>>from around the globe. It's the Cube with digital coverage of AWS reinvent 2020 sponsored by Intel, AWS and our community partners. All right, you're continuing or we're continuing around the clock coverage and around the world coverage off a W s reinvent 2020 virtual conference This year, I'm guessing hundreds of thousands of folks are tuning in for coverage. And we have we have on the other end of the country a cube alarm. Stephen Towel, co founder and CTO of immunity. Stephen, welcome back to the show. >>Great. Great to be here. Thanks for having me again. I hope to match your enthusiasm. >>You know what is, uh, your co founder? I'm sure you could match the enthusiasm. Plus, we're talking about data governance. You You've been on the cute before, and you kind of laid the foundation for us last year. Talking about challenges around data access and data access control. I want to extend this conversation. I had a conversation with a CEO chief data officer a couple of years ago. He shared how his data analysts his the people that actually take the data and make business decisions or create outcomes to make business decisions spent 80% of their time wrangling the data just doing transformations. >>How's the >>Muda helping solve that problem? >>Yeah, great questions. So it's actually interesting. We're seeing a division of roles in these organizations where we have data engineering teams that are actually managing. Ah, lot of the prep work that goes into exposing data and releasing data analysts. Uh, and as part of their day to day job is to ensure that that data that they're released into the analyst is what they're allowed to see. Um and so we kind of see this, this problem of compliance getting in the way of analysts doing their own transformation. So it would be great if we didn't have to have a limited to just this small data engineering team to release the data. What we believe one of the rial issues behind that is that they are the ones that are trusted. They're the only ones that could see all the data in the clear. So it needs to be a very small subset of humans, so to speak, that can do this transformation work and release it. And that means that the data analyst downstream are hamstrung to a certain extent and bottlenecked by requesting these data engineers do some of this transformation work for them. Eso I think because, as you said, that's so critical to being able to analyze data, that bottleneck could could be a back breaker for organization. So we really think that to you need to tie transformation with compliance in order to streamline your analytics in your organization. >>So that has me curious. What does that actually look like? Because Because when I think of a data analyst, they're not always thinking about Well, who should have this data? They're trying to get the answer to the question Thio provide to the data engineer. What does that functionally looked like when that when you want to see that relationship of collaboration? >>Yeah, So we e think the beauty of a Muda and the beauty of governance solutions done right is that they should be invisible to the downstream analysts to a certain extent. So the data engineering team will takes on some requirements from their legal compliance. Seems such as you need a mask p I I or you need Thio. Hi. These kinds of rose from these kinds of analysts, depending on what the users doing. And we've just seen an explosion of different slices or different ways, you should dice up your data and what who's allowed to see what and not just about who they are, but what they're doing on DSO. You can kind of bake all these policies upfront on your data on a tool like Kamuda, and it will dynamically react based on who the analyst is and what they're doing to ensure that the right policies air being enforced. And we could do that in a way that when the analysts I mean, what we also see is just setting your policies on your data. Once up front, that's not the end of the story. Like a lot of people will tap themselves on the back and say, Look, we've got all our data protected appropriately, job done. But that's not really the case, because the analysts will start creating their own data products and they want to share that with other analysts. And so when you think about this, this becomes a very complex problem of okay. Before someone can share their data with anyone else, we need to understand what they were allowed to see eso being able to control the kind of this downstream flow of of transformations and feature engineering to ensure that Onley the right people, are seeing the things that they're allowed to see. But still, enabling analytics is really the challenges that that we saw that in Muda Thio, you know, help the the data teams create those initial policies at scale but also help the analytical teams build driven data products in a way that doesn't introduce data leaks. >>So as I think about the traditional ways in which we do this, we kind of, you know, take a data sad. Let's say, is the databases and we said, security rules etcetera on those data states. That's what you're painting to ISMM or of Dynamic. Has Muto approaching this problem from just a architectural direction? >>Yeah, great question. So I'm sure you've probably heard the term role based access control on, but it's been around forever where you basically aggregate your users in the roles, and then you build rules around those roles on gritty, much every legacy. Already, BMS manages data access this way. Um, what we're seeing now and I call it the private data era that we're now embarking on or have been embarking on for the past three years or so. Where consumers are more aware of their data, privacy and the needs they had their there's, you know, data regulations coming fast and furious with no end in sight. Um, we believe that this role based access control paradigm is just broken. We've got customers with thousands of roles that they're trying to manage Thio to, you know, slice up the data all the different