
Steve Touw, Immuta | AWS re:Invent 2020


 

>> From around the globe, it's the Cube with digital coverage of AWS re:Invent 2020, sponsored by Intel, AWS and our community partners. All right, you're continuing, or we're continuing, around-the-clock coverage and around-the-world coverage of AWS re:Invent 2020, virtual conference this year. I'm guessing hundreds of thousands of folks are tuning in for coverage. And we have on the other end of the country a Cube alum, Stephen Touw, co-founder and CTO of Immuta. Stephen, welcome back to the show.

>> Great. Great to be here. Thanks for having me again. I hope to match your enthusiasm.

>> You know what, uh, you're a co-founder. I'm sure you could match the enthusiasm. Plus, we're talking about data governance. You've been on the Cube before, and you kind of laid the foundation for us last year, talking about challenges around data access and data access control. I want to extend this conversation. I had a conversation with a CDO, chief data officer, a couple of years ago. He shared how his data analysts, the people that actually take the data and make business decisions or create outcomes to make business decisions, spent 80% of their time wrangling the data, just doing transformations. How's Immuta helping solve that problem?

>> Yeah, great questions. So it's actually interesting. We're seeing a division of roles in these organizations where we have data engineering teams that are actually managing a lot of the prep work that goes into exposing data and releasing data to analysts. Uh, and part of their day-to-day job is to ensure that the data that they're releasing to the analysts is what they're allowed to see. Um, and so we kind of see this problem of compliance getting in the way of analysts doing their own transformation. So it would be great if we didn't have to have it limited to just this small data engineering team to release the data. What we believe is one of the real issues behind that is that they are the ones that are trusted.
They're the only ones that could see all the data in the clear. So it needs to be a very small subset of humans, so to speak, that can do this transformation work and release it. And that means that the data analysts downstream are hamstrung to a certain extent and bottlenecked by requesting these data engineers do some of this transformation work for them. So I think because, as you said, that's so critical to being able to analyze data, that bottleneck could be a back breaker for organizations. So we really think that you need to tie transformation with compliance in order to streamline your analytics in your organization.

>> So that has me curious. What does that actually look like? Because when I think of a data analyst, they're not always thinking about, well, who should have this data? They're trying to get the answer to the question to provide to the data engineer. What does that functionally look like when you want to see that relationship of collaboration?

>> Yeah, so we think the beauty of Immuta and the beauty of governance solutions done right is that they should be invisible to the downstream analysts to a certain extent. So the data engineering team will take on some requirements from their legal and compliance teams, such as you need to mask PII or you need to hide these kinds of rows from these kinds of analysts, depending on what the user's doing. And we've just seen an explosion of different slices or different ways you should dice up your data and who's allowed to see what, and not just about who they are, but what they're doing. And so you can kind of bake all these policies up front on your data on a tool like Immuta, and it will dynamically react based on who the analyst is and what they're doing to ensure that the right policies are being enforced. And we could do that in a way that when the analysts, I mean, what we also see is just setting your policies on your data.
Once up front, that's not the end of the story. Like, a lot of people will pat themselves on the back and say, look, we've got all our data protected appropriately, job done. But that's not really the case, because the analysts will start creating their own data products and they want to share that with other analysts. And so when you think about this, this becomes a very complex problem of, okay, before someone can share their data with anyone else, we need to understand what they were allowed to see. So being able to control this downstream flow of transformations and feature engineering to ensure that only the right people are seeing the things that they're allowed to see, but still enabling analytics, is really the challenge that we solve at Immuta, to, you know, help the data teams create those initial policies at scale but also help the analytical teams build driven data products in a way that doesn't introduce data leaks.

>> So as I think about the traditional ways in which we do this, we kind of, you know, take a data set, let's say it's the databases, and we set security rules, etc., on those data sets. What you're pointing to is more dynamic. How's Immuta approaching this problem from just an architectural direction?

>> Yeah, great question. So I'm sure you've probably heard the term role-based access control, and it's been around forever, where you basically aggregate your users into roles, and then you build rules around those roles, and pretty much every legacy RDBMS manages data access this way. Um, what we're seeing now, and I call it the private data era that we're now embarking on or have been embarking on for the past three years or so, where consumers are more aware of their data privacy and the needs they have there, there's, you know, data regulations coming fast and furious with no end in sight. Um, we believe that this role-based access control paradigm is just broken.
We've got customers with thousands of roles that they're trying to manage to, you know, slice up the data all the different ways that they need to. So instead, we offer an attribute-based access control solution and also policy-based access control solution, where, instead, it's really about how do you dynamically enforce policy by separating who the user is from the policy that needs to be enforced and having that execute at runtime? A good analogy to this is role-based access control is like writing code without being able to use variables. You're writing the same block of code over and over again with slight changes based on the role, where attribute-based access control is, you're able to use variables and basically the policy gets decided at runtime based on who the user is and what they're doing.

>> So that dynamic nature kind of lends itself to the public cloud. Where are you seeing this applied in the world of AWS? We're here at re:Invent, so are customers using this with AWS?

