(bright music) >> Welcome back everyone to the live Cube coverage here in Boston, Massachusetts for AWS re:Inforce 22, with a great guest here, Denise Hayman, CRO, Chief Revenue of Sonrai Security. Sonrai's a featured partner of Season Two, Episode Four of the upcoming AWS Startup Showcase, coming in late August, early September. Security themed startup focused event, check it out. awsstartups.com is the site. We're on Season Two. A lot of great startups, go check them out. Sonrai's in there, now for the second time. Denise, it's great to see you. Thanks for coming on. >> Ah, thanks for having me. >> So you've been around the industry for a while. You've seen the waves of innovation. We heard encrypt everything today on the keynote. We heard a lot of cloud native. They didn't say shift left but they said don't bolt on security after the fact, be in the CI/CD pipeline or the DevStream. All that's kind of top of line, Amazon's talking cloud native all the time. This is kind of what you guys are in the middle of. I've covered your company, you've been on theCUBE before. Your, not you, but your teammates have. You guys have a unique value proposition. Take a minute to explain for the folks that don't know, we'll dig into it, but what you guys are doing. Why you're winning. What's the value proposition. >> Yeah, absolutely. So, Sonrai is, I mean what we do is it's, we're a total cloud solution, right. Obviously, right, this is what everybody says. But what we're dealing with is really, our superpower has to do with the data and identity pieces within that framework. And we're tying together all the relationships across the cloud, right. And this is a unique thing because customers are really talking to us about being able to protect their sensitive data, protect their identities. And not just people identities but the non-people identity piece is the hardest thing for them to reign in. >> Yeah. >> So, that's really what we specialize in. >> And you guys doing good, and some good reports on good sales, and good meetings happening here. Here at the show, the big theme to me, and again, listening to the keynotes, you hear, you can see what's, wasn't talk about. >> Mm-hmm. >> Ransomware wasn't talked about much. They didn't talk about air-gapped. They mentioned ransomware I think once. You know normal stuff, teamwork, encryption everywhere. But identity was sprinkled in everywhere. >> Mm-hmm. >> And I think one of the, my favorite quotes was, I wrote it down, We've security in the development cycle CSD, they didn't say shift left. Don't bolt on any of that. Now, that's not new information. We know that don't bolt, >> Right. >> has been around for a while. He said, lessons learned, this is Stephen Schmidt, who's the CSO, top dog on security, who has access to what and why over permissive environments creates chaos. >> Absolutely. >> This is what you guys reign in. >> It is. >> Explain, explain that. >> Yeah, I mean, we just did a survey actually with AWS and Forrester around what are all the issues in this area that, that customers are concerned about and, and clouds in particular. One of the things that came out of it is like 95% of clouds are, what's called over privileged. Which means that there's access running amok, right. I mean, it, it is, is a crazy thing. And if you think about the, the whole value proposition of security it's to protect sensitive data, right. So if, if it's permissive out there and then sensitive data isn't being protected, I mean that, that's where we really reign it in. >> You know, it's interesting. I zoom out, I just put my historian hat on going back to the early days of my career in late eighties, early nineties. There's always, when you have these inflection points, there's always these problems that are actually opportunities. And DevOps, infrastructure as code was all about APS, all about the developer. And now open source is booming, open source is the software industry. Open source is it in the world. >> Right. >> That's now the software industry. Cloud scale has hit and now you have the Devs completely in charge. Now, what suffers now is the Ops and the Sec, Second Ops. Now Ops, DevOps. Now, DevSecOps is where all the action is. >> Yep. >> So the, the, the next thing to do is build an abstraction layer. That's what everyone's trying to do, build tools and platforms. And so that's where the action is here. This is kind of where the innovation's happening because the networks aren't the, aren't in charge anymore either. So, you now have this new migration up to higher level services and opportunities to take the complexity away. >> Mm-hmm. >> Because what's happened is customers are getting complexity. >> That's right. >> They're getting it shoved in their face, 'cause they want to do good with DevOps, scale up. But by default their success is also their challenge. >> Right. >> 'Cause of complexity. >> That's exactly right. >> This is, you agree with that. >> I do totally agree with that. >> If you, you believe that, then what's next. What happens next? >> You know, what I hear from customers has to do with two specific areas is they're really trying to understand