 Welcome back everyone to CUBE's live coverage here at RSA. It's day four at CUBE's wall-to-wall coverage. We've been here unpacking the stories, talking to the smartest people, the smartest people in the network, partners, customers, suppliers. Got a great set of two guests here from F5. Michael Rouse, senior vice president, general manager, distributed cloud platform and security services. Thanks for joining me today. Great title there. Brian McKenzie, vice president of product management at F5. You get the keys to the kingdom. He's the general manager. Networking is a big part of security. Not, I got to say, normally it's a front and center, but now we're hearing platforms here, a lot of discussion around politics. The White House was here, had some briefings. I saw Microsoft friends in with the White House. Security obviously has moved from being a department to like being the thing. And rightfully so, with the network. So we've been saying on the CUBE all week, network security, the network folks and security are the core. They're enabling developers, everything, that's all that matters. Ops-wise, you've seen a lot of reconfiguration. You guys are in the middle of it, with a great product, it's very clouds friendly, very multi-cloud, super cloud-like. So you guys are the center with some great products. So what's your take on the current state of RSA? Yeah, I mean the current state of RSA and the customer conversations that we've had is that there are more and more customers trying to solve the security problem for their apps and their APIs as they distribute their applications around a variety of different infrastructures. Certainly there are still a lot of private data centers out there, but applications moving into multiple public clouds to the edge. And most of the concerns we're seeing from customers is like how do I consistently secure all of that and protect both my apps and my APIs. And we're excited because we've launched a secure multi-cloud solution based on our distributed cloud platform that's specifically targeted at being able to provide consistent security policy end to end no matter where the app is running. So, and customers are really resonating with the idea of one policy goes anywhere that I take my app to. Brian, I want to dig in because you're the product guy. You've got the keys to the kingdom on the features, the customer and the engineering side of it. This is like a huge thing because the bad guys have to use the network. There are footprints that we're laying on. The network is the ultimate source of truth, but also it's an opportunity on both sides, the bad guys and the good guys. This has been a big theme. Everyone kind of knows that already. But the word distributed computing comes back more and more when we talk about the current cloud evolution. Today we reported that Dropbox is laying some people off like everybody else, but that's important because they were the first cloud native, first SaaS kind of crop of companies that were born in the cloud. And they're laying off. So that's points to this next gen cloud. Where networking is going to be a big part of it. What is that piece of the puzzle for distributed cloud? Because if you got public clouds to AWS and you got on-premise and now the edge, whether it's industrial or a windmill, that's distributed computing. So cloud ops has to run seamlessly in all that. That's the current definition of cloud. Why does F5's product work well in that environment when someone says, hey, how do you work in a distributed way? Well, we have our own regional edge infrastructure, but we also offer what we call customer edge node as well. So we're able to put our services anywhere the customer is, whether it's in a public cloud, in their private cloud. They can run in conjunction meshed with our infrastructure or just completely in their own mesh, but they get all the security services brought along with it and one of the big things with that is that it enables them to tap into the AI and ML analytics complex that we have powering our web app firewall and API security. How about that AI piece, what's in there? Well, traditionally, we've done well at network security. We've gotten good at five tuple ACLs, but application security and API security has been far too complex to really effectively secure it at massive scale. So thousands of policies of web app firewall or API security can be very onerous to operate, but when you get AI and ML involved, you can do the analysis not only of the application, but also of potentially malicious user intent that makes it a lot easier to secure the application layer, which is vulnerable because it's complex and gets targeted more and more by the attacker. Yeah, to add to it, I mean, I think that when we look at AI and ML, it's about protecting for things that haven't happened yet. Or they're happening to you the first time by looking at behavioral type characteristics. So we use all of the AI and ML for discovery of vulnerabilities based upon behavior, things that aren't in a signature and kind of a rule set in a traditional way. But the other thing we use it for is doing API discovery and really path discovery for an application. So giving the customer really, really unique visibility, but then also understanding what's a normal