ways that they need Thio. So instead, we we offer an accurate based access control solution and also policy based access control solution. We're. Instead, it's really about How do you dynamically enforced policy by separating who the user is from the policy that needs to be enforced and and having that execute at runtime? A good analogy to this is role based. Access control is like writing code without being able to use variables. You're writing the same block a code over and over again with slight changes based on the roll where actually based access control is, you're able to use variables and basically the policy gets decided at runtime based on who the user is and what they're doing. So >>that dynamic nature kind of lends itself to the public cloud. Were you seeing this applied in the world off a ws were here Reinvent so our customers using this with a W s >>So it all comes down to scalability so that the same reasons that used to separate storage from compute. You know, you get your storage in one place you could ephemera, lee, spin up, compute like EMR if you want. Um, you can use Athena against your storage in a server lis way that that kind of, um, freedom to choose whatever compute you want. Um, the same kind of concepts of apply with policy enforcement. You wanna separate your policy from your platform on that This private data era has has, you know, created this need just like you have to separate your compute from storage in the big data era. And this allows you to have a single plane of glass to enforce policy consistently, no matter what compute you're using or what a U s resource is you're using, um and so this gives our customers power to not only, um, you know, build the rules that they need to build and not have to do it uniquely her service in the U. S. But also proved to their legal and compliance teams that they're doing it correctly because, um, when when you do it this way, it really simplifies everything. And you have one place to go toe, understand how policies being enforced. And this really gives you the auditing and reporting around, um, be enforcement that you've been doing to put every one of these, that everything is being done correctly and that your data consumers can understand You know how your data is being protected. Their data is being protected. Um, and you could actually answer those questions when they come at you. >>So let's put this idea to the test a little bit. So I have the data engineer who kind of designs the security policy around the data or implements that policy using Kamuda Aziz dictated by the security and chief data officer of the organization. Then I have the analyst, and the analyst is just using the tools at their disposal. Let's say that one analyst wants to use AWS Lambda and another analysts wants to use our type database or analysis tools. You're telling me that Muda allows the flexibility for that analyst to use either tool within a W S. >>That's right, because we enforce policy at the data layer. Eso If you think about a Muda, it's really three layers policy authoring, which you touched on where those requirements get turned into real policies. Policy decision ing. So at query time we see who the user is, what they're doing on what policy has been defined to dynamically build that policy at run time and then enforcement, which is what you're getting at. The enforcement happens at the data layer, for example, we can enforce policies, natively and spark. So no matter how you're connecting to spark, that policy is going to get enforced appropriately. So we don't really care about what the clients Liz, because the enforcement is happening at the data or the compute layer is is a more accurate way todo to say it >>so. A practical reality off collaboration, especially around large data sets, is the ability to share data across organizations. How is immune hoping thio just make that barrier? Ah, little lower but ensuring security so that when I'm sharing data with, uh, analysts with within another firm. They're only seeing the data that they need to see, but we can effectively collaborate on those pieces of content. >>Yeah, I'm glad you asked this. I mean, this is like the, you know, the big finale, right? Like, this is what you get when you have this granularity on your own data ecosystem. It enables you to have that granularity now, when you want to share outside of your internal ecosystem. And so I think an important part about this is that when you think about governance, you can't necessarily have one God users so to speak, that has control over all tables and all policies. You really need segmentation of duty, where different parts of the organ hooking their own data build their own policies in a way where people can't step on each other and then this can expand this out. The third party data sharing where you can set different anonymous ation levels on your data when you're sharing an external the organization verse, if it's internal users and then someone else in your ord could share their data with you and then that also do that Third party. So it really enables and freeze these organizations Thio share with each other in ways that weren't possibly before. Because it happens in the day. The layer, um, these organizations can choose their own compute and still have the same policies being forced again. Going back to that consistency piece, um, it provides. Think of it is almost a authoritative way to share data in your organization. It doesn't have to be ad hoc. Oh, I have to share with this group over here. How should I do it? What policies should enforce. There's a single authoritative way to set policy and share your data. >>So the first thing that comes to my mind, especially when we give more power to the users, is when the auditors come and they say, You know what, Keith? I understand this is the policy, but prove it. How do we provide auditors with the evidence that you know, the we're implementing the policy that we designed and then two were ableto audit