>>Good morning from New York city, Lisa Martin and John furrier with the cube. We are at AWS summit NYC. This is a series of summits this year, about 15 summit globally. And we're excited to be here, John, with about 10,000 folks. >>It's crowded. New York is packed big showing here at 80 of us summit. So it's super exciting, >>Super exciting. Just a little bit before the keynote. And we have our first guest, Kevin Farley joins us the director of strategic alliances at Maria DB. Kevin, welcome to >>The program. Thank you very much. Appreciate you guys having us. >>So all of us out from California to NYC. Yeah, lots of eyes. We got keynote with Warner Vogels coming up. We should be some good news, hopefully. Yep. But talk to us about Maria DB Skys cloud native version released a couple years ago. What's going on? >>Yeah, well, it's, you know, Skys SQL for us is really a be on the future. I think when we think about like the company's real mission is it's just creating a database for everyone. It's it's any cloud, any scale, um, any size of performance and really making sure that we're able to deliver on something that really kind of takes advantage of everything we've done in the market to date. If you think about it, there's not very many startups that have a billion downloads and 75% of the fortune 500 already using our service. So what we're really thinking about is how do we bridge that gap? How do we create a natural path for all of these customers? And if you think about not just Maria DB, but anyone else using the sequel query language, all the, my people, what I think most Andy jazzy TK, anyone says, you know, it's about 10% of the market currently is in the clouds. That's 90% of a total addressable market that hasn't done it yet. So creating cloud modernization for us, I think is just a huge opportunity. Do >>You guys have a great history with AWS? I want to just step back, you mentioned some stats on, on success. Can you scope the size and track record of Maria DB for us real quick and set the table? Because I think there's a bigger picture going on that we've been tracking for the past 13 years we address is the role of the database has always been one of those things where they didn't believe a one database fits all things, right. You guys have been part of that track record scope, the size and scale of Maria DB, the usage, the use cases and some of the successes. >>Yeah. I mean, like I said, some of the stats are already threw out there. So, you know, it is pervasive, I think is the best way to put it. I think what you look at what the database market really became is very siloed. Right? I think there was a lot of unique solutions that were built and delivered that had promise, but they also had compromise. And I think once you look at the landscape of a lot of fortune 500 companies, they have probably 10 to 15 different database solutions, right? And they're all doing unique things. They're difficult to manage. They're very costly. So what Marie DB is always kind of focused on is how do we continue to build more and more functionality into the database itself and allow that to be a single source of truth where application developers can seamlessly integrate applications. >>So then the theme of this event in New York city, which is scale dot, dot, dot, anything must align quite well with Maria and your >>Objectives. I mean, honestly, I think when I think of the problems that most database, um, companies, um, face customers, I should say it, it really comes down to performance and scale. Most of them like Maria DB, like you said, they it's like the car, you know, and love you've been driving it for years. You're an expert at it. It works great, but it doesn't have enough range. It doesn't go fast enough. It's hitting walls. That modern data requirements are just breaking. So scale for me is the favorite thing to talk about because what we launched as MariaDB expand, which is a plugable storage engine that is integrated into Skye, and it really gives you dynamic scale. So you can scale in, you can scale out, it's not costly compute to try to get for seasonality. So you can make your black Friday numbers. It's really about the dexterity to be able to come in and out as you need in a share, nothing architecture with full failover sale healing, high availability, married to the cloud for full cloud scale. And that's really the beauty of the AWS partnership. >>Can you elaborate a bit more on the partnership? How long have you guys been partners? Where is it now anything exciting coming out? >>Yeah, it it's, it's actually been a wonderful ride. They've really invested from the very beginning we went for the satisfactory. So they really brought a lot of resources to bear. And I think if you're looking at why it works, um, it's probably two things. I think the number one thing is that we share one of the core tenants and it's customer obsession in a, in a, in an environment where there is co-opetition right. You have to find paths for how do you get the best thing for the customer? And the second is pretty obvious, but if you look at any major cloud, their number one priority is getting large mission critical workloads into their cloud because the revenue is exponential on the backside. So what do we own? Large mission critical workloads. So if you marry that objective with AWS, the partnership is absolutely perfect for driving true revenue, growth scale, and, and revenue across, across both entities in the partner ecosystem. >>So Kevin talk about the, um, the hybrid strategy, cuz you're seeing cloud operations. Yep. Go hybrid. Amazon announced AWS announced outpost like four years ago. Right now edge is super hot. Yeah. So you're seeing like most of the enterprise is saying mm-hmm <affirmative> okay. Love cloud love the cloud database, but I got the on-prem hybrid cloud operations. Right. So it's not just proprietary operations. It's cloud ops. Yeah. How do you guys fit into that? What's the story. >>We, we actually it's. I mean, there's, there's all these new deliverables outposts, you know, come out with a promise. What we have is a reality right now, um, one of the largest, um, networking companies, which I can't mention yet publicly, um, we want a really big sky SQL deal, but what they had manufacturing plants, they needed to have on-prem deployments. So Maria DB naturally syncs with sky SQL. It's the same technology. It works in perfect harmony. So we really already deliver on the promise of hybrid, but of course there's a lot more we can grow in that area. And certainly thinking about app posts and other solutions, um, is definitely on the, the longer term roadmap of what could make sense for in our customer. What, >>What are some of the latest things that, that you guys are doing now that you weren't doing a few years ago that customers should know about the audience should know about? >>I mean, I think the game changer, we're always innovating. I mean, when you're the company that writes the code owns the code, you know, we can do hot fixes, we can do security patches, we can always do the things that give you real time access to what you need. But I think the game changer is what I mentioned a little bit earlier. And I think it's really the, the holy grail of the cloud. It's like, how can we take the, the SQL query language, which is well over 50% of the open source market. Right. And how do we convert that seamlessly into the cloud? How do we help you modernize on that journey? And expand gives you the ability to say, I can be the small, I can be a small startup. I got my C round. I don't wanna manage databases. I can use the exact same service as the largest fortune 100 company that has massive global scale and needs to be able to drive that across globe. Yeah. So I think that's the beauty is that it's really a democratization of the database, >>At least that, you know, we've been covering the big data space for 10 years. Remember all those different conversations had do those days and oh, they have big data and right. But then it's like too hard to set up. Then you had that kind of period where you saw a spark and data lakes emerge. Yeah. Then you, now it almost seems, seems like now more than ever, there's a data revolutions back. Right. It was almost like a lull in the, in, in the, in the market a little bit. Yeah. I'm gonna democratize data science right now. You got data. So now it just seems to be an explosion at that level. What's your analysis on that? Because you you've been in, in, in the weeds and in the, in the, in this market for 10 years. Yeah. And nothing really changed. It's just now it's more ready. Yeah. I think what's your observation. Why >>Is that? I think that's a really good question. And I love it cuz I mean, what the promise of things like could do and net new technologies sort of, it was always out there, but it required this whole net new lift and how do I do it? How do I manage it? How do I optimize it? The beauty of what we can do with Maria DB is that sky SQLs, which you already know and love. Right? And now we can Del you can deliver a data lake on S3, right? You can pull that data. And we also have the ability to do both analytical data and transactional data from the same database. So you can write applications that can pull column, store data up into, um, your application, but you can also have all of your asset transactions, which are absolutely required for all of your mission critical business. So I think that we're seeing more and more adoption. You've seen other companies start to talk about bringing the different elements in, but we're the only ones that really >>Do it and SQL standardizing that front end. Yeah. Even better than ever before. All the stuff under the covers is all being connected. >>That's the awesome part is right. Is you're literally doing what you already know how to do, but you blow it out on the back end, married to the cloud. And that I think is the real revolution of what makes usability real in the data space. And I think that's what was always the problem before >>When you're in partner conversations, you mentioned co-opetition. Yeah. <laugh> so I think when you're in partner conversations and customer conversations, there is a lot of the, the there's a lot of competition out there. Absolutely. Everyone's got their own key messages. What are the key differentiators that you're saying AWS Marie to be together better? And here's why, >>Yeah. I, I think that certainly you, you start with the global footprint of AWS, right? So what we rely on the most is having the ability to truly deal with global customers in availability zones, they're gonna optimize performance from them. But then when we look at what we do that really changes the game, it comes down to scale and performance. We actually just ran, um, a suspense test against cockroach that also does distributed sequel. Absolutely. You know, the results were off the chart. So we went public and said, we have an open challenge. Anyone that wants to try to beat, um, expand and Skye will we'll if you can, we'll put $25,000 towards charity. So we really are putting our money where our mouth is on that challenge. So we believe the performance cuz we've seen it and we know it's real, but then it's really always about data scale. Modern data requirements are breaking the mold of charting. They're breaking the mold of all these bandaids that people have put in these traditional services. And we give them future. We, we feature proof their investments, so they can say, Hey, I can start here. But if I end up being a startup that becomes Airbnb, I'm already built to blow it out on the back end. I can already use what I have. >>Speaking of startups, being the next Airbnb. If you look at behind us here, you can see, this is a really packed event in New York city events are back, but the ecosystem here is even flourishing. So Dave and I and Lisa were observing that we're still kind of in a growth mode, big time. So yeah, there's some market forces headwinds for the big unicorns, overfunded, you know, public companies, maybe the valuations are a little bit off, but there's still a surge of new innovations, new companies coming out of this. Um, and it's all around data and scale. It's all around new names. We've never heard of. Absolutely. What's your take on >>Reaction? Well, actually another awesome segues cuz in addition to the public clouds, I manage the ecosystem. And one of the things that we've really been focused on with Skys SQL is making it accessible API accessible. So if you're a company that has a huge Marine DB footprint change data capture might be the most important thing for you to say, we wanna do this, but we want you to stay in sync with our environments. Um, things like monitoring, things like BI, all of these are ecosystem plays and current partners that we have, um, that we really think about how do you holistically look at not only the database and what it can do, but how does it deliver value to different segments of your customer base or just your employee base that are using that stuff? So I think that's huge for us. >>Well, you know, one of the things that we talk often about is that every company, these days, regardless of industry, has to be a data company. Yep. You've gotta be able to access the data glean insights from an act on it quickly, whether it's manufacturing, retail, healthcare, are there any verticals in where Maria DB really excels? >>Um, so certainly we Excel in areas like financial services is huge DBS bank. Um, in APAC, one of our biggest customers, also one of the largest Oracle migrations, probably the, that we've ever done. A lot of people trying to get off Oracle, we make it seamless to get into Maria DB. Um, you can think about Samsung cloud and another, their entire consumer cloud is built on Maria DB, why it's integrated with expand right seasonality. So there's customers like that that really bring it home for us as far as ServiceNow tech sector. Right? So these are all different ones, but I think we're really strong in those >>Areas. So this brings up a good point. Dave and I a coined a term called super cloud at reinvent and Lisa and Dave were at multiple events we're together at events. And so a lot of people are getting behind this cuz it's multi-cloud sounds like something's broken. Yes. But so we call it super cloud because customers are building on top of ecosystems like Maria DB and others. Yeah. Not just AWS SOS does all the CapEx absolutely provide the value. So now people are having this new super cloud moment. We' saying we can get all the benefits of cloud scale mm-hmm <affirmative> without actually being a cloud. Right. So this is where the next gen layer comes. What's your reaction to, to super cloud. Do you think it's a thing? >>Well, I think it's a thing in the sense, from our perspective as an ISV, we're, we're laser focused on making sure that we support any cloud and we have a truly multicloud cloud platform. But the beauty of that as well is from a single UI, you're able to deploy databases in different clouds underneath that you're not looking at so you can have performance proximity, but you're still driving it through the same Skys UI. So for us it's, it's unequivocally true. Got it. And I think it's only ISVs like Maria DB that can deliver on that value because >>You're enabling, >>We're enabling it. Right. We partner, we build on top of everything. Right. So we can access everything underneath >>And they can then build on top of you. >>Sure, exactly. And that's exactly where it goes. Right? Yeah. So that, I think in that sense, the super cloud is actually already somewhat real. >>It's interesting. You look at the old, it spend, you take a big company. I won't say a name, but a leader in a, a vertical, they have such a big spend. Now they can leverage that spend in with the super cloud model. They then could become a service provider in the vertical. Absolutely capital one S doing it. Yeah. You're seeing, um, Goldman Sachs doing it. They have the power on the spend that they're leveraging in for their business and servicing their vertical and the smaller players. Do you see that trend? >>Well, I think that's the reality is that everyone is getting this place where if you're talking about sort of this broader super concept, you're talking about global scale, right? That's if in order to deliver a backbone that can service that model, you have to have the right data structure and the right database footprint to be able to scale. And I think that's what they all need to be able to do. And that's what we're really well positioned with Skys >>To enable companies, as we talked about a minute ago to truly become data companies. Yeah. And to be competitive and to scale on their own, where are your customer conversations? Are they at the C-suite level? Has that changed in the last couple of years? >>Uh, that's actually a really great way to state that question because I think you would've traditionally probably talked more to, um, the DBAs, right? They're the people that are having headaches. They're having problems. They're, they're trying to solve. We see a lot of developers now tons, right? They're thinking about, I have this, I have this new thing that I need to do to deliver this new application. And here's the requirements and the current model's broken. It doesn't optimize that it's a lot of work and it's hard to manage. So I think that we're in a great position to be able to take that to that next phase and deliver. And then of course, as you get deeper in with AWS, you're talking about, you know, CIO level, CISO level, they're they need to understand how do you fit into our larger paradigm. And many of these guys have, you know, hundreds of million dollar commits with AWS. So they think of their investment in the sense of the cloud stack. And we're part of that cloud stack, just like AWS services. So those conversations continue to happen certainly with our larger customers, cuz it truly is married. >>It is. And they continue to evolve. Kevin, thank you so much >>For joining. You're welcome. Great, >>John and me talking about what's going on with Maria >>D. Thank you, John. Thank you, Lisa. On behalf of Maria B, it was wonderful. Really >>Appreciate it. Fantastic as well for John furrier. I'm Lisa Martin. You're watching the cube live from New York city at AWS summit NYC, John and I we're back with our next guest in a minute.