control frameworks, right. And be able to take these scenarios and build them into something that they, where they can understand where the gaps are, right. And then on top of that building in automation. So, the automation is a, is a theme that we're hearing from everybody. Like how, how do they take and do things like, you know it's what we've been hearing for years, right. How do we automatically remediate? How do we automatically prioritize? How do we, how do we build that in so that they're not having to hire people alongside that, but can use software for that. >> The automation has become key. You got to find it first. >> Yes. >> You guys are also part of the DevCycle too. >> Yep. >> Explain that piece. So, I'm a developer, I'm an organization. You guys are on the front end. You're not bolt-on, right? >> We can do either. We prefer it when customers are willing to use us, right. At the very front end, right. Because anything that's built in the beginning doesn't have the extra cycles that you have to go through after the fact, right. So, if you can build security right in from the beginning and have the ownership where it needs to be, then you're not having to, to deal with it afterwards. >> Okay, so how do you guys, I'm putting my customer hat on for a second. A little hard, hard question, hard problem. I got active directory on Azure. I got, IM over here with AWS. I wanted them to look the same. Now, my on-premises, >> Ah. >> Is been booming, now I got cloud operations, >> Right. >> So, DevOps has moved to my premise and edge. So, what do I do? Do I throw everything out, do a redo. How do you, how do you guys talk about, talk to customers that have that chance, 'cause a lot of them are old school. >> Right. >> ID. >> And, and I think there's a, I mean there's an important distinction here which is there's the active directory identities right, that customers are used to. But then there's this whole other area of non-people identities, which is compute power and privileges and everything that gets going when you get you know, machines working together. And we're finding that it's about five-to-one in terms of how many identities are non-human identities versus human identity. >> Wow. >> So, so you actually have to look at, >> So, programmable access, basically. >> Yeah. Yes, absolutely. Right. >> Wow. >> And privileges and roles that are, you know accessed via different ways, right. Because that's how it's assigned, right. And people aren't really paying that close attention to it. So, from that scenario, like the AD thing of, of course that's important, right. To be able to, to take that and lift it into your cloud but it's actually even bigger to look at the bigger picture with the non-human identities, right. >> What about the CISOs out there that you talk to. You're in the front lines, >> Yep. >> talking to customers and you see what's coming on the roadmap. >> Yep. >> So, you kind of get the best of both worlds. See what they, what's coming out of engineering. What's the biggest problem CISOs are facing now? Is it the sprawl of the problems, the hacker space? Is it not enough talent? What, I mean, I see the fear, what are, what are they facing? How do you, how do you see that, and then what's your conversations like? >> Yeah. I mean the, the answer to that is unfortunately yes, right. They're dealing with all of those things. And, and here we are at the intersection of, you know, this huge complex thing around cloud that's happening. There's already a gap in terms of resources nevermind skills that are different skills than they used to have. So, I hear that a lot. The, the bigger thing I think I hear is they're trying to take the most advantage out of their current team. So, they're again, worried about how to operationalize things. So, if we bring this on, is it going to mean more headcount. Is it going to be, you know things that we have to invest in differently. And I was actually just with a CISO this morning, and the whole team was, was talking about the fact that bringing us on means they have, they can do it with less resource. >> Mm-hmm. >> Like this is a a resource help for them in this particular area. So, that that was their value proposition for us, which I loved. >> Let's talk about Adrian Cockcroft who retired from AWS. He was at Netflix before. He was a big DevOps guy. He talks about how agility's been great because from a sales perspective the old model was, he called it the, the big Indian wedding. You had to get everyone together, do a POC, you know, long sales cycles for big tech investments, proprietary. Now, open sources like speed dating. You can know what's good quickly and and try things quicker. How is that, how is that impacting your sales motions. Your customer engagements. Are they fast? Are they, are they test-tried before they buy? What's the engagement model that you, you see happening that the customers like the best. >> Yeah, hey, you know, because of the fact that we're kind of dealing with this serious part of the problem, right. With the identities and, and dealing with data aspects of it it's not as fast as I would like it to