 Live from Las Vegas, it's theCUBE, covering AWS re-invent 2017, presented by AWS, Intel, and our ecosystem of partners. Welcome back, here on theCUBE, of course, the flagship broadcast for Silicon and go along with Justin Warren. I am John Walls and we are live here at re-invent. AWS is annual shindig here in Las Vegas and certainly with great success. We'll have more on that a little bit later on. Right now we're joined by Bill Mann, who's the Chief Product Officer at Centrify, the latest newcomer to the AWS Marketplace. Bill, good to see you. Thanks for the time today. Thanks for the time as well. Big week for you, right? Joining the Marketplace, tell us about the driver of that decision and what you're bringing, literally, to the Marketplace. Sure, sure. Well, we're bringing our products to the Marketplace. We are very excited about getting our products on the Marketplace and what was really the driver for us was we wanted to really be part of the Amazon ecosystem, yeah? And we wanted to make reduce the friction of selling to enterprise and mid-market customers and this was the way to get to those customers. We realized really early on that customers are already buying all the other services from Amazon already, they're buying their instances, they're buying their storage and so forth. So getting our products on the Marketplace was just an important aspect of reaching those customers and removing the friction and so forth. Also, with the move to the cloud, our customers were asking for how to secure servers in the cloud and secure access to applications in the cloud and then things just kind of, one thing leads to another where you say, okay, let's put everything in one place as well. I kind of use the analogy of we buy our diapers from Amazon now and everything else so, but the IT shop is working the same way. They don't want to deal with multiple vendors and if you can reduce that friction, at least my theory is reducing that friction will mean we can sell more product to the customer. That's an interesting image, diapers from, you know. And I give it a chance to talk about Centrify, a little bit security firm with the tag, the breach stops here so just tell for those at home who might not be familiar with Centrify a little bit more about your specific offer. Sure, well let's start with the breach stops here. The reason we call, we have our tag line, the breach stops here is it really is a definition of what's happening in the marketplace. If you look at most of the breaches out there, there's 80% of most breaches are to do is compromise credentials, our passwords. And that is really an area that we focus on. We are trying to solve the problem of how users have access to the applications like Salesforce and any homegrown application or how IT users have access to their servers like a server on AWS. And using a password and having too much privilege is really the long way to do things. So we are solving that problem and that's why we kind of start off with that line of the breach stops here because we fundamentally believe that if you implement security based upon a density you're going to be able to reduce your risk. Yeah, security is such a hot market right at the moment. I mean we're hearing constantly, we were talking earlier on theCUBE where we were talking about IoT and it immediately went to security was being really, really top of mind for people. So the things that you're doing it with Centrify there's kind of two prongs to it if I understand it. So one is identity management. So knowing who people are so that credentials management. The other one's actually to do with the access, is that right? We were talking before we went to where that about the beyondcorp concept where instead of having this sort of inside protected crunchy layer and then everything outside is bad now it's just becoming everything everywhere should not be trusted unless you are cleared by something like Centrify. Yeah, yeah. So yeah, so for those of you who are familiar with the beyondcorp model the model really is about zero trust. And so if you think of these two things here in our user let's say a server instance the thing in between you can't trust and in the past we've been trusting the firewall to stop the bad guys from coming into our network. So really the concept is around assume the bad actors are everywhere. And now that you've assumed that let's now focus on what you can do to actually gain security. So the concepts are let's do identity assurance. Let's make sure this is really bill. Let's make sure bills coming from a trusted device. Yeah, like a known mobile phone that hasn't been jailbroken has the right configuration policies, et cetera. Then let's do access control or what we call lease privilege to the asset that they're trying to have access to. So is bill coming from this show from his phone allowed to access Salesforce.com? Or is bill coming from this phone able to log into a Unix instance on AWS now? And what can he do on that instance? Can he go to root and restart the Oracle database? Or can he just run some lower level privilege commands? So that's the scope of what we're doing. In fact beyondcorp is a great descriptor of what we do. If a company wants to implement beyondcorp that security paradigm which I think a lot of modern companies are thinking that way, you can use the services that we provide on the Amazon marketplace to implement that. We have a service called application service which is all about securing your applications. We have a service called endpoint services which is securing the endpoints like the mobile phones and so forth. And we have a service called infrastructure service which is securing the instances in the cloud, right? Access to those instances. And all those services can be used together as well because as you know, I'm an IT user. One day I'm using Outlook to read my email and then the next second I'm logging on to a Unix instance. So for me, it's bringing all these components together and that's what we're providing by the marketplace. Yeah, and really providing that security in context. So as you mentioned, it could be the same person. Like I'm at work and I'm doing some things but I've got access to all of this great, all of this information inside the company. But when I go home, should I still have access to that? Probably not. So if I'm sitting at home and I'm using my device at home as many of us do, I have children and they sometimes put games on your phone or load stuff on your computer. So I've got my work computer at home with me and I suddenly start deciding, hmm, I think I'll log in and download all of the sales information. That shouldn't happen. That's absolutely right, right? So the context is a core part of it and that's what endpoint services does for us. So going back to an Amazon use case, if I'm at home and I'm logging on to my Amazon