>>from around the globe. It's the Cube presenting Cuban cloud brought to you by silicon angle. Welcome to the cubes event. Virtual event. Cuban Cloud. I'm John for your host. We're here talking to all the thought leaders getting all the stories around Cloud What's going on this year and next today, Tomorrow and the future. We gotta featured startup here. Jonah Clipper, who is the CEO and founder of Stack Hawks. Developing security software for developers to have them put security baked in from the beginning. Johnny, thanks for coming on and being featured. Start up here is part of our Cuban cloud. Thanks for joining. >>Thanks so much for having me, John. >>So one of our themes this year is obviously Cloud natives gone mainstream. The pandemic has shown that. You know, a lot of things have to be modern. Modern applications, the emerald all they talked about modern applications. Infrastructure is code. Reinvent, um is here. They're talking about the next gen enterprise. Their public cloud. Now you've got hybrid cloud. Now you've got multi cloud. But for developers, you just wanna be building security baked in and they don't care where the infrastructure is. So this is the big trend. Like to get your thoughts on that. But before we jump in, tell us about Stack Hawk What you guys do your founded in 2019. Tell us about your company and what Your mission is >>Awesome. Yeah, our mission is to put application security in the hands of software developers so that they can find and fix upset books before they deployed a production. And we do that through a dynamic application scanning capability. Uh, that's deployable via docker, so engineers can run it locally. They can run it in C I C. D. On every single PR or merge and find bugs in the process of delivering software rather than after it's been production. >>So everyone's talking about shift left, shift left for >>security. What does >>that mean? Uh, these days. And what if some of the hurdles that people are struggling with because all I hear is shift left shift left from, like I mean, what does What does that actually mean? Now, Can you take us through your >>view? Yes, and we use the phrase a lot, and I and I know it can feel a little confusing or overused. Probably. Um, When I think of shift left, I think of that Mobius that we all look at all of the time, Um, and how we deliver and, like, plan, write code, deliver software and then manage it. Monitor it right like that entire Dev ops workflow. And today, when we think about where security lives, it either is a blocker to deploying production. Or most commonly, it lives long after code has been deployed to production. And there's a security team constantly playing catch up, trying to ensure that the development team whose job is to deliver value to their customers quickly, right, deploy as fast as we can, as many great customer facing features, um there, then, looking at it months after software has been deployed and then hurrying and trying to assess where the bugs are. And, um, trying to get that information back to software developers so that they can fix those issues. Shifting left to me means software engineers are finding those bugs as their writing code or in the CIA CD pipeline long before code has been deployed to production. >>And so you guys attack that problem right there so they don't have to ship the code and then come back and fix it again. Or where we forgot what the hell is going on. That point in time some Q 18 gets it. Is that the kind of problem that that's out there? Is that the main pain point? >>Yeah, absolutely. I mean a lot of the way software, specifically software like ours and dynamic applications scanning works is a security team or a pen tester. Maybe, is assessing applications for security vulnerability these, um, veteran prod that's normally where these tools are run and they throw them back over the wall, you know, interrupting sprints and interrupting the developer workflow. So there's a ton of context switching, which is super expensive, and it's very disruptive to the business to not know about those issues before they're in prod. And they're also higher risk issues because they're in fraud s. So you have to be able to see a >>wrong flywheel. Basically, it's like you have a penetration test is okay. I want to do ship this app. Pen test comes back, okay? We gotta fix the bug, interrupts the cycle. They're not coding there in fire drill mode. And then it's a chaotic death spiral at that point, >>right? Or nothing gets done. God, how did >>you What was the vision? How did you get here? What? How did you start? The company's woke up one morning. Seven started a security company. And how did what was the journey? What got you here? >>Sure. Thanks. I've been building software for software engineers since 2010. So the first startup I worked for was very much about making it easy for software engineers to deploy and manage applications super efficiently on any cloud provider. And we did programmatic updates to those applications and could even move them from cloud to cloud. And so that was sort of cutting my teeth and technology and really understanding the developer experience. Then I was a VP of product at a company called Victor Ops. We were purchased by spunk in 2018. But that product was really about empowering software engineers to manage their own code in production. So instead of having a network operations center right who sat in front of screens and was waiting for something to go wrong and would then just end up dialing there, you know, just this middle man trying to dial to find the person who wrote the software so that they can fix it. We made that way more efficient and could just route issues to software engineers. And so that was a very dev ops focused company in terms of, um, improving meantime to know and meantime to resolve by putting up time in the hands of software engineers where it didn't used to live there before it lived in a more traditional operations type of role. But we deploy software way too quickly and way too frequently to production to assume that another human can just sit there and know how to fix it, because the problems aren't repeatable, right? So So I've been living in the space for a long time, and I would go to conferences and people would say, Well, I love for, you know, we have these digital transformation initiatives and I'm in the security team and I don't feel like I'm part of this. I don't know. I don't know how to insert myself in this process. And so I started doing a lot of research about, um, how we can shift this left. And I was actually doing some research about penetration testing at the time, Um, and found just a ton of opportunity, a ton of problems, right that exist with security and how we do it today. So I really think of this company as a Dev Ops first Company, and it just so happens to be that we're taking security, and we're making it, um, just part of the the application testing framework, right? We're testing for security bugs, just like we would test for any other kind of bucks. >>That's an awesome vision of other great great history there. And thanks for sharing that. I think one of the things that I think this ties into that we have been reporting aggressively on is the movement to Dev Stack Up, Dev, Ops Dev SEC Ops. And you know, just doing an interview with the guy who stood up space force and big space conversation and were essentially riffing on the idea that they have to get modern. It's government, but they got to do more commercial. They're using open source. But the key thing was everything. Software defined. And so, as you move into suffer defined, then they say we want security baked in from the beginning and This is the big kind of like sea level conversation. Bake it in from the beginning, but it's not that easy. And this is where I think it's interesting where you start to think, uh, Dev ops for security because security is broken. So this is a huge trend. It sounds easy to say it baked security in whether it's an i o T edge or multi cloud. There's >>a lot >>of work there. What should people understand when they hear that kind of platitude of? I just baked security and it's really easy. It's not. It's not trivial. What's your thoughts on >>that? It isn't trivial. And in my opinion, there aren't a lot of tools on the market that actually make that very easy. You know, there are some you've had sneak on this program and they're doing an excellent job, really speaking to the developer and being part of that modern software delivery workflow. Um, but because a lot of tools were built to run in production, it makes it really difficult to bake them in from the beginning. And so, you know, I think there are several goals here. One is you make the tooling work so that it works for the software engineer and their workflow. And and there's some different values that we have to consider when its foreign engineer versus when it's for a security person, right? Limit the noise, make it as easy as possible. Um, make sure that we only show the most critical things that are worth an engineer. Stopping what they're doing in terms of building business value and going back and fixing that bugs and then create a way to discuss in triage other issues later outside of the development. Workflow. So you really have to have a lot of empathy and understanding for how software is built and how software engineers behave, I think, in order to get this right. So it's not easy. Um, but we're here and other tools air here. Thio support companies in doing that. >>What's the competitive strategy for you guys going forward? Because there's a big sea change. Now I see an inflection point. Obviously, Cove it highlights. It's not the main reason, but Cloud native has proven it's now gone mainstream kubernetes. You're seeing the big movement there. You're seeing scale be a huge issue. Software defined operations are now being discussed. So I think it's It's a simple moment for this kind of solution. How are you guys going to compete? What's what's the winning strategy? How are you guys gonna compete to win? >>Yeah, so there's two pieces to that one is getting the technology right and making sure that it is a product that developers love. And we put a ton of effort into that because when a software engineer says, Hey, I'd love to use the security product, right? CSOs around the world are going to be like, Yes, please. Did a software engineer just ask me, You have the security product. Thank you, Right. We're here to make it so easy for them and get the tech right. And then the other piece, in terms of being competitive, is the business model. There were something like, I don't You would know better than me, but I think the data point I last saw was like 1300 venture backed security companies since 2012 focused on selling to see SOS and Fortune 2000 companies. It is a mess. It's so noisy, nobody can figure out what anybody actually does. What we have done is said no, we're going to take a modern business model approach to security. So you know, it's a SAS platform that makes it super easy for a software engineer or anybody on the team to try and buy the software. So 14 day trial. You don't have to talk to anybody if you don't want Thio Awesome support to make sure that people can get on boarded and with our on boarding flow, we've seen that our customers go from signing up to first successful scan of their platform or whatever app they chose to scan in a knave ridge of about 10 minutes. The fastest is eight, right? So it's about delivering value to our customers really quickly. And there aren't many companies insecurity on the market today. That do that? >>You know, you mentioned pen test earlier. I I hear that word. Nice shit. And, like, pen test penetration test, as it's called, um, Sock reports. I mean, these are things that are kind of like I got to do that again. I know these people are doing things that are gonna be automated, but one of the things that cloud native has proven as be killer app is integrations because when you build a modern app, it has to integrate with someone else. So there you need these kind of pen tests. You gotta have this kind of code review. And as code, um, is part of, say, a purpose built device where it's an I o T. Edge updates have toe happen. So you need mawr automation. You need more scale around both updating software to, ah, purpose built device or for integration. What's your thoughts in reaction to that? Because this is a riel software challenge from a customer standpoint, because there are too many tools out there and every see so that I talk to says, I just want to get rid of half the tools consolidate down around my clouds that I'm working through my environment and b'more developer oriented, not just purchasing stuff. So you have all this going on? What's your reaction to that? You got the you know, the integration and you've got the software updates on purpose built devices. >>Yeah, I mean, we I make a joke a little bit. That security land is like, you know, acronyms. Dio there are so many types of security that you could choose to implement. And they all have a home and different use cases that are certainly valuable toe organizations. Um, what we like to focus on and what we think is interesting and dynamic application scanning is because it's been hard toe automate dynamic application for especially for modern applications. I think a lot of companies have ignored theon pertuan ity Thio really invest in this capability and what's cool about dynamic. And you were mentioning pen testing. Is that because it's actively attacking your app? It when you get a successful test, it's like a It's like a successful negative test. It's that the test executed, which means that bug is present in your code. And so there's a lot less false positives than in other types of scanning or assessment technologies. Not to say there isn't a home for them. There's a lot of we could we could spend a whole hour kind of breaking down all the different types of bugs that the different tools confined. Um, but we think that if you want to get started developer first, you know there's a lot of great technologies. Pick a couple or one right pick stack hawk pick, sneak and just get started and put it in your developer workflow. So integrations are super important. Um, we have integrations with every C I C. D provider, making it easy to scan your code on every merge or release. And then we also have workflow integrations for software engineers associated with where they want to be doing work and how they want to be interrupted or told about an issue. So, you know, we're very early to market, but right out of the gate, we made sure that we had a slack integration so that scans are running. Or as we're finding new things, it's populating in a specific slack channel for those engineers who work on that part of the app and you're a integration right. If we find issues, we can quickly make tickets and route them and make sure that the right people are working on those issues. Eso That's how I think about sort of the integration piece and just getting started. It's like you can't tackle the whole like every accurate, um, at once like pick something that helps you get started and then continue to build out your program, as you have success. >>A lot of these tools can they get in the hands of developers, and then you kind of win their trust by having functionality. Uh, certainly a winning strategy we've seen. You know, Splunk, you mentioned where you worked for Data Dog and very other tools out there just get started easily. If it's good, it will be used. So I love that strategy. Question. I wanna ask you mentioned Dr earlier. Um, they got a real popular environment, but that speaks to the open source area. How do you see the role of open source playing with you guys? Is that gonna be part of your community outreach? Does the feed into the product? Could you share your vision on how stack hawks engaging and playing an open source? >>Yeah, absolutely. Um So when we started this company, my co founders and I, we sat down and said here, What are the problems? Okay, the world doesn't need a better scanner, right? If you walk the floor of, ah, security, uh, conference. It's like our tool finds a million things and someone else is. My tool finds a million and five things. Right, And that's how they're competing on value. It's really about making it easy to use and put in the pipeline. So we decided not to roll. Our own scanner were based on an open source capability called Zap the Set Attack Proxy. Uh, it is the most the world's most downloaded application scanner. And, uh, actually we just hired the founder of Zap to join the Stack Hawk team, and we're really excited to continue to invest in the open source community. There is a ton of opportunity to grow and sort of galvanize that community. And then the work that we do with our customers and the feedback that we get about the bugs we find if there, ah, false positive or this one's commonly risk accepted, we can go back to the community, which were already doing and saying, Hey, ditch this rule, Nobody likes it or we need to improve this test. Um, so it's a really nice relationship that we have, and we are looking forward to continuing to grow that >>great stuff. You guys are hot. Start of love. The software on security angle again def sec. Cox is gonna be It's gonna be really popular. Can you talk about some of the customer success is What's the What's the feedback from customers? Can you share some of the use cases that you guys are participating in where you're winning? You mentioned developers love it and try It can just give us a couple of use cases and examples. >>Yeah. Ah, few things. Um ah, lot of our customers are already selling on the notion. Like before we even went to G A right. They told all of their customers that they scan for security bugs with every single release. So in really critical, uh, industry is like fintech, right. It's really important that their customers trust that they're taking security seriously, which everybody says they dio. But they show it to their customers by saying here, every single deploy I can show you if there were any new security bugs released with that deploy. So that's really awesome. Other things We've heard our, uh, people being able to deploy really quickly thio the Salesforce marketplace, right? Like if they have toe have a scan to prove that that they can sell on Salesforce, they do that really rapidly. Eso all of that's going really well with our customers. >>How would I wanna How would I be a customer if I was interested in, um, using Stack Hawks say we have some software we wanna stand up, and, uh, it's super grade. And so Amazon Microsoft Marketplace Stairs Force They'll have requirements or say I want to do a deal with an integration they don't want. They want to make sure there's no nothing wrong with the code. This seems to be a common use case. How doe I if I was a customer, get involved or just download software? Um, what's the What's the procurement? What's the consumption side of it looked like, >>Yeah, you just go to Stockholm dot com and you create an account. If you'd like to get started that way so you can have a 14 day free trial. We have extremely extensive documentation, so it's really easy to get set up that way. You should have some familiarity. Or grab a software engineer who has familiarity with a couple of things. So one is how to use Docker, right? So Docker is, ah, deployment mechanism for the scanner. We do that so you can run it anywhere that you would like to, and we don't have to do things like pierce firewalls or other protective measures that you've instrumented on your production environment. You just run it, um, wherever you like in your system. So locally, C I c d So docker is an important thing to understand the way we configure our scanner is through a, um, a file. So if you are getting a scan today, either your security team