be, right. >> Yeah, it's pretty important, actually. >> They still need to get in and understand it. And then it's different if you're AWS environment versus other environments, right. We have to normalize all of that and bring it together. And it's such a new space, >> Yeah. >> that they all want to see it first. >> Yeah. >> Right, so. >> And, and the consequences are pretty big. >> They're huge. >> Yeah. >> Right, so the, I mean, the scenario here is we're still doing, in some cases we'll do workshops instead of a POV or a POC. 90% of the time though we're still doing a POV. >> Yeah, you got to. >> Right. So, they can see what it is. >> They got to get their hands on it. >> Yep. >> This is one of those things they got to see in action. What is the best-of-breed? If you had to say best-of-breed in identity looks like blank. How would you describe that from a customer's perspective? What do they need the most? Is it robustness? What's some of the things that you guys see as differentiators for having a best-of-breed solution like you guys have. >> A best-of-breed solution. I mean, for, for us, >> Or a relevant solution for that matter, for the solution. >> Yeah. I mean, for us, this, again, this identity issue it, for us, it's depth and it's continuous monitoring, right. Because the issue in the cloud is that there are new privileges that come out every single day, like to the tune of like 35,000 a year. So, even if at this exact moment, it's fine. It's not going to be in another moment, right. So, having that continuous monitoring in there, and, and it solves this issue that we hear from a lot of customers also around lateral movement, right. Because like a piece of compute can be on and off, >> Yeah, yeah, yeah. >> within a few seconds, right. So, you can't use any of the old traditional things anymore. So to me, it's the continuous monitoring I think that's important. >> I think that, and the lateral movement piece, >> Yep. >> that you guys have is what I hear the most of the biggest fears. >> Mm-hmm. >> Someone gets in here and can move around, >> That's right. >> and that's dangerous. >> Mm-hmm. And, and no traditional tools will see it. >> Yeah. Yeah. >> Right. There's nothing in there unless you're instrumented down to that level, >> Yeah. >> which is what we do. You're not going to see it. >> I mean, when someone has a firewall, a perimeter based system, yeah, I'm in the castle, I'm moving around, but that's not the case here. This is built for full observability, >> That's right. >> Yet there's so many vulnerabilities. >> It's all open. Mm-hmm, yeah. And, and our view too, is, I mean you bring up vulnerabilities, right. It, it is, you know, a little bit of the darling, right. People start there. >> Yep. >> And, and our belief in our view is that, okay, that's nice. But, and you do have to do that. You have to be able to see everything right, >> Yep. >> to be able to operationalize it. But if you're not dealing with the sensitive data pieces right, and the identities and stuff that's at the core of what you're trying to do >> Yeah. >> then you're not going to solve the problem. >> Yeah. Denise, I want to ask you. Because you make what was it, five-to-one was the machine to humans. I think that's actually might be low, on the low end. If you could imagine. If you believe that's true. >> Yep. >> I believe that's true by the way If microservices continues to be the, be the wave. >> Oh, it'll just get bigger. >> Which it will. It's going to much bigger. >> Yeah. >> Turning on and off, so, the lateral movement opportunities are going to be greater. >> Yep. >> That's going to be a bigger factor. Okay, so how do I protect myself. Now, 'cause developer productivity is also important. >> Mm-hmm. >> 'Cause, I've heard horror stories like, >> Yep. >> Yeah, my Devs are cranking away. Uh-oh, something's out there. We don't know about it. Everyone has to stop, have a meeting. They get pulled off their task. It's kind of not agile. >> Right. Right. >> I mean, >> Yeah. And, and, in that vein, right. We have built the product around what we call swim lanes. So, the whole idea is we're prioritizing based on actual impact and context. So, if it's a sandbox, it probably doesn't matter as much as if it's like operational code that's out there where customers are accessing it, right. Or it's accessing sensitive data. So, we look at it from a swim lane perspective. When we try to get whoever needs to solve it back to the person that is responsible for it. So we can, we can set it up that way. >> Yeah. I think that, that's key insight into operationalizing this. >> Yep. >> And remediation is key. >> Yes. >> How, how much, how important is the timing of that. When you talk to your customer, I mean, timing is obviously going to be longer, but like seeing it's one thing, knowing what to do is another. >> Yep. >> Do you guys provide that? Is that some of the insights you guys provide? >> We do, it's almost like, you know, us. The, and again, there's context that's involved there, right? >> Yeah. >> So, some remediation from a priority perspective doesn't have to be immediate. And some of it is hair on fire, right. So, we