behavior for that application. Are there new APIs that have popped up that were unknown the day before? That's a concern, that's a potential security vulnerability that needs to be protected. This is an operational impact, expand on that. I think that's a huge point. And then there's benefits there too and consequences for not getting it right. Talk about the ops impact of what you just said. Yeah, so the ops impact, and it actually came through a customer conversation Brian and I had yesterday, he says, my app developers, right, they changed their application and then they changed the threat surface of the application without me as the security practitioner knowing it's going to happen. And so the operational impact is whether or not you've opened a door to an intruder without any protection. So this particular customer is very interested in the idea that we have constant visibility of what is a new path in the application, being able to discover that and being able to respond to it to make sure that the right security controls are in place. So operationally it's about not only just having visibility, but it's also being able to understand if it's creating a vulnerability with you. And that's a safeguard piece that you were just talking about. Right, right. Talk about the F5 solution. You brought this up before we came on camera about Kubernetes because you guys have a standard way to give policy or layer three through seven. Yeah. Networking, stability, what's the word? Reliability of performance. Take us through, this is a huge point because this is a big feature. Yeah, so in our distributed cloud, in our distributed cloud platform, we have a multitude of different ways to deliver our services. But fundamentally, if you have compute networking and storage, you can run one of the nodes for our distributed cloud platform, what we call a customer edge node. And you can employ that on bare metal, you can employ that on a hypervisor, any flavor of hypervisor, but we can also deploy as a pod inside of a multi-vendor Kubernetes infrastructure, right? So if you are all end-to-end Kubernetes, you deploy our customer edge node as a pod inside your clusters. At that point in time, you have layer three through seven capabilities for that cluster. So you provide all the internet working capabilities with layer three, four controls like fast ACLs. We can do all your load balancing functions in and inside and out of the cluster. And then we can provide a full application security stack for web and API protection. So now all of a sudden, a Kubernetes node is really part of your infrastructure and has complete visibility and control through it. And who deploys it? The developer doesn't touch it or is there a network ops to it? Do they provision themselves? No, so it can be deployed as part of your tool chain for deployment. And by default, the policy that's defined for your organization gets automatically applied as part of that provisioning. So even those that are in operation or DevOps don't have to have security expertise to deploy the service securely for your application. There's jokes that put a network layer in there. It is full network layer, yeah. Yeah, okay, great. Now talk about the distributed application deployments that you're seeing from multi-cloud, because this comes up a lot. So what is multi-cloud? We call it super cloud because it's multiple environments, but it's app related to heavy duty application support needed. So you got network to app security needs, but it's on a hyperscaler cloud or an on-premise or edge or another multiple clouds. Essentially it's multiple, I don't say multi-vendor, multi-environment. But we'll call it multi-cloud. How do you guys look at that? What's your view of the definition and how does it render itself into a solution? Well, so our view of it, it's fundamental to modern applications. The modern applications are, first of all, we know broken into microservices and sometimes those microservices are running across a variety of infrastructure. And so the way we've built our solution is, is that regardless of where you deploy, we can provide the same visibility and control end to end, including if you move application workloads between clouds or between cloud or on-premise, on-premise the edge. So it's actually core to the way we've built our distributed cloud platform is the thought that in the name, the goal of a distributed cloud platform is to service distributed applications. And our view of everything is everything will be distributed much harder to secure, so also fundamental to the way we do it is to include security in everything we do. It seems like very political in the sense of the cloud players because now that cloud moves into this next gen, you're seeing examples of it with people building on top of clouds that don't have any CapEx, that have ecosystems, they have people developing on it. So you have Apple, like a robust app, modern app development environment, seeing that everywhere. That's going to make more complexity through the network. This is a really important point and it's almost as if the cloud should just, look at themselves, it's already won. You know, something like they've already kind of won. There's only four, right, three, maybe four, five. Okay, maybe three, two. Microsoft