for help for? >> Yeah, so we launched SkySQL and AWS earlier this year. It's become wildly popular. And so SkySQL overcome some of the limitations of the cloud. 1.0, 2.0 era. In fact, we went from having zero customers to a slew of customers in just a short period of time. There are a ton of pent up demand from MariaDB and distributed SQL in particular, and that's our Xpand product. And where Samsung uses Xpand is, they use it to store data for the phones, just like, you might if you're an iPhone user on the iCloud, they have the Samsung cloud. So what we do is we provide expanding database services for them, for a large user base across the globe. And they do that because they just can't get the scale out of some of the community databases that are offered by the major CSPs. >> And obviously that scale is critical. We've seen so much change in the last year and a half, two years with growth, with acceleration to cloud acceleration of digital. Talk to me about what you seen as the CRO of the company from a customer lens perspective. How has the last 20 months really affected acceleration, adoption, of Maria's technologies? >> Yeah, so, I'm a geek at heart. I grew up in the database business. In fact, I've been in the database business for 30 years and during the last 20 months during the pandemic, and even before that, companies like MariaDB strive to create a beautiful database and what it really is a beautiful database. It's a database that is flushed with features that make applications work. Lightweight, portable, and fast for the cloud, but still reliable and familiar so that application developers can use it for multiple workloads. So when it comes to the database industry, we're still going after those characteristics and we provide world-class support. My team just rocks it for our customers. And it's really important to them to get that. And at the end of the day, our costs while at the end of the day, we're the least expensive. So it really is a beautiful database and we're very proud of it. >> Beautiful database that's the least expensive. That sounds like music to probably a lot of companies ears. Talk to me about where it went. Obviously AWS, you mentioned SkySQL was launched earlier this year on AWS? >> That's correct. Yep. >> Talk to me a little bit more about the capabilities there, the partnership that Maria and AWS have, what you bring to your customers. >> Yeah, so we have a great partnership with AWS. They provide a tremendous levels of support to help startups like MariaDB get going satisfactory and everything about their go-to market strategy to make enabled partners like us. But we have a customer that is, well, they're a major trading application on the internet and they were an AWS customer, right? So they were an existing AWS customer, but they were struggling with some of the community databases in AWS to find that scale and that elasticity that they were looking for on their platform. So enter MariaDB Xpand, where we can scale a relational database out far and wide to make it possible for a customer like that. Who's really pushing the limits of what a database needs to do to remain an AWS customer. So in this particular case, we worked with AWS to land them on SkySQL and use Xpand, a distributed database technology. So we went together and that's a really great story for everybody. >> Talk to me about some of the technical requirements, as we've seen so much change in the last 20 months, as I said, but so much growth and scale and needs are changing so dynamically. What are some of the key technical requirements of the database to keep up with that? And how does MariaDB exhibit those? >> Yeah, that's a great question. So in distributed SQL, in particular, which I see as sort of the next wave of database, particularly in the cloud, right? The database needs to leverage familiar application paradigms like relational and document databases do and connection protocols so that existing applications connect to those. But at the end, they have to be highly scalable for the cloud by design and highly available in the cloud by design. Xpand just screams. It's really fast. It's really reliable. And transactional integrity is inherent to the architecture. So our customers love it. And so really, what's not to love about a database that does all of those things? >> What's not to love about a beautiful database? That speed. I mean, the speed is critical. I think one of the many things that we've learned in the last interesting couple of years of our lives is that real time is no longer a nice to have, right? Nobody wants a less data, slower. That ability to deliver real-time data, real-time analytics is critical for businesses in any company as we're seeing. And you're probably seeing this as a CRO, every company becoming a software company, or leaning to. >> Absolutely, yeah. Some of our biggest customers are major SAS providers. So if you work for a business that is using ServiceNow, one of the largest SAS companies in the world, you're using MariaDB every day, billions and billions of transactions by service, now on an hourly basis and it's all in the cloud. So when we look at how we've evolved to this point, we're offering services to companies big and small, we're being tested by companies like ServiceNow and their infrastructure on a regular basis. >> What are some of the trends that you're seeing as we... And 22 months or so in this pandemic, what are some of the market trends that you're seeing from a scalability perspective? And what is it that a distributed SQL database can deliver to help customers meet those trends? >> Well, certainly, I think when you look at what is a good database for the cloud in the future, it really does need to have the features that make applications work. So you had mentioned analytical databases and transactional databases. One thing that is inherent to our strategy, is the ability to use hybrid approach to transactional and analytical because a lot of applications are both at the end of the day. And why use two different databases in order to get there? Right? Our database is lightweight and fast. It's portable. It's reliable and familiar to the customer and versatile in the workload. So those are the things that are trending at the conclusion of sort of this year going into next year, as we roll out more technology in subsequent versions, we'll just enhance those capabilities, make it possible for even more and more workloads to find their way into SkySQL. >> And talk about the adoption of cloud, the acceleration. We've been talking about that a lot in the last year and a half about the acceleration of digital transformation, the acceleration to cloud. It was so critical for so many businesses, especially if you think of the SAS adoption, the collaboration tools, but what are some of the things that you're seeing? How are you helping customers on that migration journey? >> Yeah. So migration is a key element there. there are customers leading older proprietary database technology. There are customers trying to enhance their cloud experience and go from the early cloud databases up to more modern architectures. And so migration is a constant activity that we work with our customers on. And so over the years, just as a matter of course, we've become better and better at getting database workloads from proprietary, older databases, even other open source databases onto MariaDB, so that we can consume those workloads and get those in the cloud and make them work for customers better than they ever have before. >> And I'm curious as the Chief Revenue Officer, how your customer conversations have evolved in the last year or so, where is cloud database security? Where are those things with respect to the level of conversations that you're having with customers? And is that conversation going up the stack? >> Yeah, so the security has always been a key cornerstone of the database industry, really, when you think about it, database is information assurance and confidentiality is a key tenant to information security and information assurance in general. So it's always an ever present in the discussion. MariaDB is enhancing its list of compliance that we've gone through, like SOC 2, we're on the precipice of that. We've got ISO certifications and we have US Department of Defense install guys that are secure for a MariaDB. All sorts of activity around that, to make it possible for customers to standardize on MariaDB. We have customers that have taken out every ounce of their legacy, relational database, the older incumbents, and replace that with lighter weight MariaDB, because we have the security qualifications, but we also meet their functional needs and their information assurance needs. And so that's whats made us really successful. >> In addition to compliance, you talked about this database being beautiful. You described what you meant by that, but also you said least expensive. So I'm wondering from a business outcome perspective, are customers all across the board, reducing TCO, leveraging MariaDB? >> Absolutely. And in cases where we displace a proprietary database, the TCO can reduce by as much as 90%. And so it's very attractive to customers that are looking for the next wave. Not only do we take them to a lower cost, but we bring them to a more modern multi-cloud architecture. So AWS is our primary focus for certain in this conversation but also just generally because there's such a huge install base. But they do like the option of being able to say, "Hey, I can use this database on any cloud. It works everywhere. And the vendor that makes it is supporting it in all environments." So for us, that's a huge strong point in terms of what makes our business run. >> And we're seeing so much, we're talking so much about Hybrid, Hybrid IT, Hybrid Cloud, Hybrid work from anywhere environments. So I imagine MariaDB runs on, obviously AWS, but Azure, Google cloud platform, so that customers that are in that multi-cloud world and those that will be can take advantage of the services. >> That's correct. So Azure is in our near term pipeline or roadmap for the cloud, but we're already present in GCP and we're available in other clouds as well. >> Excellent. So talk to me a little bit about what customers can do. Can they test out MariaDB? Can they test out SkySQL, Xpand? If so, where do they go? How do they get their hands on it? >> Right, so existing AWS customers, they can get to SkySQL on the AWS marketplace, right? It's incredibly easy. AWS customers go to the marketplace. They can find us by doing a search. But not to be outdone, there are customers that aren't on AWS and they can come to MariaDB.com. You can start SkySQL there and select AWS as the deployment cloud and try it for free. It's super cool. It's really easy. >> I'm just curious. What's the typical deployment time from the free trial POC to deployment? What do you normally see from a time distinct band perspective? >> Oh yeah, customers are up and running with a live database in just a few minutes. >> Minutes? >> Yep. >> Minutes up to 90% TCO. Big business outcomes there that affect every business in every industry. John, we appreciate you coming on, talking to us about MariaDB, the solutions that you offer, and how you're partnering with AWS and where folks can go to get started. >> Thank you. >> He's Jon Bakke. I'm Lisa Martin. You're watching theCUBE's continuous coverage of AWS re:Invent 2021. Stick around, more coverage coming up next. (peaceful music)

(upbeat music) >> Welcome to the Q3 AWS Startup Showcase. I'm Lisa Martin. I'm pleased to welcome Knox Anderson, the VP of Product Management, from Sysdig, to the program. Knox, welcome. >> Thanks for having me, Lisa. >> Excited to uncover Sysdig. Talk to me about what you guys do. >> So Sysdig, we are a secure DevOps platform, and we're going to really allow customers to secure the entire lifecycle of an application from source to production. So give you the ability to scan IAC for security best practices, misconfiguration, help you facilitate things like image scanning as part of the build process, and then monitor runtime behavior for compliance or threats, and then finish up with incident response, so that you can respond to and recover from incidents quickly. >> What are some of the main challenges that you're solving and have those changed in the last 18 months? >> I'd say the main challenge people face today is a skills gap with Kubernetes. Everyone wants to use Kubernetes, but the amount of people that can operate those platforms is really difficult. And then getting visibility into the apps, that's running in those environments is also a huge challenge. So with Sysdig, we provide just an easy way to get your Kubernetes clusters instrumented, and then provide strong coverage for threat detection, compliance, and then observability for those environments. >> One of the things that we've seen in the last 18 months is a big change in the front landscape. So, I'm very curious to understand how you're helping customers navigate some of the major dynamics that are going on. >> Yeah, I'd say, the adoption of cloud and the adoption of Kubernetes have, have changed drastically. I'd say every single week, there's a different environment that has a cryptomining container. That's spun up in there. Obviously, if the price of a Bitcoin and things like that go up, there's more and more people that want to steal your resources for mining. So, we're seeing attacks of people pulling public images for Docker hub onto their clusters, and there's a couple of different ways that we'll help customers see that. We have default Falco rules, better vetted by the open source community to detect cryptomining. And then we also see a leading indicator of this as some of the metrics we, we collect for resource abuse and those types of things where you'll see the CPU spike, and then can easily identify some workload that could have been compromised and is now using your resources to mine Bitcoin or some other alt-coin. >> Give me a picture of a Sysdig customer. Help me understand the challenges they had, why they chose you and some of the results that they're achieving. >> Yeah, I used to say that we were very focused on financial services, but now everyone is doing Kubernetes. Really where we get introduced to an organization is they have their two or three clusters that are now in production and I'm going through a compliance audit, or it's now a big enough part of my estate that I need to get security for this Kubernetes and cloud environment. And, so we come in to really provide kind of the end-to-end tools that you would need for that compliance audit or to meet your internal security guidelines. So they'll usually have us integrated within their Dev pipelines so that developers are getting actionable data about what they need to do to make sure their workloads are as secure as possible before they get deployed to production. So that's part of that shift, left mindset. And then the second main point is around runtime detection. And that's where we started off by building our open source tool Falco, which is now a CNCF project. And that gives people visibility into the common things like, who's accessing my environment? Are there any suspicious connections? Are my workloads doing what they expected? And, those types of things. >> Since the threat landscape has changed so much in the last year and a half, as I mentioned. Are the conversations you're having with customers changing? Is this something at the C-suite or the board level from a security and a visibility standpoint? >> I think containers and Kubernetes and cloud adoption under the big umbrella of digital transformation is definitely at board level objective. And then, that starts to trickle down to, okay, we're taking this app from my on-prem data center, it's now in the cloud and it has to meet the twenty security mandates have been meeting for the last fifteen years. What am I going to do? And so definitely there's practitioners that are coming in and picking tools for different environments. But, I would definitely say that cloud adoption and Kubernetes adoption are something that everyone is trying to accelerate as quickly as possible. >> We've seen a lot of acceleration of cloud adoption in the last eighteen months here, right? Now, something that I want to get into with you is the recent executive order, the White House getting involved. How is this changing the cybersecurity discussion across industries? >> I really like how they kind of brought better awareness to some of the cybersecurity best practices. It's aligned with a lot of the NIST guidance that's come out before, but now cloud providers are picking, private sector, public sector are all looking at this as kind of a new set of standards that we need to pay attention to. So, the fact that they call out things like unauthorized access, you can look at that with Kubernetes audit logs, cloud trail, a bunch of different things. And then, the other term that I think you're going to hear a lot of, at least within the federal community and the tech community, over the next year, is this thing called an 'S bomb', which is for, which is a software bill of materials. And, it's basically saying, "as I'm delivering software to some end user, how can I keep track of everything that's in it?" A lot of this probably came out of solar winds where now you need to have a better view of what are all the different components, how are those being tracked over time? What's the life cycle of that? And, so the fact that things like S bombs are being explicitly called out is definitely going to raise a lot of the best practices as organizations move. And then the last point, money always talks. So, when you see AWS, Azure, Google all saying, we're putting 10, 10 billion plus dollars behind this for training and tooling and building more secure software, that's going to raise the cybersecurity industry as a whole. And so it's definitely driving a lot of investment and growth in the market. >> It's validation. Absolutely. Talk to me about some of the, maybe some of the leading edges that you're seeing in private sector versus public sector of folks and organizations who are going alright, we've got to change. We've got to adopt some of these mandates because the landscape is changing dramatically. >> I think Kubernetes at auction goes hand in hand with that, where it's a declarative system. So, the way you define your infrastructure and source code repost is the same way that runs in production. So, things like auditing are much easier, being able to control what's in your environment. And then containers, it's much easier to package it once and then deploy it wherever you want. So container adoption really makes it easier to be more secure. It's a little tricky where normally like you move to something that's bleeding edge, and a lot of things become much harder. And there's operational parts that are hard about Kubernetes. But, from a pure security perspective, the apps are meant to do one thing. It should be easy to profile them. And so definitely I think the adoption of more modern technology and things like cloud services and Kubernetes is a way to be more secure as you move into these environments. >> Right? Imagine a way to be more secure and faster as well. I want to dig in now to the Sysdig AWS partnership. Talk to me about that. What do you guys do together? >> AWS is a great partner. We, as a company, wouldn't be able to deliver our software without AWS. So we run our SAS services on Amazon. We're in multiple regions around the globe. So we can deliver that to people in Europe and meet all the GDPR requirements and those kinds of things. So from a, a vendor partnership perspective, it's great there. And then on a co-development side, we've had a lot of success and a fun time working with the Fargate team, Fargate is a service on Amazon, that makes it easier for you to run your containers without worrying about the underlying compute. And so they faced the challenge about a year and a half ago where customers didn't want to deploy on Fargate because they couldn't do deeper detection and incident response. So we worked together to figure out different hooks that Amazon could provide to open source tools like Falco or commercial products like Sysdig. So then customers could meet those incident response needs, and those detection needs for Fargate. And really, we're seeing more and more Fargated option as kind of more and more companies are moving to the cloud. And, you don't want to worry about managing infrastructure, a service like Fargate is a great place to get started there. >> Talk to me a little bit about your joint. Go to mark. Is there a joint go-to-market? I should say. >> Yeah, we sell through the AWS marketplace. So customers can procure Sysdig software directly though AWS. It'll end up on your AWS bill. You can kind of take some of your committed spend and draw it down there. So that's a great way. And then we also work closely with different solutions architects teams, or people who are more boots on the ground with different AWS customers trying to solve those problems like PCI-compliance and Fargate, or just building a detection and response strategy for EKS and those types of things. >> Let's kind of shift gears now and talk about the role of open source, in security. What is Sysdig's perspective? >> Yeah, so the platform, open source is a platform, is something that driving more and more adoption these days. So, if you look at like the fundamental platform like Kubernetes, it has a lot of security capabilities baked in there's admission controllers, there's network policies. And so you used to buy a firewall or something like that. But with Kubernetes, you can enforce services, service communication, you put a service mesh on top of that, and you can almost pretend it's a WAF sometimes. So open source is building a lot of fundamental platform level security, and by default. And then the second thing is, we're also seeing a rise of just open source tools that traditionally had always come from commercial products. So, there's things like OPA, which handle authorization, which is becoming a standard. And then there's also projects like Falco, that provide an easy way for people to do IDS use cases and auditing use cases in these environments. >> Last question for you. Talk to me about some of the things that you're most excited about. That's coming down here. We are at, this is the, our Q3 AWS Startup Showcase, but what are some of the things that you're most excited about in terms of being able to help customers resolve some of those challenges even faster? >> I think there's more and more Kubernetes standardization that's going on. So a couple of weeks ago, Amazon released EKS Anywhere, which allows companies who still have an on-prem footprint to run Kubernetes locally the same way that they would run it in the cloud. That's only going to increase cloud adoption, because once you get used to just doing something that matches the cloud, the next question you're going to answer is, okay, how fast can I move that to the cloud? So that's something I'm definitely really excited about. And then, also, the different, or AWS is putting a lot of investment behind tools like security hub. And we're doing a lot of native integrations where we can publish different findings and events into security hubs, so that different practitioners who are used to working in the AWS console can remediate those quickly without ever kind of leading that native AWS ecosystem. And that's a trend I expect to see more and more of over time, as well. >> So a lot of co-innovation coming up with AWS. Where can folks go to learn more information? Is there a specific call to action that you'd like to point them to? >> The Sysdig blog is one of the best sources that I can recommend. We have a great mixture of technical practitioner content, some just one-oh-one level, it's, I'm starting with container security. What do I need to know? So I'd say we do a good job of touching the different areas and then really the best way to learn about anything is to get hands-on. We have a SAS trial. Most of the security vendors have something behind a paywall. You can come in, get started with us for free and start uncovering what's actually running in your infrastructure. >> Knox, let's talk about the secure DevOps movement. As we see that DevOps is becoming more and more common, how is it changing the role of security? >> Yeah, so a lot of traditional security requirements are now getting baked into what a DevOps team does day-to-day. So the DevOps team is doing things like implementing IAC. So your infrastructure is code, and no changes are manually made to environments anymore. It's all done by a Terraform file, a cloud formation, some code that's representing what your infrastructure looks at. And so now security teams, or sorry, these DevOps teams have to bake security into that process. So they're scanning their IAC, making sure there's not elevated privileges. It's not doing something, it shouldn't. DevOps teams, also, traditionally, now are managing your CI/CD Pipeline. And so that's where they're integrating scanning tools in as well, to go in and give actionable feedback to the developers around things like if there's a critical vulnerability with a fix, I'm not going to push that to my registry. So it can be deployed to production. That's something a developer needs to go in and change. So really a lot of these kind of actions and the day-to-day work is driven by corporate security requirements, but then DevOps has the freedom to go in and implement it however they want. And this is where Sysdig adds a lot of value because we provide both monitoring and security capabilities through a single platform. So that DevOps teams can go into one product, see what they need for capacity planning, chargebacks, health monitoring, and then in the same interface, go in and see, okay, is that Kubernetes cluster meeting my SOC 2 controls? How many images have my developers submitted to be scanned over the past day? And all those kinds of things without needing to learn to how to use four or five different tools? >> It sounds to me like a cultural shift almost in terms of the DevOps, the developers working with security. How does Sysdig help with that? If that's a cultural shift? >> Yeah, it's definitely a cultural shift. I see some people in the community getting angry when they see oh we're hiring for a Head of DevOps. They're like DevOps is a movement, not a person. So would totally agree with that there, I think the way we help is if you're troubleshooting an issue, if you're trying to uncover what's in your environment and you are comparing results across five different products, it always turns into kind of a point the finger, a blame game. There's a bunch of confusion. And so what we think, how we help that cultural shift, is by bringing different teams and different use cases together and doing that through a common lens of data, user workflows, integrations, and those types of things. >> Excellent. Knox, thank you for joining me on the program today, sharing with us, Sysdig, what you do, your partnership with AWS and how customers can get started. We appreciate your information. - Thank you. For Knox Anderson. I'm Lisa Martin. You're watching the cube.