is doing it or you have a pen tester doing it. Um, the whole like getting ready for that engagement takes a lot of time because the people who are running the tests don't know how the software was built. So the way we think about this is, just ask them. So you just fill out a Yamil file with parameters that tell the scanner what to dio tell it how to authenticate and not log out. Um, feed us an A p. I speak if you want, so weaken super efficiently, scan your app and you can be up and running really quickly, and then that's it. You can work with our team at any time if you need help, and then we have a really efficient procurement process >>in my experience some of the pen tests of firms out there, is it? It's like the house keeping seal of approval. You get it once and then you gotta go back again. Software change, new things come in. And it's like, Wait a minute, what's the new pen test? And then you to write a check or engaged to have enough meeting? I mean, this is the problem. I mean, too many meetings. Do you >>guys solve that problem? Do >>you solve that problem? >>We solve a piece of that problem. So I think you know, part of how I talk about our company is this idea that we live in a world where we deploy software every single day. Yet it seems reasonable that once a year or twice a year, we go get a pen test where human runs readily available, open source software on our product and gives us a like, quite literal. Pdf of issues on. It's like this is so intellectually dishonest, like we deploy all of the time. So here's the thing. Pen tests are important and everybody should do them. But that should not be the introduction to these issues that are also easy to automate and find in your system. So the way we think about how we work with pen testers is, um, run, stack hawk or zapped right in an automated fashion on your system, and then give that, give the configuration and give the most recent results to your pen tester and say, Go find the hard stuff. You shouldn't be cutting checks for $30,000 to a pen tester or something that you could easily meet in your flare up. Klein. You could write the checks for finding finding the hard stuff that's much more difficult to automate. >>I totally agree. Final question. Business model Once I get in, is it a service software and services? A monthly fee? How do you guys make money? >>Yep, it is software as a service, it is. A monthly fee were early to market. So I'm not going to pretend that we have perfectly cracked the pricing. Um, but the way that we think about this is this is a team product for software engineers and for, you know, informed constituents, right? You want a product person in the product. You want a security person in the product? Um, and we also want to incent you to scan your APS And the most modern fashion, which is scanning the smallest amount of http that lives in your app, like in a micro services architecture because it makes a lot easier, is easy to isolate the problems where they live and to fix those issues really quickly. So we bundle team and for a UPS and then we scale within, uh, companies as they add more team. So pen users. 10 APS is 3 99 a month. And as you add software engineers and more applications, we scale within your company that way. >>Awesome. So if you're successful, you pay more, but doesn't matter. You already succeeded, and that's the benefit of by As you go Great stuff. Final question. One more thing. Your vision of the future. What are the biggest challenges you see in the next 24 months? Plus beyond, um, that you're trying to attack? That's a preferred future that you see evolving. What's the vision? >>Yeah, you've touched on this a couple of times in this interview with uh being remote, and the way that we need to build software already has been modernizing, and I feel like every company has a digital transformation initiative, but it has toe happen faster. And along with that, we have to figure out how Thio protect and secure these Moderna Gail. The most important thing that we do the hearts and minds of our support engineers and make it really easy for them to use security capabilities and then continue to growth in the organization. And that's not an easy thing tied off. It's easy change, a different way of being security. But I think we have to get their, uh, in order to prepare the security, uh, in these rapidly deployed and developed applications that our customers expect. >>Awesome. Jodi Clippers, CEO and founder of Stack Hawk. Thank you for coming on. I really appreciate it. Thanks for spending the time featured Startup is part of our Cuban cloud. I'm Sean for your host with silicon angle to Cube. Thanks for watching

>>from San Francisco. It's the queue every day to thank you. Brought to you by day to like you. Hey, >>welcome back already, Jeffrey. Here with the Cube were a day to IQ's headquarters in downtown San Francisco. They used to be metal sphere, which is what you might know them as. And they've rebranded earlier this year. And they're really talking about helping Enterprises in their journey to cloud native. And we're really excited to have really one of the product guys he's been here and seeing this journey and how through with the customers and helping the company transforming his Chandler hosing tonight. He's the s VP of engineering and product. Chandler, great to see you. Thanks. So, first off, give everyone kind of a background on on the day to like you. I think a lot of people knew mesosphere. You guys around making noise? What kind of changed in the marketplace to to do a rebranding? >>Sure. Yeah, we've been obviously, Mason's here in the past and may so so I think a lot of people watching the cube knows No, no one knows about Mace ose as as we were going along our journey as a company. We noticed that a lot of people are also asking for carbonates. Eso We've actually been working with kubernetes since I don't know 16 4017 something that for a while now and as Maur Maur as communities ecosystem starting involving mature more. We also want to jump in and take advantage of that. And we started building some products that were specific to kubernetes and eso. We thought, Look, you know, it's a little bit confusing for people May, SOS and Kubernetes and at times those two technologies were seen almost as competitive, even though we didn't always see it that way. The market saw it that way, so we said, Look, this is going too confusing for customers being called Mesa Sphere. Let's let's rebrand around Maur what we really do. And we felt like what we do is not just focus around one specific technology. We felt like we helped customers with more than that more than just may so support more than just community support, Andi said. Look, let's let's get us a name that shows what we actually do for customers, and that's really helping them take their workloads and put them on on Not just, you know, um, a source platform, but actually take their workloads, bring them into production and enterprise way. That's really ready for day two. And that's that's why we called it data. >>And let's unpack the day to, cause I think some people are really familiar with the concept of day two. And for some people, they probably never heard it. But it's a pretty interesting concept, and I think it packs a lot of meaning in it. A number of letters. I think you >>can kind of just think about it if you were writing software, right? I mean, Day zero is okay. We're gonna design it. We're gonna start playing with some ideas. We're gonna pull into different technologies. We're gonna do a POC. We're gonna build our skateboards. So to say, that's kind of your day. Zero. What do we want? Okay, we're gonna build a Data Analytics pipeline. We want spark. We're going to store data. Cassandra, we're gonna use cough. Go to pass it around. We're gonna run our containers on top of communities. That's just kind of your day. Zero idea. You get it working, you slap it on a cluster. Things are good right? Day one might be okay. Let's actually do a beta put in production in some kind of way. You start getting customers using it. But now, in Day two, after all that's done, you're like, Wait a second. Things were going wrong. Where's our monitoring? We didn't set that up. Where's our logging? Oh, I don't know. Like, >>who do we >>call this? Our container Run time, we think has above. Who do we call like? Oh, I don't know What support contract that we cut, Right? So that's the things that we want to help customers with. We want to help them in the whole journey, getting to Day two. But once they're there, we want them to be ready for day two, right? And that's what we do. >>I love it because one of my favorite quotes I've used it 1000 times. I'll do 2001 right? Is that open source is free like a puppy. Exactly for you. When you leave you guys, you're not writing a check necessarily to the to the shelter, But there's a whole lot of other check. You got a right and take care of. And I think that's such a key piece. Thio Enterprise, right. They need somebody to call when that thing breaks. >>Yeah. I mean, I haven't come from enterprise company. I was actually a customer basis Fear before I joined. Yeah, that's exactly why we're customers that we wanted. Not only that, insurance policy, but someone that partner with us as we start figuring this out, you know? I mean, just picking. You know what container run time do I want to use with communities? That one decision could take months if you're not familiar with it. And you you put a couple of your best architects on it. Go research container. You go research, cryo go research doctor. Tell me what's what's the best one we should use with kubernetes. Whereas if you're going, if you have a partnership with a company like day two, you can say, Look, I trust these. You know this company, they they're they're experts of this and they see a lot of this. Let's go with their recommendation. It's >>okay. So you got you got your white board. You've got a whole bunch of open source things going on, right? And you've got a whole bunch of initiatives and the pressure's coming down from from on high to get going, you've got containers, Asian and Cloud native and hybrid Cloud all the stuff. And then you've got some port CEO on his team trying to figure it out. You guys have a whole plethora of service is around some of these products. So as you try it and then you got the journey right and you don't start from from a standing start. You gotta go. You gotta go. So how do you map out the combination of how people progress through their journey? What are the different types of systems that they want to put in place and into, prioritize and have some type of a logical successful implementation and roll out of these things from day zero day 132? No, it's >>a great question. I think that's actually how we formed our product. Strategy is we've been doing this for a while now and we've we've gone. We've gone on this journey with really big advanced customers like ride sharing companies and large telcos customers like that. We've also gone on this journey with smaller, less sophisticated customers like, you know, industrial customers from the Midwest. Right? And those are two very, very different customers. But what's similar is they're both going on the same journey we feel like, but they're just at different places. So we wanted to build products, find the customer where they're at in their journey, and the way we see it really is just at the very beginning. It's just training, right? So we have, ah, bunch of support. We're sorry. Service is around training. Help you understand? Not just kubernetes, but the whole cloud native ecosystem. So what is all this stuff? How does it work? How does it fit together? How do I just deploy simple app to right? That's the beginning of it. We also have some products in that area as well, to help people scale their training across the whole whole organization. So that's really exciting for us once once, once that customer has their training down there like Okay, look, get I need a cluster now, like I need a destroyer of sorts and criminals itself is great, but it needs a lot of pieces to actually get it ready for prime time. And that's where we build a product called Convoy Say Okay, here is your enterprise great. Ready to go kubernetes destro right out of the box. And that product is really it's what you could use to just fiddle around with communities. It's also what you put into production right on the game. That's that's been scale tested, security tests and mixed workload tested. It's everything. So that's that's kind of our communities. Destro. So you've gotten your training. You have your destro and now you're like, OK, I actually wanna want to run some applesauce. >>Let me hold there. Is it Is it open corps? Or, you know, there's a lot of conversation in the way the boys actually >>the way we built convoy. It's a great question. The way we build convoys said, Okay, we don't We want to pick the best of breed from each of these. Have you seen the cloud native ecosystem kind of like >>by charter, high charter, whatever it is, where they have all the logos and all the different spiral thing. So it's crazy. Got thousands of logos, right? And >>we said, Look, we're gonna navigate this for you. What's the best container run time to pick. And it's It's almost as if we were gonna build this for ourselves using all open source technology. So convoys completely opens. Okay, um, there's some special sauce that we put in on how to bring these things together. Install it. But all the actual components itself is open source. Okay, so that's so if you're a customer, you're like, OK, I want open source. I don't want to be tied to any specific vendor. I want to run on Lee open. So >>yeah, I was just thinking in terms of you know, how Duke is a reference right. And you had, you know, the Horton worst cloud there and map our strategies, which were radically different in the way they actually packaged told a dupe under the covers. Yeah, >>you can think of it similar. How Cloudera per ship, Possibly where they had cdh. And they brought in a lot of open source. But they also had a lot of proprietary components to see th and what we've tried to get away from it is tying someone in tow. Us. I know that sounds counterintuitive from a business perspective, but we don't want customers to feel like if I go with D to like you. I always have to go with me to like you. I have to drink the Kool Aid, and I'm never gonna be able to get off. >>Kind of not. Doesn't really go with the open source. Exactly this stuff. It's not >>right for our customers, right? A lot of our customers want that optionality, and they don't want to feel locked in. And so when we built convoy, he said, Look, you know, if we were to start our own company, not not an infrastructure coming that we are right now, but just a software company build any kind of ab How would we approach it? And that was one of the problems we saw for We don't wanna feel like we're tied into any. >>Right. Okay, so you got to get the training, you got the products. What's >>next? What's next is if you think about the journey, you're like, OK, a lot. What we've found and this may or may not be totally true is one of the first things people like to run on committees is actually they're builds. So see, I see. And we said, How can we help with this. We looked around the market and there's a lot of great see, I see products out there right now. There's get lab, which is great partner of ours. It's a great product. There's there's your older products. Like Jenkins. There's a bunch of sass products, Travis. See all these things. But what we we wanted to do if we were customers of our own products is something that was native to Kubernetes. And so we started looking at projects like tectonic and proud. Some of these projects, right? And we said, How can we do the same thing we did with convoy where we bring these projects together and make it easy for someone to adopt these kubernetes native. See, I see tools. And we did some stuff there that we think is pretty innovative as well. And that's what that's the product we call dispatch. >>Okay. What do you got? More than just products. You've got profession service. That's right. So now >>you need help setting all this up. How do you actually bring your legacy applications to this new platform? How do you get your legacy builds onto these new build systems That that's where our service is coming the plate and kind of steer you through this whole journey. Lastly, what we next in the journey, though? Those service's compliment Really? Well, with with the kind of the rest of the product suite, right? And we didn't just stop with C i c. He said, what is the next type of work that we want to run here? Okay, so there we looked at things like red hat operators. Right? And we said, Look, red hats doing really cool thing here with this operator framework, how can we simplify it? We learn we've done a lot of this before with D. C. O s, where we built what we called the DCS sdk to help people bring advanced complex workloads onto that platform. And we saw a lot of similarities with operators to our d c West sdk. We said, How can we bring some of our understanding and knowledge to that world? And we built this open source product called kudo. Okay, people are free to go check that out. And that's how we bring more advanced workload. So if you think about the journey back to the journey again, you got some training you have your have your cluster, you put your builds on it. Now you want to run some advance work logs? That's where Kudo comes. >>Okay? And then finally, at the end of the trail is 1 800 I need help. Well, almost into the trail. We're not there yet. There was one thing they're still moving with one more step right on >>the very last one. Actually, we said, Okay, what's next in this journey? And that's running multiple clusters of the same. Okay, so that's kind of the scale. That's the end of the journey from for us, for our proxy as it stands right now. And that's where you build a product called Commander. And that's really helping us launch and manage multiple >>companies clusters at the same time. >>So it's so great that you have the perspective of a customer and you bring that directly in two. You know what you want because you just have gone through this this journey. But I'm just curious, you know, if you put your old hat on, you know, kind of c i o your customer. You know, you just talked about the cake chart with Lord knows how many logos? How do you help people even just begin to think about about the choices and about the crazy rapid change in what? That I mean? Kubernetes wasn't a thing four years ago to help them stay on top of it to help them, you know, both kind of have a night to the vision, you know, make sure you're delivering today on not just get completely distracted by every bright, shiny object that happens to come along. Yeah, no, >>I think it's really challenging for the buyers. You know, I think there's a, especially as the industry continues to make sure there's a new concept that gets thrown at all times. Service Manager. You know, some new, cool way to do monitoring or logging right? And you almost feel like a dinosaur. If you're not right on top of these things to go to a conference in, are you using? You know, you know B P f. Yet what is that? You didn't feel right? Exactly. I think I think most importantly, what customers want is the ability what, the ability to move their technology and their platforms as their business has the need. If the need isn't there for the business, and the technology is running well. There shouldn't be a reason to move to a new platform. Our new set of technologies, in fact, with dese us with Mason charities. To us, we have a lot of happy customers that are gonna be moving crib. Amazing if they wanted to anytime soon. Do you see What's that? Something's that criminal is currently doesn't do. It may never do because the community is just not focused on it that DCS is solving. And those customers just want to see that will continue to support them in the journey that they're on with their their business. And I think that's what's most important is just really understanding our customer's understanding their business, understand where they wanna go. What are their goals, So to say, for their technology platforms and and making sure you were always one step ahead >>of them, that's a >>good place to be one step ahead of demand. All right, well, thanks for for taking a few minutes and sharing the story. Appreciate it. Okay. Thank you. All right. Thanks. Chandler. I'm Jeff. You're watching >>the Cube. Where? Day two. I >>Q in downtown San Francisco. Thanks for watching. We'll see you next time