and Azure. And Google's coming up and up fast, which I like what they're doing. But generally, they've already won. So what's the issue? Like customers that I talked to all have multiple clouds, either by default from acquisitions or by accident, they didn't even know they had them. So like it's kind of like an environment. I don't think they woke up and said, we're going to build a multi-cloud strategy. I mean, that doesn't really, I haven't seen any of that going on other than that they've inherited the cloud. Yeah, we're clenching it from a security perspective. I'll take it from a visibility perspective. All right, on this or no? Yeah, so I mean, I think, part of this is just the pace of modern app development is so much faster than anything we've ever seen before. New apps, new APIs are just popping up all the time in a variety of different modes of operation and business value, right? So the thing of it is that that's happening so fast. Sometimes the developers are selecting the cloud without consulting their networking or security counterparts. And then in so doing, dragging network, making decisions about whether the security tools they're going to use because they're going to select whatever AWS or Azure offers as security tools and networking tools. So we're really seeking to solve that problem for the network and security operators to say, hey, we're not going to get in your way of choosing whatever cloud you want that might be most suitable for your application or API. But we are going to ask that you standardize on a certain type of security policy and networking capability. So you're basically saying, your clients saying, don't fight the tie, it's coming. Developers are driving everything, all right? That's pretty much, we've been reporting that. You guys would agree with the developer in charge. From an application productivity standpoint. Okay, so then that means that ops have to flex to that, enable that, guardrail it, policy, things that are automated. These are known concepts in networking. Okay, I see that, check, awesome. Why F5, what do you guys do differently than the competition? What's your approach? Why are you guys winning? Can you take this through that? Yeah, so simply, we have just a tremendously long positive heritage in delivering very sophisticated application visibility solutions, control solutions with our big IP load balancing product. And so we've taken all of those learnings and with our distributed cloud platform, we've applied that to more modern applications that are broken into microservices and distributed across multiple clouds. So first of all, our expertise in layer seven at the application layer, and not only for delivering reliability and at scale, but also securely, is what we're applying to the distributed cloud platform. I think why we're winning is uniquely we, in a lot of customer environments, they're spread across multiple clouds, they can't see their environment. They don't know where their involvement is. So the first thing we do in our solution, and I think it blows most customers' ways, we can give them end-to-end visibility of their entirety of the environment, right? And then the second thing is, because we have visibility, and we can put ourselves within the data path end-to-end, we can also provide all the security controls that they need to protect their applications. And I'll give you an example. We have customers in multiple clouds, they use the native security tools in those clouds, and then a security event like Log4J comes up. Now they have to go to each one of those individual native tools to configure a policy to be able to block a Log4J attack. With our distributed cloud solution, right, they have a policy that's in one place, irregardless of the cloud that they've deployed the application on. They just have to change the policy in one place, or even better yet, they get an automatic policy update, or a behavioral protection that protects all applications across multiple clouds. You've got three through seven stack, that's key, one key point, not just three or four, all layers. And you're end-to-end, you're embedded. You're just building an abstraction layer architecturally to see the data path, right? Yeah, so if you think of a customer... It's an architectural advantage. Yeah, if you think of a customer proudly showing their knock years ago, where they would show their big network map, right? It's very hard to show a network map anymore. While we actually out of the box, once you deploy our solution, we'll give you a full network map, all the way to layer seven of your particular application. That's really unique, that visibility that we provide. You make it more agile. Absolutely. While maintaining, so it's an architectural decision. And you've got the product to back it up. That seems to be the key. And now you've got the new AI over the top. Right, and I think the other reason we're winning is when you look at other web app and API protection vendors who are trying to offer layer three, four, DDoS protection, bot defense, web app firewall, and API security, you look at them and they're mostly rooted in a CDN platform. Whereas we're coming at it from this multi-cloud networking platform, managed Kubernetes environment that is designed from the ground up