Okay, welcome back everyone to SuperCloud 22. This is theCUBE Studio's live performance; we're streaming virtually at siliconangle.com and theCUBE.net. I'm John Furrier, host of theCUBE, with Dave Vellante, with a distinguished panel talking about securing the SuperCloud. All CUBE alumni: Gee Rittenhouse, who's the CEO of Skyhigh Security, Piyush Sharma, founder of Accurics, sold to Tenable, and Tony Kueh, who's an investor, co-founder, former head of product at VMware. Gents, thanks for coming on to our inaugural SuperCloud pilot event. Good to see you guys, a big topic. Okay, so before we get into securing the cloud, one of the things that we've discussed before we came on camera was how cloud, the relationship between cloud and on-premise and multi-cloud and how SuperCloud fits into that. At the end of the day, security is driving a lot of the conversations at the Ops side, and Dev's shift left is happening. We see that out there. So before we get into it, how do you guys see SuperCloud? Tony, we'll start with you. Google, go down the line. What is SuperCloud to you?
Well, to me, SuperCloud is really the next evolution, the culmination of the services coming all together, right? As an application developer today, you really don't need to worry about where this thing is sitting, or what's the latency, because the internet is fast enough now. I really want to know what services something provides, how do I get access to it? Now, security, we'll talk about that later, that becomes a big issue because of the fragmentation of how security is implemented across all the different vendors. So, to me, it's an IP address. I program to it, and off we go. But there's a lot of, like that iceberg chart, right? Like I'm the developer touching the APIs up there. There's a bunch of other things below the surface.
Okay, looking forward to getting that. Gee, what's your take? We've had many conversations on theCUBE. What's your SuperCloud update?
Yeah, so I view it as just an extension of what we see today. Before, like maybe 10 years ago, we were mashing up applications, built on other SaaS applications and whatnot. Now, we're just extending that down to further primitives. We don't really care where our mashup resides, what cloud platform, where it sits, to Tony's point, as long as you have an IP address. But beyond that, we're just going to start to get little microservices and deeper into the applications.
Piyush, what's your take?
Yeah, I think SuperCloud to me is something that doesn't exist, it exists only on my laptop. That's what SuperCloud means to me. I know it takes a lot behind the scenes to get that working and running, but essentially that everything having to be able to touch physically versus not being able to touch anything is SuperCloud to me.
That's what Victoria was saying. Yeah, we see serverless out there, all these cool things happening.
Exactly.
And you look at some of the successful companies that have come in, I call the V2 Cloud, some are saying the next gen. They're all building on top of the CapEx. I mean, why would you not want to leverage all that work AWS is doing, and now Azure? And obviously Google's out there and you got other clouds out there. But in terms of AWS as a hyperscaler, they're spending all the money and they're getting better. They're getting lower level. We were talking about some of that yesterday. Databricks, Snowflake, Goldman Sachs. There's industry clouds that could be powerhouse service providers to themselves in their vertical. Then you got specialty clouds, like there could be a data cloud. There could be an identity cloud. So how does this sort itself out? How do you guys see that? Because can they co-exist?
But I think they have to, right? Because I think, you know, eventually organizations will get big enough where they can be strong and really market leading in multiple segments.
But if you think about what it takes to really build a massive scaled-out database company, that DNA doesn't just overnight translate to identity or translate to video. It takes years to build that up. So in the meantime, all these guys have to understand that they are one part of the service stack to power the next gen solutions. And if they don't play well with each other, then you're going to have a problem.
So security I think is one of the hardest problems of SuperCloud. And not only do you have too many tools and a lack of talent, but you've now got this new first line of defense, which is the cloud. And the problem is you've got multiple clouds. So you've got multiple first lines of defense with multiple cloud provider tools. And then the CISO I guess is the next line of defense with the application development team, you know, there to be the pivot point between strategy and execution. And I guess audit is the third line of the defense. It's an even more complicated environment. So Gee, how do you see that CISO role changing? And can there actually be a unified security layer in SuperCloud?
Yeah, so I believe that there can be. The role is definitely changing because now a CISO actually has to have a basic understanding of how clouds work, the dependency of clouds on the business that they serve. And to your point, not only do we have these new lines and opening up an attack surface, but they're coupled together. So we have supply chain type connections between this. So there's a coherence across these systems that a CISO has to kind of think about, not only these cloud boundaries, but the trust boundaries between them. So classic example, visibility, where are these things and what are the dependencies in my business? Then of course you mentioned compliance, am I regulatory? And then of course protecting and responding to this.
The supply chain piece that you just mentioned, I mean, I feel like there's like these milestones. Stuxnet was a milestone.