provide actually, >> Yeah. >> a recommendation per each of those situations. And, and in some cases we can auto remediate, right. >> Yeah. >> If, it depends on what the customer's comfortable with, right. But, when I talk to customers about what is their favorite part of what we do it is the auto remediation. >> You know, one of the things on the keynotes, not to, not to go off tangent, one second here but, Kurt who runs platforms at AWS, >> Mm-hmm. >> went on his little baby project that he loves was this automated, automatic reasoning feature. >> Mm-hmm. >> Which essentially is advanced machine learning. >> Right. >> That can connect the dots. >> Yep. >> Not just predict stuff but like actually say this doesn't belong here. >> Right. >> That's advanced computer science. That's heavy duty coolness. >> Mm-hmm. >> So, operationalizing that way, the way you're saying it I'm imagining there's some future stuff coming around the corner. Can you share how you guys are working with AWS specifically? Is it with Amazon? You guys have your own secret sauce for the folks watching. 'Cause this remediation should, it only gets harder. You got to, you have to be smarter on your end, >> Yep. >> with your engineers. What's coming next. >> Oh gosh, I don't know how much of what's coming next I can share with you, except for tighter and tighter integrations with AWS, right. I've been at three meetings already today where we're talking about different AWS services and how we can be more tightly integrated and what's things we want out of their APIs to be able to further enhance what we can offer to our customers. So, there's a lot of those discussions happening right now. >> What, what are some of those conversations like? Without revealing. >> I mean, they have to do with, >> Maybe confidential privilege. >> privileged information. I don't mean like privileged information. >> Yep. I mean like privileges, right, >> Right. >> that are out there. >> Like what you can access, and what you can't. >> What you can, yes. And who and what can access it and what can't. And passing that information on to us, right. To be able to further remediate it for an AWS customer. That's, that's one. You know, things like other AWS services like CloudTrail and you know some of the other scenarios that they're talking about. Like we're, you know, we're getting deeper and deeper and deeper with the AWS services. >> Yeah, it's almost as if Amazon over the past two years in particular has been really tightly integrating as a strategy to enable their partners like you guys >> Mm-hmm. >> to be successful. Not trying to land grab. Is that true? Do you get that vibe? >> I definitely get that vibe, right. Yesterday, we spent all day in a partnership meeting where they were, you know talking about rolling out new services. I mean, they, they are in it to win it with their ecosystem. Not on, not just themselves. >> All right, Denise it's great to have you on theCUBE here as part of re:Inforce. I'll give you the last minute or so to give a plug for the company. You guys hiring? What are you guys looking for? Potential customers that are watching? Why should they buy you? Why are you winning? Give a, give the pitch. >> Yeah, absolutely. So, so yes we are hiring. We're always hiring. I think, right, in this startup world. We're growing and we're looking for talent, probably in every area right now. I know I'm looking for talent on the sales side. And, and again, the, I think the important thing about us is the, the fullness of our solution but the superpower that we have, like I said before around the identity and the data pieces and this is becoming more and more the reality for customers that they're understanding that that is the most important thing to do. And I mean, if they're that, Gartner says it, Forrester says it, like we are one of the, one of the best choices for that. >> Yeah. And you guys have been doing good. We've been following you. Thanks for coming on. >> Thank you. >> And congratulations on your success. And we'll see you at the AWS Startup Showcase in late August. Check out Sonrai Systems at AWS Startup Showcase late August. Here at theCUBE live in Boston getting all the coverage. From the keynotes, to the experts, to the ecosystem, here on theCUBE, I'm John Furrier your host. Thanks for watching. (bright music)

(upbeat music) >> Welcome to today's session of theCUBE's presentation of the AWS Startup Showcase, The Next Big Thing in AI, Security, & Life Sciences, and in this segment, we feature Sonrai security, of course for the security track I'm your host, Dave Vellante, and today we're joined by Sandy Bird, who's the co-founder and chief technology officer of Sonrai, and Avi Boru, who's the director of cloud engineering at World Fuel Services, and in this discussion, we're going to talk about 22 to two data centers, how World Fuel Services and Sonrai Security actually made it happen securely. Folks, welcome to theCUBE, come on in. >> Thank you. >> So we hear consistent themes from chief information security officers, that many if not most enterprises they struggle today with cloud security, there's confusion