(upbeat music) >> Hey everyone, I'm John Furrier with The Cube, we're here in Palo Alto, California for a remote interview and session for The Cube presents AWS startup showcase, the next big thing in AI security in life sciences. I'm John Furrier. We're here with a great segment on cloud. Next big thing in Cloud with Chaos Search, Thomas Hazel, Chief Technology and Science Officer of Chaos Search joined by Jeremy Foran, the head of data analytics, the bad boy of data analyst as they say, but BAI communications, Jeremy Thomas, great to have you on. >> Great to be here. >> Pleasure to be here. >> So we're going to be talking about applying large scale log analytics to building the future of the transit industry. Obviously Telco's a big part of that, smart cities, you name the use case self-driving trucks, cars, you name it, everything's now edge. That the edge is super valuable, it's a new kind of last mile if you will, it's moving fast, it's mobile. This is a huge deal. Let's get into it, Thomas. What's this big story around this, this session? >> Well, we provide unique ability to take all that edge data and drive it into a data lake offering that we provide data analytics, both in logs, BI and coming out with ML there this year into next. So our unique play is transforming customers' cloud outer storage into an analytical platform. And really, I think with BIA is a log analytics specifically where, you know there's a lot of data streams from all those devices going into a lake that we transform their lake into analytics for driving, I guess, operational analysis. >> You know, Jeremy, I remember back in the day, I'm old enough to remember when the edge was the remote switch or campus hub or something. And then even on the Telco side, there was no wifi back in 2000 and you know, someone was driving in a car and you got any signal, you're lucky. Now you got, you know, no perimeter you have unlimited connectivity everywhere. This has opened up more of an Omni channel data problem. How do you see that world? Because you still got more devices pushing out at this edge and it's getting super local, right? Even on the body, even on people in the car. So certainly a lot of change on the infrastructure side. What does that pose for data challenge? >> Yeah, I, I would say that, you know users always want more, more bandwidth, more performance and that requires us to create more systems that require more complexity to deliver that user experience that we're, we're very proud of. And with that complexity means, you know exponentially more data. And so one of the wifi networks we offer in the Toronto subway system, T-connect, you know we see a 100-200,000 unique users a day and you can imagine just the amount of infrastructure to support that so that everyone has a seamless experience and can get their news and emails and even stream media while they're waiting for the subway. >> So you guys provide state of the art infrastructure for cell, wifi, broadcast, radio, IP networks, basically I mean, I call it the smart city kind of go-to. But that's basically anything involving kind of that edge piece. This is a huge thing. So as smart cities are on the table, which and you seeing 5G being called more of an enterprise app where there's feeding large dense areas of people this is now a new modern version of what I would call the, the smart city blueprint. What's changed in your mind on this whole modernization of this smart city infrastructure concept? What's new? What's cutting edge? >> Yeah. I would say that, you know there was an explosion of data and a lot of our insights aren't coming from one system anymore. It's coming from collecting data from all of the different pieces, the different infrastructure whether that's your fiber infrastructure or your wireless infrastructure, and then to solve problems you need to correlate data across those systems. So we're seeing more and more technologies that allow you to do that correlation. And that's really where we're finding tons of value, right? >> Thomas, take us through what you guys do as a, as a, as a product, a value proposition, the secret sauce, and and why I'm here with Jeremy? Why is this conversation important for the folks watching? What's the connection between Chaos Search and BAI communication? >> Well, it's data, right? And lots of it. So our unique platform allows people like Jeremy to stream all this data, right? In you know, today's world terabytes go to petabytes really easily, billions go to trillion really easily, and so providing the analysis of that data for their operations is challenging particularly based on technology and architectures that have been around for a long time. So what we do here at Chaos Search is the ability for BIA to stream all these devices, all these services into one centralized data lake on their cloud outer storage, where we connect to that cloud outer storage and transform it into an analytical database to do, in this case log analytics and do it seamlessly, easily where a new workload a new stream just streams into that lake. And we, as a service take over, we discover we index it and publish well-known open API and visualization so that they can focus on their business, not all the operational data pipeline, database and data engineering type work that again, at these types of scales is is frankly a nightmare. >> You know, one of the things that we've always observed on The Cube when you see new things come out that are really cool groundbreaking products like you guys are doing it's always a challenge to manage the cost and complexity of bringing in the new. So Jeremy, take us through this tech stack here because you know, it's, sometimes it might be unwieldy just in from a tech stack perspective, nevermind the business logic or the business processes that got to be either unwound or changed. Can you take us through the IT stack that's critical to support your, your area? >> Yeah, absolutely. So with all the various different equipment you know, to provide our public wifi and and our desks, carrier agnostic, LT and 5G networks, you know, we need to be able to adhere to PCI compliance and ISO 27,000, so that, you know, requires us to keep a tremendous amount of our data. And the challenge we were facing is how do we do that cost effectively, and not have to make any sort of compromises on how we do that? A lot of times you'll find you don't know the value of your data today until tomorrow. An example would be COVID. You know, we, when we were storing data two years ago we weren't planning for a pandemic, but now that we were able to retain that data and look back we can see a tremendous amount of value with trying to forecast how our systems will recover when things get back to normal. And so when I met Thomas and we were sort of talking about how we were going to solve some of these data retention problems, he started explaining to me their compression in some of the performance metrics of their profession. And, you know, I said, oh, middle out compression. And it was a bit, it's been a bit of a running joke between me and him and I'm sure others, but it's incredibly impressive the amount of data we're able to store at the kind of cost, right? >> What, what problem does, did he solve for you? Because I mean, these guys, honestly, you know the startups have a lot and the Cloud's enabling more value now, we're seeing this, but when you look at this what was your, what was your core problem that you had? >> Yeah, so we, when you we want to be able to, I mean, primarily this is for our CIS log server. And CIS long servers today aren't what they were 10, 15 years ago where you just sort of had a machine and if something broke you went and looked, right? Now, they're very complex, that data is feeding to various systems and third-party software. So, you know, we're actively looking for changes in patterns and we have our, you know security teams auditing these from, for penetration testing and such. And then the getting that data to S3 so that we could have it in case, you know, for two, three years of storage. Well, the problem we were facing is all of that all of these different systems we needed to feed and retain data, we couldn't do that on site. We wanted to do use S3 but when we were doing some projections, it's like, we, we don't really have the budget for all of these places. Meeting Thomas and, and working with Chaos Search, you know, using their compression brought those costs down drastically. And then as we've been working with them the really exciting thing is they we're bringing more and more features to that surface or offering. So, you know, first it was just storing that data away. And now we're starting to build solutions off of that sitting in storage. So that's where it gets really exciting because you know, there, it's nothing to start getting anomaly detection off those logs, which, you know originally it was just, we need to store them in case somebody needs them two, three years from now. >> So Thomas Thomas, if I get this right then what I'm hearing is obviously I've put aside the complexity and the governing side the regulations for a minute just generally. Data retention as, as a key value proposition and having data available when you need it and then to do that and doing it in a very cost-effective simple way. It sounds like what you guys are offering. Is that right? >> Yeah, I mean, one key aspect of our solution is retention, right? Those are a lot of the challenges, but at the same time we provide real time notification like a classic log analytic type platform, alerting, monitoring. The key thing is to bringing both those worlds together and solving that problem. And so this, you know, middle in middle out, well, to be frank, we created a new technology called what we call Chaos Index that is a database index that is wonderfully small as as we're indicating, but also provides all the features that makes Cloud object storage, high performance. And so the idea is that use this lake offering to store all your data in a cost effective way but our service allows you to analyze it both in a long retention perspective as well as real-time perspective and bringing those two worlds together is so key because typically you have Silo Solutions and whether it's real-time at scale or retention scale the cost complexity and time to build out those solutions I know Jeremy knows also, well, a lot of folks come to us to solve those problems because you know when you're dealing with, you know terabytes and up, you know these things get complicated and to be frank, fall over quite often. >> Yeah. Let me, let me just ask you the question that's probably on everyone's mind who's watching and you guys probably have both heard this many times, because a lot of people just throw the data lake solution around like it's, you know why they whitewash their kind of old legacy solutions with data lake, store it on data lake. It's been called a data swamp. So people are fearful that, okay. I love this idea of a data lake, who doesn't like throwing data into a repository, having it available at will with notifications, all this secret magic beans that just magically create value. But I doubt that, I don't want to turn into a data swamp. So Thomas and Jeremy, talk about that, that concern. How do you mitigate that? How do you talk to that? Because if done properly, there's huge value in having a control plane or some sort of data system that is going to be tied in with signals and just storage retention. So I see the value. How do you manage the concern that people might say, Hey, I don't want to date a swamp? >> Yeah, I'll jump into that. So, you know, let's just be frank, Hadoop was a great tool for a very narrow scenario. I think that data swamp came out because people were using the tooling in an incorrect way. I've always had the belief that data lakes are the future. You just have the right to have the right service the right philosophy to leverage it. So what we do here at Chaos Search is we allow you to organize it, discover it, automatically index that data so that swamp doesn't get swampy. You know, when you stream data into your lake how do you organize it, such that it's has a nice stream? How do you transform that data into a value? So with our service we actually start where the storage begins, not a end point, not an archive. So we have tooling and services that keep your lake from being swampy to be, to be clear. And, but the key value is the benefits of the lake, the cost effectiveness, the reliability, security, the scale, those are all the benefits. The problem was that no one really made cloud offer storage a first-class citizen and we've done that. We've dressed the swamp nature but provided all the value of analysis. And that cost metrics, that scale. No one can touch cloud outer storage, it just, you can't. But what we've done is cracked the code of how you make it analytical. >> Jeremy, I want to get your thoughts on this too, on your side I mean, as a practitioner and customer of, of of these solutions, you know, the concern is am I missing anything? And I've been a big proponent of data retention for many, many years. You know, Dave Alondra in our Cube knows all know that I bang on the table all the time, store your data, be a data hoarder, because it's going to come back and be valuable. Costs are going down so I'm a big fan of data retention. But the fear might be on, what am I missing? Because machine learning starts to come in down the road you got AI, the more data you have that's accessible in real time, the more machine learning is effective. Do you, do you worry about missing anything or do you just store everything? >> We, we store everything. Sometimes it's, it's interesting where the value and insights come from your data. Something that see, might seem trivial today down the road offers tremendous, tremendous value. So one of the things we do is provide because we have wifi in the subway infrastructure, you know taking that wifi data, we can start to understand the flow of people in and out of the subway network. And we can take that and provide insights to the rail operators, which get them from A to B quicker. You know, when we built the wifi it wasn't with the intention of getting Torontonians across the city faster. But that was one of the values that we were able to get from the data in terms of, you know, Thomas's solution, I think one of the reasons we we engaged him in the first place is because I didn't believe his compression. It sounded a little too good to be true. And so when it was time to try them out, you know all we had to do was ship data to an S3 bucket. You know, there's tons of, of solutions to do that. And, and data shippers right out of the box. It took a few, you know, a few minutes and then to start exploring the data was in Cabana, which is or their dashboard, which is, you know, an interface that's easy to use. So we were, you know, within a two days getting the value out of that data that we were looking for which is, you know, phenomenal. We've been very happy. >> Thomas, sounds like you've got a great, great testimonial here and it's not like an easy problem that he's living in there. I mean, I think, you know, I was mentioning this earlier and we're going to get into it now. There's regulations and there's certain compliance issues. First of all, everyone has this now problem now, it's not just within that space. But just the technical complexities of packets moving around I got on my wifi and the stop here, I'm jumping over here, and there's a ton of data it's all over the place, it's totally unstructured. So it's a tough, tough test for you guys, Chaos Search. So yeah, it's almost like the Mount Everest of customer testimonials. You've got to, it's a big, it's a big use case here. How does this translate to other clients? And talk about this governance and security controls because I know this highly regulated and you got there's penalties involved on his side of the world and Telco, the providers that have these edge devices there's actually penalties and, and whatnot so, not just commercial, it's maybe a, you know risk management, but here there's actually penalties. >> Absolutely. So, you know centralizing your data has a real benefit of of not getting in trouble, right? So you have one place, you store one place that's a good thing, but what we've done and this was a key aspect to our offering is we as Chaos, Chaos Search folks, we don't own the customer's data. We don't own BIA's data. They own the data. They give us access rights, very standard way with Cloud App storage roll on policies from Amazon, read only access rights to their data. And so not owning a customer's data is a big selling point not only for them, but for us for compliance regulatory perspective. So, you know, unlike a lot of solutions where you move the data into them and now they are responsible, actually BIA owns everything. We, they provide access so that we could provide an analysis that they could turn off at any point in time. We're also SOC 2 type 1 and type 2 compliant you got to do it, you know, in this, this world, you know when we were young we ran at this because of all of these compliance scenarios that we will be in, but, you know, the long as short of it is, we're transient service. The storage, cloud storage is the source of truth where all data resides and, you know, think about it, it's architecturally smart, it's cost effective, it's secure, it's reliable, it's durable. But from a security perspective, having the customer own their own data is a big differentiation in the market, a big differentiation. >> Jeremy, talk about on your end the security controls surrounding the log management environments that span across countries with different regulations. Now you've got all kinds of policy dimensions and technical dimensions and topology dimensions. >> Yeah, absolutely. So how we approach it is we look at where we have offerings across the globe and we figure out what the sort of highest watermark level of adherence we need to hit. And then we standardize across that. And by shipping to S3, it allows us to enforce that governance really easily and right to Tom's point you know, we manage the data, which is very important to us and we don't have to be worried about a third party or if we want to change providers years down the road. Although I don't think anyone's coming out with 81% compression anytime soon (laughs). But yeah, so that's, for us, it's about meeting those high standards and having the technologies that enable us to do it. And Chaos Search is a very big part of that right now. >> All right let me ask you a question, for the folks watching that are like really interested in this topic, what would you say to them when evaluating Chaos Search obviously, your use case is complex, but so are others as enterprises start to have an edge, obviously the security posture shifts, everything shifts. There's no more perimeter and the data problem becomes acute to them. So the enterprises are going to start seeing what you've been living for in your world. What's your advice to people watching? >> My advice would be to give them a try. You know, it's it's has been really quite impressive. The customer service has been hands-on and we've been getting, you know, they've been under-promising and over-delivering, which when you have the kind of requirements to manage solutions in these very complex environment, cloud local, you know various data centers and such, you know that kind of customer service is very important, right? It enables us to continue to deliver those high quality solutions. >> So Thomas give us the, the overview of the secret sauce. You've got a great testimonial here. You got people watching, what's different now in the world that you're going after, what wave are you on? Talk to the people who are watching this and saying, okay why Chaos Search? Why are you relevant? Obviously there's some cool things you're doing. I love that. What's cool, and what's relevant and why what's in it for them if they work with you? >> Yeah. So you know, that that whole Silicon Valley reference actually got that from my patent attorney when we were talking. But yeah, no, we, we, you know, focus on if we can crack this code of making data, one a face small, store small, moves small, process small. But then make it multimodal access make it virtual transformation. If we could do that, and we could transform cloud outer storage into a high-performance medical database all these heavy, heavy problems, all that complexity that scaffolding that you build to do these type of scales would be solved. Now what we had to focus on and this has been my, I guess you say life passion is working on a new data representation. And that's our secret sauce that enables a new architecture a new service that where the customer folks on their tooling, their APIs, their visualizations that they know and love, what we focus is on taking that data lake, and again, to transform it into an analytical database, both for log analytics think of like elastic search replacement, as well as a BI replacement for your SQL warehousing database. And coming out later this year into 2022, ML support on one representation. You don't have the silo your information you don't have to re index your data, both. So elastic search CQL and actually ML TensorFlow actions on the exact same representation. So think about the data retention, doing some post analysis on all those logs of data, months, years, and then maybe set up some triggers if you see some anomaly that's happening within your service. So you think about it, the hunt with BI reporting, with predictive analysis on one platform. Again, it sounds a little unicorn, I agree with Jeremy, maybe it didn't sound true but it's been a life's work. So it didn't happen overnight. And you know, it's eight years, at least in the in the making, but I guess the life journey in the end. >> Well, you know, the timing is great. You know, all the database geeks out there who have been following the data industry know that, you know there's a good point for structured data but when you start getting into mechanisms and they become a bottleneck or a blocker to innovation, you know you starting to see this idea of a data lake being let the data kind of form, let it be. You know, I hate the word control plane but more of a, a connective tissue between systems is become an interesting thing. So now you can store everything so you know, no worries there, no blind spots and then let the magic of machine learning in the future, come around. So Jeremy, with that, I got to ask you since you're the bad boy of data analytics at BAI communications head of data analytics, what does that, what do you look for in the future as you start to set this up because I can almost imagine and connecting the dots here in the interview, you got the data lake you're storing everything, which is good. Now you have to create more insights and get ahead of the curve and provide some prescriptive and automated ways to do things better. What's your vision? >> First I would just like to say that, you know when astrophysicists talk about, you know, dark dark energy, dark matter, I'm convinced that's where Thomas is hiding the ones and zeros to get that compression, right? I don't don't know that to be fact but I know it to be true. And then in terms of machine learning and these sort of future technologies, which are becoming available you know, starting from scratch and trying to build out you know, models that have value, you know that takes a fair amount of work. And that landscape keeps changing, right? Being able to push our data into an S3 bucket and then you know, retain that data and then get anomaly detection on top of it. That's, I mean, that's something special and that unlocks a lot of ability for you know, our teams to very easily deliver anomaly detection, machine learning to our customers, without having to take on a lot of work to understand the latest and greatest in machine learning. So, I mean, it's really empowering to our team, right? And, and a tool that we're going to. >> Yeah, I love and I love the name, Chaos Search, Thomas. I got to say, you know it brings up the inside baseball around chaos monkey which everyone knows was a DevOps tool to create kind of day two simulate day two operations and disruptions in DevOps. But what you're really getting at is your whole new architecture that's beyond DevOps movement, it's like next gen architecture. Talk about that to the people watching who have a lot of legacy and want to transform over to a more enabling platform that's going to give them some headroom for their data. What, what do you say to them? How do they get started? What, how should they, how what's their mindset? What they, what are some first principles you can share? >> Well, you know, I always start with first principles but you know, I like to say we're the next next gen. The key thing with the Chaos Search offering is you can start today with B, without even Chaos Search. Stream your data to S3. We're going to make hip and cool data lakes again. And actually it's a, Google it now, data lakes are hip and cool. So start streaming now, start managing your data in a well-formed centralized viewpoint with security governance and cost effectiveness. Then call Chaos Search shop, and we'll make access to it easily, simply to ultimately solve your problems. The bug whether your security issue, the bug, whether it's more performance issues at scale, right? And so when workloads can be added instantaneously in your data lake it's, it's game changing it's mind changing. So from the DevOps folks where, you know, you're up all night trying to say, how am I going to scale from terabyte, you know one today to 50 terabytes, don't. Stream it to S3. We'll take over, we'll worry about that scale pain. You worry about your job of security, performance, operations, integrity. >> That really highlights the cloud scale the value proposition as, as apps start to be using data as an input, not just as a a part of a repo repo, so great stuff. Thomas, thanks for sharing your life's work and your technology magic. Jeremy, thanks for coming on and sharing your use cases with us and how you are making it all work. Appreciate it. >> Thank you. >> My pleasure. >> Okay. This is The Cubes, coverage and presenting AWS this time showcase the next big thing here with Chaos Search. I'm John Furrier, your host. Thanks for watching. (upbeat music)

(upbeat electronic music) >> Hello, everyone. Welcome to theCUBE's presentation of the AWS Startup Showcase. The Next Big Thing in AI, Security, and Life Sciences. In this segment, we feature Orca Security as a notable trend setter within, of course, the security track. I'm your host, Dave Vellante. And today we're joined by Gil Geron. Who's the co-founder and Chief Product Officer at Orca Security. And we're going to discuss how to eliminate cloud security blind spots. Orca has a really novel approach to cybersecurity problems, without using agents. So welcome Gil to today's sessions. Thanks for coming on. >> Thank you for having me. >> You're very welcome. So Gil, you're a disruptor in security and cloud security specifically and you've created an agentless way of securing cloud assets. You call this side scanning. We're going to get into that and probe that a little bit into the how and the why agentless is the future of cloud security. But I want to start at the beginning. What were the main gaps that you saw in cloud security that spawned Orca Security? >> I think that the main gaps that we saw when we started Orca were pretty similar in nature to gaps that we saw in legacy, infrastructures, in more traditional data centers. But when you look at the cloud when you look at the nature of the cloud the ephemeral nature, the technical possibilities and disruptive way of working with a data center, we saw that the usage of traditional approaches like agents in these environments is lacking, it actually not only working as well as it was in the legacy world, it's also, it's providing less value. And in addition, we saw that the friction between the security team and the IT, the engineering, the DevOps in the cloud is much worse or how does that it was, and we wanted to find a way, we want for them to work together to bridge that gap and to actually allow them to leverage the cloud technology as it was intended to gain superior security than what was possible in the on-prem world. >> Excellent, let's talk a little bit more about agentless. I mean, maybe we could talk a little bit about why agentless is so compelling. I mean, it's kind of obvious it's less intrusive. You've got fewer processes to manage, but how did you create your agentless approach to cloud security? >> Yes, so I think the basis of it all is around our mission and what we try to provide. We want to provide seamless security because we believe it will allow the business to grow faster. It will allow the business to adopt technology faster and to be more dynamic and achieve goals faster. And so we've looked on what are the problems or what are the issues that slow you down? And one of them, of course, is the fact that you need to install agents that they cause performance impact, that they are technically segregated from one another, meaning you need to install multiple agents and they need to somehow not interfere with one another. And we saw this friction causes organization to slow down their move to the cloud or slow down the adoption of technology. In the cloud, it's not only having servers, right? You have containers, you have manage services, you have so many different options and opportunities. And so you need a different approach on how to secure that. And so when we understood that this is the challenge, we decided to attack it in three, using three periods; one, trying to provide complete security and complete coverage with no friction, trying to provide comprehensive security, which is taking an holistic approach, a platform approach and combining the data in order to provide you visibility into all of your security assets, and last but not least of course, is context awareness, meaning being able to understand and find these the 1% that matter in the environment. So you can actually improve your security posture and improve your security overall. And to do so, you had to have a technique that does not involve agents. And so what we've done, we've find a way that utilizes the cloud architecture in order to scan the cloud itself, basically when you integrate Orca, you are able within minutes to understand, to read, and to view all of the risks. We are leveraging a technique that we are calling side scanning that uses the API. So it uses the infrastructure of the cloud itself to read the block storage device of every compute instance and every instance, in the environment, and then we can deduce the actual risk of every asset. >> So that's a clever name, side scanning. Tell us a little bit more about that. Maybe you could double click on, on how it works. You've mentioned it's looking into block storage and leveraging the API is a very, very clever actually quite innovative. But help us understand in more detail how it works and why it's better than traditional tools that we might find in this space. >> Yes, so the way that it works is that by reading the block storage device, we are able to actually deduce what is running on your computer, meaning what kind of waste packages applications are running. And then by con combining the context, meaning understanding that what kind of services you have connected to the internet, what is the attack surface for these services? What will be the business impact? Will there be any access to PII or any access to the crown jewels of the organization? You can not only understand the risks. You can also understand the impact and then understand what should be our focus in terms of security of the environment. Different factories, the fact that we are doing it using the infrastructure itself, we are not installing any agents, we are not running any packet. You do not need to change