that policy? >>Yeah. Good question. So, um, I briefly spoke about this a little bit, but the when you author and define the policies in the Muda there immediately being enforced. So when you write something in our platform, um, it's not a glorified Wikipedia, right? It's actually turning those policies on and enforcing it at the data later. And because of that, any query that's coming through a Muda is going to be audited. But I think even more importantly, to be honest, we keep a history of how policy changes happening over time, too. So you could understand, you know, so and so changed the policy on this table versus other table, you know, got newly added, these people got dropped from it. So you get this rich history of not only who's touching what data and what data is important, but you're also getting a rich history off. Okay, how have we been treating this data from a policy perspective over time? How is it like what were my risk levels over the past year? With B six tables on? You can answer those kinds of questions as well. >>And then we're in the era of cloud. We expect to be able to consume these services via AP I via pay as you go type of thing. How is your relationship with AWS and how in the cutting. Ultimately, the customer. How do I consume a music? >>Yeah, so in Munich can pretty much be deployed anywhere. So obviously we're talking to us here. We have a SAS offering where you can spin up Muda pretrial and just be often running building policies and hooking up hooking our policy enforcement engine into your compute. Um, that runs in our, um you know, infrastructure. There's also a deployment model where you deploy immune it into your VPC s so it can run on your infrastructure. Behind your firewalls on DWI do not require any public Internet access at all for that to run. We don't do any kind of phone homing because, obviously, privacy company, we take this very seriously internally as well. We also have on premise deployments, um, again with zero connectivity air gapped environments. Eso. So we offer that kind of flexibility to our customers wherever they want immediate toe to be deployed. An important thing to remember their two is immediate. Does not actually store any data. We just store metadata and policy information. Um, so it's that also provides the customers some flexibility where if they want to use our SAS, they can simply go policy in there, and then the data still lives in their account. We're just kind of pushing policy down into that. Dynamically. >>So Stephen Towel co founder c t o of immunity. I don't think you have to worry about matching my energy level. I through some pretty tough questions at at you and you were ready there with all the answers. You wanna see more interesting conversations from around the world with founders, builders, AWS reinvent is all about builders and we're talking to the builders throughout this show. Visit us on the web. The Cube. You can engage with us on Twitter. Talk to you next episode off the Cube from AWS reinvent 2020.

>> Announcer: Live from Las Vegas, it's theCUBE! Covering AWS re:Invent 2019. Brought to you by Amazon Web Services and Intel, along with it's ecosystem partners. >> Welcome inside Live here at the Sands as we continue our coverage of AWS re:Invent 2019 on theCUBE, day three. Always an exciting time I think to get a summary of what's happened here. Dave Vellante, John Walls, we're joined by a couple of gentlemen from Immuta, Steven Touw who's a co-founder and CTO. Steve, good to see you. >> Yeah thanks for having me. >> John Walls: And Rob Lancaster, who's the GM of Cloud at Immuta. Rob, thanks for joining us as well. >> Great to be here. >> First off, let's talk about Immuta a little bit. You're all about governance right? You're trying to make it simple, easy, taking out the complexity. But for those at home who might not be too familiar with your company, tell us a little bit about you. >> Yeah so the company started out, our roots are in the U.S. intelligence community. So we had been dealing with access and control issues for data for years and we said to ourselves, "Hey this product has to be useful for non-IC customers. "This problem has to exist." And with the advent of all these privacy regulations like CCPA, GDPR and of course HIPPA's been around for a long time, really our goal was to bring a product to the market that makes it easy to govern access to data in a way that you don't have to be technical to do it, you don't have to understand how to write SQL statements, you don't have to be a system administrator. We really bring together three personas, the users that want to get access to the data, legal compliance that needs to understand how the rules are being enforced or even enforce them themselves, and then of course the data owners and the DBAs who need to expose the data. So usually those three personas are at odds with one another, we bring them together in our platform and allow them to work together in a way that's compliant and also accelerates their data analytics. >> Could we talk a little bit about why this is such a problem? Because it is a big problem and especially today and in the cloud and we'll get into that, but you've got data lakes, data oceans now, you got data coming in, all types of data. Might be internal transaction data, it might be stuff in your data warehouse. And the organization say, "Well I want some other data. "I want to bring in maybe some social data." So certain data is, everybody can have access to. Certain data not everybody can have access to. And it's not necessarily just a security problem, edicts of my organization that need to be enforced. So first of all, is that sort of, the problem that you're solving? And maybe you can double-click on that a little bit. >> Yeah sure, so the market has evolved and is evolving. You allude to data lakes, I think you can point to the immersion of Hadoop, as a distributed infrastructure as kind of the original data lakes, or the most recent data lakes, where you