with various tools and depressing lack of available talent to attack this problem. So Sandy, I want to start with you, we always love to ask co-founders, why did you start your company? Take us back to that decision. >> Yeah, I think looking at Sonrai Security was interesting in that, it was a time to start over, it was a time to build a native in the cloud, as opposed to having a data center, and be able to use, you know, a vendor of infrastructure, be able to use the latest and greatest technology and really change the way people secure their workloads, what was interesting, you know, when we started the company, I believe that the world was in a more mature space probably in cloud than they were at the time when we were starting it, in that we were really focused around, if we could understand all of the rights and entitlements to data, we could understand data movement, we'd had hope in protecting the data and arriving in cloud, we realized that the maturity of the companies building in cloud, we're not quite there yet, they were really struggling with, you know, the identities models in the cloud, how to actually secure, you know, workloads, server less functions that are ephemeral these types of things, and even just sometimes basic governance problems, and the technology we had built was great at understanding all of the ways that data could be accessed, and we were able to expand that into all the resources of the cloud and it's an exciting space to be in, and it's also, I truly believe we'll be able to actually make cloud environments more secure than what we were doing in enterprise, because again for the first time ever you have full inventory, you have the ability to make controls that apply to the entire infrastructure, it's really an exciting time. >> I mean, I've said many times I feel like security is a do over and the fact that you're coming at it as a data problem and bringing in the cloud that intersection, I think is actually quite exciting. So Avi let's bring you into the conversation, you know, obviously we've seen cloud exploding it's continuing to be a staple of digital business transformations and acceleration especially around identity, so what's your point of view on cloud security, what's different and how does your company approach it? >> Sure, thank you for having me Dave, and just to give you a bit of World Fuel Services, World Fuel Services is a public company, and it's based out of Miami, and we are ranked 91 in the fortune 500 list, so we are spread all across the globe, and as part of our transformation to distress our business, we took over a big challenge to migrate all our global infrastructure from 22 data centers to AWS, that was a massive challenge for us, and we are downright now to 20 data centers, we only have two more to go, and we did this in the last two years, and that was really good for us, but as we've been doing this migration, there was also a strong need for us to build a strong security foundation, because going into the cloud as much as capabilities it gives us to innovate, it also gives us a lot of challenges to deal with from security standpoint, and as part of building the security foundation, we had to tackle some key challenges, one was how do we build our cloud security operating model and how do we up skill our people, the talent that you've been binding it out, and how do we make security a way of working in this new world, and more than choosing a solution we needed a really strong security partner who can help us guide in this journey, help us build the foundations and take us further and mature us in this, and that's where it was really interesting for us to partner with Sonrai, who helped us along the way, develop a foundation and now helping us mature our security platform. >> Avi, what were the technology underpinnings, that enticed you to work with Sonrai? >> Sonrai has lot of unique capabilities but I'll take it out on two key points, right? One, Sonrai has a cloud security posture management which is different from other platforms that are out there because they give you capability for a lot of out of the box frameworks and controls, but in addition to that, every organization has need to build unique specific frameworks, specific controls, they give you that capability, which is massive for enterprises, and the second key thing is, if you look at AWS, it has more than 200 services and every service has its unique capability but one key component they use across all the services, is Identity and Access Management, IAM and Sonrai has a unique perspective of using IAM to track risks and identify the interactions between user and machine identities which was really exciting and new for us, and we felt that was a really good foundation and stepping point to use Sonrai. >> All right, Sandy, we definitely saw the need for a better identity explode, in conjunction with the cloud migrations during the pandemic, it was sort of building and building and then it was accelerated, maybe talk a little bit about how you approach this, and specifically talk about your identity analytics and the graph solution that you guys talk