>> So it all comes down to scalability. So the same reasons that you'd separate storage from compute. You know, you get your storage in one place, you could ephemerally spin up compute like EMR if you want. Um, you can use Athena against your storage in a serverless way, that kind of, um, freedom to choose whatever compute you want. Um, the same kind of concepts apply with policy enforcement. You wanna separate your policy from your platform, and this private data era has, you know, created this need just like you have to separate your compute from storage in the big data era. And this allows you to have a single pane of glass to enforce policy consistently, no matter what compute you're using or what AWS resources you're using, um, and so this gives our customers power to not only, um, you know, build the rules that they need to build and not have to do it uniquely per service in AWS.
But also prove to their legal and compliance teams that they're doing it correctly because, um, when you do it this way, it really simplifies everything. And you have one place to go to understand how policy is being enforced. And this really gives you the auditing and reporting around, um, the enforcement that you've been doing to put everyone at ease that everything is being done correctly and that your data consumers can understand, you know, how your data is being protected, their data is being protected. Um, and you could actually answer those questions when they come at you.

>> So let's put this idea to the test a little bit. So I have the data engineer who kind of designs the security policy around the data or implements that policy using Immuta, as dictated by the security and chief data officer of the organization. Then I have the analyst, and the analyst is just using the tools at their disposal. Let's say that one analyst wants to use AWS Lambda and another analyst wants to use our type database or analysis tools. You're telling me that Immuta allows the flexibility for that analyst to use either tool within AWS.

>> That's right, because we enforce policy at the data layer. So if you think about Immuta, it's really three layers: policy authoring, which you touched on, where those requirements get turned into real policies; policy decisioning, so at query time we see who the user is, what they're doing and what policy has been defined to dynamically build that policy at run time; and then enforcement, which is what you're getting at. The enforcement happens at the data layer. For example, we can enforce policies natively in Spark. So no matter how you're connecting to Spark, that policy is going to get enforced appropriately. So we don't really care about what the client is, because the enforcement is happening at the data, or the compute layer is a more accurate way to say it.

>> So.
A practical reality of collaboration, especially around large data sets, is the ability to share data across organizations. How is Immuta helping to just make that barrier a little lower but ensuring security, so that when I'm sharing data with, uh, analysts within another firm, they're only seeing the data that they need to see, but we can effectively collaborate on those pieces of content?

>> Yeah, I'm glad you asked this. I mean, this is like the, you know, the big finale, right? Like, this is what you get when you have this granularity on your own data ecosystem. It enables you to have that granularity now when you want to share outside of your internal ecosystem. And so I think an important part about this is that when you think about governance, you can't necessarily have one god user, so to speak, that has control over all tables and all policies. You really need segmentation of duty, where different parts of the org are hooking their own data and building their own policies in a way where people can't step on each other, and then you can expand this out to third-party data sharing, where you can set different anonymization levels on your data when you're sharing external to the organization versus if it's internal users, and then someone else in your org could share their data with you and then also do that third party. So it really enables and frees these organizations to share with each other in ways that weren't possible before. Because it happens at the data layer, um, these organizations can choose their own compute and still have the same policies being enforced. Again, going back to that consistency piece, um, it provides, think of it as almost an authoritative way to share data in your organization. It doesn't have to be ad hoc: oh, I have to share with this group over here, how should I do it? What policies should I enforce? There's a single authoritative way to set policy and share your data.
>> So the first thing that comes to my mind, especially when we give more power to the users, is when the auditors come and they say, you know what, Keith? I understand this is the policy, but prove it. How do we provide auditors with the evidence that, you know, we're implementing the policy that we designed, and then, two, we're able to audit that policy?

>> Yeah. Good question. So, um, I briefly spoke about this a little bit, but when you author and define the policies in Immuta, they're immediately being enforced. So when you write something in our platform, um, it's not a glorified Wikipedia, right? It's actually turning those policies on and enforcing it at the data layer. And because of that, any query that's coming through Immuta is going to be audited. But I think even more importantly, to be honest, we keep a history of how policy changes are happening over time, too. So you could understand, you know, so-and-so changed the policy on this table versus other table, you know, got newly added, these people got dropped from it. So you get this rich history of not only who's touching what data and what data is important, but you're also getting a rich history of, okay, how have we been treating this data from a policy perspective over time? How is it, like, what were my risk levels over the past year with B six tables? And you can answer those kinds of questions as well.

>> And then we're in the era of cloud. We expect to be able to consume these services via API, via pay-as-you-go type of thing. How is your relationship with AWS and how in the cutting. Ultimately, the customer. How do I consume Immuta?

>> Yeah, so Immuta can pretty much be deployed anywhere. So obviously we're talking AWS here. We have a SaaS offering where you can spin up an Immuta free trial and just be off and running building policies and hooking up, hooking our policy enforcement engine into your compute. Um, that runs in our, um, you know, infrastructure.
There's also a deployment model where you deploy Immuta into your VPCs so it can run on your infrastructure, behind your firewalls, and we do not require any public Internet access at all for that to run. We don't do any kind of phone homing because, obviously, privacy company, we take this very seriously internally as well. We also have on-premise deployments, um, again with zero connectivity, air-gapped environments. So we offer that kind of flexibility to our customers wherever they want Immuta to be deployed. An important thing to remember there, too, is Immuta does not actually store any data. We just store metadata and policy information. Um, so that also provides the customers some flexibility where if they want to use our SaaS, they can simply go policy in there, and then the data still lives in their account. We're just kind of pushing policy down into that dynamically.

>> So, Stephen Touw, co-founder and CTO of Immuta. I don't think you have to worry about matching my energy level. I threw some pretty tough questions at you and you were ready there with all the answers. You wanna see more interesting conversations from around the world with founders, builders? AWS re:Invent is all about builders, and we're talking to the builders throughout this show. Visit us on the web, the Cube. You can engage with us on Twitter. Talk to you next episode of the Cube from AWS re:Invent 2020.

Published Date : Dec 8 2020