anything in your architecture or design of how you use the cloud in order to utilize Orca Orca is working in a pure SaaS way. And so it means that there is no impact, not on cost and not on performance of your environment while using Orca. And so it reduces any friction that might happen with other parties of the organization when you enjoy the security or improve your security in the cloud. >> Yeah, and no process management intrusion. Now, I presume Gil that you eat your own cooking, meaning you're using your own product. First of all, is that true? And if so, how has your use of Orca as a chief product officer help you scale Orca as a company? >> So it's a great question. I think that something that we understood early on is that there is a, quite a significant difference between the way you architect your security in cloud and also the way that things reach production, meaning there's a difference, that there's a gap between how you imagined, like in everything in life how you imagine things will be and how they are in real life in production. And so, even though we have amazing customers that are extremely proficient in security and have thought of a lot of ways of how to secure the environment. Ans so, we of course, we are trying to secure environment as much as possible. We are using Orca because we understand that no one is perfect. We are not perfect. We might, the engineers might, my engineers might make mistakes like every organization. And so we are using Orca because we want to have complete coverage. We want to understand if we are doing any mistake. And sometimes the gap between the architecture and the hole in the security or the gap that you have in your security could take years to happen. And you need a tool that will constantly monitor your environment. And so that's why we are using Orca all around from day one not to find bugs or to do QA, we're doing it because we need security to our cloud environment that will provide these values. And so we've also passed the compliance auditing like SOC 2 and ISO using Orca and it expedited and allowed us to do these processes extremely fast because of having all of these guardrails and metrics has. >> Yeah, so, okay. So you recognized that you potentially had and did have that same problem as your customer has been. Has it helped you scale as a company obviously but how has it helped you scale as a company? >> So it helped us scale as a company by increasing the trust, the level of trust customer having Orca. It allowed us to adopt technology faster, meaning we need much less diligence or exploration of how to use technology because we have these guardrails. So we can use the richness of the technology that we have in the cloud without the need to stop, to install agents, to try to re architecture the way that we are using the technology. And we simply use it. We simply use the technology that the cloud offer as it is. And so it allows you a rapid scalability. >> Allows you allows you to move at the speed of cloud. Now, so I'm going to ask you as a co-founder, you got to wear many hats first of a co-founder and the leadership component there. And also the chief product officer, you got to go out, you got to get early customers, but but even more importantly you have to keep those customers retention. So maybe you can describe how customers have been using Orca. Did they, what was their aha moment that you've seen customers react to when you showcase the new product? And then how have you been able to keep them as loyal partners? >> So I think that we are very fortunate, we have a lot of, we are blessed with our customers. Many of our customers are vocal customers about what they like about Orca. And I think that something that comes along a lot of times is that this is a solution they have been waiting for. I can't express how many times I hear that I could go on a call and a customer says, "I must say, I must share. "This is a solution I've been looking for." And I think that in that respect, Orca is creating a new standard of what is expected from a security solution because we are transforming the security all in the company from an inhibitor to an enabler. You can use the technology. You can use new tools. You can use the cloud as it was intended. And so (coughs) we have customers like one of these cases is a customer that they have a lot of data and they're all super scared about using S3 buckets. We call over all of these incidents of these three buckets being breached or people connecting to an s3 bucket and downloading the data. So they had a policy saying, "S3 bucket should not be used. "We do not allow any use of S3 bucket." And obviously you do need to use S3 bucket. It's a powerful technology. And so the engineering team in that customer environment, simply installed a VM, installed an FTP server, and very easy to use password to that FTP server. And obviously two years later, someone also put all of the customer databases on that FTP server, open to the internet, open to everyone. And so I think it was for him and for us as well. It was a hard moment. First of all, he planned that no data will be leaked but actually what happened is way worse. The data was open to the to do to the world in a technology that exists for a very long time. And it's probably being scanned by attackers all the time. But after that, he not only allowed them to use S3 bucket because he knew that now he can monitor. Now, you can understand that they are using the technology as intended, now that they are using it securely. It's not open to everyone it's open in the right way. And there was no PII on that S3 bucket. And so I think the way he described it is that, now when he's coming to a meeting about things that needs to be improved, people are waiting for this meeting because he actually knows more than what they know, what they know about the environment. And I see it really so many times where a simple mistake or something that looks benign when you look at the environment in a holistic way, when you are looking on the context, you understand that there is a huge gap. That should be the breech. And another cool example was a case where a customer allowed an access from a third party service that everyone trusts to the crown jewels of the environment. And he did it in a very traditional way. He allowed a certain IP to be open to that environment. So overall it sounds like the correct way to go. You allow only a specific IP to access the environment but what he failed to to notice is that everyone in the world can register for free for this third-party service and access the environment from this IP. And so, even though it looks like you have access from a trusted service, a trusted third party service, when it's a Saas service, it's actually, it can mean that everyone can use it in order to access the environment and using Orca, you saw immediately the access, you saw immediately the risk. And I see it time after time that people are simply using Orca to monitor, to guardrail, to make sure that the environment stays safe throughout time and to communicate better in the organization to explain the risk in a very easy way. And the, I would say the statistics show that within few weeks, more than 85% of the different alerts and risks are being fixed, and think it comes to show how effective it is and how effective it is in improving your posture, because people are taking action. >> Those are two great examples, and of course they have often said that the shared responsibility model is often misunderstood. And those two examples underscore thinking that, "oh I hear all this, see all this press about S3, but it's up to the customer to secure the endpoint components et cetera. Configure it properly is what I'm saying. So what an unintended consequence, but but Orca plays a role in helping the customer with their portion of that shared responsibility. Obviously AWS is taking care of this. Now, as part of this program we ask a little bit of a challenging question to everybody because look it as a startup, you want to do well you want to grow a company. You want to have your employees, you know grow and help your customers. And that's great and grow revenues, et cetera but we feel like there's more. And so we're going to ask you because the theme here is all about cloud scale. What is your defining contribution to the future of cloud at scale, Gil? >> So I think that cloud is allowed the revolution to the data centers, okay? The way that you are building services, the way that you are allowing technology to be more adaptive, dynamic, ephemeral, accurate, and you see that it is being adopted across all vendors all type of industries across the world. I think that Orca is the first company that allows you to use this technology to secure your infrastructure in a way that was not possible in the on-prem world, meaning that when you're using the cloud technology and you're using technologies like Orca, you're actually gaining superior security that what was possible in the pre cloud world. And I think that, to that respect, Orca is going hand in hand with the evolution and actually revolutionizes the way that you expect to consume security, the way that you expect to get value, from security solutions across the world. >> Thank You for that Gil. And so we're at the end of our time, but we'll give you a chance for final wrap up. Bring us home with your summary, please. >> So I think that Orca is building the cloud security solution that actually works with its innovative aid agentless approach to cyber security to gain complete coverage, comprehensive solution and to gain, to understand the complete context of the 1% that matters in your security challenges across your data centers in the cloud. We are bridging the gap between the security teams, the business needs to grow and to do so in the paste of the cloud, I think the approach of being able to install within minutes, a security solution in getting complete understanding of your risk which is goes hand in hand in the way you expect and adopt cloud technology. >> That's great Gil. Thanks so much for coming on. You guys doing awesome work. Really appreciate you participating in the program. >> Thank you very much. >> And thank you for watching this AWS Startup Showcase. We're covering the next big thing in AI, Security, and Life Science on theCUBE. Keep it right there for more great content. (upbeat music)

>> Announcer: From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world. This is a CUBE Conversation. >> Hello. Welcome to today's session of the AWS Startup Showcase, The Next Big Thing in AI, Security & Life Sciences. Today featuring TetraScience for the life sciences track. I'm your host Natalie Erlich, and now we are joined by our special guests, Michelle Bradbury, VP of Product at TetraScience, as well as Mike Tarselli, the Chief Scientific Officer at TetraScience. We're going to talk about the R&D Data Cloud movement in life sciences, unlocking experimental data to accelerate discovery. Thank you both very much for joining us today. >> Thank you for having us. >> Yeah, thank you. Great to be here. >> Well, while traditionally slower to adopt cloud technology in R&D, global pharmas are now launching digital lab initiatives to improve time to market for therapeutics. Now, can you discuss some of the key challenges still facing big pharma in terms of digital transformation? >> Sure. I guess I'll start in. The big pharma sort of organization that we have today happens to work very well in its particular way, i.e., they have some architecture they've installed, usually on-premises. They are sort of tentatively sticking their foot into the cloud. They're learning how to move forward into that, and in order to process and automate their data streams. However, we would argue they haven't done enough fast enough and that they need to get there faster in order to deliver patient value and efficiencies to their businesses. >> Well, how specifically, now for Michelle, can R&D Data Cloud help big pharma in this digital transformation? >> So the big thing that large pharmas face is a couple different things. So the ecosystem within large pharma is a lot of diverse data types, a lot of diverse file types. So that's one thing that the data cloud handles very well to be able to parse through, harmonize, and bring together your data so that it can be leveraged for things like AI and machine learning at large-scale, which is sort of the other part where I think one of the large sort of challenges that pharma faces is sort of a proliferation of data. And what cloud offers, specifically, is a better way to store, more scalable storage, better ability to even tier your storage while still making it searchable, maintainable, and offer a lot of flexibility to the actual pharma companies. >> And what about security and compliance, or even governance? What are those implications? >> Sure. I'll jump into that one. So security and compliance, every large pharma is a regulated industry. Everyone watching this probably is aware of that. And so we therefore have to abide by the same tenets that they would. So 21 CFR Part 11 compliance, getting ready for GXP ready systems, And in fact, doing extra certifications around a SOC 2 Type 2, ISO 9001, really every single regulation that would allow our cloud solution to be quality, ready, inspectable, and really performant for what needs to be done for an eventual FDA submission. >> And can you also speak about some of the advances that we're seeing in machine learning and artificial intelligence, and how that will impact pharma, and what your role is in that at TetraScience? >> Sure. I'll pass this one to Michelle first. >> I was going to say I can take that one. So one of the things that we're seeing in terms of where AI and ML will go with large pharma is their ability to not only search and build models against the data that they have access to right now, which is very limited in the way they search, but the ability to go through the historical amount of data, the ability to leverage mass parallel compute on top of these giant data clusters, and what that means in terms of not only faster time to market for drugs, but also, I think, more accurate and precise testing coming in the future. So I think there's so much opportunity for this really data-rich vertical and industry to leverage in a lot of the modern tooling that it hasn't been able to leverage so far. >> And Mike, what would you say are the benefits that a fully automated lab could bring with increased fairness and data liquidity? >> Yeah, sure. Let's go five years into the future. I am a bench chemist, and I'm trying to get some results in, and it's amazing because I can look up everything the rest of my colleagues have ever done on this particular project with a single click of a button in a simple term set in natural language. I can then find and retrieve those results, easily visualize them in our platform or in any other platform I choose to use. And then I can inspect those, interrogate those, and say, "Actually, I'm going to be able to set up this automation cascade." I'll probably have it ready by the afternoon. All the data that's returned to me through this is going to be easily integratable, harmonized, and you're going to be able to find it, obviously. You're going to interoperate it with any system, so if I suddenly decide that I need to send a report over to another division in their preferred vis tool or data system of choice, great! I click three buttons, configure it. Boom. There goes that report to them. This should be a simple vision to achieve even faster than five years. And that data liquidity that enables you to sort of pass results around outside of your division, and outside of even your sort of company or division, to other who are able to see it should be fairly easy to achieve if all that data is ingested the right way. >> Well, I'd love to ask this next question to both of you. What is your defining contribution to the future of cloud scale? >> Mike, you want to go first? >> (chuckles) I would love to. So right now the pharmaceutical and life sciences companies, they aren't seeing data increase linearly. They're seeing it increase exponentially, right? We are living in the exabyte era, and really have on the internet since about 2016. It's only going to get bigger, and it's going to get bigger in a power law, right? So you're going to see, as sequencing comes on, as larger form microscopy comes on, and as more and more companies are taking on more and more data about each individual sample, retaining that data for longer, doing more analytics of that data, and also doing personalized medicine, right, more data about a specific patient, or animal, or cell line. You're just going to see this absolute data explosion. And because of that, the only thing you can really do to keep up with that is be in the cloud. On-prem, you will be buying disk drives and out of physical materials before you're going to outstrip the data. Michelle? >> Yeah. And, I think, to go along with not just the data storage scale, I think the compute scale. Mike is absolutely right. We're seeing personalized drugs. We're seeing customers that want to, within a matter of three, four hours, get to a personalized drug for patients. And that kind of scale on a compute basis not just requires a ton of data, but requires mass compute ability to be able to get it right, right? And so it really becomes this marriage of getting a huge amount of data, and getting the mass compute to be able to really leverage that per patient. And then the one thing that... Sort of enabling that ecosystem to come centrally together across such a diverse dataset is sort of that driving force. If you can get the data together but you can't compute it, if you can compute it but you can't get it together, it all needs to come together. Otherwise it just doesn't work. >> Yeah. Well, on your website you have all these great case studies, and I'd love it if you could outline some of your success stories for us, some specific, concrete examples. >> Sure. I'll take one first, and then they'll pass to Michelle. One really great concrete example is we were able to take data format processing for a biotech that had basically previously had instruments sitting off in a corner that they could not connect, were integratable for a high throughput screening cascade. We were able to bring them online. We were able to get the datasets interpretable, and get literally their processing time for these screens from the order of weeks to the order of minutes. So they could basically be doing probably a couple hundred more screens per year than they could have otherwise. Michelle? >> We have one customer that is in the process of automating their entire lab, even using robotics arms. So it's a huge mix of being able to ingest IoT data, send experiment data to them, understand sampling, getting the results back, and really automating that whole process, which when they even walked me through it, I was like, "Wow," and I'm like, "so cool." (chuckles) And there's a lot of... I think a lot of pharma companies want, and life science companies, want to move forward in innovation and do really creative and cool things for patients. But at the end of it, you sort of have to also realize it's like their core competency is focusing on drugs, and getting that to market, and making patients better. And we're just one part of that, really helping to enable that process and that ecosystem come to life, so it's really cool to watch. >> Right, right. And I mean, in this last year we've seen how critical the healthcare sector is to people all over the world. Now, looking forward, what do you anticipate some of the big innovations in the sector will be in the next five years, and where do you see TetraScience's role in that? >> So I think some of the larger innovations are... Mike mentioned one of them already. It's going to be sort of the personalized drugs the personalized health care. I think it is absolutely going to go to full lab automation to some degree, because who knows when the next pandemic will hit, right? And we're all going to have to go home, right? I think the days of trying to move around data manually and trying to work through that is just... If we don't plan for that to be a thing of the past, I think we're all going to do ourselves a disservice. So I think you'll see more automation. I think you'll see more personalization, and you'll see more things that leverage larger amounts of data. I think where we hope to sit is really at the ecosystem enablement part of that. We want to remain open. That's one of the cornerstones. We're not a single partner platform. We're not tied to any vendors. We really want to become that central aid and the ecosystem enabler for the labs. >> Yeah, to that point- >> And I'd also love to get your insight. >> Oh! Sorry. (chuckles) Thank you. To that point, we're really trying to unlock discovery, right? Many other horizontal cloud players will do something like you can upload files, or you can do some massive compute, but they won't have the vertical expertise that we do, right? They won't have the actual deep life sciences dedication. We have several PhDs, postdocs, et cetera, on staff who have done this for a living and can do this going forward. So you're going to see the realization of something that was really exciting in sort of 2005, 2006, that is fully automated experimentation. So get a robot to about an experiment, design it, have a human operator assist with putting together all the automation, and then run that over and over again cyclically until you get the result you want. I don't think that the compute was ready for that at the time. I don't think that the resources were up to snuff, but now you can do it, and you can do it with any tool, instrument, technique you want, because to Michelle's point, we're a vendor-agnostic partner networked platform. So you can actually assemble this learning automation cascade and have it run in the background while you go home and sleep. >> Yeah, and we often hear about automation, but tell us a little bit more specifically what is the harmonizing effect of TetraScience? I mean, that's not something that we usually hear, so what's unique about that? >> You want to take that, or you want me to go? >> You go, please. (chuckles) >> All right. So, really, it's about... It's about normalizing and harmonizing the data. And what does that... What that means is that whether you're a chromatography machine from, let's say Waters, or another vendor, ideally you'd like to be able to leverage all of your chromatography data and do research across all of it. Most of our customers have machinery that is of same sort from different customers, or sorry, from different vendors. And so it's really the ability to bring that data together, and sometimes it's even diverse instrumentation. So if I track a molecule, or a project, or a sample through one piece, one set of instrumentation, and I want to see how it got impacted in another set of instrumentation, or what the results were, I'm able to quickly and easily be able to sort of leverage that harmonized data and come to those results quickly. Mike, I'm sure you have a- >> May I offer a metaphor from something outside of science? Hopefully that's not off par for this, but let's say you had a parking lot, right, filled with different kinds of cars. And let's say you said at the beginning of that parking lot, "No, I'm sorry. We only have space right here for a Ford Fusion 2019 black with leather interior and this kind of tires." That would be crazy. You would never put that kind of limitation on who could park in a parking lot. So why do specific proprietary data systems put that kind of limitation on how data can be processed? We want to make it so that any car, any kind of data, can be processed and considered together in that same parking lot. >> Fascinating. Well, thank you both so much for your insights. Really appreciate it. Wonderful to hear about R&D Data Cloud movement in big pharma, and that of course is Michelle Bradbury, VP of Product at TetraScience, as well as Mike Tarselli, the Chief Scientific Officer at TetraScience. Thanks again very much for your insights. I'm your host for theCUBE, Natalie Erlich. Catch us again for the next session of the AWS Startup Session. Thank you. (smooth music)

(calm music)- Hello, and welcome to this CUBE conversation here in Palo Alto, California in theCUBE Studios, I'm John Furrier, host of theCUBE. We are here with the hot startup really working on some real, super important security technology for the cloud, great company, Orca Security, Avi Shua, CEO, and co founder. Avi, thank you for coming on theCUBE and share your story >> Thanks for having me. >> So one of the biggest problems that enterprises and large scale, people who are going to the cloud and are in the cloud and are evolving with cloud native, have realized that the pace of change and the scale is a benefit to the organizations for the security teams, and getting that security equation, right, is always challenging, and it's changing. You guys have a solution for that, I really want to hear what you guys are doing. I like what you're talking about. I like what you're thinking about, and you have some potentially new technologies. Let's get into it. So before we get started, talk about what is Orca Security, what do you guys do? What problem do you solve? >> So what we invented in Orca, is a unique technology called site scanning, that essentially enables us to connect to any cloud environment in a way which is as simple as installing a smartphone application and getting a full stack visibility of your security posture, meaning seeing all of the risk, whether it's vulnerability, misconfiguration, lateral movement risk, work that already been compromised, and more and more, literally in minutes without deploying any agent, without running any network scanners, literally with no change. And while it sounds to many of us like it can't happen, it's snake oil, it's simply because we are so used to on premise environment where it simply wasn't possible in physical server, but it is possible in the cloud. >> Yeah, and you know, we've had many (indistinct) on theCUBE over the years. One (indistinct) told us that, and this is a direct quote, I'll find the clip and share it on Twitter, but he said, "The cloud is more secure than on premise, because it's more changes going on." And I asked him, "Okay, how'd you do?" He says, "It's hard, you got to stay on top of it." A lot of people go to the cloud, and they see some security benefits with the scale. But there are gaps. You guys are building something that solves those gaps, those blind spots, because of things are always changing, you're adding more services, sometimes you're integrating, you now have containers that could have, for instance, you know, malware on it, gets introduced into a cluster, all kinds of things can go on in a cloud environment, that was fine yesterday, you could have a production cluster that's infected. So you have all of these new things. How do you figure out the gaps and the blind spots? That's what you guys do, I believe, what are the gaps in cloud security? Share with us. >> So definitely, you're completely correct. You know, I totally agree the cloud can be dramatically more secluded on-prem. At the end of the day, unlike an on-prem data center, where someone can can plug a new firewall, plug a new switch, change things. And if you don't instrument, it won't see what's inside. This is not possible in the cloud. In the cloud it's all code. It's all running on one infrastructure that can be used for the instrumentation. On the other hand, the cloud enabled businesses to act dramatically faster, by say dramatically, we're talking about order of magnitude faster, you can create new networks in matter of minutes, workloads can come and go within seconds. And this creates a lot of changes that simply haven't happened before. And it involves a lot of challenges, also from security instrumentation point of view. And you cannot use the same methodologies that you used for the on-prem because if you use them, you're going to lose, they were a compromise, that worked for certain physics, certain set of constraints that no longer apply. And our thesis is that essentially, you need to use the capabilities of the cloud itself, for the instrumentation of everything that can runs on the cloud. And when you do that, by definition, you have full coverage, because if it's run on the cloud, it can be instrumented on cloud, this essentially what Docker does. And you're able to have this full visibility for all of the risks and the importance because all of them, essentially filter workload, which we're able to analyze. >> What are some of the blind spots in the public cloud, for instance. I mean, that you guys are seeing that you guys point out or see with the software and the services that you guys have. >> So the most common ones are the things that we have seen in the last decades. I don't think they are materially different simply on steroids. We see things, services that are launched, nobody maintained for years, using things like improper segmentation, that everyone have permission to access everything. And therefore if one environment is breached, everything is breached. We see organization where something goes dramatically hardened. So people find a way to a very common thing is that, and now ever talks about CIM and the tightening their permission and making sure that every workload have only the capabilities that they need. But sometimes developers are a bit lazy. So they'll walk by that, but also have keys that are stored that can bypass the entire mechanism that, again, everyone can do everything on any environment. So at the end of the day, I think that the most common thing is the standard aging issues, making sure that your environment is patched, it's finger tightened, there is no alternative ways to go to the environment, at scale, because the end of the day, they are destined for security professional, you need to secure everything that they can just need to find one thing that was missed. >> And you guys provide that visibility into the cloud. So to identify those. >> Exactly. I think one of the top reasons that we implemented Orca using (indistinct) technology that I've invented, is essentially because it guarantees coverage. For the first time, we can guarantee you that if you scan it, that way, we'll see every instance, every workload, every container, because of its running, is a native workload, whether it's a Kubernetes, whether it's a service function, we see it all because we don't rely on any (indistinct) integration, we don't rely on friction within the organization. So many times in my career, I've been in discussion with customer that has been breached. And when we get to the core of the issue, it was, you couldn't, you haven't installed that agent, you haven't configured that firewall, the IPS was not up to date. So the protections weren't applied. So this is technically true, but it doesn't solve the customer problem, which is, I need the security to be applied to all of my environment, and I can't rely on people to do manual processes, because they will fail. >> Yeah, yeah. I mean, it's you can't get everything now and the velocity, the volume of activity. So let me just get this right, you guys are scanning container. So the risk I hear a lot is, you know, with Kubernetes, in containers is, a fully secure cluster could have a container come in with malware, and penetrate. And even if it's air gapped, it's still there. So problematic, you would scan that? Is that how it would work? >> So yes, but so for nothing but we are not scanning only containers, the essence of Orca is scanning the cloud environment holistically. We scan your cloud configuration, we scan your Kubernetes configuration, we scan your Dockers, the containers that run on top of them, we scan the images that are installed and we scan the permission that these images are one, and most importantly, we combined these data points. So