can store all your data and run analytics on all your data, and now with the advent, with the emergence of Cloud you've effectively got very low, if not zero cost storage, and the ability to throw an unlimited amount of compute at the data. That, kind of in conjunction with heightened awareness for consumer data privacy and risk associated with data, has created a market for data governance beyond kind of the course-grained access controls that people have been using on their databases for decades now. >> Yeah I mean Hadoop really got it all started. You're right and despite all it's problems, it had some real epiphany-like technical innovations, but one of the things that it didn't worry about at the time was governance. So whose responsibility is this? Is it the CISO? That is essentially trying to build out a new cloud stack to provide security, privacy, governance and what does that stack look like? >> Rob: Go ahead. >> Yeah so it depends, it's actually pretty interesting that different organizations have tackled this different ways. So we have CISOs that maintain this. In other organizations we've got the legal compliance teams that want to do this but maybe don't have the technical chops. And the CISO doesn't necessarily know all the privacy rules that need to be enforced, so it's kind of moving into this world where security is about keeping the bad guys out and black or white access, like you either can see the data or you won't, but with privacy controls it gets into this gray area where there's a lot of technical complexity and there's a lot of legal complexity. So the organizations struggle with this 'cause you've got to play in that gray area where it's not just like I said, black and white. The analogy we use is, security is like a light switch, you're either in or you're out. With privacy controls you need to anonymize the data, you need to do privacy by design. It's like a dimmer switch where you want to play in that gray area and allow some utility out of the data but also protect privacy at differing levels of whatever you're doing analytically. So this can be challenging for an organization to wrestle with because it's not as, I would argue it's not as black and white as it is with security. >> Your question is in many cases it's the business that's running really fast and that is building these data lakes because they want to get value out of their data and the CISO or the compliance or risk officers are the ones that are telling them to slow down. So our product that Steve set up caters to both parties. It checks the boxes for risk, but it also enable the business to get utility out of their data lake. >> It's a very complicated situation because you've got this corpus of data that's organic and constantly changing and you have, you mentioned GDPR, you've got California now, every state's going to have it's own regulations so you've got to be able to sort of adjudicate that. And can you talk about, I mean obviously I've interviewed Matt Carroll, we covered you guys so I know a little bit about you, but can you talk about your tech in terms of it's ability? You've got a capability to do really granular level understanding and governance policies, can you describe that a little bit? >> Yeah sure, so when we talk about privacy controls, these are things like way beyond just table-level access. So instead of saying, "Hey you have access to this table or not," or even, "You have access to this column or not," you've got to go deeper than that, you've got to be able to make rows disappear based on what people are doing. So for example, we have financial institution customers that are using us for all their trading data and only some traders can see some trade desks and we manage all that dynamically. We're not making anonymized copies of data. Everything happens at query time, and depending on what compute you're using that all works differently, but then at the column level we're able to do these anonymization techniques like we could make numeric data less specific, we could use techniques like k-anonymization that allows analysts to analyze the data but ensures that small groups that exist in that data won't reveal someone's true identity. And we have techniques like differential privacy, which provides mathematical guarantees of privacy. So for example, one of our manufacturing customers set aside, these are the four analytical use cases that we're using our data for and under GDPR we want different levels of privacy associated to those use cases. So they could do that all with Immuta. So they could say, "When I'm doing this "I want these columns to be anonymized to this level "and these rows to disappear, but if I'm doing something, "maybe more critical, which our consumers have consented to "you know there's less privacy controls." And that all happens dynamically so the analysts could actually switch context of what they're doing and get a different view of the data and all of that is audited so we understand why someone's doing what they're doing and when they're running queries we can associate those queries to purpose. >> We've talked about customers of course and they're adapting right, to a new world? How are you adapting? I mean what are you learning about, in terms of policy regulation and governance, what have you, you said you came out of the intelligence community, high bar there right? >> Steven Touw: Yeah. >> So what have you done to evolve as a company and what are you, as the headlights basically for these folks, what are you seeing change that is going to require a lot of shift on the other side? >> Yeah so, I don't know if you have thoughts. >> I mean it's a great question but there's really two parts to it, there's what are we doing? But, what is the market doing as well, right? So if you think about when we got started, even a year ago people understood the technology, they thought it was cool but maybe a little nichey for government or financial services or maybe healthcare because there's