>> from our studios in the heart of Silicon Valley, Palo Alto, California. It is a cute conversation. >> Everyone. Welcome to this Special Cube conversation here at the Palo Alto Cube Studios. I'm John for a host of Cuba here. Moritz man is the head of the product management team at Open Systems A G. Great to see you again. Thanks for coming in. >> Hey, John. Thanks for having me. >> So last time we spoke, you had your event in Las Vegas. You guys are launching. You have a new headquarters here in Silicon Valley. Opened up this past spring. Congratulations. Thank you. >> Yeah, it's a great, great venue to start, and we set foot on the Silicon Valley ground. So to make our way to >> I know you've been super busy with the new building and rolling out, expanding heavily here in the Valley. But you guys were in the hottest area that we're covering Security Cloud security on premise, security. The combination of both has been the number one conversation pretty much in the cloud world right now. Honestly, besides a normal cloud, native cloud I t hybrid versus multi cloud out. See, that continues to be the discussion I think there's no more debate around multi cloud in hybrid public clouds. Great people gonna still keep their enterprises. But the security equation still is changing this new requirements. What's the latest that you guys are seeing with respect to security? >> Yeah. So, John, what we see is actually that cloud adoption had happens at different speeds. So you have usually the infrastructure of the service. Adoption would happens in a quite controlled way because there's a lift in shift. Do you have your old data center? You you take it and you transferred into azure I W S O G C P. But then there's also uncontrolled at option, which is in the SAS space. And I think this is where a lot off data risk occur, especially the wake off GDP are on where we see that this adoption happens. Maurin a sometimes control, but sometimes in a very uncontrolled way, >> explain that the uncontrolled and controlled expansion of of how security and multi cloud and cloud is going because this interesting control means this this plan's to do stuff uncontrolled means it's just by other forces explain uncontrolled versus controls >> eso controlled specifically means the IittIe team takes as a project plan and aches servers and workloads and moves them in a controlled fashion or in a dedicated project to the cloud. But what happened in the business world of business I t is actually did use those share content at any time with any device at any at any time and in all locations. So this is called the Mobile Enterprise on the Cloud First Enterprise. So it means that the classical security perimeter and the controls in that are my past, actually, by the path of least resistance or the shortest path >> available. And this is the classic case. People use Dropbox with some, you know, personal things. They're at home, they're at work, a p I based software. That's what you're getting at the >> and the issue of this is that that the data that has bean, like contained an pera meters where, you know, as it Caesar, where your data is. This has bean deployed too many edge devices, too many mobile devices, and it's get it gets shared, a nun controlled way. >> We'll get a couple talk tracks would like to drill down on that, because I think this is the trend. We're seeing a pea eye's dominant. The perimeter on the infrastructure has gone away. It's only getting bigger and larger. You got I, O. T and T Edge just and the networks are controlled and also owned by different people. So the packets of moving on it that's crazy so that that's the reality. First, talk track is the security challenge. What is the security challenge? How does a customer figure out what to do from an architectural standpoint when they're dealing with hybrid and multi cloud? So first of >> all, um, customers or BC enterprises try need to re think their infrastructure infrastructure centric view off the architecture's. So the architecture that had been built around data send us needs to become hybrid and multi cloud aware. So that means they need to define a new way off a perimeter, which is in cloud but also in the covering. Still the old, so to say, legacy hyper data center set up, which has the data still in the old data center and at the same time, they need to open up and become the cloud themselves, so to say, and but still draw a perimeter around their data and they users and not and their applications and not so much anymore around the physical infrastructure. >> So taking, changing their view of what a security product is, Is that really what you're getting at? >> Yeah, So the issues with the product point solution was that they fixed a certain part off off a tactile issue. So if you take a firewall in itself, firewall back then it was like a entry door to a big building, and you could could decide who comes out goes in. Now. If the the kind of the walls of the building are vanishing or arm or more FIC, you need to come over the more integrated concept. So having these stacked appliance and stacked security solutions trying to work together and chain them doesn't work anymore. So we think and we see that, >> Why is that? Why doesn't it work? Because in >> the end, it's it's it's hardly two to operate them. Each of those points solutions have their own end off life. They have their own life cycle. They have their own AP eyes. They have their own TCO, as all that needs to be covered. And then there's the human aspect where you have the knowledge pools around >> those technologies. So as an enterprise you have to content to continuously keep the very scar security experts to maintain content continues the depreciating assets running right, >> and they're also in it. We weren't built for tying into a holistic kind of platform. >> Yeah, What we see is that that enterprises now realize we have data centers and it's not accepted reality that you can abstracted with the cloud. So you have You don't own your own servers and buildings anymore. So you have a PAX model to subscribe to Cloud Service is and we think that this has to happen to security to so shift from cap ex to our pecs and the same way also for operational matters >> securities. The service is a crepe is a small I want to ask you on that front you mentioned mobile users. How do you secure the mobile uses when they use cloud collaboration? Because this is really what uses expect, and they want How do you secure it? >> So be secured by by actually monitoring the data where it actually gravitates, and this is usually in the cloud. So we enforce the data that is in transit through, ah, proxies and gators towards the cloud from the endpoint devices, but also then looking by AP eyes in the cloud themselves to look for threats, data leakage and also sandbox. Certain activities that happened. There >> are the next talk talk I want to get into is the expansion to hybrid and multi cloud so that you guys do from a product standpoint, solution for your customers. But in general, this is in the industry conversation as well. How how do you look at this from a software standpoint? Because, you know, we've heard Pat Gelsinger of'em were talking about somewhere to find Data Center S d n. Everything's now software based. You talk about the premiere goes away. You guys were kind of bring up a different approaches. A software perimeter? Yeah, what is the challenge for expanding to multi cloud and hybrid cloud? >> So So the challenge for enterprise and customers we talked to is that they have to run their old business. Gardner once called it by motile business, and it's still adopting not one cloud, but we see in our surveys. And this is also what market research confirms is that customers end up with 2 to 3 loud vendors. So there were will be one or two platforms that will be the primary to their major majority of applications and data gravity. But they will end up and become much more flexible with have running AWS, the old Davis Center. But it was the G, C, P and Azure, or Ali Baba glowed even side by side, right tow cover the different speeds at what their own and the price runs. And >> so I gotta ask you about Cloud Needed was one of the things that you're bringing up that just jumps in my head. And when I got to ask, because this is what I see is a potential challenge. It might be a current challenges when you have kubernetes growing such a rapid rate. You see the level of service is coming online much higher rate. So okay, people, mobile users, they're using the drop boxes, the boxes and using all these FBI service's. But that's just those wraps. As a hundreds and thousands of micro service is being stood up and Tauron down in there, you guys are taking, I think, an approach of putting a perimeter software premieres around these kinds of things, but they get turned on enough. How do you know what's clean? It's all done automatically, so this is becoming a challenge. So is this what you guys mean when you say software perimeter that you guys could just put security around things at any time? Is that explain this? >> Yeah, So? So if you talk about the service match so really mashing cloudy but native functions, I think it's still in the face where it's, I would say, chaos chaotic when you have specific projects that are being ramped up them down. So we draw a perimeter in that specific contact. So let's say you have You're ramping up a lot off cloud a function AWS. We can build a pyramid around this kind off containment and look especially for threats in the activity locks off. The different component is containers, but from from a design perspective, this needs to be, uh, we need to think off the future because if you look at Mike soft on AWS strategy, those containers will eventually move Also back to the edge. Eso were in preparing that to support those models also cover. Bring these functions closer back again to the edge on We call that not any longer the when, ej but it will become a cloud at at actually. So it's not an extension of the land that comes to the data. It's actually the data and the applications coming back to the user and much closer. >> Yeah. I mean, in that case, you could define the on premises environment has an edge, big edge, because this is all about moving, were close and data around. This is what the new normal is. Yeah, So okay, I gotta ask the next question, which is okay, If that's true, that means that kubernetes becomes a critical part of all this. And containers. How do you guys play with that at all? >> So we play with us by by actually looking at data coming from that at the moment. We're looking at this from a from a data transit perspective. We But we will further Maur integrate into their eighties AP eyes and actually become part off the C I C D. Process that building then actually big become a security function in approval and rolling out a cannery to certain service mesh. And we can say, Well, this is safe for this is unsafe This is, I think, the eventual goal to get there. But But for now, it's It's really about tracking the locks of each of those containers and actually having a parent her and segmentation around this service mash cloud. So to say, >> I think you guys got a good thing going on when you talk about this new concept that's of softer to find perimeter. You can almost map that to anything you get. Really think everything has its own little perimeter workload. Could be moving around still in these three secure. So I gotta ask on the next talk Trek is this leads into hybrid cloud. This is the hottest topic. Hybrid cloud to me is the same as multi cloud. Just kind of get together a little bit different. But hybrid cloud means you're operating both on premises and in the cloud. This is becoming a channel most si si SOS Chief admission Security officers. I don't want to fork their teams and have multiple people coding different stacks. They don't want the vendor lock in, and so you're seeing a lot of people pulling back on premises building their own stacks, deploying in the cloud and having a seamless operation. What is your definition of hybrid? Where do you see hybrid going? And how important is it? Have a hybrid strategy. >> So I think the key successfactors of a hybrid strategy is that standards standardization is a big topic. So we think that a service platform that to secure that like the SD when secure service platform rebuilt, needs to be standardized on operational level, but also from a baseline security and detection level. And this means that if you run and create your own work, those on Prem you need to have the same security and standard security and deployment standard for the clout and have the seamless security primary perimeter and level off security no matter where these these deployments are. And the second factor of this is actually how do you ensure a secure data transfer between those different workloads? And this is where S T win comes into play, which acts as a fabric together with when backbone, where we connect all those pieces together in a secure fashion >> where it's great to have you on the Q and sharing your insight on the industry. Let's get into your company. Open systems. You guys provide an integrated solution for Dev Ops and Secure Service and Security Platform. Take a minute to talk about the innovations that you guys were doing because you guys talk a lot about Casby. Talk a lot about integrated esti when but first define what Casby is for. The audience doesn't know what Casby is. C. A S B. It's kicked around all of the security conscious of your new to security. It's an acronym that you should pay attention to so defined casby and talk about your solution. >> Eso casby isn't theory. Aviation means cloud access security we broker. So it's actually becoming this centralized orchestrator that that allows and defines access based on a trust level. So saying, um, first of all, it's between networks saying I have a mobile workforce accessing SAS or I s applications. Can't be it in the middle to provide security and visibility about Where's my data moving? Where's married? Where do I have exposure off off GDP, our compliance or P C. I or he power risks And where is it exposed to, Which is a big deal on it's kind of the lowest level to start with, But then it goes further by. You can use the Casby to actually pull in data that that is about I s were close to toe identified data that's being addressed and stored. So are there any incidentally, a shared data artifacts that are actually critical to the business? And are they shared with extra resource is and then going one step further, where we then have a complete zero trust access model where we say we know exactly who can talkto which application at any time on give access to. But as everything this needs to be is in embedded in an evolution >> and the benefit ultimately goes to the SAS applications toe, have security built in. >> That's the first thing that you need to tackle. Nowadays, it's get your sass, cloud security or policy enforced on, but without disrupting service on business on to actually empower business and not to block and keep out the business >> can make us the classic application developer challenge, which is? They love to co they love the build applications, and what cloud did with Dev Ops was abstracted away the infrastructure so that they didn't have to do all this configuration. Sister. Right? APs You guys air enabling that for security? >> Exactly. Yeah. So coming back to this multi protein product cloud would, which is not keeping up anymore with the current reality and needs of a business. So we took the approach and compared death ops with a great service platform. So we have engineers building the platform. That's Integrated Security Service Platform, which promotes Esti Wen managed Detection response and Caspi Service is in one on the one platform which is tightly integrated. But in the in the customer focus that we provide them on or Pecs model, which is pretty, very predictable, very transparent in their security posture. Make that a scalable platform to operate and expand their business on. >> And that's great. Congratulations. I wanna go back for the final point here to round up the interview for the I T. Folks watching or, um, folks who have to implement multi cloud and hybrid cloud they're sitting there could be a cloud architect that could be an I T. Operations or 90 pro. They think multi cloud this in hybrid club. This is the environment. They have to get their arms around. How? What >> should they >> be thinking about? Around multi cloud and hybrid cloud. What is it, really? What's the reality now? What >> should they be considering for evaluation? What are some of the key things that that should be on their mind when they're dealing with hybrid cloud and all the opportunity around it? >> So I think they're they're like, four key pieces. Oneness. Um, they think they still have to start to think strategic. So what? It's a platform and a partner That helps them to plan ahead for the next 3 to 5 years in a way that they can really focus on what their business needs are. This is the scalability aspect. Secondly, it's a do. We have a network on security, our architecture that allows me to grow confidently and go down different venues to to actually adopt multi clouds without worrying about the security implication behind it. Too much, uh, and to implement it. And third is have this baseline and have this standardized security posture around wherever the data is moving, being at Mobil's being it SAS or being on Prem and in clouds workloads, the fourth pieces again, reading, thinking off where did you spend most of my time? Where do I create? Create value by by defining this framework so it really can create a benefit and value for the enterprise? Because if you do it not right your not right. You will have a way. You will end up with a an architecture that will break the business and not accelerated. >> Or it's made head of product that open systems here inside the Cube studios. Um, great job. Must love your job. You got the keys. A lot of pressure. Security being a product. Head of product for security companies. A lot of pressure before we wrap up. Just give a quick plug for the company. You guys hiring you have a new office space here in Redwood City. Looks beautiful. Give a quick shared play for the company. >> Yeah. So open systems the great company to work with. We're expanding in the U. S. On also, Amy, uh, with all the work force. So we're hiring. So go on our website. We have a lot off open positions, exciting challenges in a growth or into workspace. Andi. Yeah. As you said, security at the moment, it's one of the hottest areas to be in, especially with all the fundamental changes happening in the enterprise and architecture. I d landscape. So yeah, >> and clouds securing specifically. Not just in point. The normal stuff that people used to classify as hot as hot as Hades could be right now. But thanks for coming on. Strong insights. I'm jumping with Cuba here in Palo Alto with more Morris Man is the head of product management for open systems. Thanks for watching.