about. >> Yeah, I've been a fan of graph solutions for many years, one of the great benefits in this particular space with identity is that, the cloud models for identity are fairly complex and quite different between AWS, Azure and GCP, however, the way that entitlements work, some identity is granted in entitlement, and that entitlement gives them access to do something, sometimes that's something is to assume another identity, and then do something on that identities behalf, and when you're actually trying to secure these clouds this jumping of identities, which happens a lot in the AWS model, or inheritance which happens a lot in the Azure model where you're given access at one level of the tree and you automatically gain access to things below that if you have that entitlement, those models inside of graph allow us to understand exactly how any given identity when we talk about identity we always think of people, but it's not, of course as you said, sometimes it's a machine, sometimes it's a cloud service, it could be many different things, how does every single one of those identities get access to that given resource? And it's not always as clear as, okay, well, here are the direct identities that can access this resource, it may only be able to be accessed with a single key, but who has access to the key, and what has access to the key, and what's the policy on that key, and if that's set too widely can other maybe nefarious actors get access to that key, and by using the graph, we can tie that whole model together to understand the entire list, of what gets access, I think that's actually what surprises a lot of the identity governance and data governance teams that are not in cloud, you know, when enterprise was very intentional, you configured the database to use the identity provider and the rules that you wanted it to use, and that's all that ever got access to that database. In cloud, there are a lot of configuration knobs and things and depending on how you turn them, you could open up a lot of identities to get access to whatever that resource is, often it's data, but it could be a network, it could be many things. So, the graph allows us to tie all that together, the second part of it is, it really allows us to see, we call them effective permissions, what the effective permission of that identity is, the clouds have done this phenomenal thing in using identities as a control mechanism just like in firewall, like an identity firewall, where they can take permissions away from things based on sets of conditions, so one of the great ways, let's say you didn't want to have any data stored deployed without encryption, you could write a policy at the top of your cloud, that says, anytime a data stores is deployed, if encryption is not there, deny that function. And so what happens is, is you can create this very protective environment using identity controls, but the problem is when you actually go to evaluate your cloud for risk, you may find a scenario where an identity has access as an example, to do something like create an internet gateway, or create a public endpoint, but there's this policy somewhere else, that's taking that away, and you don't want thousands of alerts because of that, you want to actually understand the model and say, look if we understand that this policy is mitigating your risk, then don't show the alert in the first place. And it really helps by putting it in a graph, because we can actually see all of these interconnections, we can see how they're interrelated, and determine the exact effective permissions of any identity and what risks that may have. >> So Avi, I mean, Sandy is really getting to the heart of sort of operationalizing you security in the cloud, and we looked at the compelling aspect of the cloud, and one of them anyway is scale, but people tell us to really take advantage of the cloud, they have to evolve that operating model maybe completely change the operating model, to really take advantage of scale, so my question is how do you operationalize your security practices, what should people think about, in terms of the time it takes to build in automations and bots for things like continuous compliance what can you share in terms of best practice? >> So traditional ways of operating if you look at it is, you identify a security risk, and a ticket is created and teams starts mitigating them. But with so many cloud services and with many solutions, the team start building in the cloud, it becomes too much of an overhead for teams to mitigate all these security risks that keep coming into the backlog, so as we partner with Sonrai in building a foundation, the way we tried to approach it is differently, we said why don't we build this using automatic recommendations, if we know what are the security risks, that we should not be creating in our environment and be noncompliant, how can we mitigate them? And with Sonrai and AWS API capabilities, it's not that hard for us to be a lot of intimidation buds because I didn't find risks, 'cause they have been taken care by Sonrai, the only aspect we need to take care is, how do we mitigate that? So