From the ARIA Resort in Las Vegas, it's theCUBE. Covering AWS Marketplace, brought to you by Amazon Web Services.

Hey, welcome back everybody, Jeff Frick here with theCUBE. We're at AWS re:Invent 2018, wrapping up day one. We're going to do four days of coverage. We have four sets, three locations, and we're kicking things off here at the AWS Marketplace and Service Catalog event here at the ARIA. We're excited to be joined by our next guest, first time on theCUBE, but he's been working on the security stuff for a long time. He's Brandon Traffanstedt, he's the Global Director of System Engineering for CyberArk. Brandon, great to see you.

Thank you very much, glad to be here.

Absolutely, so we started the conversation. First off, let's just give us a quick overview of CyberArk for people that aren't familiar with the company.

Definitely, so CyberArk does privileged access security. That is the vaulting, rotation, and management of incredibly powerful accounts. Both traditional ones, say domain admin, to ones that exist in a more ephemeral or cloud state. Access key, secret key pairs, root access into your console. So our goal is to take those out of the minds of users, out of those spreadsheets, out of hard-coded code stacks, place them in a secure location, rotate them, and then provide secure access to people as well as non-people too.

So you really segregate the privileged access as a very different category than just any regular user kind of admin type of person.

Absolutely, the focus is key. When we look at the general spectrum of accounts in an organization, I guess you've got the lower ones that are identity-driven. Attackers might use those to get in, but really the creamy, nougaty center are those high-value credentials. It's what brings down organizations. It's what we see kind of involved in breaches every single day. So the focus there on those powerful ones is what gets us the most security posture increase with the least amount of effort.

You know, it's interesting, because I always think of security as kind of like insurance. You know, you can't absolutely be 100% positively. You can't spend every nickel you have on security, but you want to have a good ROI. So what you're saying really is this is a really good ROI investment from your security investment because these are really the crown jewels that you need to protect first.

Absolutely, and like insurance, we often want to plan for the absolute worst to occur. There have been breaches in the past where, yes, there were dollars that were spent on things like remediation, but if you have a huge customer base, even the postage alone to notify folks that you've had a compelling event, tends to cost up into the seven figures.

Never even thought of that. It's not a trivial expense. Absolutely.

So you said you've been doing this for 20 years. So a lot of change. There was no AWS re:Invent 20 years ago. There was not cloud computing as we know it today. So, you know, we'll talk about kind of the current state, but I'd love to get more kind of your historical perspective, you know, being a security expert, how, you know, your challenges have changed as this kind of continual escalation of war accounting, you know, strike counter strike, I think in a Mad Magazine Spy versus Spy, right? Has continued to escalate over these 20 years.

Definitely. So, years and years ago, organizations were very monolithic for both the application side, as well as their more kind of human focused infrastructure, right? We had one or two domain controllers, typically physical systems, but what happened is the architecture broke down. So, like 10 years ago, virtualization was the biggest thing. Same types of accounts, but more systems, more automation flows. So, as we replaced humans with non-humans, what happened was more human users got overprivileged, right? They were empowered to get their jobs done, but we had more and more robots that began doing their work.
So, one of the things that we saw was the breaking down of the application stack to the point where now, you can spin up thousands of instances in a matter of clicks, over a matter of seconds, move that into a more microservices model, and you now have tens of thousands of nodes that can exist in the blink of an eye, all having the same type of access restrictions, but just being far more distributed.

Right, and so many more attack surfaces with IoT, and all these things all over the place, and so much more complex environment.

Definitely, and one of the things about all this beautiful automation and centralization that's occurring is that now attackers don't have to go through that same type of flow they used to, right? Compromise an end user, escalate privilege on a laptop, for instance, move laterally and continue to perform that dance. Now, all it takes is one compromise into your cloud management console, for instance, and a lot of times that's game over. Our attacker is also changing a little bit, so I'm proud to say, but I'm a millennial, and the thing about millennials is we tend to be very, some would say lazy, but I would say efficient in how we perform tasks. So for me, performing that lateral movement versus one-stop shop for a publicly-facing entity, I'm going to choose the one-stop shop, for sure.

So one of the hot topics in today's world is RPA, robotic process automation, and we are at Automation Anywhere, we are at the UiPath show this year, it's getting a lot of buzz, both those companies have raised a ton of money, hot, hot, hot space. It adds a whole new level of complexity and opportunity on the security side. So how should people be thinking about RPA and security?