>> live from Boston, Massachusetts. It's the Cube covering A W s reinforce 2019 brought to you by Amazon Web service is and its ecosystem partners. >> Okay, welcome back. Everyone's two cubes Live coverage here in Boston, Massachusetts, for AWS reinforce. This is Amazon Web services Inaugural conference around Cloud security There first of what? Looks like we'll be more focused events around deep dive security to reinvent for security. But not no one's actually saying that. But it's not a summit. It's ah, branded event Reinforce. We're hearing Mark Ryland off director Office of the Sea. So at eight of us, thanks for coming back. Good to see you keep alumni. Yeah, I'm staying here before It's fun. Wait A great Shadow 80 Bucks summit in New York City Last year we talked about some of the same issues, but now you have a dedicated conference here on the feedback from the sea. So as we've talked to and the partners in the ecosystem is, it's great to have an event where they go deep dives on some of the key things that are really, really important to security. Absolutely. This is really kind of a vibe that how reinvents started, right? So reinventing was a similar thing for commercial. You're deep, not easy to us. Three here, deeper on Amazon. But with security. Yeah, security lens on some of the same issues. One thing that happened >> and kind of signal to us that we needed an event like this over the years with reinvent was consistently over the years, the security and compliance track became one of the most important tracks that was oversubscribed in overflow rooms and like, Hey, there's a signal here, right? And so, but at the same time, we wanted to be able to reach on audience. Maybe they wouldn't go to reinvent because they thought I'd say It's all the crazy Dale Ops guys were doing this cloud thing. But now, of course, they're getting the strong message in their security organizations like, Hey, we're doing cloud. Or maybe as a professional, I need to really get smart about this stuff. So it's been a nice transition from still a lot of the same people, but definitely the different crowd that's coming here and was a cross pollination between multiple and I was >> just at Public sector summit. They about cyber security from a national defense and intelligence standpoint. Obviously, threesome Carlson leads That team you got on the commercial side comes like Splunk who our data and they get into cyber. So you started to see kind of the intersection of all the kind of Amazon ecosystems kind of coming around security, where it's now part of its horizontal. It's not just these are the security vendors and partners writes pretty much everyone's kind of becoming native into thinking about security and the benefits that you guys have talk about that what Amazon has to have a framework, a posture. Yeah, they call it shared responsibility. But I get that you're sharing this with the ecosystem. Makes sense. Yeah, talk about the Amazon Web service is posture for this new security >> world. Well, the new security world is if you look at like a typical security framework like Mist 853 120 50 controls all these different things you need to worry about if you're a security professional. And so what eight obvious able to do is say, look, there's a whole bunch of these that we can take care of on your behalf. There's some that we'll do some things and you got to do some things and there's some There's still your responsibility, but we'll try to make it easy for you to do those parts. So right off the bat we can get a lot of wins from just hey, there's a lot of things will just take care of. And you could essentially delegate to us. And for the what remain, You'll take your expertise and you'll re focus it on more like applications security. There still may be some operating systems or whatever. If using virtual machine service, you still have to think about that. But even there, we'll use we have systems Manager will make it easy to do patch management, updating, et cetera. And if you're willing to go all the way to is like a lambda or some kind of a platform capability, make it super easy because all you gotta do is make sure your code is good and we'll take care of all the infrastructure automatically on your behalf so that share responsibility remains. There's a lot of things you still need to be careful about and do well, but your experts can refocus. They could be very you know like it's just a lot less to worry about it. So it's really a message for howto raise the bar for the whole community, but yet still have >> that stays online with the baby value properties, which is, you know, build stuff, ship fast, lower prices. I mazon ethos in general. But when you think about the core A. W. S what made it so great Waas you can reduce the provisioning of resource is to get something up and running. And I think that's what I'm taking away from the security peace you could say. We know Amazon Web service is really well, and we're gonna do these things. You could do that so us on them and then parts to innovate. So I get that. That's good. The other trend I want to get your reaction to is comments we've had on the Cube with si SOS and customers is a trend towards building in house coding security. Your point about Lambda some cool things air being enabled through a B s. There's a real trend of big large companies with security teams just saying, Hey, you know what? I wanna optimize my talent to code and be security focused on use cases that they care about. So you know, Andy Jazz talks about builders. You guys are about builders you got cos your customers building absolutely. Yet they don't want Tonto, but they are becoming security. So you have a builder mindset going on in the big enterprises. >> Yes, talk about that dynamic. That's a That's a really important trend. And we see that even in security organizations which historically were full of experts but not full of engineers and people that could write code. And what we're seeing now is people say, Look, I have all this expertise, but I also see that with a software defined the infrastructure and everything's in a P I. If I pair up in engineering team with a security professional team, then well, how good things will happen because the security specials will say, Gosh, I do this repetitive task all the time. Can you write code to do that like, Yeah, we can write code to do that. So now I can focus on things that require judgment instead of just more rep repetitive. So So there's a really nice synergy there, and our security customers are becoming builders as well, and they're codifying if you moment expression in code, a policy that used to be in a document. And now they write code this as well. If that policy is whatever password length or how often we rode a credentials, whatever the policy is where Icho to ensure that that actually happening. So it's a real nice confluence of security expertise with the engineering, and they're not building the full stack >> themselves. This becomes again Aki Agility piece I had one customer on was an SMS business. They imported to eight of US Cloud with three engineers, and they wrote all the Kuban aged code themselves. They could have used, you know, other things, but they wanted to make sure it's stable so they could bring in some suppliers that could add value. So, again, this is new. Used to be this way back in the old days, in House developers build the abs on the mainframe, build the APS on the mini computers and then on I went to outsourcing, so we're kind of back. The insourcing is the big trend now, >> right in with the smaller engineering team, I can do a lot that used to require so many more people with a big waterfall method and long term projects. And now I take all these powerful building blocks and put an engineering team five people or what we would call it to pizza team five or six people off to the side, given 34 weeks, and they can generate a really cool system that would have required months and not years before. So that's a big trend, and it applies across the board, including two security. >> I think there's a sea change, and I think it's clear what I like about this show is this cloud security. But it's also they have the on premises conversation, Mrs Legacy applications that have been secured and or need to be secured as they evolve. And then you got cloud native and all these things together where security has to be built in. Yeah, this is a key theme, so I want to get your thoughts on this notion of built in security from Day one. What's your what's your view on this? And how should customers start thinking >> about it? And >> what did you guys bringing to the table? Well, I think that's just a general say maturation that goes on in the industry, >> whether it's cloud or on Prem is that people realize that the old methods we used to use like, Hey, I'm gonna build a nap And then I'm gonna hand it to the security team and they're gonna put firewalls around it That's not really gonna have a good result. So security by design, having security is equal co aspect of If I'm getting doing an architecture, I look a performance. I look, it cost. I look at security. It's just part of my system designed. I don't think of it as like a bolt on afterwards, so that leads to things like, you know, Secure Dev ops and kind of integration teams through. This could be happening on premises to it's just part of I T. Modernization. But Cloud is clearly a driver as well, and cloud makes it easier because it's all programmable. So things that are still manual on premises, you can do in a more automated getting into a lot of conversations here under the covers, A lot of under the hood conversations here around >> security BC to one of the most popular service is you guys have obviously compute a big part of the mission Land, another of the feature VPC traffic flows, where mirroring was a big announcement. Like we talked about that a lot of talking about the E c two nitro. You gave a talk on that. Did you just unpacked it a little bit because this has been nuanced out there. It's out there people are interested in. What's that talk about inscription is, is in a popular conversation taking minutes? Explain your talk. Sure, So we've talked for now a year and 1/2 >> about how we've essentially rien. Imagine reinvented our virtual machine architecture, too. Go from a primarily soft defined system where you have a mainboard with memory and intel processor and all that kind of a coup treatments of a standard server. And then your virtual ization layer would run a full copy of an operating system, which we call a Dom zero privileged OS that would mediate access between the guest OS is in this and the outside world because it would maintain the device model like how do I talk to a network card? How I talked to a storage device. I talked through the hyper visor, but through also a dom zero Ah, copy of Lennox. A copy of Windows to do all that I owe. So what we just did over the past few years, we begin to take all the things we're running inside that privileged OS and move that into dedicated hardware software, harbor combination where we now have components we call nitro components their actual separate little computers that do dbs processing. They do vpc processing they do instance, storage. So at this point now, we've taken all of the components of that damn zero. We've moved it out into these You could call Cho processors. I almost think of them is like the Nitro controllers. The main processor and the Intel motherboard is a co processor where customer workloads run because the trust now is in these external all systems. And when you go to talk to the outside world from easy to now you're talking through these very trusted, very powerful co processors that do encryption. They do identity management for you. They do a lot of work that's off the main processor, but we can accelerate it. We could be more assured that it's trustworthy. It can it can protect itself from potential types of hacks that might have been exposed if that, say, an encryption key was in the and the main motherboard. Now it's not so it's a long story until one hour version and doing three minutes now. But overall we feel that we built a trustworthy system for virtual. What was the title of talk so people can find it online? So I was just called the night to architecture security implications of the night to architecture. So it's taking information that we had out there. But we're like highlighting the fact that if you're a security professional, you're gonna really like the fact that this system has it has no damn zero. It has no shell. You can't log into the system as a human being. It's impossible to log in. It's all software to find suffer driven, and all the encryption features air in these co processors so we can do like full line made encryption of 100 gigabits of network traffic. It's all encrypted like that's never been done before. Really, in the history of computing, what's the benefit of nitro architectural? Simply not shelter. More trust built into it a trusted root. That's not the main board encryption, off load and more isolation. Because even if I somehow we're toe managed to the impossible combination of facts to get sort of like ownership of that main board, I still don't have access to the outside world. From there, I have to go through a whole another layer of very secure software that mediates between the inner world of where customer were close run and the outside world where the actual cloud is. So it's just a bunch of layers that make things more secure, >> and I'm sure Outpost will have that as well. Can you waste on that? Seem to me to hear about that. Okay, Encryption, encrypt everything. Is it philosophy we heard in the keynote? You also talked about that as well. Um, encrypting traffic on the hour. I didn't talk about what that means. What was talked to you? What's the big conversation around? Encryption within a. W s just inside and outside. What's the main story there? >> There's a lot of pieces to the pie, but a big one that we were talking about this week is a pretty long term project we call Project lever. It was actually named after a ah female cryptographer. Eventually Park team that was help. You know, one of the major factors, including World War Two, are these mathematicians and cryptographers. So we we wanted to do a big scale encryption project. We had a very large scale network and we had, you know, all the features you normally have, but we wanted to make it so that we really encrypted everything when it was outside of our physical control. So we done that took a long time. Huge investment, really exciting now going forward, everything we build. So any time data that customers give to us or have traffic between regions between instances within the same region outside reaches, whenever that traffic leaves our physical control so kind of our building boundaries or gates and guards and going down the street on a fiber optic to another data center, maybe not far away or going inter continent intercontinental links are going sub oceanic links all those links. Now we encrypt all the traffic all the time. >> And what's the benefit of that? So the benefit of that is there. Still, you know, it's it's obscure, >> but there is a threat model where, you know, governments have special submarines that are known to exist that go in, sniff those transoceanic links. And potentially a bad guy could somehow get into one of those network junction points or whatever. Inspect traffic. It's not, I would say, a high risk, but it's possible now. That's a whole nother level of phishing attacks. Phishing attack, submarine You're highly motivated to sniff that line couldn't resist U. S. O. So that's now so people could feel comfortable that that protection exists and even things like here's a kind of a little bit of scare example. But we have customers that say, Look, I'm a European customer and I have a very strong sense of regional reality. I wanna be inside the European community with all my data, etcetera, and you know, what about Brexit? So now I've got all this traffic going through. A very large Internet peering point in London in London won't be part of Europe anymore according to kind of legal norms. So what are you doing in that case? Unless they Well, how about this? How about if yes, the packets are moving through London, but they're always encrypted all the time. Does that make you feel good? Yeah, that makes me feel good. I mean, I so my my notion of work as extra territorial extra additional congee modified to accept the fact that hey, if it's just cipher text, it's not quite the same as unscripted. >> People don't really like. The idea of encrypted traffic. I mean, just makes a lot of sense. Why would absolutely Why wouldn't you want to do that right now? Final question At this event, a lot of attendee high, high, high caliber people on the spectrum is from biz dab People building out the ecosystem Thio Hardcore check. He's looking under the hood to see SOS, who oversee the regime's within companies, either with the C i O or whatever had that was formed and every couple is different. But there's a lot of si SOS here to information security officers. You are in the office of the Chief Security Information officer. So what is the conversations they're having? Because we're hearing a lot of Dev ops like conversations in the security bat with a pretty backdrop about not just chest undead, but hack a phone's getting new stuff built and then moving into production operations. Little Deb's sec up So these kinds of things, we're all kind of coming together. What are you hearing from those customers inside Amazon? Because I know you guys a customer driven in the customers in the sea SOS as your customer. What are they saying? What are they asking for? So see, so's our first getting their own minds around >> this big technical transformations that are happening on dhe. They're thinking about risk management and compliance and things that they're responsible for. They've got a report to a board or a board committee say, Hey, we're doing things according to the norms of our industry or the regulated industries that we sit in. So they're building the knowledge base and the expertise and the teams that can translate from this sort of modern dev ops e thing to these more traditional frameworks like, Hey, I've got this oversight by the Securities Exchange Commission or by the banking regulators, or what have you and we have to be able to explain to them why our security posture not only is maintained, it in some ways improved in these in this new world. So they're they're challenge now is both developing their own understanding, which I think they're doing a good job at, but also kind of building this the muscle of the strength. The terminology translate between these new technologies, new worlds and more traditional frameworks that they sit within and people who give oversight over them. So you gotta risk. So there's risk committees on boards of these large publics organizations, and the risk committees don't know a lot about cloud computing. So s O they're part of what they do now is they do that translation function and they can say, Look, I've I've got assurance is based on my work that I do in the technology and my compliance frameworks that I could meet the risk profiles that we've traditionally met in other ways with this new technology. So it's it's a pretty interesting >> had translations with the C I A. Certainly in public sector, those security oriented companies, a cz well, as the other trend, they're gonna educate the boards and they're secure and not get hacked the obsolete. And then there's the innovation side of it. Yeah, we actually gotta build out. Yes. This is what we just talked about a big change for our C says. That we talk to and work with all the time is that hey, we're in engineering community now. We didn't used to write a lot of code, and now we do. We're getting strong in that way. Or else we're parting very closely with an engineering team who has dedicated teams that support our security requirements and build the tools. We need to know that things are going well from our perspective. So that's a really cool, I think, changing that. I think that is probably one >> of my favorite trends that I see because he really shows the criticality of security was pretty much all critically, only act. But having that code coding focus really shows that they're building in house use case that they care about and the fact that I can now get native network traffic. Yeah, and you guys are exposing new sets of service is with land and other things >> over the top. >> It just makes for a good environment to do these clouds. Security things. That seems to be the show >> in a nutshell. Yeah, I think that's one of the nice thing about this show. Is It's a very positive energy here. It's not like the fear and scary stuff sometimes hear it. Security conference is like a the sky's falling by my product kind of thing Here. It's much more of a collaborative like, Hey, we got some serious challenges. There's some bad guys out there. They're gonna come after us. But as a community using new tooling, new techniques, modern approaches, modernization generally like let's get rid of a lot of these crusty old systems we've never updated for 10 or 20 years. It's a positive energy, which is really exciting. Good Mark, get your insights out. So this is your wheelhouse Show. Congratulations. >> You got to ask you the question. Just take your see. So Amazon had off just as an industry participant riding this way, being involved in it. What is the most important story that needs to be told in the press? In the media that should be told what's as important. Either it's being told it, then should be amplified or not being told and be written out. What's the What's the top story? I don't think that even after all this time that you know when people >> hear public cloud computing. They still have this kind of instinctive reaction like, Oh, that sounds kind of scary or a little bit risky and, you know, way need to get to the point where those words don't elicit some sense of risk in people's minds, but rather elicit like, Oh, cool, that's gonna help me be secure instead of being a challenge. Now that's a journey, and people have to get there, and our customers who go deep, very consistently, say, And I'm sure you've had them say to you, Hey, I feel more confident in my cloud based security. Then I do my own premises security. But that's still not the kind of the initial reaction. And so were we still have a ways, a fear based mentality. Too much more >> of a >> Yeah. Modernization base like this is the modern way to get the results in the outcomes I want, and cloud is a part of that, and it doesn't not only doesn't scare me, I want to go there because it's gonna take a community as well. Yeah, Mark, thanks so much for coming back on the greatest. Be hearing great Mark Mark Riley, direct of the office of the chief information security at Amazon Web services here, sharing his inside, extracting the signal. But the top stories and most important things >> being being >> said and discussed and executed here, it reinforced on the Cube. Thanks for watching. We'll be right back with more after this short break.