console, yeah, for my home machine let's say and I'm kicking off an instance, should I be able to do that? I'm not using maybe an endpoint that is authorized but I could authorize that endpoint and say this is a known endpoint, like a lot of IT workers do. And you could also do things like I'm in Vegas now and I'm using my Mac and I'm trying to go to the Amazon console, should I be able to? Because that's outside of my normal behavior. In which case we would up level your multi-factor authentication and it would re-prompt me to re-authenticate. So all of that is built into our environment. So our services are not just for Amazon, it's for on-premises and for cloud apps because it's the whole gamut of what an enterprise has. As companies are moving or migrating from on-premises to the cloud, we can protect the applications and servers on-premises as well as the servers in cloud and applications on-premises as well as SaaS apps like Salesforce, Conquer, et cetera, et cetera. So it's that gamut of giving a user access to applications and infrastructure that we're doing with this BeyondCorp model in mind, which is I think the cool and the interesting thing about what we're doing, because we are connecting these components together and that's the only way we're going to raise security because if you go back to the stat I gave you earlier on, about the 80%, that is the problem, right? I mean, a firewall will not protect you from these breaches and we can have an argument about it but if it was, then we wouldn't see the breaches, right? I mean, that's kind of the high level. There's only so much that you as a, like Amazon can do so much about it securing their environment, but ultimately you as the customer need to spend a bit of time. That's like the shared responsibility, right? Absolutely, right. I mean, Amazon does an awesome job in defining the shared responsibility model and we are relying on them to do their part of the responsibility and we're providing the technology for customers to worry about their aspects, right? So Amazon does not worry about bill coming from this device having access to an instance, right? We're worrying about those things. So absolutely, so we're part of the shared responsibility model for Amazon. We're not going to worry about bill coming in either. I think you're okay. I think it's going to be all right. I mean, how do you guys, I mean, in the big picture, put on your bad guy hat, you know? I mean, how do you look for, if you offer a product, this is our latest security offering. Now let's go look for holes. Now you're trying to beat it up all the time, right? You're always, you're looking for vulnerabilities. So how do you, I mean, switch gears like that and go to the other side of the fence to think about what the next problem is going to be or what the next vulnerability is going to be? Well, you know what? I think we like most of the security, you know, modern, you know, security companies, we are thinking one side of our brain, he's thinking like the bad guys all the time. We have to and honestly, they are always multiple steps ahead of us. And one of the things I like to really make sure customers understand is some customers get really wound up about zero risk, right? They want it to be perfect before they implement a solution. And really the reality is most companies don't even have multi-factor authentication implemented for all of their employees. And if companies just implementing multi-factor authentication for all their users, for all their access, you would have a significant reduction in risk. So the types of security we're focused on is not about reducing risks to zero or finding every single vulnerability out there. It's really trying to attack the problem that hasn't been attacked already. If, you know, let me give you another analogy. As we all know, patching, right, is a basic security model that we all need to know. Yeah, but how many vulnerabilities have there been in the news where patching was not done? We're like patching, you know, understanding a user is authenticating their environment without a password and instead using multi-factor authentication is the best precaution against the bad guys, right? And it won't eliminate risk, right? But it's going to drastically reduce it. Now, as part of the services we're offering on Amazon, we have multi-factor authentication as a service, right? And by definition, as it's a service, it means it can be implemented extremely fast for enterprises, it's a SaaS service, right? It's pay by use, right, by definition. So, gone are the days where the technology was the reason you couldn't implement these sets of capabilities because they're easy to procure, they're in the cloud, they're mobile friendly, they're modern, et cetera, et cetera. So, that's how we really deal with the aspect of the bad guys, right? I mean, they're going to be there all the time, but honestly speaking, companies have spent so much time and energy and dollars on the wrong security products, right? Or focusing on the wrong stuff. And it was fine when you had a legacy closed environment with no cloud and no SaaS. That's not the environment anybody lives in, especially a show like this, everybody using the cloud. It's like the obvious thing, right? So, it should be obvious that these kind of controls need to be implemented. And I agree, just do the simple things. If you can do one or two simple things, multi-factor, absolutely. Just do these basic things, you will eliminate 80% of your risk. That's right. Do that first, then worry about the esoteric problems that are going to cost millions and millions of dollars to solve, just brush your teeth, go for a walk. So, we define in our maturity model of going towards beyond-corp slash zero trust. And the first thing on that maturity chart is identity assurance, i.e. multifactor authentication. And that's the first thing that organizations need to implement. And the issue is companies haven't implemented these products in the past because they've been too expensive, on-premise, hard to implement, not mobile-friendly. So, we're hoping once we're on Amazon's marketplace, with the reach we've got with Amazon, we're going to see a lot of customers adopting those. So, it's good for us as a business, but ultimately it's good for enterprises, they're going to get safer, and our data is going to be safeguarded, and so forth, which is the primary responsibility. Yeah. I'm not sure, I think Justin just told you to take some time off. I'm not sure. Bill, thanks for being with us. Thank you very much. Thanks for the time, and congratulations on joining the marketplace, and we wish you continued success. Cheers, thank you. At Centrify, thank you, sir. Bill Mann, Chief Product Officer at Centrify. Back with more here, live at AWS. We're at ReInvent, live at Las Vegas, back with more on theCUBE, just a bit.