to address these new challenges. So we're bringing not only our pedigree and application security and delivery to this new platform, but we're doing it in a way that other vendors in the same space can't when it comes to security. You get the full suite, basically. So this is kind of like, remember the old days, moving up the stack, Cisco always got hammer for that. Like they could never move up the stack. The point solution layered products are probably eating the dust right now in this market because they can't have multiple views and they can't make the claim to be architecturally relevant in the constellation of the deployment. Whether you're putting it into Kubernetes pod or putting it in an app or in Azure. Yeah, yeah. Or even putting it in a traditional data center. So look, it is becoming a platform play, right? And I know that there's some positives and sometimes customers perceive some negatives about being part of a platform. But when you're doing what we're doing, we provide a layer three through seven stack. It's obvious that we're going to add more and more services to that stack. More and more controls, whether it be visibility, network layer controls, security controls. But what we're going to do is give you a simple way to deploy all those things with a similar look and feel and capability that's consistent across all those services. So we're going after somebody that is looking to lower their total cost of ownership by having a simpler way to do things. Yeah, and at the end of the day, they got to be secure. So the old perimeter is gone, but now the perimeter is replaced by embedded architecturally relevant stack. Yeah, you're virtualizing the perimeter as maybe a way to think about it, right? Like we can make the perimeter, as long as you're connected, the perimeter exists and you have control of the perimeter. The perimeter is always changing and it's dynamic. It's just the packet flows. However, you, but you guys ensure that because you got the end to end. You got the suite and three through seven gives you guys different approach. Exactly right. Yeah, I think this is going to be back to the programmable network. Remember the old kind of like self-healing? Sure. Remember the old self-healing network is programmable. But now you got APS and you got GNA. It's actually happening right now. And then data is going to be interesting. And one of the things that I'll end on with you guys get your thoughts because since we're looking at the current landscape and trying to project to the future is I put this out there during the KubeCon developer conference is that developers are flipping the script. You guys highlighted that earlier. What if they flip the script on how to program the data and then the network? So developers are kind of shifting left and kind of being enabled. But what if they can decide how to program the data? Meaning that means where it's stored, how data is stored and managed. Most of the database folks handle that piece. What if the developers could decide where data is stored? And so this brings up kind of a rethinking of what you guys are, how you guys are looking at which is you're not changing networking. You just rethinking it a little bit. That's kind of what's happening. And look, I mean, I think you're hitting on a key point with some of the privacy laws, data sovereignty, data localization, having a global footprint of an infrastructure and being able to see traffic globally and being able to manage traffic globally. Gives us a very unique way to be able to deal with any customer requirements they have about where their data goes as it transits the global. I'm a big believer in de facto standards. You look at all the major success stories over the years, things become de facto and you enable people to do their jobs. Right now from here and security and network and then app space, people just want to get busy doing their job, right? Here it's the threat detection, the prevention, remediation, they don't want to spend time configuring machines, and you guys enable that by having some reliability. And one of the things that we're really bringing to bear in the distributed cloud platform when it comes to the security component is that our customers that are onboarding, they're going into blocking mode right away. Which is something that not a lot of our competitors can claim and we can do it not just for traditional web applications but for APIs as well. So we're incredibly API fluent, which I think we all acknowledge that's where things are going. We're going to say apps in the future but we're really going to mean APIs. That's really how we're going to keep pace. And speed and agility is key because there's something to say of preaches that's going on. You can look at critical systems and go sequence into, okay shut down those, let's keep those up and running, let's lock and contain. It's very much network is the key strategy, piece of it, big piece of the puzzle, the piece. Yeah, yeah. Guys thanks for coming on theCUBE, really appreciate it, F5, great stack, three through seven layers across end to end data suite of infrastructure for developers, it's cloud native, multi-cloud, super cloud. This is theCUBE here at RSA, I'm John Furrier, host. We'll be right back with more after this short break.