>> live from Orlando, Florida It's the que covering accelerate nineteen. Brought to you by important. >> Welcome back to the Cube. We air live in Orlando, Florida, for accelerate border, not accelerate twenty nineteen. Lisa Martin with Peter Burroughs And we're pleased to welcome back to the Cube. Chief information Security officer See, So from Fortinet fell quite Phil. Thank you so much for joining Peter and me on the Cube today. >> Thanks for much. >> So lots of news, Lots of buzz. You can hear a lot of the folks behind us in the Expo hall here. We've had probably, I think five or six or seven guests today. So far you are on the front lines as to see so afforded it talking with si sos. I'd love to get your your view on what are some of the things they're top of mind for si sos today. The challenge is that they're facing and how are they looking to for doughnut to mitigate this challenge is >> the good news is that the solution sets not as complicated a cz youthink So all the sea says and senior people I talked to are very much focused on How can they reduce complexity, And how can they better leverage automation? I know there's some overlap between those two things, but they care quite a bit about that. Why? Because with less complexity, there's less mistakes with less complexity. There's less optics, right costs, costs for people and then with automation. It also helps with the op ex problem. But automation also allows humans to do things that humans you're better doing things. That and let's machines do things that their better doing that. So, complexity management, Lebanese automation are really top of mind. Of course, you know the next level down, you really need to do segmentation. Well, you need to have good visibility, need to inspection something that But I'd say those couple things are definitely top of mind, no matter who you talked to. >> But one of the things that's especially important about this issue complexity is that the threat surface goes to value, right so that, as you think about I ot as you think about Mohr devices, Mohr elements, et cetera, the threat surface is going to go up the on ly way that you're going to be able to bring that in in a managed way that delivers consistent value without dramatically exploding amount of risk is to reduce the complexity of the rest of the threat >> surface. Thie. If you're trying to place the face the problem of of, of speed and scale, you have to adopt the solutions of automation in integration you need a strategy on. Of course, hope is never a strategy, and so you need to leverage these technologies to do that. Instead, it's all about automation integration, >> right on this notion of the threats surface going to values, gotta have some mean si SOS sort of. Some of the ones that I'm talking to are using terminology like that. Maybe not that concept directly, but they want to make sure that whatever task that they're performing, whatever, uh, whatever risked their engendering or dealing with has some corresponds back to value. Are you seeing that as well? >> Yeah, and since we're talking about value, the end point is becoming a whole lot more interesting in terms of value. So traditionally we think of the endpoint is being a place where there's desktops and then laptops and tablets, and now smartphones, and they've always been part of our cyber domain. But there's this new thing that's happening, I think just left of end point. And it's where there's going to be the heavy instrumentation of physical processes and things. So it's starting with OT operational technology. It's going to be magnified by I ot and, of course, building automation. And so all of a sudden, the definition of value, I think, is going to be places that can collect data about physical processes and things, protect that data and then commoditize it. So value is moving further, further and out into the endpoint defined as thie, a collection of information about physical processes, something so I call this environment cyber physical or, more specifically, more catchy. SciFi right. It's where cyber data, physical data will be intermingled to provide value and efficiencies to customers and things like that. It's a really important area that's the new in point >> in physics. We talk about transducers, right? The transducer is something that takes one form of energy and turns into another form of energy so they could perform a different kind of work. We're talking about what we call information transducers the idea, take one form of information and turn it into another form of information so that it can perform work that's seminal to this notion that you're describing with the side fi. >> That's a >> great analogy. I haven't heard it described that way before. It's kind of like, you know, back in the day where where people use fire to heat and people used sales to move things right. And one day >> it was a more >> wins, right? Wait, move sales. Sorry. Wings. Yeah. Okay. And, uh, someone saw the story. As the story goes, someone saw a pot on the fire, a kettle full of water boil and the lid of the pop move. So they realized I can use heat to move it. So they started integrating different ways of doing things to achieve new effects. And I think that's what you're talking about. He used the word trans transducer, but I think it's the same thing. And how can you use things previously kept separate to do things that you previously couldn't D'Oh. >> So let's talk about this SciFi era C y dash p H y. For those watching at home, what are some of the security challenges that this brings, but also the opportunities to be uncovered by that boiling point analogy. >> Yeah, if you don't mind, I'LL start with the start with positives right where the was a potential benefits to society. So we are all of us and everyone behind us. We're creatures, the physical domain and the opportunities that there will be new data connected about this physical domain that can affect his very personally. So in cyberspace, its ultimate a virtual world. So there could be compromises in cyberspace. That effect is in cyber ways, but when you have compromises in the physical domain, it could be a lot more personal. So let's say that you have a medical device or you have a something else that instruments the temperature, heat, humidity, vector, you name it. Failures in those areas can have a really profound effect on a negative way in this physical oriented domain. So now the flip side of that is because it has a very, very positive effect, Right? Thes healthcare devices could bring new conveniences or perhaps even help address some very important things where they'd be physical or mental disabilities weaken instrument very heavily how we create food products. And so maybe this heavy instrumentation of how you create food can help address world hunger. I know I'm getting kind of heavy about this, but heavy instrumentation of this physical domain has a lot of promise. Now back to the other side. It also has a lot of responsibility involved, right, because, as I mentioned earlier, we're creatures of the physical domain. So if you get it wrong, you could mess up something really important to our health. Care for our transportation, Andi. We also have a very strong feeling towards privacy. At some point, collecting too much about us physically is just too much. So you need to make sure that that any sense data's you have privacy protections built it. So like anything with great opportunity. There's great challenges involved. But by giving their name and starting described, this challenge is we are. We're one step down the path, I think. >> But if we take that and then turn it into a set of cyber security challenges, no secure network challenges, that one of the other things you describe is we're constantly learning about what are the characteristics of a good, competent, reasonable interface between the physical and digital worlds. That knowledge then has to be put back into how we handle network security. >> That's right. I like your use of the word knowledge. And earlier today I gave a talk about something I'm calling a digital big bang. It's an analogy of that. We had a digital big bang fifty years ago where an explosion of data is among us and there's some challenges will get back that in a second. The analogy is thie cosmic big bang of fourteen billion years ago. And it wasn't until we started certain had a quest for knowledge about the fundamental elements of the cosmic Big Bang and the hard sciences behind it. Physics, chemistry, biology, things like that that we actually started obtaining an accumulating knowledge. So I think to your point, there's a lot of knowledge accumulation that we need to start a quest for in this cyber physical domain. And that's that's all about treating cybersecurity more like a science rather than an art. And I think this cyber SciFi domain is a great place to start practicing that accumulating knowledge in a very, very scientific way, build on the build on the successes of our our forefathers. I could say >> Sorry if I can build on this for one second. Sorry, Lisa, that the entropy gets everything in the end. But isn't it interesting that the process of creating Mohr information creating more knowledge and then securing it is our main fight against entropy? Right. That's how we create increase optimization of our resources. How we get Maura out of less on DH. That seems to me to be an especially important thing here. A CZ we think about it is how we utilize that knowledge, share it and in so doing security so that we're sharing inappropriately. >> There's a there's a great saying. I'm sure you're familiar with each of you. It's called. I use it often. Data is the oil the twenty first century, right? So the last century, those who could find oil explored it put it good use and protected dominated that century. Let's fast forward to the twenty first century. I think the same words apply data right. Those who can find it generate wisdom from it, insight from it and protect it will dominate in a good way the twenty first century. So, on the way you were going to do that. This is the collective we is bias. You said Collect, Ate it. Make it better. Send it back out, bring it back in. Make it better. Send it back out. It's a somewhat circular, but I think it's a very, very healthy example of, ah, circular augmentation. >> So don't think I want to touch on a little bit with you. Feel before we let you go is we talked about knowledge a minute ago and sharing that knowledge forty nights Very dedicated to education. Educating your customers, educating your partners When you're talking with si SOS and we know that there's an ostensible skills got with cyber security. What are some of the solutions that you talked to those customers that like Hey, this is how fourteen that nurse ecosystem partners can help you here. Address this so you can leverage the power of that data to, As you said, you know, for the twenty first century, for example, data becomes the new oil. What's that education conversation like there's >> a There's a long game in a short game, you know, the short game is about leveraging like we talked about a few minutes ago. Speed, speed, automation, integration, too. Compliment the shortage of human beings right rely machines, moron for what machines we're good at on DH. Take the humans, the humans, the steel personnel and have them do the higher order thinking. So the near term game. It's foreign. It's really well. Pasha provide our customers is speed, automation and integration. So that's the short game. Long game is about creating, Ah, larger workforce or larger population of folks who could all be construed contribute to this great new world we've been talking about. And that's training. And that's education. And I think, you know important. It's also, you know, working the long game as well, with some near term training at multiple levels for folks in in the networking world, but were also part of something called the World Economic Form West's Center for Cyber Security. We're founding member, and there were trying to create a long game where we can help educate a whole lot of people on cybersecurity and create the future. Workforce is in the long game. So short term long game, both her important >> except well, Phil, thank you so much for joining Peter and me on the cute this afternoon. We appreciate your time. >> Thanks again. It was nice. Nice being back and >> excellent. Our pleasure for Peter. Boris. I'm Lisa Martin. You're watching the Cube

>> From our studios in the heart of Silicon Valley. HOLLOWAY ALTO, California It is a cube conversation. >> Welcome to the special. Keep conversation here in Palo Alto, California. I'm John for a co host of the Cube. Were Arsenal was a C I S O. C. So for Microsoft also corporate vice President, Chief information security. Thanks for joining me today. >> Thank you. >> Appreciate it. Thanks. So you have a really big job. You're a warrior in the industry, security is the hardest job on the planet. >> And hang in sight >> of every skirt. Officer is so hard. Tell us about the role of Microsoft. You have overlooked the entire thing. You report to the board, give us an overview of what >> happens. Yeah. I >> mean, it's you know, obviously we're pretty busy. Ah, in this world we have today with a lot of adversaries going on, an operational issues happening. And so I have responsibility. Accountability for obviously protecting Microsoft assets are customer assets. And then ah, And for me, with the trend also responsibility for business continuity Disaster recovery company >> on the sea. So job has been evolving. We're talking before the camera came on that it's coming to CEO CF roll years ago involved to a business leader. Where is the sea? So roll now in your industry is our is a formal title is it establishes their clear lines of reporting. How's it evolved? What's the current state of the market in terms of the sea? So it's roll? >> Yeah, the role is involved. A lot. Like you said, I think like the CIA or twenty years ago, you know, start from the back room of the front room and I think the, you know, one of things I look at in the role is it's really made it before things. There's technical architecture, there's business enablement. There's operational expert excellence. And then there's risk management and the older ah, what does find the right word? But the early see so model was really about the technical architecture. Today. It's really a blend of those four things. How do you enable your business to move forward? How do you take calculated risks or manage risks? And then how do you do it really effectively and efficiently, which is really a new suit and you look at them. You'LL see people evolving to those four functions. >> And who's your boss? Would you report to >> I report to a gentleman by the name of a curtain. Little Benny on DH. He is the chief digital officer, which would be a combination of Seo did officer and transformation as well as all of Microsoft corporate strategy >> and this broad board visibility, actually in security. >> Yeah, you >> guys, how is Microsoft evolved? You've been with the company for a long time >> in the >> old days ahead perimeters, and we talk about on the Cube all the time. When a criminalist environment. Now there's no perimeter. Yeah, the world's changed. How is Microsoft evolved? Its its view on security Has it evolved from central groups to decentralize? How is it how how was it managed? What's the what's the current state of the art for security organization? >> Well, I think that, you know, you raise a good point, though things have changed. And so in this idea, where there is this, you know, perimeter and you demanded everything through the network that was great. But in a client to cloak cloud world, we have today with mobile devices and proliferation or cloud services, and I ot the model just doesn't work anymore. So we sort of simplified it down into Well, we should go with this, you know, people calls your trust, I refer to It is just don't talk to strangers. But the idea being is this really so simplified, which is you've got to have a good identity, strong identity to participate. You have to have managed in healthy device to participate, to talk to, ah, Microsoft Asset. And then you have to have data in telemetry that surrounds that all the time. And so you basically have a trust, trust and then verify model between those three things. And that's really the fundamental. It's really that simple. >> David Lava as Pascal senior with twenty twelve when he was M. C before he was the C E O. V M. Where he said, You know his security do over and he was like, Yes, it's going to be a do over its opportunity. What's your thoughts on that perspective? Has there been a do over? Is it to do over our people looking at security and a whole new way? What's your thoughts? >> Yeah, I mean, I've been around security for a long time, and it's there's obviously changes in Massa nations that happened obviously, at Microsoft. At one point we had a security division. I was the CTO in that division, and we really thought the better way to do it was make security baked in all the products that we do. Everything has security baked in. And so we step back and really change the way we thought about it. To make it easier for developers for end users for admin, that is just a holistic part of the experience. So again, the technology really should disappear. If you really want to be affected, I think >> don't make it a happy thought. Make it baked in from Day one on new product development and new opportunity. >> Yeah, basically, shift the whole thing left. Put it right in from the beginning. And so then, therefore, it's a better experience for everyone using it. >> So one of things we've observed over the past ten years of doing the Cube when do first rolled up with scene, you know, big data role of date has been critical, and I think one of the things that's interesting is, as you get data into the system, you can use day that contextually and look at the contextual behavioral data. It's really is create some visibility into things you, Meyer may not have seen before. Your thoughts and reaction to the concept of leveraging data because you guys get a lot of data. How do you leverage the data? What's the view of data? New data will make things different. Different perspectives creates more visibility. Is that the right view? What's your thoughts on the role of Data World Data plays? >> Well, they're gonna say, You know, we had this idea. There's identity, there's device. And then there's the data telemetry. That platform becomes everything we do, what there's just security and are anomalous behavior like you were talking about. It is how do we improve the user experience all the way through? And so we use it to the service health indicator as well. I think the one thing we've learned, though, is I was building where the biggest data repositories your head for some time. Like we look at about a six point five trillion different security events a day in any given day, and so sort of. How do you filter through that? Manage? That's pretty amazing, says six point five trillion >> per day >> events per day as >> coming into Microsoft's >> that we run through the >> ecosystem your systems. Your computers? >> Yeah. About thirty five hundred people. Reason over that. So you can Certainly the math. You need us. Um, pretty good. Pretty good technology to make it work effectively for you and efficiently >> at RC A Heard a quote on the floor and on the q kind of echoing the same sentiment is you can't hire your way to success in this market is just not enough people qualified and jobs available to handle the volume and the velocity of the data coming in. Automation plays a critical role. Your reaction to that comment thoughts on? >> Well, I think I think the cure there, John, those when you talk about the volume of the data because there's what we used to call speeds and feeds, right? How big is it? And I used to get great network data so I can share a little because we've talked, like from the nineties or whatever period that were there. Like the network was everything, but it turns out much like a diverse workforce creates the best products. It turns out diverse data is more important than speeds and feeds. So, for example, authentication data map to, you know, email data map to end point data map. TEO SERVICE DATA Soon you're hosting, you know, the number of customers. We are like financial sector data vs Healthcare Data. And so it's the ability Teo actually do correlation across that diverse set of data that really differentiates it. So X is an example. We update one point two billion devices every single month. We do six hundred thirty billion authentications every single month. And so the ability to start correlating those things and movement give us a set of insights to protect people like we never had before. >> That's interesting telemetry you're getting in the marketplace. Plus, you have the systems to bring it in >> a pressure pressure coming just realized. And this all with this consent we don't do without consent, we would never do without consent. >> Of course, you guys have the terms of service. You guys do a good job on that, But I think the point that I'm seeing there is that you guys are Microsoft. Microsoft got a lot of access. Get a lot of stuff out there. How does an enterprise move to that divers model because they will have email, obviously. But they have devices. So you guys are kind of operating? I would say tear one of the level of that environment cause you're Microsoft. I'm sure the big scale players to that. I'm just an enterprising I'm a bank or I'm an insurance company or I'm in oil and gas, Whatever the vertical. Maybe. What do I do if I'm the sea? So they're So what does that mean, Diversity? How should they? >> Well, I think they have a diverse set of data as well. Also, if they participate, you