it's not like you buy one solution that look to AWS configuration, is different solution that locate your virtual machines at one cluster, another one that looks at your cluster configuration. Another one that look at a web server and one that look at identity. And then you have resolved from five different tools that each one of them claims that this is the most important issue. But in fact, you need to infuse the data and understand yourself what is the most important items or they're correlated. We do it in an holistic way. And at the end of the day, security is more about thinking case graphs is vectors, rather than list. So it is to tell you something like this is a container, which is vulnerable, it has permission to access your sensitive data, it's running on a pod that is indirectly connected to the internet to this load balancer, which is exposed. So this is an attack vector that can be utilized, which is just a tool that to say you have a vulnerable containers, but you might have hundreds, where 99% of them are not exposed. >> Got it, so it's really more logical, common sense vectoring versus the old way, which was based on perimeter based control points, right? So is that what I get? is that right is that you're looking at it like okay, a whole new view of it. Not necessarily old way. Is that right? >> Yes, it is right, we are looking at as one problem that is entered in one tool that have one unified data model. And on top of that, one scanning technology that can provide all the necessary data. We are not a tool that say install vulnerability scanner, install identity access management tools and infuse all of the data to Orca will make sense, and if you haven't installed the tools to you, it's not our problem. We are scanning your environment, all of your containers, virtual machine serverless function, cloud configuration using guard technology. When standard risk we put them in a graph and essentially what is the attack vectors that matter for you? >> The sounds like a very promising value proposition. if I've workloads, production workloads, certainly in the cloud and someone comes to me and says you could have essentially a holistic view of your security posture at any given point in that state of operations. I'm going to look at it. So I'm compelled by it. Now tell me how it works. Is there overhead involved? What's the cost to, (indistinct) Australian dollars, but you can (indistinct) share the price to would be great. But like, I'm more thinking of me as a customer. What do I have to do? What operational things, what set up? What's my cost operationally, and is there overhead to performance? >> You won't believe me, but it's almost zero. Deploying Orca is literally three clicks, you just go log into the application, you give it the permission to read only permission to the environment. And it does the rest, it doesn't run a single awkward in the environment, it doesn't send a single packet. It doesn't create any overhead we have within our public customer list companies with a very critical workloads, which are time sensitive, I can quote some names companies like Databricks, Robinhood, Unity, SiteSense, Lemonade, and many others that have critical workloads that have deployed it for all of the environment in a very quick manner with zero interruption to the business continuity. And then focusing on that, because at the end of the day, in large organization, friction is the number one thing that kills security. You want to deploy your security tool, you need to talk with the team, the team says, okay, we need to check it doesn't affect the environment, let's schedule it in six months, in six months is something more urgent then times flybys and think of security team in a large enterprise that needs to coordinate with 500 teams, and make sure it's deployed, it can't work, Because we can guarantee, we do it because we leverage the native cloud capabilities, there will be zero impact. This allows to have the coverage and find these really weak spot nobody's been looking at. >> Yeah, I mean, this having the technology you have is also good, but the security teams are burning out. And this is brings up the cultural issue we were talking before we came on camera around the cultural impact of the security assessment kind of roles and responsibilities inside companies. Could you share your thoughts on this because this is a real dynamic, the people involved as a people process technology, the classic, you know, things that are impacted with digital transformation. But really the cultural impact of how developers push code, the business drivers, how the security teams get involved. And sometimes it's about the security teams are not under the CIO or under these different groups, all kinds of impacts to how the security team behaves in context to how code gets shipped. What's your vision and view on the cultural impact of security in the cloud. >> So, in fact, many times when people say that the cloud is not secure, I say that the culture that came with the cloud, sometimes drive us to non secure processes, or less secure processes. If you think about that, only a decade ago, if an organization could deliver a new service in a year, it would be an amazing achievement, from design to deliver. Now, if an organization cannot ship it, within weeks, it's considered a failure. And this is natural, something that was enabled by the cloud and by the technologies that came with the cloud. But it also created a situation where security teams that used to be some kind of a checkpoint in the way are no longer in that position. They're in one end responsible to audit and make sure that things are acting as they should. But on the other end, things happen without involvement. And this is a very, very tough place to be, nobody wants to be the one that tells the business you can't move as fast as you want. Because the business want to move fast. So this is essentially the friction that exists whether can we move fast? And how can we move fast without breaking things, and without breaking critical security requirements. So I believe that security is always about a triode, of educate, there's nothing better than educate about putting the guardrails to make sure that people cannot make mistakes, but also verify an audit because there will be failures in even if you educate, even if you put guardrails, things won't work as needed. And essentially, our position within this, triode is to audit, to verify to empower the security teams to see exactly what's happening, and this is an enabler for a discussion. Because if you see what are the risks, the fact that you have, you know, you have this environment that hasn't been patched for a decade with the password one to six, it's a different case, then I need you to look at this environment because I'm concerned that I haven't reviewed it in a year. >> That's exactly a great comment. You mentioned friction kills innovation earlier. This is one friction point that mismatch off cadence between ownership of process, business owners goals of shipping fast, security teams wanting to be secure. And developers just want to write code faster too. So productivity, burnout, innovation all are a factor in cloud security. What can a company do to get involved? You mentioned easy to deploy. How do I work with Orca? You guys are just, is it a freemium? What is the business model? How do I engage with you if I'm interested in deploying? >> So one thing that I really love about the way that we work is that you don't need to trust a single word I said, you can get a free trial of Orca at website orca.security, one a scan on your cloud environment, and see for yourself, whether there are critical ways that were overlooked, whether everything is said and there is no need for a tool or whether they some areas that are neglected and can be acted at any given moment (indistinct) been breached. We are not a freemium but we offer free trials. And I'm also a big believer in simplicity and pricing, we just price by the average number workload that you have, you don't need to read a long formula to understand the pricing. >> Reducing friction, it's a very ethos sounds like you guys have a good vision on making things easy and frictionless and sets that what we want. So maybe I should ask you a question. So I want to get your thoughts because a lot of conversations in the industry around shifting left. And that's certainly makes a lot of sense. Which controls insecurity do you want to shift left and which ones you want to shift right? >> So let me put it at, I've been in this industry for more than two decades. And like any industry every one's involved, there is a trend and of something which is super valuable. But some people believe that this is the only thing that you need to do. And if you know Gartner Hype Cycle, at the beginning, every technology is (indistinct) of that. And we believe that this can do everything and then it reaches (indistinct) productivity of the area of the value that it provides. Now, I believe that shifting left is similar to that, of course, you want to shift left as much as possible, you want things to be secure as they go out of the production line. This doesn't mean that you don't need to audit what's actually warning, because everything you know, I can quote, Amazon CTO, Werner Vogels about everything that can take will break, everything fails all the time. You need to assume that everything will fail all the time, including all of the controls that you baked in. So you need to bake as much as possible early on, and audit what's actually happening in your environment to find the gaps, because this is the responsibility of security teams. Now, just checking everything after the fact, of course, it's a bad idea. But only investing in shifting left and education have no controls of what's actually happening is a bad idea as well. >> A lot of people, first of all, great call out there. I totally agree, shift left as much as possible, but also get the infrastructure and your foundational data strategies, right and when you're watching and auditing. I have to ask you the next question on the context of the data, right, because you could audit all day long, all night long. But you're going to have a pile of needles looking for haystack of needles, as they say, and you got to have context. And you got to understand when things can be jumped on. You can have alert fatigue, for instance, you don't know what to look at, you can have too much data. So how do you manage the difference between making the developers productive in the shift left more with the shift right auditing? What's the context and (indistinct)? How do you guys talk about that? Because I can imagine, yeah, it makes sense. But I want to get the right alert at the right time when it matters the most. >> We look at risk as a combination of three things. Risk is not only how pickable the lock is. If I'll come to your office and will tell you that you have security issue, is that they cleaning, (indistinct) that lock can be easily picked. You'll laugh at me, technically, it might be the most pickable lock in your environment. But you don't care because the exposure is limited, you need to get to the office, and there's nothing valuable inside. So I believe that we always need to take, to look at risk as the exposure, who can reach that lock, how easily pickable this lock is, and what's inside, is at your critical plan tools, is it keys that can open another lock that includes this plan tools or just nothing. And when you take this into context, and the one wonderful thing about the cloud, is that for the first time in the history of computing, the data that is necessary to understand the exposure and the impact is in the same place where you can understand also the risk of the locks. You can make a very concise decision of easily (indistinct) that makes sense. That is a critical attack vector, that is a (indistinct) critical vulnerability that is exposed, it is an exposed service and the service have keys that can download all of my data, or maybe it's an internal service, but the port is blocked, and it just have a default web server behind it. And when you take that, you can literally quantize 0.1% of the alert, even less than that, that can be actually exploited versus device that might have the same severity scores or sound is critical, but don't have a risk in terms of exposure or business impact. >> So this is why context matters. I want to just connect what you said earlier and see if I get this right. What you just said about the lock being picked, what's behind the door can be more keys. I mean, they're all there and the thieves know, (indistinct) bad guys know exactly what these vectors are. And they're attacking them. But the context is critical. But now that's what you were getting at before by saying there's no friction or overhead, because the old way was, you know, send probes out there, send people out in the network, send packers to go look at things which actually will clutter the traffic up or, you know, look for patterns, that's reliant on footsteps or whatever metaphor you want to use. You don't do that, because you just wire up the map. And then you put context to things that have weights, I'm imagining graph technologies involved or machine learning. Is that right? Am I getting that kind of conceptually, right, that you guys are laying it out holistically and saying, that's a lock that can be picked, but no one really cares. So no one's going to pick and if they do, there's no consequence, therefore move on and focus energy. Is that kind of getting it right? Can you correct me where I got that off or wrong? >> So you got it completely right. On one end, we do the agentless deep assessment to understand your workloads, your virtual machine or container, your apps and service that exists with them. And using the site scanning technology that some people you know, call the MRI for the cloud. And we build the map to understand what are connected to the security groups, the load balancer, the keys that they hold, what these keys open, and we use this graph to essentially understand the risk. Now we have a graph that includes risk and exposure and trust. And we use this graph to prioritize detect vectors that matters to you. So you might have thousands upon thousands of vulnerabilities on servers that are simply internal and these cannot be manifested, that will be (indistinct) and 0.1% of them, that can be exploited indirectly to a load balancer, and we'll be able to highlight these one. And this is the way to solve alert fatigue. We've been in large organizations that use other tools that they had million critical alerts, using the tools before Orca. We ran our scanner, we found 30. And you can manage 30 alerts if you're a large organization, no one can manage a million alerts. >> Well, I got to say, I love the value proposition. I think you're bringing a smart view of this. I see you have the experience there, Avi and team, congratulations, and it makes sense of the cloud is a benefit, it can be leveraged. And I think security being rethought this way, is smart. And I think it's being validated. Now, I did check the news, you guys have raised significant traction as valuation certainly raised around the funding of (indistinct) 10 million, I believe, a (indistinct) Funding over a billion dollar valuation, pushes a unicorn status. I'm sure that's a reflection of your customer interaction. Could you share customer success that you're having? What's the adoption look like? What are some of the things customers are saying? Why do they like your product? Why is this happening? I mean, I can connect the dots myself, but I want to hear what your customers think. >> So definitely, we're seeing huge traction. We grew by thousands of percent year over year, literally where times during late last year, where our sales team, literally you had to wait two or three weeks till you managed to speak to a seller to work with Orca. And we see the reasons as organization have the same problems that we were in, and that we are focusing. They have cloud environments, they don't know their security posture, they need to own it. And they need to own it now in a way which guarantees coverage guarantees that they'll see the important items and there was no other solution that could do that before Orca. And this is the fact. We literally reduce deployment (indistinct) it takes months to minutes. And this makes it something that can happen rather than being on the roadmap and waiting for the next guy to come and do that. So this is what we hear from our customers and the basic value proposition for Orca haven't changed. We're providing literally Cloud security that actually works that is providing full coverage, comprehensive and contextual, in a seamless manner. >> So talk about the benefits to customers, I'll give you an example. Let's just say theCUBE, we have our own cloud. It's growing like crazy. And we have a DevOps team, very small team, and we start working with big companies, they all want to know what our security posture is. I have to go hire a bunch of security people, do I just work with Orca, because that's the more the trend is integration. I just was talking to another CEO of a hot startup and the platform engineering conversations about people are integrating in the cloud and across clouds and on premises. So integration is all about posture, as well, too I want to know, people want to know who they're working with. How does that, does that factor into anything? Because I think, that's a table stakes for companies to have almost a posture report, almost like an MRI you said, or a clean (indistinct) health. >> So definitely, we are both providing the prioritized risk assessment. So let's say that your cloud team want to check their security, the cloud security risk, they'll will connect Orca, they'll see the (indistinct) in a very, very clear way, what's been compromised (indistinct) zero, what's in an imminent compromise meaning the attacker can utilize today. And you probably want to fix it as soon as possible and things that are hazardous in terms that they are very risky, but there is no clear attack vectors that can utilize them today, there might be things that combining other changes will become imminent compromise. But on top of that, when standard people also have compliance requirements, people are subject to a regulation like PCI CCPA (indistinct) and others. So we also show the results in the lens of these compliance frameworks. So you can essentially export a report showing, okay, we were scanned by Orca, and we comply with all of these requirements of SOC 2, etc. And this is another value proposition of essentially not only showing it in a risk lens, but also from the compliance lens. >> You got to be always on with security and cloud. Avi, great conversation. Thank you for sharing nice knowledge and going deep on some of the solution and appreciate your conversation. Thanks for coming on. >> Thanks for having me. >> Obviously, you are CEO and co founder of Orca Security, hot startup, taking on security in the cloud and getting it right. I'm John Furrier with theCUBE. Thanks for watching. (calm music)

(electronic music) >> From Santa Clara, California in the heart of Silicon Valley, its theCUBE. Covering Altitude 2020, brought to you by Aviatrix. (electronic music) >> Female pilot: Good morning, ladies and gentlemen, this is your captain speaking, we will soon be taking off on our way to altitude. (upbeat music) Please keep your seat belts fastened and remain in your seat. We will be experiencing turbulence, until we are above the clouds. (thunder blasting) (electronic music) (seatbelt alert sounds) Ladies and gentlemen, we are now cruising at altitude. Sit back and enjoy the ride. (electronic music) >> Female pilot: Altitude is a community of thought leaders and pioneers, cloud architects and enlightened network engineers, who have individually and are now collectively, leading their own IT teams and the industry. On a path to lift cloud networking above the clouds. Empowering enterprise IT to architect, design and control their own cloud network, regardless of the turbulent clouds beneath them. It's time to gain altitude. Ladies and gentlemen, Steve Mullaney, president and CEO of Aviatrix. The leader of multi-cloud networking. (electronic music) (audience clapping) >> Steve: All right. (audience clapping) Good morning everybody, here in Santa Clara as well as to the millions of people watching the livestream worldwide. Welcome to Altitude 2020, all right. So, we've got a fantastic event, today, I'm really excited about the speakers that we have today and the experts that we have and really excited to get started. So, one of the things I wanted to share was this is not a one-time event. This is not a one-time thing that we're going to do. Sorry for the Aviation analogy, but, you know, Sherry Wei, aviatrix means female pilot so everything we do has an aviation theme. This is a take-off, for a movement. This isn't an event, this is a take-off of a movement. A multi-cloud networking movement and community that we're inviting all of you to become part of. And why we're doing that, is we want to enable enterprises to rise above the clouds, so to speak and build their network architecture, regardless of which public cloud they're using. Whether it's one or more of these public clouds. So the good news, for today, there's lots of good news but this is one good news, is we don't have any PowerPoint presentations, no marketing speak. We know that marketing people have their own language. We're not using any of that, and no sales pitches, right? So instead, what are we doing? We're going to have expert panels, we've got Simon Richard, of Gartner here. We've got ten different network architects, cloud architects, real practitioners that are going to share their best practices and their real world experiences on their journey to the multi-cloud. So, before we start, everybody know what today is? In the U.S., it's Super Tuesday. I'm not going to get political, but Super Tuesday there was a bigger, Super Tuesday that happened 18 months ago. And Aviatrix employees know what I'm talking about. Eighteen months ago, on a Tuesday, every enterprise said, "I'm going to go to the cloud". And so what that was, was the Cambrian explosion, for cloud, for the enterprise. So, Frank Cabri, you know what a Cambrian explosion is. He had to look it up on Google. 500 million years ago, what happened, there was an explosion of life where it went from very simple single-cell organisms to very complex, multi-cell organisms. Guess what happened 18 months ago, on a Tuesday, I don't really know why, but every enterprise, like I said, all woke up that day and said, "Now I'm really going to go to cloud" and that Cambrian explosion of cloud meant that I'm moving from a very simple, single cloud, single-use case, simple environment, to a very complex, multi-cloud, complex use case environment. And what we're here today, is we're going to go undress that and how do you handle those, those complexities? And, when you look at what's happening, with customers right now, this is a business transformation, right? People like to talk about transitions, this is a transformation and it's actually not just a technology transformation, it's a business transformation. It started from the CEO and the Boards of enterprise customers where they said, "I have an existential threat to the survival of my company." If you look at every industry, who they're worried about is not the other 30-year-old enterprise. What they're worried about is the three year old enterprise that's leveraging cloud, that's leveraging AI, and that's where they fear that they're going to actually wiped out, right? And so, because of this existential threat, this is CEO led, this is Board led, this is not technology led, it is mandated in the organizations. We are going to digitally transform our enterprise, because of this existential threat and the movement to cloud is going to enable us to go do that. And so, IT is now put back in charge. If you think back just a few years ago, in cloud, it was led by DevOps, it was led by the applications and it was, like I said, before the Cambrian explosion, it was very simple. Now, with this Cambrian explosion, an enterprise is getting very serious and mission critical. They care about visibility, they care about control, they care about compliance, conformance, everything, governance. IT is in charge and that's why we're here today to discuss that. So, what we're going to do today, is much of things but we're going to validate this journey with customers. >> Steve: Did they see the same thing? We're going to validate the requirements for multi-cloud because, honestly, I've never met an enterprise that is not going to be multicloud. Many are one cloud today but they all say, " I need to architect my network for multiple clouds", because that's just what, the network is there to support the applications and the applications will run in whatever cloud it runs best in and you have to be prepared for that. The second thing is, is architecture. Again, with IT in charge, you, architecture matters. Whether its your career, whether its how you build your house, it doesn't matter. Horrible architecture, your life is horrible forever. Good architecture, your life is pretty good. So, we're going to talk about architecture and how the most fundamental and critical part of that architecture and that basic infrastructure is the network. If you don't get that right, nothing works, right? Way more important than compute. Way more important than storage. Network is the foundational element of your infrastructure. Then we're going to talk about day two operations. What does that mean? Well day one is one day of your life, where you wire things up they do and beyond. I tell everyone in networking and IT -- it's every day of your life. And if you don't get that right, your life is bad forever. And so things like operations, visibility, security, things like that, how do I get my operations team to be able to handle this in an automated way because it's not just about configuring it in the cloud, it's actually about how do I operationalize it? And that's a huge benefit that we bring as Aviatrix. And then the last thing we're going to talk and it's the last panel we have, I always sayyou can't forget about the humans, right? So all this technology, all these things that we're doing, it's always enabled by the humans. At the end of the day, if the humans fight it, it won't get deployed. And we have a massive skills gap, in cloud and we also have a massive skills shortage. You have everyone in the world trying to hire cloud network architects, right? There's just not enough of them going around. So, at Aviatrix, we said as leaders do, "We're going to help address that issue and try to create more people." We created a program, what we call the ACE Program, again, aviation theme, it stands for Aviatrix Certified Engineer. Very similar to what Cisco did with CCIEs where Cisco taught you about IP networking, a little bit of Cisco, we're doing the same thing, we're going to teach network architects about multicloud networking and architecture and yeah, you'll get a little bit of Aviatrix training in there, but this is the missing element for people's careers and also within their organizations. So we're going to go talk about that. So, great, great event, great show. We're going to try to keep it moving. I next want to introduce, my host, he is the best in the business, you guys have probably seen him multiple, many times, he is the co-CEO and co founder of theCUBE, John Furrier. (audience clapping) (electronic music) >> John: Okay, awesome, great speech there, awesome. >> Yeah. >> I totally agree with everything you said about the explosion happening and I'm excited, here at the heart of silicon valley to have this event. It's a special digital event with theCUBE and Aviatrix, where we're live-streaming to, millions of people, as you said, maybe not a million. >> Maybe not a million. (laughs) Really to take this program to the world and this is really special for me, because multi-cloud is the hottest wave in cloud. And cloud-native networking is fast becoming the key engine, of the innovations, so we got an hour and a half of action-packed programming. We have a customer panel. Two customer panels. Before that Gartner's going to come out, talk about the industry. We have global system integrators, that will talk about, how their advising and building these networks and cloud native networking. And then finally the ACE's, the Aviatrix Certified Engineers, are going to talk more about their certifications and the expertise needed. So, let's jump right in, let's ask, Simon Richard to come on stage, from Gartner. We'll kick it all off. (electronic music) (clapping) >> John: Hi, can I help you. Okay, so kicking things off, getting started. Gartner, the industry experts on cloud. Really kind of more, cue your background. Talk about your background before you got to Gartner? >> Simon: Before being at Gartner, I was a chief network architect, of a Fortune 500 company, that with thousands of sites over the world and I've been doing everything in IT from a C programmer, in the 90, to a security architect, to a network engineer, to finally becoming a network analyst. >> So you rode the wave. Now you're covering the marketplace with hybrid cloud and now moving quickly to multi-cloud, is really what everyone is talking about. >> Yes. >> Cloud-native's been discussed, but the networking piece is super important. How do you see that evolving? >> Well, the way we see Enterprise adapting, cloud. The first thing you do about networking, the initial phases they either go in a very ad hoc way. Is usually led by none IT, like a shadow IT, or application people, sometime a DevOps team and it just goes as, it's completely unplanned. They create VPC's left and right with different account and they create mesh to manage them and they have Direct Connect or Express Route to any of them. So that's the first approach and on the other side. again within our first approach you see what I call, the lift and shift. Where we see like enterprise IT trying to, basically replicate what they have in a data center, in the Cloud. So they spend a lot of time planning, doing Direct Connect, putting Cisco routers and F5 and Citrix and any checkpoint, Palo Alto device, that in a sense are removing that to the cloud. >> I got to ask you, the aha moment is going to come up a lot, in one our panels, is where people realize, that it's a multi-cloud world. I mean, they either inherit clouds, certainly they're using public cloud and on-premises is now more relevant than ever. When's that aha moment? That you're seeing, where people go, "Well I got to get my act together and get on this cloud." >> Well the first, right, even before multi-cloud. So there is two approach's. The first one, like the adult way doesn't scare. At some point IT has to save them, 'cause they don't think about the tools, they don't think about operation, they have a bunch of VPC and multiple cloud. The other way, if you do the lift and shift way, they cannot take any advantages of the cloud. They lose elasticity, auto-scaling, pay by the drink. All these agility features. So they both realize, okay, neither of these ways are good, so I have to optimize that. So I have to have a mix of what I call, the cloud native services, within each cloud. So they start adapting, like all the AWS Construct, Azure Construct or Google Construct and that's what I call the optimal phase. But even that they realize, after that, they are all very different, all these approaches different, the cloud are different. Identities is constantly, difficult to manage across clouds. I mean, for example, anybody who access' accounts, there's subscription, in Azure and GCP, their projects. It's a real mess, so they realized, well I don't really like constantly use the cloud product and every cloud, that doesn't work. So I have, I'm going multi-cloud, I like to abstract all of that. I