that's the part we chose in building, cloud security operating model, is modeling more than an automated imitations, but as part building that there is always, where everything cannot be remediated automatically, and for these kinds of scenarios, we built a workflow where it still gets funneled to teams, so they can prioritize in their backlog, but other key thing that we did as part of operationalizing is, teams need to use Sonrai as their way of working, teams need to know what and why they should be using Sonrai. So we conduct a lot of training and onboarding and working sessions for teams, so they understand how we use Sonrai, how to consume the data coming out of Sonrai, so they can proactively start acting on how to stay compliant, but yeah, it's been an amazing experience building our foundation though. >> Sandy, I wonder if we can come back to, talking about comparisons with the traditional prevailing security models, I mean, we entering this API economy, as I said before, cloud is a staple of digital business, but you know people have been doing on-prem security for decades, you know, data loss prevention is an entire sub-industry, so what's different about doing it in the cloud, how should we think about that, in terms of whether you know, what responsibilities we have, the technology, what's your perspective on that? >> There's at least five questions in there Dave, so we'll. >> Pick your favorite. >> Yeah, you know, to feed off of what Avi was talking about, you know, he said many times, you know, teams need to solve these issues, teams need to see the issues they're creating, and it's interesting as we move to cloud, we decentralize some of these security functions, and that's actually an important part of the Sonrai solution and how you build a cloud security operating model, there's a set of findings, we'll call them, maybe there are security findings, maybe they're informational findings, that are a fairly low risk, and should be dealt with by the individual teams themselves, but that same team, you know, maybe isn't the person that can sign off on the risk if it's high enough, and if it's not then it needs to be escalated to the next level up to have that risk signed off on. A lot of times in large enterprise for workloads, that was done using unfortunately, you know tickets and systems and, you know, humans actually, you know, filling out some form of a checklist, saying, yes I met this, no I didn't, and we can automate huge numbers of those tests, including distributing them to the teams for the teams to solve themselves, and if they do their job right, there's not even the need for the central security body necessarily to know about the issues because they got solved, but when they don't get solved, that's when rather, you know, escalation to Boston automation or escalating to a centralized team starts to make sense, you kind of said a lot about DLP there as you were doing in cloud and just data security in general, and I do think, you know, cloud has given us this interesting opportunity, that's really upset data security in the old way on its head, you know, we used to do data security by putting agents on systems, or sometimes it was a proxy in front of it but either way that doesn't work well in cloud, when you're consuming platform as a service, you know, Amazon is not going to let you put an agent on their database that they're provisioning for you, and, you know, if you put in your own proxy in front of it you probably just messed up the elastic scalability that was built into the whole thing to begin with. So we needed a different way to look at this, however, we also took away a couple of things, in cloud the application teams themselves generally use fit for purpose data stores, they use the data store that's the best for the workload they're doing, our own workload has many data stores under the covers, it's not one data store, and so because of that, this kind of, you know, the old world of there being a data security team or you know, database optimization team, that you know optimize the database workloads, actually gets distributed as well all back to those teams, and so, we've gained kind of this, you know, fit for purpose smaller sets of data stores that are being used all over, and on top of that, the cloud vendors in many cases have done great things to enable monitoring, you know, part of the reason we were putting agents on database servers, is because the Oracle admin said I can't turn logging on, I don't have a big enough system to do it, it's going to crash the system, well in cloud parts of that go away, you can scale the systems up, you can enable loggings, now you can get that rich data that you wanted when you were an enterprise, and so, you know Sonrai is really kind of taken that model and said, look we can give you the visibility around data movement, we can give you the visibility around all of the entitlements to that data, we can understand, is your data at risk? And then we can profile all that for anomalies, and say, you know, it's kind of odd that the workload that normally connects into this through this automated fashion is now using