So when it comes to RPA, one of the things that is simply par for the course is that in order for robots to do their jobs, to build this automation that folks are looking for, they've got to authenticate to stuff.
A lot of times we'll see that authentication happen as kind of an isolated secret that's stored, say, inside of Automation Anywhere, for instance. The goal there is, well, we can rotate it, maybe, but now we have to update it here and there and a number of other spots. So one thing that we see as being a very prevalent thing is, well, let's find a centralized and secure source to manage them and allow the robotic process automation to authenticate securely to that entity, pull the secrets as they need. Now, we can rotate that as many as, what, 10, 12 times a day if we wanted to without our RPA missing a beat. At CyberArk, we have what's called the C3 Alliance where we brought together a number of RPA vendors, all the ones that you mentioned, as well as other automation platforms, security vendors too, to where you don't have to do the work of integrating, it's already there and has been built. And we're taking a huge direction from our customer base there to tell us what's hot, what's new for them, to let us broker those conversations.

Because though the robots are actually treated inside the system, I believe, is like a person, right? They say it's kind of like your own personal assistant. So in terms of the identity and the access, it's managed very much as if it was just a new hire.

For sure. And if you look at it, for instance, using something like another automation platform like Jenkins, Jenkins is personified by a butler. Jenkins' task is to go out and perform all these tasks for you. But I'll submit to you, if I were to offer you, hey Brandon, you can come to my house, vacuum my floor every Friday, that sounds like a pretty good deal. Especially if it's open source, if I do it for you for free. But you encounter risk by giving me the keys to your house. The same is true for those automation platforms.
A lot of times we divorce that robot from a human so we don't do the same level of due diligence to give the robot an identity, to instantiate least privilege. It's one of the things we've seen be a very huge theme in successful customer deployments, as well as automating their security too.

That's pretty, well at least they're not going to give away the security when somebody calls up and says, can you please give me the URL for the company picnic? I can't get in. Definitely, I'll be out. Hopefully I didn't train the robots to answer that question and let that social engineering answer. But is there social engineering for RPA?

There is. When you look at RPA or even code that exists in public repositories, one of the quickest attacks you can do is to pop onto GitHub, search for your secret of choice. Maybe it's Postgres, maybe it's vendor name underscore secret. If you sort that code by recent commits, you'll find people's hard-coded secrets that exist inside of public repositories. It's not because our developers are malicious, it's because it wasn't top of mind for them. They didn't have a more compelling solution. So that's one of the quickest attacks and I think that's social engineering. But it could be as easy as compromising one of say your AWS administrators who happens to have a privileged key in a text file on his desktop. Same is also true there.

Yeah. Right, Brandon. So we're here at AWS Marketplace Experience. Share us a little bit about how you work with AWS Marketplace and what's that meant for your company. Been around for 20 years, so you didn't need them to get started, but how are they helping you change your business?

So one of the things that has been very top of mind for us over the past couple of years is supporting the community. In many cases, folks will come to us with a project, whether it be post-breach remediation, audit and compliance, whatever it may be, they have some indicator of moving forward.
A lot of times when developers are building out processes, there may not be that driver from the business. So the goal was we need to be able to support the community to provide open source secrets management and do so very quickly. So there doesn't need to be a project or a red tape. AWS Marketplace has helped us provide our open source solution in a beautifully deployed package to as many folks as possible so that at least they have some secure place to store those secrets without altering the way they do things. They have to go outside of the marketplace flows that they're used to, it's extra work and we never want security to be a constraint to building good quality automation development practices.

And how's Amazon been as a partner? A lot of FUD out there, be careful, they're going to see what you do and copy it and knock you out of business. How have they been working with as a partner?

They've been fantastic, highly supportive from both the programmatic secrets management perspective but also in providing best practices for how to deploy our core stack into AWS, how to handle things like auto scaling, as well as providing some APIs to extend our secrets management capability based on customer asks on both sides.

Right Brandon, well thank you for taking a few minutes. I'm sure we're both going to be dog tired in a couple of days.

We can hope so, yeah.

So we started while we were fresh, so appreciate you taking a few minutes and stopping by.

Always a pleasure, thank you again for the invite.

All right, he's Brandon, I'm Jeff, you're watching theCUBE, we're at AWS Marketplace and Service Catalog experience here at the ARIA. Thanks for watching, see you next time.