know, even in our platform today, we you know, we have this thing called the security graph, which is an FBI people can tap into and tap into the same graph that I use and so they can use that same graph particular for them. They can use our security experts to help them with that if they don't have the all the resource and staff to go do that. So we provide both both models for that to happen, and I think that's why a unique perspective I should think should remind myself of which is we should have these three things. We have a really good security operations group we have. I think that makes us pretty unique that people can leverage. We build this stuff into the product, which I think is good. But then the partnership, the other partners who play in the graph, it's not just us. So there's lots of people who play on that as well. >> So like to ask you two lines of questions. Wanting on the internal complex is that organizations will have on the external complexity and realities of threats and coming in. How do they? How do you balance that out? What's your vision on that? Because, you know, actually, there's technology, his culture and people, you know in those gaps and capabilities on on all three. Yeah, internally just getting the culture right and then dealing with the external. How does a C so about his company's balance? Those realities? >> Well, I think you raised a really good point, which is how do you move the culture for? That's a big conversation We always have. And that was sort of, you know, it's interesting because the the one side we have thirty five hundred people who have security title in their job, But there's over one hundred thousand people who every day part of their job is doing security, making sure they'LL understand that and know that is a key part we should reinforce everyday on DSO. But I think balancing it is, is for me. It's actually simplifying just a set of priorities because there's no shortage of, you know, vendors who play in the space. There's no shortage of things you can read about. And so for us it was just simplifying it down and getting it. That simplifies simplified view of these are the three things we're going to go do we build onerous platform to prioritize relative to threat, and then and then we ensure we're building quality products. Those five things make it happen. >> I'd like to get your thoughts on common You have again Before I came on camera around how you guys view simplification terminal. You know, you guys have a lot of countries, the board level, and then also you made a common around trust of security and you an analogy around putting that drops in a bucket. So first talk about the simplification, how you guys simplifying it and why? Why is that important? >> You think we supply two things one was just supplying the message to people understood the identity of the device and making sure everything is emitting the right telemetry. The second part that was like for us but a Z to be illustrative security passwords like we started with this technology thing and we're going to do to FAA. We had cards and we had readers and oh, my God, we go talk to a user. We say we're going to put two FAA everywhere and you could just see recoil and please, >> no. And then >> just a simple change of being vision letters. And how about this? We're just going to get rid of passwords then People loved like they're super excited about it. And so, you know, we moved to this idea of, you know, we always said this know something, know something new, how something have something like a card And they said, What about just be something and be done with it? And so, you know, we built a lot of the capability natively into the product into windows, obviously, but I supported energies environment. So I you know, I support a lot of Mac clinics and IOS and Android as well So you've read it. Both models you could use by or you could use your device. >> That's that. That's that seems to be a trend. Actually, See that with phones as well as this. Who you are is the password and why is the support? Because Is it because of these abuses? Just easy to program? What's the thought process? >> I think there's two things that make it super helpful for us. One is when you do the biometric model. Well, first of all, to your point, the the user experience is so much better. Like we walk up to a device and it just comes on. So there's no typing this in No miss typing my password. And, you know, we talked earlier, and that was the most popular passwords in Seattle with Seahawks two thousand seventeen. You can guess why, but it would meet the complexity requirements. And so the idea is, just eliminate all that altogether. You walk up machine, recognize you, and you're often running s o. The user experience is great, but plus it's Actually the entropy is harder in the biometric, which makes it harder for people to break it, but also more importantly, it's bound locally to the device. You can't run it from somewhere else. And that's the big thing that I think people misunderstanding that scenario, which is you have to be local to that. To me, that's a >> great example of rethinking the security paradigm. Exactly. Let's talk about trust and security. You you have an opinion on this. I want to get your thoughts, the difference between trust and security so they go hand in hand at the same time. They could be confused. Your thoughts on this >> well being. You can have great trust. You can, so you can have great security. But you generally and you would hope that would equate like a direct correlation to trust. But it's not. You need to you build trust. I think our CEO said it best a long time ago. You put one bucket of water, one bucket. Sorry, one truffle water in the bucket every time. And that's how you build trust. Over time, my teenager will tell you that, and then you kick it over and you put it on the floor. So you have to. It's always this ratcheting up bar that builds trust. >> They doing great you got a bucket of water, you got a lot of trust, that one breach. It's over right, >> and you've got to go rebuild it and you've got to start all over again. And so key, obviously, is not to have that happen. But then, that's why we make sure you have operational rigor and >> great example that just totally is looking Facebook. Great. They have massive great security. What really went down this past week, but still the trust factor on just some of the other or societal questions? >> Yeah, >> and that something Do it. >> Security. Yeah, I think that's a large part of making sure you know you're being true. That's what I said before about, you know, we make sure we have consent. We're transparent about how we do the things we do, and that's probably the best ways to build trust. >> Okay, so you guys have been successful in Microsoft, just kind of tight the company for second to your role. It's pretty well documented that the stock prices at an all time high. So if Donatella Cube alumni, by the way, has been on the cue before he he took over and clear he didn't pivot. He just said we'd go in the cloud. And so the great moves, he don't eat a lot of great stuff. Open source from open compute to over the source. And this ship has turned and everything's going great. But that cheering the cloud has been great for the company. So I gotta ask you, as you guys move to the cloud, the impact to your businesses multi fold one products, ecosystem suppliers. All these things are changing. How has security role in the sea? So position been impact that what have you guys done? How does that impact security in general? Thoughts? >> Yeah, I think we obviously were like any other enterprise we had thousands of online are thousands of line of business applications, and we did a transformation, and we took a method logical approach with risk management. And we said, Okay, well, this thirty percent we should just get rid of and decommission these. We should, you know, optimize and just lifting shifting application. That cloud was okay, but it turns out there's massive benefit there, like for elasticity. Think of things that quarterly reporting or and you'll surveys or things like that where you could just dynamically grow and shrink your platform, which was awesome linear scale that we never had Cause those events I talk about would require re architectures. Separate function now becomes linear. And so I think there is a lot of things from a security perspective I could do in a much more efficient must wear a fish. In fact, they're then I had to have done it before, but also much more effective. I just have compute capability. Didn't have I have signal I didn't have. And so we had to wrap her head around that right and and figure out how to really leverage that. And to be honest, get the point. We're exploited because you were the MySpace. I have disaster and continent and business. This is processed stuff. And so, you know, everyone build dark fiber, big data centers, storage, active, active. And now when you use a platform is a service like on that kind of azure. You could just click a Bach and say, I want this thing to replicate. It also feeds your >> most diverse data and getting the data into the system that you throw a bunch of computer at that scale. So What diverse data? How does that impact the good guys and the bad guys? That doesn't tip the scales? Because if you have divers date and you have his ability, it's a race for who has the most data because more data diversity increases the aperture and our visibility into events. >> Yeah, I you >> know, I should be careful. I feel like I always This's a job. You always feel like you're treading water and trying to trying to stay ahead. But I think that, um, I think for the first time in my tenure do this. I feel there's an asymmetry that benefits. They're good guys in this case because of the fact that your ability to reason over large sets of data like that and is computed data intensive and it will be much harder for them like they could generally use encryption were effectively than some organization because the one the many relationship that happens in that scenario. But in the data center you can't. So at least for now, I feel like there's a tip This. The scales have tipped a bit for the >> guy that you're right on that one. I think it's good observation I think that industry inside look at the activity around, from new fund adventures to overall activity on the analytics side. Clearly, the data edge is going to be an advantage. I think that's a great point. Okay, that's how about the explosion of devices we're seeing now. An explosion of pipe enabled devices, Internet of things to the edge. Operational technologies are out there that in factory floors, everything being I P enables, kind of reminds me of the old days. Were Internet population you'd never uses on the Internet is growing, and >> that costs a lot >> of change in value, creation and opportunities devices. Air coming on both physical and software enabled at a massive rate is causing a lot of change in the industry. Certainly from a security posture standpoint, you have more surface area, but they're still in opportunity to either help on the do over, but also create value your thoughts on this exploding device a landscape, >> I think your Boston background. So Metcalfe's law was the value the net because the number of the nodes on the network squared right, and so it was a tense to still be true, and it continues to grow. I think there's a huge value and the device is there. I mean, if you look at the things we could do today, whether it's this watch or you know your smartphone or your smart home or whatever it is, it's just it's pretty unprecedented the capabilities and not just in those, but even in emerging markets where you see the things people are doing with, you know, with phones and Lauren phones that you just didn't have access to from information, you know, democratization of information and analysis. I think it's fantastic. I do think, though, on the devices there's a set of devices that don't have the same capabilities as some of the more markets, so they don't have encryption capability. They don't have some of those things. And, you know, one of Microsoft's responses to that was everything. Has an M see you in it, right? And so we, you know, without your spirit, we created our own emcee. That did give you the ability to update it, to secure, to run it and manage it. And I think that's one of the things we're doing to try to help, which is to start making these I, O. T or Smart devices, but at a very low cost point that still gives you the ability because the farm would not be healed Update, which we learn an O. T. Is that over time new techniques happen And you I can't update the system >> from That's getting down to the product level with security and also having the data great threats. So final final talk Tracking one today with you on this, your warrior in the industry, I said earlier. See, so is a hard job you're constantly dealing with compliance to, you know, current attacks, new vector, new strains of malware. And it's all over the map. You got it. You got got the inbound coming in and you got to deal with all that the blocking and tackling of the organization. >> What do you What do >> you finding as best practice? What's the what if some of the things on the cso's checklist that you're constantly worried about and or investing in what some of >> the yeah, >> the day to day take us through the day to day life >> of visited a lot? Yeah, it >> starts with not a Leslie. That's the first thing you have to get used to, but I think the you know again, like I said, there's risk Manager. Just prioritize your center. This is different for every company like for us. You know, hackers don't break and they just log in. And so identity still is one of the top things. People have to go work on him. You know, get rid of passwords is good for the user, but good for the system. We see a lot in supply chain going on right now. Obviously, you mentioned in the Cambridge Analytical Analytics where we had that issue. It's just down the supply chain. And when you look at not just third party but forthe party fifth party supply and just the time it takes to respond is longer. So that's something that we need to continue to work on. And then I think you know that those are some of the other big thing that was again about this. How do you become effective and efficient and how you managed that supply chain like, You know, I've been on a mission for three years to reduce my number of suppliers by about fifty percent, and there's still lots of work to do there, but it's just getting better leverage from the supplier I have, as well as taking on new capability or things that we maybe providing natively. But at the end of the day, if you have one system that could do what four systems going Teo going back to the war for talent, having people, no forces and versus one system, it's just way better for official use of talent. And and obviously, simplicity is the is the friend of security. Where is entropy is not, >> and also you mentioned quality data diversity it is you're into. But also there's also quality date of you have quality and diverse data. You could have a nice, nice mechanism to get machine learning going well, but that's kind of complex, because in the thie modes of security breaches, you got pre breached in breech post breach. All have different data characteristics all flowing together, so you can't just throw that answer across as a prism across the problem sets correct. This is super important, kind of fundamentally, >> yeah, but I think I >> would I would. The way I would characterize those is it's honestly, well, better lessons. I think I learned was living how to understand. Talk with CFO, and I really think we're just two things. There's technical debt that we're all working on. Everybody has. And then there's future proofing the company. And so we have a set of efforts that go onto like Red Team. Another actually think like bad people break them before they break you, you know, break it yourself and then go work on it. And so we're always balancing how much we're spending on the technical, that cleanup, you know, modernizing systems and things that are more capable. And then also the future proofing. If you're seeing things coming around the corner like cryptography and and other other element >> by chain blockchain, my supply chain is another good, great mechanism. So you constantly testing and R and D also practical mechanisms. >> And there in the red team's, which are the teams that attacking pen everything, which is again, break yourself first on this super super helpful for us >> well bred. You've seen a lot of ways of innovation have been involved in multiple ways computer industry client server all through the through the days, so feel. No, I feel good about this you know, because it reminds me and put me for broken the business together. But this is the interesting point I want to get to is there's a lot of younger Si SOS coming in, and a lot of young talent is being attractive. Security has kind of a game revived to it. You know, most people, my friends, at a security expert, they're all gamers. They love game, and now the thrill of it. It's exciting, but it's also challenging. Young people coming might not have experience. You have lessons you've learned. Share some thoughts over the years that scar either scar tissue or best practices share some advice. Some of the younger folks coming in breaking into the business of, you know, current situation. What you learned over the years it's Apple Apple. But now the industry. >> Yeah, sadly, I'd probably say it's no different than a lot of the general advice I would have in the space, which is there's you value experience. But it turns out I value enthusiasm and passion more here so you can teach about anybody whose passion enthusiastic and smart anything they want. So we get great data people and make them great security people, and we have people of a passion like you know, this person. It's his mission is to limit all passwords everywhere and like that passion. Take your passion and driver wherever you need to go do. And I >> think the nice >> thing about security is it is something that is technically complex. Human sociology complex, right? Like you said, changing culture. And it affects everything we do, whether it's enterprise, small, medium business, large international, it's actually a pretty It's a fasten, if you like hard problem. If you're a puzzle person, it's a great It's a great profession >> to me. I like how you said Puzzle. That's I think that's exactly it. They also bring up a good point. I want to get your thoughts on quickly. Is the talent gap is is really not about getting just computer science majors? It's bigger than that. In fact, I've heard many experts say, and you don't have to be a computer scientist. You could be a lot of cross disciplines. So is there a formula or industry or profession, a college degree? Or is it doesn't matter. It's just smart person >> again. It depends if your job's a hundred percent. Security is one thing, but like what we're trying to do is make not we don't have security for developers you want have developed to understand oppa security and what they build is an example on DSO. Same with administrators and other components. I do think again I would say the passion thing is a key piece for us, but But there's all aspects of the profession, like the risk managers air, you know, on the actuarial side. Then there's math people I had one of my favorite people was working on his phD and maladaptive behavior, and he was super valuable for helping us understand what actually makes things stick when you're trying to train their educate people. And what doesn't make that stick anthropologist or super helpful in this field like anthropologist, Really? Yeah, anthropologist are great in this field. So yeah, >> and sociology, too, you mentioned. That would think that's a big fact because you've got human aspect interests, human piece of it. You have society impact, so that's really not really one thing. It's really cross section, depending upon where you want to sit in the spectrum of opportunity, >> knowing it gives us a chance to really hire like we hire a big thing for us has been hard earlier in career and building time because it's just not all available. But then also you, well, you know, hire from military from law enforcement from people returning back. It's been actually, it's been a really fascinating thing from a management perspective that I didn't expect when I did. The role on has been fantastic. >> The mission. Personal question. Final question. What's getting you excited these days? I mean, honestly, you had a very challenging job and you have got attend all the big board meetings, but the risk management compliance. There's a lot of stuff going on, but it's a lot >> of >> technology fund in here to a lot of hard problems to solve. What's getting you excited? What what trends or things in the industry gets you excited? >> Well, I'm hopeful we're making progress on the bad guys, which I think is exciting. But honestly, this idea the you know, a long history of studying safety when I did this and I would love to see security become the air bags of the technology industry, right? It's just always there on new president. But you don't even know it's there until you need it. And I think that getting to that vision would be awesome. >> And then really kind of helping move the trust equation to a whole other level reputation. New data sets so data, bits of data business. >> It's total data business >> breath. Thanks for coming on the Q. Appreciate your insights, but also no see. So the chief information security officer at Microsoft, also corporate vice president here inside the Cuban Palo Alto. This is cute conversations. I'm John Career. Thanks for watching. >> Thank you.