still want to manage the cloud from an EPI point of view, I don't necessarily want to bring my incumbent data center products, but I have to do that and in a more EPI driven cloud environment. >> So, the not scaling piece that you where mentioning, that's because there's too many different clouds? >> Yes. >> That's the least they are, so what are they doing? What are they, building different development teams? Is it software? What's the solution? >> Well, the solution is to start architecting the cloud. That's the third phase. I called that the multi-cloud architect phase, where they have to think about abstraction that works across cloud. Fact, even across one cloud it might not scale as well, If you start having like ten thousand security agreement, anybody who has that doesn't scale. You have to manage that. If you have multiple VPC, it doesn't scale. You need a third-party, identity provider. In variously scales within one cloud, if you go multiple cloud, it gets worse and worse. >> Steve, weigh in here. What's your thoughts? >> I thought we said this wasn't going to be a sales pitch for Aviatrix. (laughter) You just said exactly what we do, so anyway, that's a joke. What do you see in terms of where people are, in that multi-cloud? So, like lot of people, you know, everyone I talk to, started at one cloud, right, but then they look and then say okay but I'm now going to move to Azure and I'm going to move to... (trails off) Do you see a similar thing? >> Well, yes. They are moving but there's not a lot of application, that uses three cloud at once, they move one app in Azure, one app in AWS and one app in Google. That's what we see so far. >> Okay, yeah, one of the mistakes that people think, is they think multi-cloud. No one is ever going to go multi-cloud, for arbitrage. They're not going to go and say, well, today I might go into Azure, 'cause I get a better rate on my instance. Do you agree? That's never going to happen. What I've seen with enterprise, is I'm going to put the workload in the app, the app decides where it runs best. That may be Azure, maybe Google and for different reasons and they're going to stick there and they're not going to move. >> Let me ask you guys-- >> But the infrastructure, has to be able to support, from a networking team. >> Yes. >> Be able to do that. Do you agree with that? >> Yes, I agree. And one thing is also very important, is connecting to the cloud, is kind of the easiest thing. So, the wide area network part of the cloud, connectivity to the cloud is kind of simple. >> Steve: I agree. >> IP's like VPN, Direct Connect, Express Route. That's the simple part, what's difficult and even the provisioning part is easy. You can use Terraform and create VPC's and Vnet's across your three cloud provider. >> Steve: Right. >> What's difficult is that they choose the operation. So we'll define day two operation. What does that actually mean? >> Its just the day to day operations, after you know, the natural, lets add an app, lets add a server, lets troubleshoot a problem. >> Something changes, now what do you do? >> So what's the big concerns? I want to just get back to the cloud native networking, because everyone kind of knows what cloud native apps are. That's been the hot trend. What is cloud native networking? How do you guys, define that? Because that seems to be the hardest part of the multi-cloud wave that's coming, is cloud native networking. >> Well there's no, you know, official Gartner definition but I can create one on the spot. >> John: Do it. (laughter) >> I just want to leverage the Cloud Construct and the cloud EPI. I don't want to have to install, like a... (trails off) For example, the first version was, let's put a virtual router that doesn't even understand the cloud environment. >> Right. If I have if I have to install a virtual machine, it has to be cloud aware. It has to understand the security group, if it's a router. It has to be programmable, to the cloud API. And understand the cloud environment. >> And one thing I hear a lot from either CSO's, CIO's or CXO's in general, is this idea of, I'm definitely not going API. So, its been an API economy. So API is key on that point, but then they say. Okay, I need to essentially have the right relationship with my suppliers, aka you called it above the clouds. So the question is... What do I do from an architectural standpoint? Do I just hire more developers and have different teams, because you mentioned that's a scale point. How do you solve this problem of, okay, I got AWS, I got GCP, or Azure, or whatever. Do I just have different teams or do I just expose EPI's? Where is that optimization? Where's the focus? >> Well, I think what you need, from a network point of view is a way, a control plane across the three clouds. And be able to use the API's of the cloud, to build networks but also to troubleshoot them and do day to day operation. So you need a view across the three clouds, that takes care of routing, connectivity. >> Steve: Performance. >> John: That's the Aviatrix plugin, right there. >> Steve: Yeah. So, how do you see, so again, your Gartner, you see the industry. You've been a network architect. How do you see this this playing out? What are the legacy incumbent client server, On Prem networking people, going to do? >> Well they need to.. >> Versus people like a Aviatrix? How do you see that playing out? >> Well obviously, all the incumbents, like Arista, Cisco, Juniper, NSX. >> Steve: Right. >> They want to basically do the lift and shift part, they want to bring, and you know, VMware want to bring in NSX on the cloud, they call that "NSX everywhere" and Cisco want to bring in ACI to the cloud, they call that "ACI Anywhere". So, everyone's.. (trails off) And then there's CloudVision from Arista, and Contrail is in the cloud. So, they just want to bring the management plane, in the cloud, but it's still based, most of them, is still based on putting a VM in them and controlling them. You extend your management console to the cloud, that's not truly cloud native. >> Right. >> Cloud native you almost have to build it from scratch. >> We like to call that cloud naive. >> Cloud naive, yeah. >> So close, one letter, right? >> Yes. >> That was a big.. (slurs) Reinvent, take the T out of Cloud Native. It's Cloud Naive. (laughter) >> That went super viral, you guys got T-shirts now. I know you're loving that. >> Steve: Yeah. >> But that really, ultimately, is kind of a double-edged sword. You can be naive on the architecture side and ruleing that. And also suppliers or can be naive. So how would you define who's naive and who's not? >> Well, in fact, their evolving as well, so for example, in Cisco, it's a little bit more native than other ones, because there really is, "ACI in the cloud", you can't really figure API's out of the cloud. NSX is going that way and so is Arista, but they're incumbent, they have their own tools, its difficult for them. They're moving slowly, so it's much easier to start from scratch. Even you, like, you know, a network company that started a few years ago. There's only really two, Aviatrix was the first one, they've been there for at least three or four years. >> Steve: Yeah. >> And there's other one's, like Akira, for example that just started. Now they're doing more connectivity, but they want to create an overlay network, across the cloud and start doing policies and things. Abstracting all the clouds within one platform. >> So, I got to ask you. I interviewed an executive at VMware, Sanjay Poonen, he said to me at RSA last week. Oh, there'll only be two networking vendors left, Cisco and VMware. (laughter) >> What's you're response to that? Obviously when you have these waves, these new brands that emerge, like Aviatrix and others. I think there'll be a lot of startups coming out of the woodwork. How do you respond to that comment? >> Well there's still a data center, there's still, like a lot, of action on campus and there's the wan. But from the cloud provisioning and cloud networking in general, I mean, they're behind I think. You know, you don't even need them to start with, you can, if you're small enough, you can just keep.. If you have AWS, you can use the AWS construct, they have to insert themselves, I mean, they're running behind. From my point of view. >> They are, certainly incumbents. I love the term Andy Jess uses at Amazon web services. He uses "Old guard, new guard", to talk about the industry. What does the new guard have to do? The new brands that are emerging. Is it be more DevOp's oriented? Is it NetSec ops? Is it NetOps? Is it programmability? These are some of the key discussions we've been having. What's your view, on how you see this programmability? >> The most important part is, they have to make the network simple for the Dev teams. You cannot make a phone call and get a Vline in two weeks anymore. So if you move to the cloud, you have to make that cloud construct as simple enough, so that for example, a Dev team could say, "Okay, I'm going to create this VPC, but this VPC automatically associates your account, you cannot go out on the internet. You have to go to the transit VPC, so there's lot of action in terms of, the IAM part and you have to put the control around them to. So to make it as simple as possible. >> You guys, both. You're the CEO of Aviatrix, but also you've got a lot of experience, going back to networking, going back to the, I call it the OSI days. For us old folks know what that means, but, you guys know what this means. I want to ask you the question. As you look at the future of networking, you hear a couple objections. "Oh, the cloud guys, they got networking, we're all set with them. How do you respond to the fact that networking's changing and the cloud guys have their own networking. What's some of the paying points that's going on premises of these enterprises? So are they good with the clouds? What needs... What are the key things that's going on in networking, that makes it more than just the cloud networking? What's your take on it? >> Well as I said earlier. Once you could easily provision in the cloud, you can easily connect to the cloud, its when you start troubleshooting applications in the cloud and try to scale. So that's where the problem occurred. >> Okay, what's your take on it. >> And you'll hear from the customers, that we have on stage and I think what happens is all the clouds by definition, designed to the 80-20 rule which means they'll design 80% of the basic functionality. And then lead to 20% extra functionality, that of course every Enterprise needs, to leave that to ISV's, like Aviatrix. Because why? Because they have to make money, they have a service and they can't have huge instances, for functionality that not everybody needs. So they have to design to the common and that, they all do it, right? They have to and then the extra, the problem is, that Cambrian explosion, that I talked about with enterprises. That's what they need. They're the ones who need that extra 20%. So that's what I see, there's always going to be that extra functionality. In an automated and simple way, that you talked about, but yet powerful. With the up with the visibility and control, that they expect of On Prem. That kind of combination, that Yin and the Yang, that people like us are providing. >> Simon I want to ask you? We're going to ask some of the cloud architect, customer panels, that same question. There's pioneer's doing some work here and there's also the laggards who come in behind their early adopters. What's going to be the tipping point? What are some of these conversations, that the cloud architects are having out there? Or what's the signs, that they need to be on this, multi-cloud or cloud native networking trend? What are some of the signal's that are going on in the environment? What are some of the thresholds? Are things that are going on, that they can pay attention to? >> Well, once they have the application on multiple cloud and they have to get wake up at two in the morning, to troubleshoot them. They'll know it's important. (laughter) So, I think that's when the rubber will hit the road. But, as I said, it's easier to prove, at any case. Okay, it's AWS, it's easy, user transit gateway, put a few VPC's and you're done. And you create some presents like Equinox and do a Direct Connect and Express Route with Azure. That looks simple, its the operations, that's when they'll realize. Okay, now I need to understand! How cloud networking works? I also need a tool, that gives me visibility and control. But not only that, I need to understand the basic underneath it as well. >> What are some of the day in the life scenarios. you envision happening with multi-cloud, because you think about what's happening. It kind of has that same vibe of interoperability, choice, multi-vendor, 'cause they're multi-cloud. Essentially multi-vendor. These are kind of old paradigms, that we've lived through with client server and internet working. What are some of the scenarios of success, that might be possible? Will be possible, with multi-cloud and cloud native networking. >> Well, I think, once you have good enough visibility, to satisfy your customers, not only, like to, keep the service running and application running. But to be able to provision fast enough, I think that's what you want to achieve. >> Simon, final question. Advice for folks watching on the Livestream, if they're sitting there as a cloud architect or CXO. What's your advice to them right now, in this market, 'cause obviously, public cloud check, hybrid cloud, they're working on that. That gets on premises done, now multi-cloud's right behind it. What's your advice? >> The first thing they should do, is really try to understand cloud networking. For each of their cloud providers and then understand the limitations. And, is what the cloud service provider offers enough? Or you need to look to a third party, but you don't look at a third party to start with. Especially an incumbent one, so it's tempting to say "I have a bunch of F5 experts", nothing against F5. I'm going to bring my F5 in the Cloud, when you can use an ELB, that automatically understand eases and auto scaling and so on. And you understand that's much simpler, but sometimes you need your F5, because you have requirements. You have like iRules and that kind of stuff, that you've used for years. 'cause you cannot do it. Okay, I have requirement and that's not met, I'm going to use Legacy Star and then you have to start thinking, okay, what about visibility control, above the true cloud. But before you do that you have to understand the limitations of the existing cloud providers. First, try to be as native as possible, until things don't work, after that you can start thinking of the cloud. >> Great insight, Simon. Thank you. >> That's great. >> With Gartner, thank you for sharing. (electronic music) >> Welcome back to ALTITUDE 2020. For the folks in the live stream, I'm John Furrier, Steve Mullaney, CEO of Aviatrix. For our first of two customer panels with cloud network architects, we've got Bobby Willoughby, AEGON Luis Castillo from National Instruments and David Shinnick with FactSet. Guys, welcome to the stage for this digital event. Come on up. (audience clapping) (upbeat music) Hey good to see you, thank you. Customer panel, this is my favorite part. We get to hear the real scoop, we get the Gardener giving us the industry overview. Certainly, multi-cloud is very relevant, and cloud-native networking is a hot trend with the live stream out there in the digital events. So guys, let's get into it. The journey is, you guys are pioneering this journey of multi-cloud and cloud-native networking and are soon going to be a lot more coming. So I want to get into the journey. What's it been like? Is it real? You've got a lot of scar tissue? What are some of the learnings? >> Absolutely. Multi-cloud is whether or not we accept it, as network engineers is a reality. Like Steve said, about two years ago, companies really decided to just bite the bullet and move there. Whether or not we accept that fact, we need to not create a consistent architecture across multiple clouds. And that is challenging without orchestration layers as you start managing different tool sets and different languages across different clouds. So it's really important to start thinking about that. >> Guys on the other panelists here, there's different phases of this journey. Some come at it from a networking perspective, some come in from a problem troubleshooting, what's your experiences? >> From a networking perspective, it's been incredibly exciting, it's kind of once in a generational opportunity to look at how you're building out your network. You can start to embrace things like infrastructure as code that maybe your peers on the systems teams have been doing for years, but it just never really worked on-prem. So it's really exciting to look at all the opportunities that we have and all of the interesting challenges that come up that you get to tackle. >> And effects that you guys are mostly AWS, right? >> Yeah. Right now though, we are looking at multiple clouds. We have production workloads running in multiple clouds today but a lot of the initial work has been with Amazon. >> And you've seen it from a networking perspective, that's where you guys are coming at it from? >> Yup. >> Awesome. How about you? >> We evolve more from a customer requirement perspective. Started out primarily as AWS, but as the customer needed more resources from Azure like HPC, Azure AD, things like that, even recently, Google analytics, our journey has evolved into more of a multi-cloud environment. >> Steve, weigh in on the architecture because this is going to be a big conversation, and I wanted you to lead this section. >> I think you guys agree the journey, it seems like the journey started a couple of years ago. Got real serious, the need for multi-cloud, whether you're there today. Of course, it's going to be there in the future. So that's really important. I think the next thing is just architecture. I'd love to hear what you, had some comments about architecture matters, it all starts, every enterprise I talked to. Maybe talk about architecture and the importance of architects, maybe Bobby. >> From architecture perspective, we started our journey five years ago. >> Wow, okay. >> And we're just now starting our fourth evolution over network architect. And we call it networking security net sec, versus just as network. And that fourth-generation architecture should be based primarily upon the Palo Alto Networks and Aviatrix. Aviatrix to new orchestration piece of it. But that journey came because of the need for simplicity, the need for a multi-cloud orchestration without us having to go and do reprogramming efforts across every cloud as it comes along. >> I guess the other question I also had around architecture is also... Luis maybe just talk about it. I know we've talked a little bit about scripting, and some of your thoughts on that. >> Absolutely. So for us, we started creating the network constructs with cloud formation, and we've stuck with that for the most part. What's interesting about that is today, on-premise, we have a lot of automation around how we provision networks, but cloud formation has become a little bit like the new manual for us. We're now having issues with having to automate that component and making it consistent with our on-premise architecture and making it consistent with Azure architecture and Google cloud. So, it's really interesting to see companies now bring that layer of abstraction that SD-WAN brought to the wound side, now it's going up into the cloud networking architecture. >> Great. So on the fourth generation, you mentioned you're on the fourth-gen architecture. What have you learned? Is there any lessons, scratch issue, what to avoid, what worked? What was the path that you touched? >> It's probably the biggest lesson there is that when you think you finally figured it out, you haven't. Amazon will change something, Azure change something. Transit Gateway is a game-changer. And listening to the business requirements is probably the biggest thing we need to do upfront. But I think from a simplicity perspective, like I said, we don't want to do things four times. We want to do things one time, we want be able to write to an API which Aviatrix has and have them do the orchestration for us. So that we don't have to do it four times. >> How important is architecture in the progression? Is it do you guys get thrown in the deep end, to solve these problems, are you guys zooming out and looking at it? How are you guys looking at the architecture? >> You can't get off the ground if you don't have the network there. So all of those, we've gone through similar evolutions, we're on our fourth or fifth evolution. I think about what we started off with Amazon without Direct Connect Gateway, without Transit Gateway, without a lot of the things that are available today, kind of the 80, 20 that Steve was talking about. Just because it wasn't there doesn't mean we didn't need it. So we needed to figure out a way to do it, we couldn't say, "Oh, you need to come back to the network team in a year, and maybe Amazon will have a solution for it." We need to do it now and evolve later and maybe optimize or change the way you're doing things in the future. But don't sit around and wait, you can't. >> I'd love to have you guys each individually answer this question for the live streams that comes up a lot. A lot of cloud architects out in the community, what should they be thinking about the folks that are coming into this proactively and, or realizing the business benefits are there? What advice would you guys give them on architecture? What should be they'd be thinking about, and what are some guiding principles you could share? >> So I would start with looking at an architecture model that can spread and give consistency to the different cloud vendors that you will absolutely have to support. Cloud vendors tend to want to pull you into using their native tool set, and that's good if only it was realistic to talk about only one cloud. But because it doesn't, it's super important to talk about, and have a conversation with the business and with your technology teams about a consistent model. >> And how do I do my day one work so that I'm not spending 80% of my time troubleshooting or managing my network? Because if I'm doing that, then I'm missing out on ways that I can make improvements or embrace new technologies. So it's really important early on to figure out, how do I make this as low maintenance as possible so that I can focus on the things that the team really should be focusing on? >> Bobby, your advice there, architecture. >> I don't know what else I can add to that. Simplicity of operations is key. >> So the holistic view of day two operations you mentioned, let's can jump in day one as you're getting stuff set up, day two is your life after. This is kind of of what you're getting at, David. So what does that look like? What are you envisioning as you look at that 20-mile stair, out post multi-cloud world? What are some of the things that you want in the day two operations? >> Infrastructure as code is really important to us. So how do we design it so that we can start fit start making network changes and fitting them into a release pipeline and start looking at it like that, rather than somebody logging into a router CLI and troubleshooting things in an ad hoc nature? So, moving more towards a dev-ops model. >> You guys, anything to add on that day two? >> Yeah, I would love to add something. In terms of day two operations you can either sort of ignore the day two operations for a little while, where you get your feet wet, or you can start approaching it from the beginning. The fact is that the cloud-native tools don't have a lot of maturity in that space and when you run into an issue, you're going to end up having a bad day, going through millions and millions of logs just to try to understand what's going on. That's something that the industry just now is beginning to realize it's such a big gap. >> I think that's key because for us, we're moving to more of an event-driven or operations. In the past, monitoring got the job done. It's impossible to monitor something that is not there when the event happens. So the event-driven application and then detection is important. >> Gardner is all about the cloud-native wave coming into networking. That's going to be a serious thing. I want to get your guys' perspective, I know you have each different views of how you come into the journey and how you're executing. And I always say the beauty's in the eye of the beholder and that applies to how the network's laid out. So, Bobby, you guys do a lot of high-performance encryption, both on AWS and Azure. That's a unique thing for you. How are you seeing that impact with multi-cloud? >> That's a new requirement for us too, where we have an increment to encrypt. And then if you ever get the question, should I encrypt, should I not encrypt? The answer is always yes. You should encrypt when you can encrypt. For our perspective, we need to migrate a bunch of data from our data centers. We have some huge data centers, and getting that data to the cloud is a timely expense in some cases. So we have been mandated, we have to encrypt everything, leave in the data center. So we're looking at using the Aviatrix insane mode appliances to be able to encrypt 10, 20 gigabits of data as it moves to the cloud itself. >> David, you're using Terraform, you've got FireNet, you've got a lot of complexity in your network. What do you guys look at the future for your environment? >> So many exciting that we're working on now as FireNet. So for our security team that obviously have a lot of knowledge base around Palo Alto, and with our commitments to our clients, it's not very easy to shift your security model to a specific cloud vendor. So there's a lot of SOC 2 compliance and things like that were being able to take some of what you've worked on for years on-prem and put it in the cloud and have the same type of assurance that things are going to work and be secure in the same way that they are on-prem, helps make that journey into the cloud a lot easier. >> And Louis, you guys got scripting, you got a lot of things going on. What's your unique angle on this? >> Absolutely. So for disclosure, I'm not an Aviatrix customer yet. (laughs) >> It's okay, we want to hear the truth, so that's good. Tell us, what are you thinking about? What's on your mind? >> When you talk about implementing a tool like this, it's really just really important to talk about automation focus on value. When you talk about things like encryption and things like so you're encrypting tunnels and encrypting the path, and those things should be second nature really. When you look at building those back-ends and managing them with your team, it becomes really painful. So tools like Aviatrix that add a lot automation it's out of sight, out of mind. You can focus on the value, and you don't have to focus on this. >> So I got to ask you guys. I see Aviatrix was here, they're supplier to this sector, but you guys are customers. Everyone's pitching your stuff, people knock on you, "Buy my stuff." How do you guys have that conversation with the suppliers, like the cloud vendors and other folks? What's it like? We're API all the way? You've got to support this? What are some of your requirements? How do you talk to and evaluate people that walk in and want to knock on your door and pitch you something? What's the conversation like? >> It's definitely API driven. We definitely look at the API structure that the vendors provide before we select anything. That is always first of mine and also, what problem are we really trying to solve? Usually, people try to sell or try to give us something that isn't really valuable, like implementing a Cisco solution on the cloud doesn't really add a lot of value, that's where we go. >> David, what's your conversation like with suppliers? Do you have a certain new way to do things? As it becomes more agile, essentially networking, and getting more dynamic, what are some of the conversations with either in commits or new vendors that you're having? What do you require? >> Ease of use is definitely high up there. We've had some vendors come in and say, "Hey, when you go to set this up, "we're going to want to send somebody on-site." And they're going to sit with you for a day to configure it. And that's a red flag. Well, wait a minute, do we really, if one of my really talented engineers can't figure it out on his own, what's going on there and why is that? Having some ease of use and the team being comfortable with it and understanding it is really important. >> Bobby, how about you? Old days was, do a bake-off and the winner takes all. Is it like that anymore? What's evolving? Bake-off last year for but still win. But that's different now because now when you get the product, you can install the product in AWS and Azure, have it up running in a matter of minutes. So the key is that can you be operational within hours or days instead of weeks? But do we also have the flexibility to customize it, to meet your needs? Because you don't want to be put into a box with the other customers when you have needs that are past their needs. >> I can almost see the challenge that you guys are living, where you've got the cloud immediate value, depending how you can roll up any solutions, but then you might have other needs. So you've got to be careful not to buy into stuff that's not shipping. So you're trying to be proactive and at the same time, deal with what you got. How do you guys see that evolving? Because multi-cloud to me is definitely relevant, but it's not yet clear how to implement across. How do you guys look at this baked versus future solutions coming? How do you balance that? >> Again, so right now, we're taking the ad hoc approach and experimenting what the different concepts of cloud are and really leveraging the native constructs of each cloud. But there's a breaking point for sure. You don't get to scale this like someone said, and you have to focus on being able to deliver, developers their sandbox or their play area for the things that they're trying to build quickly. And the only way to do that is with some consistent orchestration layer that allows you to-- >> So you expect a lot more stuff to becoming pretty quickly in that area. >> I do expect things to start maturing quite quickly this year. >> And you guys see similar trend, new stuff coming fast? >> Yeah. Probably the biggest challenge we've got now is being able to segment within the network, being able to provide segmentation between production, non-production workloads, even businesses, because we support many businesses worldwide and isolation between those is a key criteria there. So the ability to identify and quickly isolate those workloads is key. So the CIOs that are watching are saying, "Hey, take that hill, do multi-cloud." And then you have the bottoms up organization, "Pause, you're like off a little bit, it's not how it works." What is the reality in terms of implementing as fast as possible? Because the business benefits are clear, but it's not always clear on the technology how to move that fast. What are some of the barriers, what are the blockers, what are the enablers? >> I think the reality is that you may not think you're multi-cloud, but your business is. So I think the biggest barrier there is understanding what the requirements are and how best to meet those requirements in a secure manner. Because you need to make sure that things are working from a latency perspective that things work the way they did and get out of the mind shift that it was a tier-three application and the data center, it doesn't have to be a tier-three application in the cloud. So, lift and shift is not the way to go. >> Scale is a big part of what I see is the competitive advantage by these clouds and used to be proprietary network stacks in the old days, and then open systems came, that was