Obviously Log4j was another one, the supply chain hack with SolarWinds. Just the adversary just keeps getting stronger and stronger and more agile. So is this a data, do we solve this as a data problem? Is it, you can't just throw more infrastructure at it? What are your thoughts?
I think, great point that you brought up. We need to look at things very fundamentally. What is happening is security has the most difficult job in the cloud, especially SuperCloud. The poor guys are managing something or securing something that they can't govern, right? Your custodian of the cloud is your developers and DevOps. They are the ones who are defining, creating, destroying things in the cloud. And that guy sitting at the end of the tunnel looking at things that what he gets and he has to immediately respond. That's why it has to be fundamentally solved. Number one, we talked about supply chain. We talked about the Stuxnet to WannaCry, to SolarWinds to get in the most recent one on the pipeline once. The interesting phenomena is that the way industry has moved SuperCloud, the attackers are also becoming super attackers, right? They have stopped, they have not stopped, but they have started slowly moving to the left, which is the governance part. So they have started attacking your source code, impersonating the codes, replacing the binaries, finding vulnerabilities there. So they can, if the cloud is built so early, why can't I go early and inject myself in? So super hackers is coming to SuperClouds.
Super hackers. We're like in Hollywood right now. I mean, this brings up a good point. I mean, this whole trust thing is huge. I mean, I hear zero trust. I think, wait a minute, that's not the conference I was just at. We managed, we work with DockerCon and they were talking about trust services. So supply chain source code has trust and there's no brokerage going on. And yet you got zero trust. Which is which? Are they contextually different? I mean, what?
From my perspective, they're the same. In that zero trust is a framework that starts with minimum privileges and then builds up those privileges over time. Normally in today's dialogue, zero trust is around access. I'm not having a broad access. I'm having a narrow access around an application. But you can also extend those principles to usage. How much privilege do I have within an application? I have to build up my trust to enhance and get extended privileges within an application. Of course, you can then extend this naturally to applications, APIs, applications talking with each other. And so by, you have to restrict the attack surface. That is based on a trust model, fundamentally. And then to your point, I mean, there's always this residual that you have to deal with afterwards.
So SuperCloud implies more surface area. They're talking about private cloud. So here we go. So, and by the way, the AWS was supposed to be at this conference. They said they couldn't make it. They had a schedule issue, but they wanted to be here. But I would ask them, how do you differentiate AWS going forward? Do you go IaaS all the way? Do you release the PaaS layer up? How does this solve? Because you have native clouds that are doing great. The complexity on SuperCloud and multi-cloud has to be solved.
Let me offer maybe a different argument. So if you think about, we're all old enough to see the history sort of pendulum shift and it's shifting back. In a way, if you're arguing that this combination of all these services in the form of cloud today, essentially moving up stack, then really this is an architectural pattern that's emerging, right? And therefore there needs to be a SuperCloud almost operating system. So operating systems, if you build one before, you need a scheduler, you need process handler, you need process isolation, you need memory, storage, compute, all that together. Now that is all sitting in different parts of the internet. And there is no operating system.
And that's the gap, right? And so if you don't even have an operating system, how do you implement security? And that's the pain. Because today it's one-off directly from service to service. Like how many times can you set up SAML orchestration? You can have the entire team doing that, right? If that's what you have to do. So I think that's ultimately the gap. And we're sort of just revolving around this concept that there's missing an operating system for SuperCloud.
It's like Maribel Lopez said on the previous panel, that Lord of the Rings, there will be no one ring. I'm doing them all. Or maybe there is a neat one.
Yeah, but so what happened? So again, security is the hardest problem. So Snowflake's got to implement its security. Databricks with an open source model has to implement its security. So there's these multiple security models. You can talk about zero trust, which if I infer what you said, Gee, it's essentially if you don't have a privilege access, you don't get access.
Yeah, right.
Okay, so that's the framework. Fine, and then you got to earn it over time. Now companies like Amazon, they have the talent and the skills to implement that zero trust framework.
Sure, exactly.
So the industry, you guys with R&D have to actually ultimately build that SuperCloud framework, don't you?
Yeah, but I would just look all of the major cloud providers, the ones you mentioned and more, will have their own framework within their own environment. The problem is with SuperCloud, you're extending it across multiple ones. There's no standards, there's no easy way to integrate that. So now all of that is left to the developer who is throwing out code as fast as they can.
Is their job to abstract that? I mean, they've got to secure the runtime, they got to secure the container.
You have to abstract it.
Right, okay, but they're not security pros.
Or ops.
Exactly. They're kebops.
But to Gee's point, right, if everyone's implementing their own little ZTNA, then inherently there's a blind trust between two vendors. Right, that has to be established.
That's implicit, you're saying?