well understood regulation, these vertical regulation. Even over the past year with kind of this increasing or heightened awareness for consumer data privacy, not just driven by CCPA and GDPR but kind of this, call it the Facebook Effect right? Cambridge Analytica has created this awareness within the general population for what are these organizations actually doing with my data? Before it was okay 'cause you give your data to Google and you get a better search result and you're okay with that but now they may be using your data for their own profit in different ways so this has created this rising tides effect for the overall market and we talk a lot about organizations using something like Immuta to protect their highly sensitive data. I like to think of it is their most valuable data, which may be highly sensitive but it also could be the crown jewels, trading data for a bank for example. So it's become about extracting value and operational benefit from data, whereas the risk offices are trying to lock it down in many cases. >> So, there's definitely a big problem and people are becoming more aware of it. I want to talk about where you guys fit into this whole cloud ecosystem. There's a sea change now, there's this sort of, this new cloud coming into play. It's not just about infrastructure anymore. I'll give you some examples, you got all these data lakes, maybe you got Redshift running, Snowflake's another one, you've now got this data exchange where you can bring data right in the Cloud bring in all different types of data, you're bringing in some AML and AI and it's all, really again, a complicated situation. So I see you guys as fitting in there and real need but can you describe where you fit in the ecosystem, what your relationship is with AWS, how do I engage with you? >> Yeah absolutely, so a core part of our value is that we are heterogeneous in terms of the environment that we support. We support a hybrid estate so the architecture of the product is fully microservices based so we can run on PRIM as well as on Cloud, on any Cloud, we support effectively any popular database system or analytical tool. So think of us as a data abstraction layer across a hybrid environment, so we're here because AWS is obviously the big boy in the market, they have market share, this is a strategic relationship for us. We're working very deeply with AWS field teams, particularly around some of their verticals, the verticals that align to our business and at the end of the day we're trying to define a category. It's a similar category that we've had for decades but with all the changes that are happening in data and regulation and infrastructure what we're trying to do is raise the level of awareness for the fact that Immuta has actually solved the problem that many of these risk officers are struggling with today. >> Yeah and from a, diving a little on the technical side of that answer is that we are, think of us as the way to enforce policy in the Cloud. We consider ourselves a Cloud-first software vendor. And you don't necessarily want one point solution in Redshift or another point solution on your on-premise Cloudera instance, whatever it may be where you're using your data and running analytics, you need to abstract the policies out into a consistent layer and then have them be enforced across whatever you're using. So you might be using Cloudera today and then you switch to Databricks tomorrow, that shouldn't be a hard change from you from a policy perspective. You just re-point Immuta at Databricks and all your policies are still working like they used to so it gives you this flexibility now to use all these different services that AWS provides 'cause as was stated in the keynote on Tuesday, there's no one database solves all. You're always going to be using a heterogenous set of compute to do your job in analytics so you need a consistent way to enforce policies across all of that. >> That's a great point. I mean I don't know if you saw the Vanguard guy today in the keynote, he basically said, "We rip down, or tore down our big data infrastructure "moved it to the Cloud, spun up EMR." I mean there's a perfect example of, you got to bring your governance with you. You can't have to rebuild that whole stack. Are you in the Marketplace yet? >> Steve and Rob: Yes. >> You are, great, awesome. >> Yeah we launched a managed version of Immuta over the summer on AWS Marketplace. We'll be launching a second one shortly and it's really, the offering that we have out there is really geared toward, for lack of a better term, democratizing data governance. It's actually free up to the fifth user so any organization can deploy Immuta in under 30 minutes through Marketplace and start protecting their data. >> That's great, we had Dave McCann on yesterday, he runs the Marketplace, he was telling us just now, private offers for every marketplace, so ICV, so that's from. Last question I have is, how do you see this all playing out? You got GDPR, remember you talked about California regulations, there's a technology component, any predictions you guys want to share? What's your telescope say? >> All data will be regulated data eventually. So if you're not thinking about that now you need to. So, at least that's our theory, obviously, so we think it's critical that you're doing that from day one instead of day 365 and in your migration strategy. And if you're not thinking about that it's going to potentially bite you in the ass. >> Yeah you're right, I mean Web 2.0 was the wild, wild west, there was no privacy, there was no regulation, GDPR started to get people focused on that and it's now a whole new world. >> Gentlemen thank you, appreciate the time and best of luck. I know you said you had the big launch this summer but good things are ahead no doubt. >> For sure, thank you. >> Thank you. >> Dave Vellante: Thanks guys. >> Back with more coverage here on theCUBE. You're watching AWS re:Invent 2019. We are live and we're in Las Vegas. (upbeat tones)