a good thing. But as cloud has become bigger, there's an inherent lock-in there with the scale. How do you guys keep the choice open? How are you guys thinking about interoperability? What are some of the conversations that you guys are having around those key concepts? >> When we look at from a networking perspective, it's really key for you to just enable all the class to be able to communicate between them. Developers will find a way to use the cloud that best suits their business needs. And like you said, it's whether you're in denial or not, of the multi-cloud fact that your company is in already that's it becomes really important for you to move quickly. >> Yeah. And a lot of it also hinges on how well is the provider embracing what that specific cloud is doing? So, are they swimming with Amazon or Azure and just helping facilitate things, and they're doing the heavy lifting API work for you? Or are they swimming upstream and they're trying to hack it all together in messy way? And so that helps you stay out of the lock-in because there, if they're using Amazon native tools to help you get where you need to be, it's not like Amazon is going to release something in the future that completely makes you have designed yourself into a corner. So the closer, more than cloud-native they are, the more, the easier it is to deploy. >> Which also need to be aligned in such a way that you can take advantage of those cloud-native technologies. Will it make sense? TGW is a gamechanger in terms of cost and performance. So to completely ignore that, would be wrong. But if you needed to have encryption, TGW is not encrypted, so you need to have some type of Gateway to do the VPN encryption. So, the Aviatrix tool will give you the beauty of both worlds. You can use TGW or the Gateway. Real quick on the last minute we have, I want to just get a quick feedback from you guys. I hear a lot of people say to me, "Hey, pick the best cloud for the workload you got, then figure out multicloud behind the scenes." Do you guys agree with that? Do I go more to one cloud across the whole company or this workload works great on AWS, that workload works great on this. From a cloud standpoint, do you agree with that premise, and then when is multi-cloud stitching altogether? >> From an application perspective, it can be per workload, but it can also be an economical decision, certain enterprise contracts will pull you in one direction to add value, but the network problem is still the same. >> It doesn't go away. >> You don't want to be trying to fit a square into a round hall. If it works better on that cloud provider, then it's our job to make sure that service is there and people can use it. >> I agree, you just need to stay ahead of the game, make sure that the network infrastructure is there, security is available and is multi-cloud capable. >> At the end of the day, you guys are just validating that it's the networking game now. Cloud storage, compute check, networking is where the action is. Awesome. Thanks for your insights guys, appreciate you coming on the panel. Appreciate it, thanks. (upbeat music) >> John: Our next customer panel, got great another set of cloud network architects, Justin Smith with Zuora, Justin Brodley with EllieMae and Amit Utreja with Coupa. Welcome to stage. (audience applauds) (upbeat music) >> All right, thank you. >> How are ya? >> Thank you. Thank You. >> Hey Amit. How are ya? >> Did he say it right? >> Yeah. >> Okay he's got all the cliff notes from the last session, welcome back. Rinse and repeat. We're going to go into the hood a little bit. And I think they nailed what we've been reporting, we've been having this conversation around, networking is where the action is because that's at the end of the day you got to move packet from A to B and you got workloads exchanging data. So it's really killer. So let's get started. Amit, what are you seeing as the journey of multicloud as you go under the hood and say, "Okay, I got to implement this. "I have to engineer the network, "make it enabling, make it programmable, "make it interoperable across clouds." That almost sounds impossible to me. What's your take? >> Yeah, it seems impossible but if you are running an organization which is running infrastructure as a code it is easily doable. Like you can use tools out there that's available today, you can use third party products that can do a better job. But put your architecture first, don't wait. Architecture may not be perfect, put the best architecture that's available today and be agile, to iterate and make improvements over the time. >> We get to Justin's over here, so I have to be careful when I point a question to Justin, they both have the answer. Okay, journeys, what's the journey been like? Is there phases, We heard that from Gardner, people come into multicloud and cloud native networking from different perspectives? What's your take on the journey, Justin? >> Yeah, from our perspective, we started out very much focused on one cloud and as we've started doing acquisitions, we started doing new products to the market, the need for multicloud becomes very apparent, very quickly for us. And so having an architecture that we can plug and play into and be able to add and change things as it changes is super important for what we're doing in the space. >> Justin, your journey. >> Yes. For us, we were very ad hoc oriented and the idea is that we were reinventing all the time, trying to move into these new things and coming up with great new ideas. And so rather than it being some iterative approach with our deployments that became a number of different deployments. And so we shifted that toward and the network has been a real enabler of this. There's one network and it touches whatever cloud we want it to touch, and it touches the data centers that we need it to touch, and it touches the customers that we needed to touch. Our job is to make sure that the services that are available in one of those locations are available in all of the locations. So the idea is not that we need to come up with this new solution every time, it's that we're just iterating on what we've already decided to do. >> Before we get the architecture section, I want to ask you guys a question? I'm a big fan of let the app developers have infrastructure as code, so check. But having the right cloud run that workload, I'm a big fan of that, if it works great. But we just heard from the other panel, you can't change the network. So I want to get your thoughts, what is cloud native networking? And is that the engine really, that's the enabler for this multicloud trend? What's you guys take? We'll start with Amit, what do you think about that? >> Yeah, so you're going to have workloads running in different clouds and the workloads would have affinity to one cloud or other. But how you expose that it's a matter of how you are going to build your networks. How you're going to run security. How you're going to do egress, ingress out of it so -- >> You said networking is the big problem to solve. >> Yes. >> What's the solution? What's the key pain points and problem statement? >> The key pain point for most companies is how do you take your traditionally on premise network and then blow it out to the cloud in a way that makes sense. You have IP conflicts, you have IP space, you have public IPs on premise as well as in the cloud. And how do you kind of make sense of all of that? And I think that's where tools like Aviatrix make a lot of sense in that space. >> From our side, it's really simple. It's a latency, it's bandwidth and availability. These don't change whether we're talking about cloud or data center, or even corporate IT networking. So our job when these all of these things are simplified into like, S3, for instance and our developers want to use those. We have to be able to deliver that and for a particular group or another group that wants to use just just GCP resources. We have to support these requirements and these wants, as opposed to saying, "Hey, that's not a good idea." No, our job is to enable them not to disable them. >> Do you guys think infrastructure is code? Which I love that, I think that's the future in this. We even saw that with DevOps. But as you start getting the networking, is it getting down to the network portion where its network as code? Because storage and compute working really well, we're seeing all Kubernetes on service mesh trend. Network has code, reality is it there? Is it still got work to do? >> It's absolutely there, you mentioned net DevOps and it's very real. In Coupa we build our networks through terraform and not only just terraform, build an API so that we can consistently build VNets and VPC all across in the same way. >> So you guys are doing it? >> Yup. And even security groups. And then on top and Aviatrix comes in, we can peer the networks bridge all the different regions through code. >> Same with you guys. >> Yeah. >> What do you think about this? >> Everything we deploy is done with automation and then we also run things like Lambda on top to make changes in real time, we don't make manual changes on our network. In the data center, funny enough, it's still manual but the cloud has enabled us to move into this automation mindset. And all my guys, that's what they focus on is bringing, now what they're doing in the cloud into the data center, which is kind of opposite of what it should be or what it used to be. >> It's full DevOps then? >> Yes. >> For us, it was similar on-prem is still somewhat very manual, although we're moving more and more to ninja and terraform type concepts. But everything in the production environment is code, confirmation terraform code and now coming into the data center same (mumbles). >> So I just wanted to jump in Justin Smith, one of the comment that you made, because it's something that we always talk about a lot is that the center of gravity of architecture used to be an on-prem and now it's shifted in the cloud. And once you have your strategic architecture, what do you do? You push that everywhere. So what you used to see at the beginning of cloud was pushing the architecture on-prem into cloud. Now, I want to pick up on what you said, do you others agree that the center of gravity is here, I'm now pushing what I do in the cloud back into on-prem? And then so first that and then also in the journey, where are you at from zero to 100 of actually in the journey to cloud? Are you 50% there, are you 10%? Are you evacuating data centers next year? Where are you guys at? >> Yeah, so there's there's two types of gravity that you typically are dealing with, with the migration. First is data, gravity and your data set, and where that data lives. And then the second is the network platform that wraps all that together. In our case, the data gravity solely mostly on-prem but our network is now extending out to the app tier, it's going to be in cloud. Eventually, that data, gravity will also move to cloud as we start getting more sophisticated but in our journey, we're about halfway there. About halfway through the process, we're taking a handle of lift and shift and -- >> Steve: And when did that start? >> We started about three years ago. >> Okay, okay. >> Well for Coupa it's a very different story. It started from a garage and 100% on the cloud. So it's a business plan management platform, software as a service run 100% on the cloud. >> That was was like 10 years ago, right? >> Yes. >> Yeah. >> You guys are riding the wave of the architecture. Justin I want to ask you, Zuora, you guys mentioned DevOps. Obviously, we saw the huge observability wave, which essentially network management for the cloud, in my opinion. It's more dynamic, but this is about visibility. We heard from the last panel you don't know what's being turned on or turned off from a services standpoint, at any given time. How is all this playing out when you start getting into the DevOps down (mumbles)? >> This is the big challenge for all of us is visibility. When you talk transport within a cloud, very interestingly we we have moved from having a backbone that we bought, that we own, that would be data center connectivity. Zuora's a subscription billing company, so we want to support the subscription mindset. So rather than going and buying circuits and having to wait three months to install and then coming up with some way to get things connected and resiliency and redundancy. My backbone is in the cloud. I use the cloud providers interconnections between regions to transport data across and so if you do that with their native solutions, you do lose visibility. There are areas in that that you don't get, which is why controllers and having some type of management plane is a requirement for us to do what we're supposed to do and provide consistency while doing it. >> Great conversation. I loved what you said earlier latency, bandwidth, I think availability were your top three things. Guys SLA, just do ping times between clouds it's like, you don't know what you're getting for round trip time. This becomes a huge kind of risk management, black hole, whatever you want to call it, blind spot. How are you guys looking at the interconnect between clouds? Because I can see that working from ground to cloud on per cloud but when you start dealing with multiclouds workloads, SLAs will be all over the map, won't they just inherently. How do you guys view that? >> Yeah, I think we talked about workload and we know that the workloads are going to be different in different clouds, but they're going to be calling each other. So it's very important to have that visibility, that you can see how data is flowing at what latency and what availability is there and our authority needs to operate on that. >> So use the software dashboard, look at the times and look at the latency -- >> In the old days, Strongswan Openswan you try to figure it out, in the new days you have to figure out. >> Justin, what's your answer to that because you're in the middle of it? >> Yeah, I think the key thing there is that we have to plan for that failure, we have to plan for that latency in our applications. If certain things are tracking in your SLI, certain things are planning for and you loosely coupled these services in a much more microservices approach. So you actually can handle that kind of failure or that type of unknown latency and unfortunately, the cloud has made us much better at handling exceptions in a much better way. >> You guys are all great examples of cloud native from day one. When did you have the tipping point moment or the epiphany of saying a multiclouds real, I can't ignore it, I got to factor that into all my design principles and everything you're doing? Was there a moment or was it from day one? >> There are two reasons, one was the business. So in business, there were some affinity to not be in one cloud or to be in one cloud and that drove from the business side. So as a cloud architect our responsibility was to support that business. Another is the technology, some things are really running better in, like if you're running Dotnet workload or your going to run machine learning or AI so that you would have that preference of one cloud over other. >> Guys, any thoughts on that? >> That was the bill that we got from AWS. That's what drives a lot of these conversations is the financial viability of what you're building on top of. This failure domain idea which is fairly interesting. How do I solve our guarantee against a failure domain? You have methodologies with back end direct connects or interconnect with GCP. All of these ideas are something that you have to take into account but that transport layer should not matter to whoever we're building this for. Our job is to deliver the frames and the packets, what that flows across, how you get there? We want to make that seamless. And so whether it's a public internet API call or it's a back end connectivity through direct connect, it doesn't matter. It just has to meet a contract that you've signed with your application, folks. >> Yeah, that's the availability piece. >> Justin, your thoughts on that, any comment on that? >> So actually multiclouds become something much more recent in the last six to eight months, I'd say. We always kind of had a very much an attitude of like moving to Amazon from our private cloud is hard enough, why complicate it further? But the realities of the business and as we start seeing, improvements in Google and Azure and different technology spaces, the need for multicloud becomes much more important. As well as our acquisition strategies are matured, we're seeing that companies that used to be on premise that we typically acquire are now very much already on a cloud. And if they're on a cloud, I need to plug them into our ecosystem. And so that's really changed our multicloud story in a big way. >> I'd love to get your thoughts on the clouds versus the clouds, because you compare them Amazon's got more features, they're rich with features. Obviously, the bills are high to people using them. But Google's got a great network, Google's networks pretty damn good And then you got Azure. What's the difference between the clouds? Where do they fall? Where do they peak in certain areas better than others? What are the characteristics, which makes one cloud better? Do they have a unique feature that makes Azure better than Google and vice versa? What do you guys think about the different clouds? >> Yeah, to my experience, I think the approach is different in many places. Google has a different approach very DevOps friendly and you can run your workloads with your network can span regions. But our application ready to accept that. Amazon is evolving. I remember 10 years back Amazon's network was a flat network, we would be launching servers in 10.0.0/8, right. And then the VPCs came out. >> We'll have to translate that to English for the live feed. Not good. So the VPCs concept came out, multi account came out, so they are evolving. Azure had a late start but because they have a late start, they saw the pattern and they have some mature setup on the network. >> They've got around the same price too. >> I think they're all trying to say they're equal in their own ways. I think they all have very specific design philosophies that allow them to be successful in different ways and you have to kind of keep that in mind as you architect your own solution. For example, Amazon has a very regional affinity, they don't like to go cross region in their architecture. Whereas Google is very much it's a global network, we're going to think about as a global solution. I think Google also has advantage that it's third to market and so has seen what Azure did wrong, it seeing what AWS did wrong and it's made those improvements and I think that's one of their big advantage. >> They got great scale too. Justin thoughts on the cloud. >> So yeah, Amazon built from the system up and Google built from the network down. So their ideas and approaches are from a global versus original, I agree with you completely that is the big number one thing. But the if you look at it from the outset, interestingly, the inability or the ability for Amazon to limit layer to broadcasting and what that really means from a VPC perspective, changed all the routing protocols you can use. All the things that we had built inside of a data center to provide resiliency and make things seamless to users, all of that disappeared. And so because we had to accept that at the VPC level, now we have to accept that at the WAN level. Google's done a better job of being able to overcome those things and provide those traditional network facilities to us. >> Just a great panel, we could go all day here, it's awesome. So I heard, we will get to the cloud native naive questions. So kind of think about what's naive and what's cloud, I'll ask that next but I got to ask you I had a conversation with a friend he's like, "WAN is the new LAN?" So if you think about what the LAN was at a data center, WAN is the new LAN, cause you keep talking about the cloud impact? So that means ST-WAN, the old ST-WAN kind of changing. There's a new LAN. How do you guys look at that? Because if you think about it, what LANs were for inside a premises was all about networking, high speed. But now when you take the WAN and make it, essentially a LAN, do you agree with that? And how do you view this trend? Is it good or bad or is it ugly? What you guys take on this? >> Yeah, I think it's a thing that you have to work with your application architects. So if you are managing networks and if you're a server engineer, you need to work with them to expose the unreliability that it would bring in. So the application has to handle a lot of the difference in the latencies and the reliability has to be worked through the application there. >> LAN, WAN, same concept is that BS? Can you give some insight? >> I think we've been talking about for a long time the erosion of the edge. And so is this just a continuation of that journey we've been on for last several years. As we get more and more cloud native and we talked about API's, the ability to lock my data in place and not be able to access it really goes away. And so I think this is just continuation. I think it has challenges. We start talking about WAN scale versus LAN scale, the tooling doesn't work the same, the scale of that tooling is much larger. and the need to automation is much, much higher in a WAN than it wasn't a LAN. That's why you're seeing so much infrastructure as code. >> Yeah. So for me, I'll go back again to this, it's bandwidth and its latency that define those two LAN versus WAN. But the other thing that's comes up more and more with cloud deployments is whereas our security boundary and where can I extend this secure aware appliance or set of rules to protect what's inside of it. So for us, we're able to deliver VRFs or route forwarding tables for different segments wherever we're at in the world. And so they're trusted to talk to each other but if they're going to go to someplace that's outside of their network, then they have to cross the security boundary, where we enforce policy very heavily. So for me, there's it's not just LAN, WAN it's how does environment get to environment more importantly. >> That's a great point in security, we haven't talked it yet but that's got to be baked in from the beginning, this architecture. Thoughts on security, how you guys are dealing with it? >> Yeah, start from the base, have app to app security built in. Have TLS, have encryption on the data at transit, data at rest. But as you bring the application to the cloud and they're going to go multicloud, talking to over the internet, in some places, well have app to app security. >> Our principles day, security is day zero every day. And so we always build it into our design, build into our architecture, into our applications. It's encrypt everything, it's TLS everywhere. It's make sure that that data is secure at all times. >> Yeah, one of the cool trends at RSA, just as a side note was the data in use encryption piece, which is homomorphic stuff was interesting. Alright guys, final question. We heard on the earlier panel was also trending at re:Invent, we think the T out of cloud native, it spells cloud naive. They have shirts now, Aviatrix kind of got this trend going. What does that mean to be naive? To your peers out there watching the live stream and also the suppliers that are trying to supply you guys with technology and services, what's naive look like and what's native look like? When is someone naive about implementing all this stuff? >> So for me, because we are in 100% cloud, for us its main thing is ready for the change. And you will find new building blocks coming in and the network design will evolve and change. So don't be naive and think that it's static, evolve with the change. >> I think the biggest naivety that people have is that well, I've been doing it this way for 20 years, I've been successful, it's going to be successful in cloud. The reality is that's not the case. You got to think some of the stuff a little bit differently and you need to think about it early enough, so that you can become cloud native and really enable your business on cloud. >> Yeah for me it's being open minded. Our industry, the network industry as a whole, has been very much I'm smarter than everybody else and we're going to tell everybody how it's going to be done. And we fell into a lull when it came to producing infrastructure and so embracing this idea that we can deploy a new solution or a new environment in minutes as opposed to hours, or weeks or months in some cases, is really important in and so >> - >> It's naive being closed minded, native being open minded. >> Exactly. For me that was a transformative kind of where I was looking to solve problems in a cloud way as opposed to looking to solve problems in this traditional old school way. >> All right, I know we're at a time but I got to asked one more question, so you guys so good. Give me a quick answer. What's the BS language when you, the BS meter goes off when people talk to you about solutions? What's the kind of jargon that you hear, that's the BS meter going off? What are people talking about that in your opinion you here you go, "That's total BS?" What triggers you? >> So that I have two lines out of movies if I say them without actually thinking them. It's like 1.21 gigawatts are you out of your mind from Back to the Future right? Somebody's giving you all these wiz bang things. And then Martin Maul and Michael Keaton in Mr Mom when he goes to 220, 221, whatever it takes. >> Yeah. >> Those two right there, if those go off in my mind where somebody's talking to me, I know they're full of baloney. >> So a lot of speeds and feeds, a lot of speeds and feeds a lot of -- >> Just data. Instead of talking about what you're actually doing and solutioning for. You're talking about, "Well, it does this this this." Okay to 220, 221. (laughter) >> Justin, what's your take? >> Anytime I start seeing the cloud vendors start benchmarking against each other. Your workload is your workload, you need to benchmark yourself. Don't listen to the marketing on that, that's just awful. >> Amit, what triggers you in the BS meter? >> I think if somebody explains to you are not simple, they cannot explain you in simplicity, then it's all bull shit. >> (laughs) That's a good one. Alright guys, thanks for the great insight, great panel. How about a round of applause to practitioners. (audience applauds) (upbeat music) >> John: Okay, welcome back to Altitude 2020 for the digital event for the live feed. Welcome back, I'm John Furrier with theCUBE with Steve Mullaney, CEO Aviatrix. For the next panel from Global System Integrated, the folks who are building and working with folks on their journey to multicloud and cloud-native networking. We've got a great panel, George Buckman with DXC and Derrick Monahan with WWT, welcome to the stage. (Audience applauds) >> Hey >> Thank you >> Groovy spot >> All right (upbeat music) >> Okay, you guys are the ones out there advising, building, and getting down and dirty with multicloud and cloud-native networking, we just heard from the customer panel. You can see the diversity of where people come in to the journey of cloud, it kind of depends upon where you are, but the trends are all clear, cloud-native networking, DevOps, up and down the stack, this has been the main engine. What's your guys' take of this journey to multicloud? What do you guys think? >> Yeah, it's critical, I mean we're seeing all of our enterprise customers enter into this, they've been through the migrations of the easy stuff, ya know? Now they're trying to optimize and get more improvements, so now the tough stuff's coming on, right? They need their data processing near where their data is. So that's driving them to a multicloud environment. >> Yeah, we've heard some of the Edge stuff, I mean, you guys are-- >> Exactly. >> You've seen this movie before, but now it's a whole new ballgame, what's your take? Yeah, so, I'll give you a hint, our practice is not called the cloud practice, it's the multicloud practice, and so if that gives you a hint of how we approach things. It's very consultative. And so when we look at what the trends are, like a year ago. About a year ago we were having conversations with customers, "Let's build a data center in the cloud. Let's put some VPCs, let's throw some firewalls, let's put some DNS and other infrastructure out there and let's hope it works." This isn't a science project. What we're starting to see is customers are starting to have more of a vision, we're helping with that consultative nature, but it's totally based on the business. And you've got to start understanding how lines of business are using the apps and then we evolve into the next journey which is a foundational approach to-- >> What are some of the problems some of your customers are solving when they come to you? What are the top things that are on their mind, obviously the ease of use, agility, all that stuff, what specifically are they digging into? >> Yeah, so complexity, I think when you look at a multicloud approach, in my view is, network requirements are complex. You know, I think they are, but I think the approach can be, "Let's simplify that." So one thing that we try to do, and this is how we talk to customers is, just like you simplify in Aviatrix, simplifies the automation orchestration of cloud networking, we're trying to simplify the design, the plan, and implementation of the infrastructure across multiple workloads, across multiple platforms. And so the way we do it, is we sit down, we look at not just use cases, not just the questions we commonly anticipate, we actually build out, based on the business and function requirements, we build out a strategy and then create a set of documents, and guess what? We actually build it in a lab, and that lab that we platform rebuilt, proves out this reference architectural actually works. >> Absolutely, we implement similar concepts. I mean, they're proven practices, they work, right? >> But George, you mentioned that the hard part's now upon us, are you referring to networking, what specifically were you getting at there when you said, "The easy part's done, now the hard part?" >> So for the enterprises themselves, migrating their more critical apps or more difficult apps into the environments, ya know, we've just scratched the surface, I believe, on what enterprises are doing to move into the cloud, to optimize their environments, to take advantage of the scale and speed to deployment and to be able to better enable their businesses. So they're just now really starting to-- >> So do you guys see what I talked about? I mean, in terms of that Cambrian explosion, I mean, you're both monster system integrators with top fortune enterprise customers, you know, really rely on you for guidance and consulting and so forth, and deploy their networks. Is that something that you've seen? I mean, does that resonate? Did you notice a year and a half ago all of a sudden the importance of cloud for enterprise shoot up? >> Yeah, I mean, we're seeing it now. >> Okay. >> In our internal environment as well, ya know, we're a huge company ourselves, customer zero, our internal IT, so, we're experiencing that internally and every one of our other customers as well. >> So I have another question and I don't know the answer to this, and a lawyer never asks a question that you don't know the answer to, but I'm going to ask it anyway. DXC and WWT, massive system integrators, why Aviatrix? >> Great question, Steve, so I think the way we approach things, I think we have a similar vision, a similar strategy, how you approach things, how we approach things, at World Wide Technology. Number one, we want a simplify the complexity. And so that's your number one priority. Let's take the networking, let's simplify it, and I think part of the other point I'm making is we see this automation piece as not just an after thought anymore. If you look at what customers care about, visibility and automation is probably