Yeah, but it's contractual, it's not technology, right? Because I'm turning something out in my cloud, you're turning out something in your cloud that says we've got something, some token exchange, which gives us trust. But what happens if that breaks down? And whatever happens to the third party comes in? I think that's the problem.
Yeah, in fact, if I put the combine one of those comments, the zero trust was built keeping identity, authentication, and authorization in mind, right? This needs to be extended because the zero trust definition now probably go into integrity.
Yeah, exactly.
I authenticated, I worked well with Tony in the past, but how do I know that something has changed on the Tony side?
Yeah, exactly.
Right? That integrity is going to be very, very foundational. Given developers are building those third party libraries, the source code, pumping stuff, the only way I can validate is, hey, what has changed?
And then throw Edge into the equation, John, and IoT and machine to machine.
Exactly.
And that's just, well, you know this.
I think we have another example to build on Tony's operating system model. And that is the cloud access service broker model for SaaS. So we have these services sitting out there. We've brokered them together. They're normally on user policies, what I can have access to, what I can do, what I can't do. But that can be extended down to services and have the same kind of broker arrangement all through APIs. You have to establish that trust and the policies there. And they can be dynamic and all of this stuff. But you can, from either an operating system or a SaaS interaction and integration model, come to these same kind of points.
So who builds the secure SuperCloud? Is it new guys like you? Is it your old company?
Giants like Palo Alto? Who actually builds and secures the SuperCloud? It sounds like it's an ecosystem.
Yeah, it is an ecosystem. Absolutely, it's an ecosystem. There's no one security SuperCloud as well.
No, but I do think there's one difference in that historically security has always focused on that shiny object. A particular solution to a particular threat. When you're dealing with a cloud or a SuperCloud, like the number of that is incalculable. So you have to come into some sort of platform. And so you will see, if it's not one, a finite number of platform type solutions that are trying to solve this on behalf of the customer. That to your point then get connected.
I think it's gonna be like Unix, right? Like how many flavors of Unix were there out there? All of them had a scheduler, all of them had these processes, all of them had their little compilers. You can compile to that system, target to that system. And for a while it's gonna be very fragmented until multiple parties decide to converge.
Right, well this is the final question. We have one minute left. I wish we had more time, this is a great panel. We'll bring you guys back for sure after the event. What one thing needs to happen to unify or get through the other side of this fragmentation and the challenges for SuperCloud? Because remember, the enterprise equation is solve complexity with more complexity. Well that's not what the market wants. They want simplicity, they want SaaS, they want ease of use, they want infrastructure as code. What has to happen? What do you guys think, each of you?
So I can start and extending to the previous conversation. I think we need a consortium. We need a framework that defines that if you really want to operate in SuperCloud, these are the 10 things that you must follow.
It doesn't matter whether you take AWS, Azure, GCP or you have all and you will have the on-prem also, which means that it has to follow a pattern and that pattern is what is required for SuperCloud, in my opinion. Otherwise security is going everywhere. They're like, they have to fix everything, find everything and so on and so forth. It's not gonna be possible. So they need a framework, they need a consortium and this consortium needs to be, I think needs to be led by the cloud providers because they're the ones who have these foundational infrastructure elements and the security vendor should contribute on providing more severe detections or severe findings. So that's, in my opinion, should be the model.
Well, thank you, Gee.
Yeah, I would think it's more along the lines of a business model. We've seen in cloud that the scale matters and once you're big, you get bigger. We haven't seen that coalesce around either a vendor, a business model or whatnot to bring all of this and connect it all together yet. So that value proposition in the industry, I think is missing, but there's elements of it already available.
I think there needs to be a mindset. If you look, again, history repeating itself, the internet sort of came together around a set of IETF RFC standards. Everybody embraced and extended it, right? But still, there was at least a baseline. And I think at that time, the largest and most innovative vendors understood that they couldn't do it by themselves, right? And so I think what we need is a mindset where these big guys, like Google, let's take an example, they're not gonna win it all, but they can have a substantial share. So how do they collaborate with the ecosystem around a set of standards so that they can bring their differentiation and then embrace everybody together?
Guys, this has been fantastic. I mean, I would just chime in back in the day there's proprietary NAS, there's proprietary network protocols. You had kind of an enemy to rally around.
I'm not sure I see an enemy out here right now. So the clouds are doing great, right? So it's a tough one, but I think super OS, super consortium, super business models are gonna emerge. Thanks so much for spending the time. Great conversation.
Thank you for having us here.
Thank you for having us here.
We're gonna go an hour alone. SuperCloud here in Palo Alto, live coverage streamed virtually. I'm John Furrier with Dave Vellante. Thanks for watching. Stay with us for more coverage after this break.