its access key from a different location, that doesn't make any sense, why is that happening? And so you get kind of strong anomaly detection as well as the governance. So, you know, data security and cloud, if we kind of fast forward a few years, will look very different than it does today, I still believe some of the teams are not quite there yet in cloud, you know, they're still struggling with some of these identity problems we talked about, they still struggle some of them with CSBM problems, and so we have to solve those first obviously before we get to the true data security. But it's interesting that cloud has enabled us with such rich tooling and APIs to actually do it better than what we've done on enterprise. >> A lot of really powerful concepts in there, thank you Sandy. I mean, this notion of decentralizing security functions reminds me when Vogels describes this hyper decentralized distributed system that Amazon is building, and it is clearly a theme, you know, maybe it's bromide, but people talk about shifting left, designing security in, and it's important, not just bolting it on as an afterthought, and so, maybe this next question sort of really relates to the theme of this event, which is all about scale, here's the question Sandy, thinking about your contribution to the future of cloud, obviously you start a company, you want to grow that company, you want to serve customers and grow your revenues et cetera. But what's your defining contribution to the future of cloud scale? >> Look, we want to enable companies to scale faster, we want them to be able to put more workloads in cloud using, you know, the right set of security controls to keep those workloads safe, I know we can actually do this in a way where, you know, we talk about defense in depth for years, right? And usually in enterprise that meant many levels of networks before you got access, now we need to do defense in depth in terms of, you know, actually variety of controls, we can't throw the network control away, it still has to be there, we need an identity control, and it will be the primary control for what we do in cloud, we need a data lock, you know, rather that's through an encryption key policy or whatever it is, so we have multiple different layers of defense in depth, we can use in cloud today, and so it will be a much more secure environment than it was in the future, but we have to, again, so my contribution is hopefully I can help everybody get to that level, because right now we still see way too many breaches with very simple configuration problems that ended up exposing data unintentionally, and that's worrisome. >> You know, it's funny, a lot of people maybe can't relate to that defense in depth, I mean, obviously security people can, but we as individuals who now rely so much on our mobile phones, and things like SMS, and then you start to build in, non SMS, you know, base two factor authentication and you start to build your own personal layers, it's sort of a microcosm of the complexity that you have to think about in the enterprise, but in having tools to automate is critical, and expertise obviously, so let's wrap. Avi give us your final thoughts and key takeaways on building a world-class cloud security. >> I guess the key take of this would be, you know, to choose the right partner, it's not just the solution, another key takeaway is automate your way, because with security in the cloud is different than traditionally how do you do it, and the only fastest way to move is automate yourself away out of it and rely on talent, rely on a lot of young talent that's coming in and all the tools like Sonrai AWS are making it easier to operate in the cloud, so bring up the young talent and up skill the talent and leverage on these tools to be more secure on the cloud. >> Yeah, use automation to solve the big problem of, you know, that talent gap, there is not enough of it out there, and the adversaries they're well-equipped and quite capable. Okay Sandy, please give us your last word. >> Look again, I think a cloud is going to get us to a point where we are more secure than we were on enterprise, we have all of the right tools and controls to do it, we can decentralize the security and make it better, again, I think if anything just to encourage people to really look at a cloud security governance model, right? You can't do this ad hoc, trying to whack-a-mole small issues as they come up, you build it in as an operating model, you automate it and you deal with the exceptions. >> Yeah, I mean, you're very optimistic and I think is for good reason, I just remembered listening to Steven Schmidt a couple of years ago at reinforce, basically saying, look, we feel pretty optimistic about solving this problem, whereas, I have to say every year I look back in the enterprise and on-prem and I know it's getting worse, and so, keep up the good work gents, I really appreciate the time on theCUBE today, thank you. >> Thank you. >> Thank you. >> And thank you for watching theCUBE presentation of the AWS Startup Showcase, The Next Big Thing in AI, Security & Life Sciences. I'm Dave Vellante. (upbeat music)