>> Las Vegas. Extensive signal from the noise. It's the Q covering interconnect 2016. Brought to you by IBM. Now your host, John Hurry and Dave Ilan. >> Okay, Welcome back, everyone. We are here live in Las Vegas for exclusive coverage of IBM interconnect 2016. This is Silicon Angles. The Q. That's our flagship program. We go out to the events and extract the signal from the noise. I'm John Ferrier with my Coast Day Volante. Our next guest, Steve Robinson News. The GM of client technical engagement before that, in the cloud doing all the blue mix now has the army of technical soldiers out there doing all the action because it's so much robust. So much demand for horizontally scale. The sluices with vertically targeted, prepackaged application development. That's horrible. First you name it big data. Welcome back. Good to see you, John. Thanks. Good to be with you again. Always, like great to have you on because you got a great perspective. You understand the executive viewpoint. A 20 mile stare in the industry. But also you got the in the nuts and bolts in under the hood. >> That's right. A >> lot of action happening under the hood. So let's get that right away. Blue, Mrs Hot Night. Now it's about the developers. What's going on under the hood right now that customers are caring about? >> I always love the Cube. You guys were like one of the first guys talking to us two years ago when we just launched a blue makes on stage. We walked off, got in front of cameras here, and it was great. Over the past year, it's been it's been outstanding. We we're writing about 20,000 folks toe blue mix right now on public, we came out with dedicated and then what people had really been warning was local blue mix as well. So we finally have full hybrid chain that goes from behind the firewall to a single client dedicated cloud all the way up to the public as well. So we've been building that out with service is as well, so have over 106 service is on top of it. You'll see things like Watson, which is unique, our Dash CB analytics, which is unique Internet of things coming in as well. So it's been a great year old building it out and getting more clients on top of it, >> it's like really trying to change the airplane engine in 30,000 feet. Or, in your case, you guys were taken off and from the runway. How has that been? It's been growing pains, of course. Unlearning What? What's going on? What have you learned? Give us the update on >> changing the engine while the plane is flying, and we've used that analogy quite a bit in the labs and way have to show relevance in this market. You know, this market is probably the fastest face technical market I think I've ever been in, and it's moving at such a rapid pace. We had to ship a lot of technology out last year is well, we have every new middleware group in IBM. Putting service is on top of blue mix, so let's get it out there. Let's get it out fast. Now, of course, this year we're gonna harden it up a little bit as well. So more architectures, more points of view. Better look on how this stuff works together hardening up our container strategy, pulling it all the way back to the virtual machine. So both continue to expand it out but let's make it enterprise grade at the same time. >> And also, some differentiation with Watts has been a big play around Catnip. Yeah, really is different because right now with the quote, um, market the way it is court monetization is on number one's mind. Start from startups to enterprises. If you're in business, you want you're top line if you're starting to get monetization. So there's a little bit of IBM in here for people to take in. Well, >> you know, if you look at Watson, you know, when we first started with it, you know, it was this very large big chunk of software that she had to buy. And and we work with Mike Rodents Team toe. Can we chop it up into a set of service is Let's really make this a set of AP eyes, and we started noticing, you know, you saw in Main stage the other day out from Otis. You know, this was a pure startup. He's started picking up the social semantics. Let's pick up the you know, some of the works to text etcetera, conversions, and all of a sudden they're starting to add it in. They said they would have never had access to this technology before way Have that a P I said. Not growing up to 28 we announced a couple cool things this morning. We even showed how would improve your dating life. Probably need some of that with my wife is well to translate between the sexes there, but what people are doing with it now, it's kind of like blowing people. His mind is far beyond what the initial exception waas. >> So your team of your niche is when they get right. It's a large team. It's, but it's a new initiative. New Justice unit, New role for you Talk about that >> way. Kinda had >> a couple pockets of this, but way clearly found that getting clients to the cloud is both a technology challenge as well as a cultural challenge as well. So he brought together some technical experts to kind of help through that entire life chain help up front. You know, many clients are trying to figure out what their overall cloud strategy is, where they truly today and where do they want to get to be? And how can we help him with a road map? That kind of helps them through the transition. Many accounts are very comfortable with the only wanting to be private and only glimpsing forward Thio Public Cloud Helping us bridge across that as well. Then we have the lab service's teams and these air the rial ninjas, the Navy seals. They go as low as you can go and what they're helping. A good way. Yeah, that's good. That's good. That's why they're helping with this very specific technical issue. Technical deployments. A lot of our dedicated local environment. These guys, they're they're really helping it wire in a cz Well, and then we have the garages, you know, we're up Thio. Five of those were going. We announced four new Blockchain garages as well. And this is where firms air coming in to kind of explore do the innovative type project as well. So I think all the way from the initial inception through rolling it out into production, having that team to be able to support him across the >> board. And so this capability existed in IBM previously, But it existed in a sort of bespoke fashion that coordinated >> couple pockets here and there. We always have supports. We had various pockets a lap service's. But we won't really wanna have the capability of seeing that client all the way through their journey, bringing it all under me. We now can easily pass the baton, Handoff says. We need to have that consistent skill there with the clients all the way through their >> journey and is the What's the life cycle of these service is? Is it Is it both pre sales in and post there? Just posted >> many times we'll get involved like our cloud advisers would get involved. Presale. They'll say a specific workload wants to go to the cloud. What are the steps we need to take to make that happen? A CZ well, with our Laps Service's teams, you know, we kind of have, you know, anywhere from a 4 to 6 week engagement. Thio do a specific technology. Let's get it in place. Let's get it wired in et cetera, and then in the garage is you know, we could just take a very novel idea and get it up to, ah, minimal viable product in about a six week period. So again, we're not doing dance lessons for life but strategically placing key skills in with accounts toe. Help him get over that next hump of their journey. >> Steve, when you look at the spectrum from from public all the way down to private and everything in between are you, I wonder if you could describe the level of capability that you are able to achieve with the best practice on Prem with regard to cloud ability. It's service is all the wonderful attributes of child that we've come to know and love. Are you able to, you know, somewhat replicate that roughly replicate that largely replicate, exactly. Replicate that. Where are we today? >> Yeah, I think >> it's a great question. I think. You know, I think most of the clients that we're dealing with have been dealing with some virtualized infrastructure, probably more VMC as they as they've been kind of progressing. That story. One of the things we did it IBM is Could we bring a true cloud infrastructure back behind the firewall? Could we bring an open stack? We bring a cloud foundry base past all the way back through because the goal, of course, is if we could have the same infrastructure private, dedicated and public as they continue to grow and got more comfortable with the public cloud that could start taking work clothes that they had built in one location and start to migrate it out with you. That that local cloud the Maur used for EJ cases. So taking that system of record and building a p i's and allowing to do extensions to that allowing you access into data records that you have today dealing with a lot of extension type cases, you know the core application still needs to be federally regulated. It needs to be under compliance domain. It's gotta be under audit. But maybe I wantto connect it in with a Fitbit or connected in with with a lot Soon are connected in with the Internet of things sensor. I gotta go public cloud for that as well. So locally we can bring that same infrastructure in and then they could doom or service. Is that extended out in the hybrid scenario >> code basis? Because this has come up. Oracle claims this is their big claim to fame. That code base is the same on premise hybrid public. Is that an issue with that? Is that just their marketing, or does it matter what's IBM take on this? >> But we've done ah lot of work with the open standard communities to let's get to a true reference implementation. So on open Stack, we've been doing a lot of work with them, and this is one of the reasons we picked up the Blue box acquisition. Could we really provide a standard open stack locally and also replicate that dedicated and, of course, have it match a reference architecture in public as well? We've also done the same thing with clout. Foundry worked with Sam Ram G to be one of the first vendors, have a certified cloud. Foundry instance is the same local dedicated in public. I think that's kind of the Holy Grail. If you could get the same infrastructural base across all, three, magic can happen. >> But management's important and integration piece becomes the new complexity. I mean, I would say it sounds easy, but it's really hard. Okay, developing in the clouds. Easy, easier ways always used to be right, right well, but not for large enterprises. The integration becomes that new kind of like criteria, right? That separates kind of the junior from the senior type players. I mean do you see the same thing and what we believe >> we do? I think there's usually two issues. We start to see that this model looks great. Let's have the same code base across all three environments. What things? We noticed that a lot of folks, when you get into Private Cloud, had tried to roll their own. You know, open Stack is an open source Project clout. Foundry is an open source project. Let's pull it down and let's see units roll it out and manage it ourselves. These air a little bit you they're very dynamic environments, and they're also a bit punishing if you don't stay current with them, both of them update on a very regular basis. And we found a lot of firms once they applied tenor well, folks to it, they just could not keep up with the right pace of change. So when the technologies we invented was a notion called relay on, this allowed us to actually to use the public cloud is our master copy and then we could provide updates to get down to the dedicated environment and down to the local. This takes the headache completely away from the firm's on trying to keep that local version current. It's not manage service, but it's kind of a new way that we can provide manage patches down to that environment. >> So one of the problems we hear in our community is and presume IBM has some visibility on this. I'm thinking about last year, John, we're at the IBM Z announcement in January, rose 1,000,000 company talked a lot about bringing transaction analytic capabilities together. But one of the problems that our community has practitioners in our community course the data for analytics. A lot of it's in the cloud and a lot of transaction data sitting, you know, on the mainframe, something. How do they bring those two together? Do I remove the data into the data center? Do I do I move pieces in how you see >> we're seeing a lot of that. A lot of it was. Bring the technology down to where the data is, and and now you know the three amount of integration you can do with public data sources, private data sources, et cetera. We're seeing a lot more of the compute want to go out to the cloud as well. You know, we've done some things like around the dash, CB Service's et cetera, where I can start to extract some of that transactional data, but maybe only need a few pieces to really make the data set. That is important to me as I move it out, so I can actually, you know, extract that record. I can actually mask it into being something brand new, and then I could minute we mix it with public data tohave. It do brand new things as well, so I think you're gonna see a lot of dynamic capability across that with or cloud computing technologies coming back behind the firewall and then more ability to release that data be intermixed with public data as well. >> What's the number one thing that you're seeing from customers that you guys were executing on? There's always the low hanging fruit for the easy winds from bringing a team of street team, if you will out. Technical service is out to clients where they really putting that gather, not their five year plans, but their one year. Of course, there's a lot of that agile going on right now. New technologies. You can't isolate one thing and break everything. Za new model. What a customer is caring about, right? What's that? What's the common thing? I think >> over there in 2015 I think the discussion changed and went from Are we going to go to the cloud or we're going to the cloud now? How are we going to do it? And the nice thing about I think a lot of enterprise architecture groups kind of took a step back to say, What do we truly have to do? What is a common platform? What is an integration layer? How do we take some of our old applications and decomposed those into a set of AP eyes? How can we then mix that with public AP eyes? So probably taking one or two projects to be proof points so they could say, this thing really has the magic associated with it. We can really build stuff fast. If we do it the right way, it's gonna be in a catalyst to have the I t. Organization now take the tough steps in what's gonna be the commonality? What common service is are we going to use and how do we start breaking up >> around things you know, we have our own data science and our backcourt operation and one of the things that we always looked at with bloom. It's way start our Amazon. But now, with blue mix, you have a couple things kind of coming together in real time. You said it's getting hard, but those hardened areas are important identity. For instance, where's the data is an instruction and structure. I want a little mongo year or something over there, but with blue mix and compose, I oh, really has a nice fit. I want to explain to the folks we talked before he came on about this new dynamic of composed Io and some of the things that are gluing around blue mix. Could you share this >> William Davis King right? And I think people look to the Cloud Data Service is air. Probably it's the most critical, the most visible, and the one we have to harden up the most is well, even though IBM has been well known for D. B two and we've been a >> wire composed right >> that we did Cognos first, and then we followed up with composed by you because recent waded about, we did compose. I know about eight months ago what we liked about it was all of your favorite flavors, you know? So your your progress, your mongo, you're you're ready. But really having it behave like Like what you would want an enterprise database to do. You can back it up. You can have multiple versions of it. We can replicate itself >> is a perfect cloud need of civic >> class. It has all the cloud properties to it and all the enterprise. Great capabilities with it. Yeah, we've got that now in public, and then you're gonna start seeing dedicated, and you want >> to go bare metal, Just go to soft layer. It's not required right on these things where this will work in the cloud, and then you get the bare metal object you want pushed up the bare metal. No problem. Well, I think >> you know it. Almost hybrid is not gonna get a new definition around it. So it's all gonna be around control and automation, more automation. You need to go all the way up to a cloud foundry where it's managing all the health, checking and keeping your apple. I've etcetera. If you want to go all the way down to bare metal so you can tune it audited et cetera. You can do that as well. I think I've got one of the broader spectrum, is there? >> I'm impressed with the composer. I got to say, Go ahead, get hotel Excited by what? I get excited by just about every way. Just love the whole Dev Ops has been just a game changer in extras. Code has been around for a while, but it's actually going totally mainstream. That's right. The benefits are just off the charts. With Mobile, we have the mobile first guys on. Earlier in the Swift, we had 10 made 12 year old kid. I mean, it's just really amazing. Now that the APS themselves aren't the discussion, it's the under the hood. That's right, so you can have an app look and feel like it's targeted for a vertical, say, retail or whatever. But the actions under the hood yeah, yeah, more than ever. Now >> it's, you know it's funny this year, you know, Dick Tino to the Devil Obsession yesterday and you're the amount of proof points we had around it last year. We were scrambling a little bit and this year it's just we always had to thin out. That's how many guys were having great success with this stuff is coming into its own. >> It totally is. And you guys are give you guys Props were running as fast as you can and you're working hard. And it's not just talk. Yeah, it's It's it's legit. I'm gonna ask you a question. What's the big learnings from last year? This year? What's happened? What do you look back and say? Wow, we really learned a lot or something that might have been Magda ified for you in this journey this past year. >> A lot of it goes back to, you know, this changing culture at IBM, you know, the amount of code we put out in two years was just just unbelievable. But I think also the IBM becoming a true cloud company. Some of that we did with our own shop some, but we did through injecting it with acquisitions. You know, like to compose Io the cloud and team, the blue box guys, et cetera. I think we got the chops now to play it play pro ball way worked very hard, Teoh. How many folks, Can we attract the blue mix? We're getting up to 20,000 week. Right now. We're starting. Get some great recognition and the successes are rolling in as well. So a lot of hard work and a lot of busted knuckles. A lot of guys are tired. Definitely, definitely straight in the game now. >> Ready for the crow bait? Taking the pro GameCube madness starts on cute madness. There were, you know, keep matched all the brackets of the Cube alumni and vote on it turns into a hack a phone because everyone stuffed the ballots. Let's talk about pro ball for next year, a CZ. You guys continue? Sure. The theme here obviously is developer. I mean, the show could be dedicated 100%. The blooming LeBlanc up there kind of going fast at the end of this booth on the clock anymore. Time >> right. Like the Star Wars trailer we had >> going up, he needed more time. So it's good props you got for this year. What's going on the road map this year? What if some of the critical goals that you guys see on your group and then just in general for the thing a >> lot of the activities were gonna be doing again is hardening the stack. I've got a brand new team now called a Solution Architecture, where we're looking at it from top to bottom, taking customer scenarios and really testing it out. How do you do? Back up. How do you do? Disaster recovery? How do you do? Multi geography, You know, things like PC I compliance. The rial enterprise problems are now coming to the class global and their global. And with security and compliance, they're changing in a very dynamic fashion. We have to show how you can do those in the cloud. You'd be amazed on how many conversations we have with Si SOS every single week. Is the cloud secure? How do we do enterprise? Great workloads. IBM is bringing that story to the cloud as well. That's the story of >> a potato that content >> Curation is unbelievable, right? That's the hardest part. And it's not that we have it fixed either. But you were doing more of aggregating it together so that we can really pull it all together. I call it the diamond Mine versus the jewelry store. You know, we always have really did you got yet? The great answers out there somewhere. But if you don't start to pull it together into a single place So one of things we did this year was launched the blue mixed garage methodology where we took all of our best practices. We took text test cases, even sample code, and brought it into a single methodology site where people start to go out, pull it down, use it, etcetera. Previously, we had it scattered all over the place, and we're gonna be doing more things like that. Bring in the assets to the programmers, things that we've tried, things we've tested being more open about it, putting in a single location. >> Well, we certainly would like to help promote that. Any kind of those kind of customer reference architectures. Happy to pump on silicon angle with the bond outlook for the vibe. I'm sorry. Five for the show things year. What's the vibe this year? You know, I think I've >> been very impressed with it, and I think, you know, I've been stepping up its game If you go down to the blue. Mixed garages are motives. A motorcycle on stage, you know, kind of getting a little more hip and happening as well. But I think the clients here and this is always about the customer stories and some of the things that we're hearing from the three guys start ups that are doing GPS logistical management 22 to the big accounts, and the big banks that you really see have embraced the cloud and doing great stories on it as well. I think people come to this show so they see what their peers were doing. And they definitely walk away with a sense that the cloud Israel it's happening and 2016. It is really going to driving it home. That has to be part of everybody. Strategy motorcycles I had put on the Harley Man. We'll take it for a spin guarantee. Come on down >> and give my wife. When I got married, it was terms of conditions. That's right. That's right. Last, Watson that Yeah, Thanks, Steve. Thanks. Taking the time and great to see you again. Congratulations. What? They get technical engagement team that you have all the work that you did that blue mix noted certainly by the cube. Congratulations and continued success with Loomis congratulating >> you guys. Well, always a pleasure. >> Okay. Cube Madness, March 15th Cube Gems go to Twitter. And speaking of jewelry, we have Cube gems hashtag Cube gems. That's the highlights of the videos up there. Real time. And, of course, we're gonna get that TV for all. All the action videos are up there right now. I'll be right back with more coverage after this short break here in Las Vegas.