at the top three, maybe the third on the list, and I think that's where we see the value. I think the partnership that we're building and what I get excited about is not just putting yours and our lab and showing customers how it works, it's co-developing a solution with you. Figuring out, "Hey, how can we make this better?" >> Right >> Visibility is a huge thing, just in security alone, network everything's around visibility. What automation do you see happening, in terms of progression, order of operations, if you will? What's the low hanging fruit? What are people working on now? What are some of the aspirational goals around when you start thinking about multicloud and automation? >> So I wanted to get back to his question. >> Answer that question. >> I wanted to answer your question, you know, what led us there and why Aviatrix. You know, in working some large internal IT projects, and looking at how we were going to integrate those solutions, you know, we like to build everything with recipes. Network is probably playing catch-up in the DevOps world but with a DevOps mindset, looking to speed to deploy, support, all those things, so when you start building your recipe, you take a little of this, a little of that, and you mix it all together, well, when you look around, you say, "Wow, look, there's this big bag of Aviatrix. "Let me plop that in. That solves a big part "of my problems that I had, the speed to integrate, "the speed to deploy, and the operational views "that I need to run this." So that was what led me to-- >> John: So how about reference architectures? >> Yeah, absolutely, so, you know, they came with a full slate of reference architectures already out there and ready to go that fit our needs, so it was very easy for us to integrate those into our recipes. >> What do you guys think about all the multi-vendor inter-operability conversations that have been going on? Choice has been a big part of multicloud in terms of, you know, customers want choice, they'll put a workload in the cloud if it works, but this notion of choice and interoperability has become a big conversation. >> It is, and I think that our approach, and that's the way we talk to customers is, "Let's speed and de-risk that decision making process, "and how do we do that?" Because interoperability is key. You're not just putting, it's not just a single vendor, we're talking, you know, many many vendors, I mean think about the average number of cloud applications a customer uses, a business, an enterprise business today, you know, it's above 30, it's skyrocketing and so what we do, and we look at it from an interoperability approach is, "How do things inter-operate?" We test it out, we validate it, we build a reference architecture that says, "These are the critical design elements, "now let's build one with Aviatrix "and show how this works with Aviatrix." And I think the important part there, though, is the automation piece that we add to it and visibility. So I think the visibility is what I see lacking across industry today. >> In cloud-native that's been a big topic. >> Yep >> Okay, in terms of Aviatrix, as you guys see them coming in, they're one of the ones that are emerging and the new brands emerging with multicloud, you've still got the old guard encumbered with huge footprints. How are customers dealing with that kind of component in dealing with both of them? >> Yeah, I mean, we have customers that are ingrained with a particular vendor and you know, we have partnerships with many vendors. So our objective is to provide the solution that meets that client. >> John: And they all want multi-vendor, they all want interoperability. >> Correct. >> All right, so I got to ask you guys a question while we were defining Day-2 operations. What does that mean? You guys are looking at the big business and technical components of architecture, what does Day-2 operations mean, what's the definition of that? >> Yeah, so I think from our perspective, with my experience, we, you know, Day-2 operations, whether it's not just the orchestration piece in setting up and let it automate and have some, you know, change control, you're looking at this from a Day-2 perspective, "How do I support this ongoing "and make it easy to make changes as we evolve?" The cloud is very dynamic. The nature of how fast it's expanding, the number features is astonishing. Trying to keep up to date with the number of just networking capabilities and services that are added. So I think Day-2 operations starts with a fundamental understanding of building out supporting a customer's environments, and making the automation piece easy from a distance, I think. >> Yeah and, you know, taking that to the next level of being able to enable customers to have catalog items that they can pick and choose, "Hey I need this network connectivity "from this cloud location back to this on-prem." And being able to have that automated and provisioned just simply by ordering it. >> For the folks watching out there, guys, take a minute to explain as you guys are in the trenches doing a lot of good work. What are some of the engagements that you guys get into? How does that progress? What happens there, they call you up and say, "Hey I need some multicloud," or you're already in there? I mean, take us through how someone can engage to use a global SI, they come in and make this thing happen, what's the typical engagement look like? >> Derrick: Yeah, so from our perspective, we typically have a series of workshops in the methodology that we kind of go along the journey. Number one, we have a foundational approach. And I don't mean foundation meaning the network foundation, that's a very critical element, we got to factor in security and we got to factor in automation. So when you think about foundation, we do a workshop that starts with education. A lot of times we'll go in and we'll just educate the customer, what is VPC sharing? You know, what is a private link in Azure? How does that impact your business? We have customers that want to share services out in an ecosystem with other customers and partners. Well there's many ways to accomplish that. Our goal is to understand those requirements and then build that strategy with them. >> Thoughts George, on-- >> Yeah, I mean, I'm one of the guys that's down in the weeds making things happen, so I'm not the guy on the front line interfacing with the customers every day. But we have a similar approach. We have a consulting practice that will go out and apply their practices to see what those-- >> And when do you parachute in? >> Yeah, when I parachute in is, I'm on the back end working with our offering development leads for networking, so we understand and are seeing what customers are asking for and we're on the back end developing the solutions that integrate with our own offerings as well as enable other customers to just deploy quickly to meet their connectivity needs. So the patterns are similar. >> Right, final question for you guys, I want to ask you to paint a picture of what success looks like. You don't have to name customers, you don't have to get in and reveal who they are, but what does success look like in multicloud as you paint a picture for the folks here and watching on the live stream, if someone says, "Hey I want to be multicloud, I got to to have my operations Agile, I want full DevOps, I want programmability and security built in from Day-zero." What does success look like? >> Yeah, I think success looks like this, so when you're building out a network, the network is a harder thing to change than some other aspects of cloud. So what we think is, even if you're thinking about that second cloud, which we have most of our customers are on two public clouds today, they might be dabbling in it. As you build that network foundation, that architecture, that takes in to consideration where you're going, and so once we start building that reference architecture out that shows, this is how to approach it from a multicloud perspective, not a single cloud, and let's not forget our branches, let's not forget our data centers, let's not forget how all this connects together because that's how we define multicloud, it's not just in the cloud, it's on-prem and it's off-prem. And so collectively, I think the key is also is that we provide them an HLD. You got to start with a high level design that can be tweaked as you go through the journey but you got to give it a solid structural foundation, and that networking which we think, most customers think as not the network engineers, but as an after thought. We want to make that the most critical element before you start the journey. >> George, from your seat, how does success look for you? >> So, you know it starts out on these journeys, often start out people not even thinking about what is going to happen, what their network needs are when they start their migration journey to the cloud. So I want, success to me looks like them being able to end up not worrying about what's happening in the network when they move to the cloud. >> Steve: Good point. >> Guys, great insight, thanks for coming on and sharing. How about a round of applause for the global system integrators? (Audience applauds) (Upbeat music) >> The next panel is the AVH certified engineers, also known as ACEs. This is the folks that are certified, they're engineering, they're building these new solutions. Please welcome Toby Foss from Informatica, Stacey Lanier from Teradata, and Jennifer Reed with Viqtor Davis to the stage. (upbeat music) (audience cheering) (panelists exchanging pleasantries) >> You got to show up. Where's your jacket Toby? (laughing) You get it done. I was just going to rib you guys and say, where's your jackets, and Jen's got the jacket on. Okay, good. >> Love the Aviatrix, ACEs Pilot gear there above the Clouds. Going to new heights. >> That's right. >> So guys Aviatrix aces, I love the name, think it's great, certified. This is all about getting things engineered. So there's a level of certification, I want to get into that. But first take us through the day in the life of an ACE, and just to point out, Stacy is a squad leader. So he's, he's like a-- >> Squadron Leader. >> Squadron Leader. >> Yeah. >> Squadron Leader, so he's got a bunch of ACEs underneath him, but share your perspective a day in the Life. Jennifer, we'll start with you. >> Sure, so I have actually a whole team that works for me both in the North America, both in the US and in Mexico. So I'm eagerly working to get them certified as well, so I can become a squad leader myself. But it's important because one of the critical gaps that we've found is people having the networking background because you graduate from college, and you have a lot of computer science background, you can program you've got Python, but networking in packets they just don't get. So, just taking them through all the processes that it's really necessary to understand when you're troubleshooting is really critical. Because you're going to get an issue where you need to figure out where exactly is that happening on the network, Is my issue just in the VPCs? Is it on the instance side is a security group, or is it going on prem? This is something actually embedded within Amazon itself? I mean, I troubleshot an issue for about six months going back and forth with Amazon, and it was the VGW VPN. Because they were auto scaling on two sides, and we ended up having to pull out the Cisco's, and put in Aviatrix so I could just say, " okay, it's fixed," and actually helped the application teams get to that and get it solved. But I'm taking a lot of junior people and getting them through that certification process, so they can understand and see the network, the way I see the network. I mean, look, I've been doing this for 25 years when I got out. When I went in the Marine Corps, that's what I did, and coming out, the network is still the network. But people don't get the same training they got in the 90s. >> Was just so easy, just write some software, and they were, takes care of itself. I know, it's pixie dust.  >> I'll come back to that, I want to come back to that, the problem solved with Amazon, but Toby. >> I think the only thing I have to add to that is that it's always the network's fault. As long as I've been in networking, it's always been the network's fault. I'm even to this day, it's still the network's fault, and part of being a network guy is that you need to prove when it is and when it's not your fault. That means you need to know a little bit about 100 different things, to make that work. >> Now you got a full stack DevOps, you got to know a lot more times another hundred. >> Toby: And the times are changing, yeah. >> This year the Squadron Leader and get that right. What is the Squadron Leader firstly? Describe what it is. >> I think is probably just leading on the network components of it. But I think, from my perspective, when to think about what you asked them was, it's about no issues and no escalations. So of my day is like that, I'm happy to be a squadron leader. >> That is a good outcome, that's a good day. >> Yeah, sure, it is. >> Is there good days? You said you had a good day with Amazon? Jennifer, you mentioned the Amazon, and this brings up a good point, when you have these new waves come in, you have a lot of new things, new use cases. A lot of the finger pointing it's that guy's problem , that girl's problems, so how do you solve that, and how do you get the Young Guns up to speed? Is there training, is it this where the certification comes in? >> This is where the certifications really going to come in. I know when we got together at Reinvent, one of the questions that we had with Steve and the team was, what should our certification look like? Should we just be teaching about what AVH troubleshooting brings to bear, but what should that be like? I think Toby and I were like, No, no, no, no. That's going a little too high, we need to get really low because the better someone can get at actually understanding what's actually happening in the network, and where to actually troubleshoot the problem, how to step back each of those processes. Because without that, it's just a big black box, and they don't know. Because everything is abstracted, in Amazon and in Azure and in Google, is abstracted, and they have these virtual gateways, they have VPNs, that you just don't have the logs on, is you just don't know. So then what tools can you put in front of them of where they can look? Because there are full logs. Well, as long as they turned on the flow logs when they built it, and there's like, each one of those little things that well, if they'd had decided to do that, when they built it, it's there. But if you can come in later to really supplement that with training to actual troubleshoot, and do a packet capture here, as it's going through, then teaching them how to read that even. >> Yeah, Toby, we were talking before we came on up on stage about your career, you've been networking all your time, and then, you're now mentoring a lot of younger people. How is that going? Because the people who come in fresh they don't have all the old war stories, like they don't talk about it, There's never for, I walk in bare feet in the snow when I was your age, I mean, it's so easy now, right, they say. What's your take on how you train the young People. >> So I've noticed two things. One is that they are up to speed a lot faster in generalities of networking. They can tell you what a network is in high school level now, where I didn't learn that til midway through my career, and they're learning it faster, but they don't necessarily understand why it's that way here. Everybody thinks that it's always slash 24 for a subnet, and they don't understand why you can break it down smaller, why it's really necessary. So the ramp up speed is much faster for these guys that are coming in. But they don't understand why and they need some of that background knowledge to see where it's coming from, and why is it important, and that's old guys, that's where we thrive. >> Jennifer, you mentioned you got in from the Marines, it helps, but when you got into networking, what was it like then and compare it now? Because most like we heard earlier static versus dynamic Don't be static is like that. You just set the network, you got a perimeter. >> Yeah, no, there was no such thing. So back in the day, I mean, we had Banyan vines for email, and we had token ring, and I had to set up token ring networks and figure out why that didn't work. Because how many of things were actually sharing it. But then actually just cutting fiber and running fiber cables and dropping them over shelters to plug them in and all crap, they swung it too hard and shattered it and now I got to figure eight Polish this thing and actually should like to see if it works. I mean, that was the network , current cat five cables to run an Ethernet, and then from that I just said, network switches, dumb switches, like those were the most common ones you had. Then actually configuring routers and logging into a Cisco router and actually knowing how to configure that. It was funny because I had gone all the way up, I was the software product manager for a while. So I've gone all the way up the stack, and then two and a half, three years ago, I came across to work with Entity group that became Viqtor Davis. But we went to help one of our customers Avis, and it was like, okay, so we need to fix the network. Okay, I haven't done this in 20 years, but all right, let's get to it. Because it really fundamentally does not change. It's still the network. I mean, I've had people tell me, Well, when we go to containers, we will not have to worry about the network. And I'm like, yeah, you don't I do. >> And that's within programmability is a really interesting, so I think this brings up the certification. What are some of the new things that people should be aware of that come in with the Aviatrix A certification? What are some of the highlights? Can you guys share some of the highlights around the certifications? >> I think some of the importance is that it doesn't need to be vendor specific for network generality or basic networking knowledge, and instead of learning how Cisco does something, or how Palo Alto does something, We need to understand how and why it works as a basic model, and then understand how each vendor has gone about that problem and solved it in a general. That's true in multicloud as well. You can't learn how Cloud networking works without understanding how AWS and Azure and GCP are all slightly the same but slightly different, and some things work and some things don't. I think that's probably the number one take. >> I think having a certification across Clouds is really valuable because we heard the global s eyes as you have a business issues. What does it mean to do that? Is it code, is it networking? Is it configurations of the Aviatrix? what is, he says,the certification but, what is it about the multiCloud that makes it multi networking and multi vendor? >> The easy answer is yes, >> Yes is all of us. >> All of us. So you got to be in general what's good your hands and all You have to be. Right, it takes experience. Because every Cloud vendor has their own certification. Whether that's SOPs and advanced networking and event security, or whatever it might be, yeah, they can take the test, but they have no idea how to figure out what's wrong with that system. The same thing with any certification, but it's really getting your hands in there, and actually having to troubleshoot the problems, actually work the problem, and calm down. It's going to be okay. I mean, because I don't know how many calls I've been on or even had aviators join me on. It's like, okay, so everyone calm down, let's figure out what's happening. It's like, we've looked at that screen three times, looking at it again is not going to solve that problem, right. But at the same time, remaining calm but knowing that it really is, I'm getting a packet from here to go over here, it's not working, so what could be the problem? Actually stepping them through those scenarios, but that's like, you only get that by having to do it, and seeing it, and going through it, and then you get it. >> I have a question, so, I just see it. We started this program maybe six months ago, we're seeing a huge amount of interest. I mean, we're oversubscribed on all the training sessions. We've got people flying from around the country, even with Coronavirus, flying to go to Seattle to go to these events where we're subscribed, is that-- >> A good emerging leader would put there. >> Yeah. So, is that something that you see in your organizations? Are you recommending that to people? Do you see, I mean, I'm just, I guess I'm surprised or not surprised. But I'm really surprised by the demand if you would, of this MultiCloud network certification because there really isn't anything like that. Is that something you guys can comment on? Or do you see the same things in your organization? >> I see from my side, because we operate in a multiCloud environments that really helps and some beneficial for us. >> Yeah, true. I think I would add that networking guys have always needed to use certifications to prove that they know what they know. >> Right. >> It's not good enough to say, Yeah, I know IP addresses or I know how a network works. A couple little check marks or a little letters body writing helps give you validity. So even in our team, we can say, Hey, we're using these certifications to know that you know enough of the basics and enough of the understandings, that you have the tools necessary, right. >> I guess my final question for you guys is, why an ACE certification is relevant, and then second part is share with the live stream folks who aren't yet ACE certified or might want to jump in to be aviatrix certified engineers. Why is it important, so why is it relevant and why should someone want to be a certified aviatrix certified engineer? >> I think my views a little different. I think certification comes from proving that you have the knowledge, not proving that you get a certification to get an army there backwards. So when you've got the training and the understanding and you use that to prove and you can, like, grow your certification list with it, versus studying for a test to get a certification and have no understanding of it. >> Okay, so that who is the right person that look at this and say, I'm qualified, is it a network engineer, is it a DevOps person? What's your view, a little certain. >> I think Cloud is really the answer. It's the, as we talked like the edges getting eroded, so is the network definition getting eroded? We're getting more and more of some network, some DevOps, some security, lots and lots of security, because network is so involved in so many of them. That's just the next progression. >> Do you want to add something there? >> I would say expand that to more automation engineers, because we have those now, so I probably extend it beyond this one. >> Jennifer you want to? >> Well, I think the training classes themselves are helpful, especially the entry level ones for people who may be "Cloud architects" but have never done anything in networking for them to understand why we need those things to really work, whether or not they go through to eventually get a certification is something different. But I really think fundamentally understanding how these things work, it makes them a better architect, makes them better application developer. But even more so as you deploy more of your applications into the Cloud, really getting an understanding, even from people who have traditionally done Onprem networking, they can understand how that's going to work in Cloud. >> Well, I know we've got just under 30 seconds left. I want to get one more question then just one more, for the folks watching that are maybe younger than, that don't have that networking training. From your experiences each of you can answer why should they know about networking, what's the benefit? What's in it for them? Motivate them, share some insights of why they should go a little bit deeper in networking. Stacy, we'll start with you, we'll go then. >> I'll say it's probably fundamental, right? If you want to deliver solutions, networking is the very top. >> I would say if you, fundamental of an operating system running on a machine, how those machines start together is a fundamental changes, something that start from the base and work your way up. >> Jennifer? >> Right, well, I think it's a challenge. Because you've come from top down, now you're going to start looking from bottom up, and you want those different systems to cross-communicate, and say you've built something, and you're overlapping IP space, note that that doesn't happen. But how can I actually make that still operate without having to re IP re platform. Just like those challenges, like those younger developers or assistant engineers can really start to get their hands around and understand those complexities and bring that forward in their career. >> They get to know then how the pipes are working, and they're got to know it--it's the plumbing. >> That's right, >> They got to know how it works, and how to code it. >> That's right. >> Awesome, thank you guys for great insights, ACE Certified Engineers, also known as ACEs, give them a round of applause. (audience clapping) (upbeat music) >> Thank you, okay. All right, that concludes my portion. Thank you, Steve Thanks for having me. >> John, thank you very much, that was fantastic. Everybody round of applause for John Furrier. (audience applauding) Yeah, so great event, great event. I'm not going to take long, we got lunch outside for the people here, just a couple of things. Just to call the action, right? So we saw the ACEs, for those of you out of the stream here, become a certified, right, it's great for your career, it's great for not knowledge, is fantastic. It's not just an aviator's thing, it's going to teach you about Cloud networking, MultiCloud networking, with a little bit of aviatrix, exactly like the Cisco CCIE program was for IP network, that type of the thing, that's number one. Second thing is learning, right? So there's a link up there to join the community. Again like I started this, this is a community, this is the kickoff to this community, and it's a movement. So go to community.avh.com, starting a community of multiCloud. So get get trained, learn. I'd say the next thing is we're doing over 100 seminars across the United States and also starting into Europe soon, we will come out and we'll actually spend a couple hours and talk about architecture, and talk about those beginning things. For those of you on the livestream in here as well, we're coming to a city near you, go to one of those events, it's a great way to network with other people that are in the industry, as well as to start alone and get on that MultiCloud journey. Then I'd say the last thing is, we haven't talked a lot about what Aviatrix does here, and that's intentional. We want you leaving with wanting to know more, and schedule, get with us and schedule a multi hour architecture workshop session. So we sit down with customers, and we talk about where they're at in that journey, and more importantly, where they're going, and define that end state architecture from networking, computer, storage, everything. Everything you've heard today, everybody panel kept talking about architecture, talking about operations. Those are the types of things that we solve, we help you define that canonical architecture, that system architecture, that's yours. So many of our customers, they have three by five, plotted lucid charts, architecture drawings, and it's the customer name slash Aviatrix, network architecture, and they put it on their whiteboard. That's the most valuable thing they get from us. So this becomes their 20 year network architecture drawing that they don't do anything without talking to us and look at that architecture. That's what we do in these multi hour workshop sessions with customers, and that's super, super powerful. So if you're interested, definitely call us, and let's schedule that with our team. So anyway, I just want to thank everybody on the livestream. Thank everybody here. Hopefully it was it was very useful. I think it was, and Join the movement, and for those of you here, join us for lunch, and thank you very much. (audience applauding) (upbeat music)

(upbeat music) >> Hello, and welcome to our Palo Alto studios in California. I'm John Furrier, host of theCUBE. This is a CUBE conversation with Jason Zintak, CEO of 6sense. This is part of our next gen conversation series. We talk about the technologies and the news and the people making it happen for the next generation technologies, clouds, and solutions. Jason, welcome to theCUBE conversation. Thanks for coming on. >> Thanks, happy to be here. >> So you guys got some news. So you got a couple weeks ago you announced $40 million in funding, which we'll talk about. I want to get that out right away. But I think, more importantly, we're seeing a trend where this next gen blank is happening. You know, I'm watching just the Super Bowl next gen stats is for NFL. You got next gen cloud, you got next gen data. The world of the technology is kind of shifting to a new architecture. You're starting to see visibility into what this next gen looks like. Your company is squarely in the middle of this next gen sales and marketing platform, solutions in the new model. Cloud-scale, data first, this is a core, major shift and it's a huge market. Look at Salesforce, look at all these companies that've been around. And they're incumbents now, you're the new guard. >> Jason: Yeah, yeah. >> Tell us, what's going on with you guys? >> Sure, well you're right. We just raised $40 million. It's our Series C from Insight Partners. Went through a lengthy evaluation process and compete and happy to have announce that last month. And as far as next generation, you're correct. I grew up in a world of email platforms and then big data platforms, marketing automation. And this is a data first strategy, where we allow, we now have compute power that allows us to process huge amounts of data sets. So it's our belief that it should all be data first and driven from AI and ML on top of data that drives a next generation marketing tactic or sales tactic, an email, or a display ad. >> What's interesting is that you mentioned you worked in previous old school technology. You were CEO of Responsys, which was sold to Oracle. That was a great wave that brought in the marketing technology stack. We saw the sales and marketing solutions from Salesforce.com obviously. That was the first wave that you were part of. Now the new wave is going to that next level. This is really the fundamental shift. And it's not so much they're being replaced, but they're just being abstracted away with new capabilities, in some cases being replaced. What's the core problem that customers are having, or the core problem that you're solving because some of these old solutions can't scale. >> Jason: Sure. >> Some of them are because they're big, but what's the core problem in the industry? >> The core problem is that these systems were designed to be contact first, or lead first. And as you know today, no one likes an abundance of emails in their inbox. And so companies have said, hey I want to have a relationship with my customer or prospect. I want it to be a cycle of engagement, an infinity loop. Which means we don't blast emails. We monitor a relationship, what that's like, how we might engage. And the data allows us to do that. We can see what's going on with the activity, and based on that engagement, AI tells us what tactic might be the most appropriate. Which is actually send less but more effective and more targeted. So it's a data-driven approach. It's an account based focus in B2B world, as opposed to old generation which is lead and actually rule based. And so we used to write these, call them journey maps, these if then statements, which were manual. And the second we got done doing weeks of if then statements, they become stale. And so now data helps us and AI helps us understand real time behavior with intent and then the tactic. >> Love the name 6sense. Obviously you want to get a sense of what's going on around you, six degrees of separation. You got network effect. We're seeing a new reality and that is organic kind of user experience is different happening outside the funnel, sometimes inside the funnel, as they talk about in the sales and marketing. But users, at the end of the day, they're downloading Brave browser. They don't necessarily want the ads, and so they're making these decisions based on their experience that they want. So this is changing some of the tactics. >> Jason: Absolutely. >> So talk about that dynamic because the old way was based on see an ad, click on it, go to a landing page, get a lead, throw it in the funnel, matriculate down, and sell them something. And time's not on your side. It's not real time. It's slow, antiquated, you know how to quit. >> Exactly right, so if you don't look at Forrester or Gartner, they'll give you stats that 80% of the B2B sales cycle is done anonymously today. Meaning, they don't want to contact the vendor. There's an abundance of data on the web. And so we appreciate that. We want to actually enable an engagement through learning. We call it the actual dark funnel. This is all the research where it's happening without the vendor being contacted, without someone raising their hand and saying I want a vendor message. Because of this activity that we're able to see and be patient with, we're allowed to engage when the prospect or customer says they want to. But in a nurture format, so it's more respectful of their time. And all the while, this engagement idea is we're giving them content when they want it, when it's on demand, and when it's appropriate. >> And there's all kinds of new data laws coming, so you got to navigate that kind of regulatory environment. But we've been saying on theCUBE, this is our 10th year, and you know the old way and now we got a new way that you're on with company is that people are connected. Everything can be instrumented. This is the big data revelation that started about 10 years ago when the big data movement, and when people said hey data's going to be a big part of it. But with the internet, everyone's kind of connected, so you can technically measure everything. So as a company, how do you look at data? I mean data's fundamental to your vision and your execution. How is that ingrained into the culture and your product? >> Good question and first like to say we respect privacy in the data and personal and companies. So we are GDPR compliant, SOC 2, CCPA, the new California laws as you know. And that is part and parcel to our strategy, respect it. But at the same time, today's consumers generally want to be known in some way, shape or form because they understand the experience of engagement, whether it's an account or an individual customer. The experience is that much richer, if it's personalized and done with taste. Meaning, it's not spam. It's not a thousand emails. It's a meaningful, purposeful, time-based engagement,' content's relative to when they want to know something. >> Well I like what you guys are doing. I like this next gen architecture. It's definitely been valid. You've seen the rise of Amazon. Microsoft's shifted their business model to the cloud. And you're starting to see other ones, other people shifting. IBM shifting to the cloud. So they're all shifting to this new business model. So for you guys, 6sense, talk about and tell me about your target market. What market are you going after? Is it the marketing automation? Is it like the sales platform? What's the market that you're in now, and what market are you expanding into? >> Interesting you say that, so we're classically B2B. We obviously have a bunch of tech customers as our, in the account universe. But also manufacturers, service businesses. We are going after the entire B2B organization because the world as you know it, relative to marketing and sales, is changing. And so it's not just marketing automation that we're replacing, or a next generation of, it's customer success. It's the sellers. Our customers' sales organizations use it with their sales people to understand insights of their accounts and how to engage. So I'd say it's that whole universe, and it's that infinity loop across customer, sellers, marketers. >> You know, I want to just before I get into some of the business model questions and target audience, the buyer, you mentioned customer success. We're seeing a lot of energy around what that is. It used to be customer success was like customer satisfaction, support organization. You're seeing companies bring customer success much further forward into the sales and marketing process for pre-sales and or ongoing engagement as some of these SaaS environments evolve. >> Jason: Yep. >> Are you seeing that, and what's going on with this customer success? I'm seeing a lot more other than lip service. It's pretty integral with companies, organizations these days. What's your thoughts on that? >> I think all of us drive to be customer first, customer happiness, loyalty. Sure, why not? I mean, that's what we should do as organizations. Our software actually, interestingly enough, allows customers to monitor how their customers are engaging with the vendor. And for instance, they may be, if we see a spike in looking at a competitor, the customer will say, hey are you happy? Or product telemetry and usage. We help companies track that usage and see spikes and based on that intent, you might engage with your customer differently, high or low propensity to actually churn. We help with churn mitigation and churn management. >> Okay, let's get in to the product. We're kind of teasing around the product. What is the product? What's the core jewel? What's the IP? What's the main platform look like? What's the product? >> So as mentioned, we're a big data company first. Meaning, we believe it all starts with the data. Because of the compute power available, we're analyzing data, which is your first party data. So all your historical sales and marketing outbound, maybe your CRM system, your marketing automation system, some of the systems that will continue to evolve. And we'll match that data with behavioral data. So what's happening on the web, what's happening through maybe it's cookies, email hashes, display account ID, advertising ID. And we've patented an approach called a company ID graph. And this ID graph is essentially this marriage of people, personas, and accounts and what's going on. Based on the insight that comes from this monitoring, you can create audiences or segments to market to, to sell to. So the insights would be on the marketing side, relative to how do I parse my total addressable market. Or on the seller's side, Oh, I can understand what my count or my prospect might be doing today, therefore I want to execute XYZ tactic, and all led by AI. >> And so I got a, good point there about sales and marketing. In the old way you had a marketing tech, and a sales tech. The lines have blurred, almost seem to be fully integrated now, they're one in the same now, seems like that's the way you guys look at it. Is that true? >> Absolutely, I grew up in sales and marketing and the old world they didn't talk to each other. Today this is absolutely the glue, the connective tissue for sales and marketing so you can start with, whether it's marketing or sales ops, you start with a central plan around your account universe, and then parse from there and segment from there. And so, marketers and sellers will come up with the annual strategy, but allows the conversation. So it's no longer is my lead any good. We've got data around the lead, is the customer responding to an ad campaign. We've got data that it's true. It's not, you know, maybe. >> Yeah, it's always the sales guys always tripping about the leads, these are good leads. The leads are from Glen Gary, Glen Ross, always great quote, good quote that in there. All kidding aside, at the end of the day it's about customer satisfaction. No one wants to be marketed to, so it's a wave of personalization coming. And we're starting to see that now with Big Data, kind of set the tone on that. How are you seeing this new account based marketing and company selling platform. To deliver this kind of personalization it adds value. How do you orchestrate all that? So this is the big challenge, how do you bring that all together? What's your thoughts? >> So, actually our platform allows for that. So as you might imagine, you mentioned the sales funnel, and start with you know customer having initial curiosity, or maybe down at the bottom of the funnel there, actual buying stages through procurement. Based on where we detect someone is in the funnel, you would personalize the content. So if we detect through ID graph, that the company or person might be interested in general awareness, awareness content. If they're down in the buying cycle, far down into the funnel, then it's more related to transactional, meaningful clips that would be more relevant. And that is the personalization, so it's stage appropriate as someone would want to consume it. As there engaging with us. >> Jason give us some of the top use cases that you guys are seeing, as you start to see visibility, you got $40 million in funding, third round venture. You got customer growth, good growth. What's the visibility, what do you see in front of you, what are the use cases? >> Great, so for the capital, I assume you mean. We've had two great years, we've doubled the company two years in a row. We're expanding, so it's actually going to be sort of broad brush, we're expanding our field organization, we're expanding the engineering. We're looking for acquisitions that are strategic, and so our growth will be both organic and inorganic, but it's because of the success and the growth. We want to build the product better to make the customer happier. And that is the general use, of our international expansion. >> So I'm a customer, sell me on this, what's the pitch? >> So-- >> I'm a big tech company, I've got five tons of data. People, internal knife fights going on, I got this platform, we got to get the ROI out of it. How do you, what's the, what's in it for me, pitch me? >> Hey, John is your sales organization happy with the leads? Do they think it's quality? >> The leads are shit. (John laughs) >> The leads are shit, we can help you there, we actually have you know AI helping us understand your account prospects of whose high propensity to buy. We help your sellers. Does marketing talk to sales, John? >> They have meetings, no one want to attend them, I mean this is the kind of thing that goes on. I mean we're talking about, kind of role playing here, but in real time, Hey, no, we're good. It's the sales guys fault, they're not good enough. >> Yeah, exactly, so-- >> The leads are terrible. So there's obviously, again, this is the kind of thing, the tension that goes on. >> Yes, so from the marketers perspective they're looking for a more data driven approach to, and again data helps, data doesn't lie. You know it's sort of math. And so it's no longer speculative, it's we can see the engagement if we run a campaign, whether it be email, ads, social posts, chat bots. All this is collecting data, and showing data relative to efficacy, and that is actually what the marketer wants, and candidly the CEO wants to the see the result of those joint selling and marketing efforts. >> All right, so you got me hooked. Let's do something. How do your clients engage with you? What do they do? A POC? Do they just have a sandbox, is there kind of a freemium tier? can you explain some of the business model and engagement? >> Sure, yeah. We do POC's, we do sandbox. But interestingly enough, we can turn the data on in an hour, an actually a prospect can see what's happening in their universe, they're competitive universe or their own. website, for instance. And so that's a very easy way, tell-tale sign to see data at work. We have low entry points, where companies can come in at 30K at 20K, and start. Or we have million dollar plus contracts that you know span the breadth of sales, marketing and customer success. So it's an easy entry point, you can grow with data, you can grow with users, or you can grow with models. >> So Facebook, and LinkedIn are on, and Twitter, but mainly Facebook and LinkedIn are showing micro targeting as highly valuable. I mean the election train wreck that's happened this past few years, and even this year, I see Facebook has their own issues, but LinkedIn, a lot of people from a B2B standpoint, like LinkedIn. It's network effect kind of distribution, you got targeting, you got a lot of metadata in there. So it's kind of brought up the conversation around micro-targeting. Why can't you just go at the people? You guys do an account based marketing and sales orchestration platform, and you've got these little walled garden organizations out there like LinkedIn. I'm not sure they're selling the data, do they do that? Do you work with LinkedIn, so will there be more LinkedIn? Nope, we got our data, we're going to keep it? Data becomes the key, but if they're going to hoard the data, it's a problem. How do you address that? First of all, do they hoard the data or not? And if so, how do you guys get around that? >> Well you know LinkedIn's got a wonderful business, and they, to agree some of this wall, are a partner of ours, and actually we'll have some announcements pending. So I'll save that for later, but -- >> So they are engaging with platforms, LinkedIn from a data standpoint. >> Very much so, we're an active talks with LinkedIn. And I think we all want to share for the benefit of the ultimate customer experience. And we believe that because we have the Big Data, and we also allow for that micro-segmenting. LinkedIn's another channel, and we want to activate every channel through our platform and that is our strategy. So we allow you as mentioned before, email, display, social sites. >> Do you guys have a program or approach or posture to the marketplace in terms of, if I have a platform, do I engage with you. Can I be a partner or am I a customer? How do you look at the biz dev or partner side of it? >> You know part of the $40 million funding is going to allow us to build out the partner ecosystem that's already in play. We work with agencies, ad agencies. We work with professional service organizations. We work with complimentary software products. We want it to be an open system. We want to be able to bring your own data, and we'll carry it for you to make the AI that much smarter. >> Awesome, great stuff, quick plug of the company, we're you guys at in terms of head count? What are some of your goals this year? And what are you guys looking for, obviously hiring, you said, you mentioned earlier? Give a quick plug for the company. >> Yeah, thank you for that. As I mentioned we doubled the company two years in a row. We've tripled our head count. You know we're hiring everyday in every single segment, looking for people. We'd love to talk to you. We've also tripled our customer base in that same period. So, things are going well, we're happy and I think the big challenge is just keep doing it, and deliver delightful experience for customers. >> Interesting, companies can be very successful Jason if they have a certain you know view. You guys are data first, you got to a horizontal view of the data, but yet providing a specific unique solution to differentiate off that. We're video first, that's our angle. A lot of people having virtual first. Your starting to see this new kind of scale with companies. So I want to ask you about your vision for the next few years. As you look out as the wave is coming in, it's very clear. Cloud-scale, the roll of data, machine learning and AI. It's going to build this Application Layer that has to be horizontally scalable, but yet vertically specialized, for the use cases. Which requires a very dynamic data intensive environment. What's your vision of the next few years? How do you see the world evolving? Because there's a lot of big companies, and start-ups that have been around doing a lot of these point solutions that are features. How do you see this next wave go in the next five years? >> I had a thesis three years ago, I joined the company that these point solutions would go away because they weren't data driven. The hard work is in the large data, the applying the ML and AI on top of that and then doing something with that. We surfaced in applications for the last two years, we've been building the apps that allow marketers, sellers, and customer success organizations to prosecute that data, understand the data and let AI recommend a tactic. So I think it'll just be more of the same but specialized by use case. So where some of our applicability is generic use cases, we'll get specific to telecom on that use case, we'll get more specific in customer success enabling turn mitigation as opposed to just sellers and marketers. >> That's awesome. And if you look at the current events, I got to get your expert opinion. Donald Trump, the Democrats, they've been using social platforms, political ads are being kicked off, but there is a lot more innovation that they're actually doing. So with all that they had actors out there, there's actually an innovation story that's going on under the covers. What's your view of that, I mean the bad stuff's out there, but they're leveraging the new architecture. Facebook's on record saying that Donald Trump ran the best campaign ever. Mentions why he's winning. >> That's the story and back story is sort of history unfolds when we understand it. Is that these election cycles have leveraged data to run their campaigns and it's the new world. And so while there may be bad actors, I think hopefully the world is majority good. And much like our story, we tryna bring a data solution and help decisioning. Obviously, the political campaigns are leveraging it to. >> Yeah, it's disastrous to see the applications fail like they did in Iowa, but the data's there, I mean it's about time. I always say it's going to be on block chain, and Andrew Yang is, just recently came out and said, All the voting should be on block chain. Maybe that's going to happen someday, we'll see. Jason thanks for coming, I appreciate the conversation. >> I appreciate the opportunity, thanks John. >> Jason Zintak, here the CEO of 6sense, industry veteran. Big pedigree, big company with $40 million in fresh funding. We're talking about next generation platforms, I'm John Furrier, thanks for watching. (upbeat music)

>> Live from Las Vegas, it's theCUBE. Covering AWS re:Invent 2018. Brought to you by Amazon Web Services, Intel, and their ecosystem partners. >> And welcome back, here on theCUBE, along with Justin Warren, I'm John Walls and now we're joined by Peter Nichol, who's the CEO of Instaclustr. Peter, good to see you this morning sir. >> Thank you very much John. Nice to meet you. >> and Todd Greene, CEO of PubNub. >> Good to see ya. >> Good morning Todd. >> Good morning. >> First off, let's just talk about what the two of you guys do or specifically what Instaclustr does and PubNub. Peter, if you would. >> Basically at a high level, what Instaclustr does is, we help customers to build applications that have to scale massively in a reliable way. Massive scale means terabytes or petabytes of data or even more. Reliability means the application has got to be up and running all of the time. The way we do that is, we focus on technologies in the data layer and we allow companies to essentially outsource the management of those technologies to us. So they can focus on building their application, which is what they do best, and we focus on taking a lot of the complexity away, which is helping to manage the technologies in the data layer. And the technologies that we focus on are basically in the area of storage, search, messaging, and analytics. Those technologies are Cassandra, for storage, Kafka, for messaging, Spark, for analytics, and Elasticsearch for search. We can manage all of those technologies, in any of the cloud providers, including AWS, and essentially this allows customers to outsource that and focus on their core business. We've got some great customers, PubNub being one of our best customers, a hot startup in Silicon Valley, and we're really proud to have them here with us today. >> So Todd, >> Thanks Peter. >> if you will, give us the PubNub story. >> PubNub is a company that provides a global network, which is infrastructure for real-time applications. What's a real-time application? When we started the company six, seven years ago, we made this realization that, the world was moving from applications that sort of requested data when they needed to, you know, you pull up social information, you wanted to see where something was, you ask a question, to ones where things were constantly moving and changing. So devices were emitting data and consuming data all the time. Uber was launching and everyone wanted to see where their taxi was now. Chat applications were getting big inside, dating apps and B to B apps, and B to C apps, and on top of that IoT was exploding and people needed a way to control devices and turn lights on and off. And all the infrastructure that existed at the time, didn't really address these real-time use cases. So these companies were building that stuff themselves. So PubNub launched this thing we call a Data Stream Network, but it effectively does three things. It allows you to connect to devices and leave an always-on connection over the internet, to deliver data bidirectionally to those devices. Real-time message signaling in under a quarter of a second, and then control that data going back and forth, so being able to provide logic. That core infrastructure, that sort of connect, deliver, control, powers everything from Peloton exercise bikes to Symphony Investor chat applications, athenahealth doctor, patient, nurse, kinds of collaboration and lots of IoT companies, from Logitech Harmony to Samsung smart refrigerators. Across the board, it turns out, our infrastructure has been the key to making these real-time experiences come alive. >> So you had this moment, and startups usually do, they have, you hope you do, they reach a tipping point, right, of success And things work great and you hit a boiling point (laughs) in a way, a few years back, to where things were working almost too well, and that's how you got in to Instaclustr. Tell us, give me that story if you would, or share that with our folks watching. >> Yeah absolutely, you know, it's funny, I was talking to someone recently at Amazon, at AWS, who said we rarely talk to a company your size that actually is doing more traffic than AWS is and we discovered we were doing more than twice as many messages, these control signals we talked about, around our network, more than twice as many as the world's global SMS traffic. We were doing close to 50 billion of these messages per day. So as you can imagine, that's not a simple infrastructure. We store that data, we process it, we route it, we do all these things and in one of our storage layers, built on Cassandra, we were really struggling with the expertise needed to scale this thing at the size that we needed to scale it. And we hit a tipping point about two years ago, when we realized we really needed help and we needed help immediately. We had a lot of outreach to a lot of companies, including the company themselves that had created Cassandra. But once we stumbled on Instaclustr, it was like, you know, the clouds parting, right? All of the sudden we had folks from Instaclustr on with us 24 by 7, helping us migrate, helping us move to a more stable and scaled infrastructure and we've had this ongoing relationship ever since. We now have them managing a lot of different uses of Cassandra within PubNub. >> Yeah, so, infrastructure is, (stammers) sorry, Instaclustr is built on all these open-source technologies you mentioned, like Cassandra and Spark and Kafka, but what made you choose those technologies? What was it that was attractive about them that said, you know what, this is what we want to base our company on? >> Customers are always basically looking for three things, and I think Todd summed it up very well in his business, it's basically all about scalability. If your business is successful, you want to be able to scale massively as you get more and more customers. The second thing is reliability, which means the applications have got to be always on, always up and running. The third thing is performance, which is all about latency and speed and feed and all that type of thing. We chose Cassandra because it is one of the most popular, highly scalable data bases. It's used by Apple and Netflix and big companies that have got millions of customers. We generally pick technologies, based on those three criteria, but we also focus on open-source only, for two reasons. Number one, open-source doesn't involve expensive license fees, so customers don't get locked in with expensive license fees and number two, open-source provides a degree of flexibility, cloud independence, so if you don't want to be locked in to a specific cloud provider, and you want to keep your options in the future, choose open-source. >> Okay, that's a pretty compelling sort of argument there and certainly I think the world has discovered that open-source is totally a thing that we should all be using. I'm old enough to remember when open-source was verboten and you shouldn't be using it and now it just seems to be everywhere. What is it about Instaclustr that makes you special though, because open-source, anyone could use it. I could go and download it >> Yep, yep. >> for free tomorrow, so maybe I could attempt to steal PubNub's customers, steal your customers away. So clearly that's not going to be possible for me to be able to do tomorrow. What is it about Instaclustr that you've invested in this company that makes you so special, that means that PubNub was able to rely on you? >> Right, so I think the main thing is, we have 100% of our focus on operations, not on developing proprietary IP, which we sell, which is the typical software model, we take the open-source software and we actually manage it for our customers. Basically what that means is, if they want to use Cassandra, they go to our website, they go to the customer portal, they choose the cloud provider they want to use, they choose the technology they want to use, what regions do they want to run in, what size is their cluster? They press a button and everything else is done behind the scenes by us. We do the provisioning, we install the software, and from that point on, we're managing it 24 by 7. So instead of, for example, PubNub having to build their own team for each one of these technologies, they can outsource it to us, we can do it much cheaper and we can get them to market much faster, if we're doing our job right. It's all about the operations. We can do it much cheaper and faster and that's our main advantage. The other advantage is we manage all of these different technologies in the data layer, which means that customers have one vendor they can go to, to manage several different technologies. It's all heavily, highly, integrated from one vendor. That's a big, rather than having five different vendors to manage five different technologies, we provide the complete platform. >> So Todd, what does this mean for you, now that you have this partner that you can rely on and that you can trust? What does that change for the business? What has that enabled you to be able to do now that you can look forward to saying, you know what, we can do this to grow our business. >> Well that's a good question. Like Instaclustr, we operate PubNub. Customers pay us, not for our technology, but for our ability to operate our technology at massive scale. And we provide five nines SLA, which is a fancy way for saying, if we have an outage for more than 26 seconds in a month, we provide credits back to our customers. That's a really hard, high bar to fill. And so philosophically, we see ourselves as an operations company ourselves, right? And so we're very careful about who we would bring in to the fold as part of operations, right? And so it has to be an organization that has the same security levels that we do, SOC 2 Type II Compliance, has the same understandings and philosophy around operating things at high availability, and can do it in a way that we feel like, you know, in many ways is a part of our team and not some vendor that we don't know how to get on the phone. Not some vendor that we don't really trust, right? It has to feel like it's part of our company. So really it's only been Instaclustr that we've been able to develop that trust around. And so it is actually in all of us to sort of focus on areas where we can do more innovation while keeping the five nines SLAs at 26 seconds minimum, you know, maximum, of issues any month, but allow us to focus a lot more on innovation and not on the things that, frankly, Instaclustr, as far as we can tell, is best in the world at, which is really operating this infrastructure, the Cassandra piece. >> And what do you want to take on then? You told about innovation. If there's an area of your business, you say alright, this is where 2019, where I want it to take us, what would that be? >> It's a great question. One of the big changes for PubNub, was that we built our initial business on the backs of other startups and it was great. We got to some level of scale by powering a lot of innovative interesting applications that were themselves trying to be the first real-time this and the first real-time that and the first real-time the other thing. And then about two years ago something happened, a year and a half ago, that need for real-time, for having things update in real time, inventory, prices, chat applications, moving things on a map, seeing where your trucks were, that went mainstream, and now even the largest app companies in the world, if they release any kind of application, whether it's a business application or a consumer app, if it doesn't have that same real-time experience like an Uber or like a Snapchat, people kind of look at it and say, well this feels like it was built 20 years ago, right? And so what's happened to our industry, has been the moving of the need for this real-time experience, into the mainstream. Now that's been great for us, but it also means as we are selling to a larger and larger group of, we call mainstream larger enterprise customers, the way we package our product, the way we make it consumable by larger companies, make it easier to deploy our product, make it easier to understand and adding features that round that out, is really the core of our focus right now. Is really being able to appeal to those larger companies. We already have the scale, in fact, we recently participated in an event which was the Guinness Book of World (stammers) Record's largest online event in history. And we powered the source in India for Cricket, we powered the largest social interaction, over 10 million people synchronously going through our network, all in one virtual environment. So we know we can scale this thing beyond any existing human need and now it's really about making sure it's accessible to the world's largest companies. >> So it was cricket in India? >> Yes, yes. >> I would've thought it was the Justin Warren fan club, but I guess not, I (stammers) second online, right? >> Yeah, probably. >> There's a lot of people in India who love cricket, and they all have mobile phones. >> Yes, well gentlemen, thanks for being with us, Peter, Todd, continued success and then thanks for being here on theCUBE. >> Okay, thank you very much. >> Thank you so much, it's been a pleasure, thank you. >> We continue live coverage here from Las Vegas. We're in the Sands. We're here all week at AWS re-Invent. (calm digital music)