Welcome back to HPE Discover 2021. My name is Dave Vellante and you're watching theCUBE's virtual coverage of Discover. We're going to dig into the most pressing topic, not only for IT, but entire organizations. And that's cybersecurity. With me is Sunil James, Senior Director of Security Engineering at Hewlett Packard Enterprise. Sunil, welcome to theCUBE. Come on in.

Dave, thank you for having me. I appreciate it.

Hey, you talked about Project Aurora today. Tell us about Project Aurora. What is that?

So I'm glad you asked. Project Aurora is a new framework that we're working on that attempts to provide the underpinnings for zero trust architectures inside of everything that we build at HPE. Zero trust is a way of providing a mechanism for enterprises to allow for everything in their enterprise, whether it's a server, a human, or anything in between, to be verified and attested to before they're allowed to access or transact in certain ways. That's what we announced today.

Well, so in response to a spate of damaging cyber attacks last month, President Biden issued an executive order designed to improve the United States security posture. And in that order, he essentially issued a zero trust mandate. You know, it's interesting, Sunil. Zero trust has gone from a buzzword to a critical part of a security strategy. So in thinking about a zero trust architecture, how do you think about that? And how does Project Aurora fit in?

Yeah, so zero trust architecture as a concept has been around for quite some time now. And over the last few years, you've seen many a company attempting to provide technologies that they purport to be zero trust. Zero trust is a framework. It's not one technology. It's not one tool. It's not one product. It is an entire framework of thinking and applying cybersecurity principles to everything that we just talked about beforehand.
Project Aurora, as I said beforehand, is designed to provide a way for ourselves and our customers to be able to measure, attest, and verify every single piece of technology that we sell to them, whether it's a server or everything else in between. Now, we've got a long way to go before we're able to cover everything that HPE sells. But for us, these capabilities are the root of zero trust architectures. You need to be able to, at any given moment's notice, verify, measure, and attest. And this is what we're doing with Project Aurora.

So you founded a company called Scytale and sold that to HPE last year. And my understanding is you were really the driving force behind the Secure Production Identity Framework. But you said zero trust is really a framework. That's an open source project. Maybe you can explain what that is. I mean, people talk about the NIST framework for cybersecurity. How does that relate? Why is this important? And how does Aurora fit into it?

Yeah, so it's a good question. The NIST framework is a broader framework for cybersecurity that couples and covers many aspects of thinking about the security posture of an enterprise, whether it's network security, host-based intrusion detection capabilities, incident response, things of that sort. SPIFFE, which you're referring to, Secure Production Identity Framework for Everyone, is an open source framework and technology base that we did work on when I was the CEO of Scytale that was designed to provide a platform agnostic way to assign identity to anything that runs in a network. And so think about yourself or myself. We have identities in our back pocket, driver's license, passports, things of that sort. They provide a unique assertion of who we are and what we're allowed to do. That does not exist in the world of software.
And what SPIFFE does is it provides that mechanism so that you can actually use frameworks like Project Aurora that can verify the underpinning infrastructure on top of which software workloads run to be able to verify the SPIFFE identities even better than before.

Is the intent to productize this capability within this framework? How do you approach this from HPE's standpoint?

So SPIFFE and SPIRE will and always will be, as far as I'm concerned, remain an open source project held by the Cloud Native Computing Foundation. It's for the world. And we want that to be the case because we think that more of our enterprise customers are not living in the world of one vendor or two vendors, they have multiple vendors. And so we need to give them the tools and the flexibility to be able to allow for open source capabilities like SPIFFE and SPIRE to provide a way for them to assign these identities and assign policies and control regardless of the infrastructure choices they make today or tomorrow. HPE recognizes that this is a key differentiating capability for our customers. And our goal is to be able to look at our offerings that power the next generation of workloads, Kubernetes instances, containers, serverless and anything that comes after that. And our responsibility is to say, how can we actually take what we have and be able to provide those kinds of assertions, those underpinnings for a zero trust that are going to be necessary to distribute those identities to those workloads and to do so in a scalable, effective and automated manner, which is one of the most important things that Project Aurora does.

So a lot of companies, Sunil, will set up a security division and so, but is HPE's strategy to essentially embed security across its entire portfolio? How should we think about HPE's strategy in cyber?

Yeah, so it's a great question. HPE has a long history in security and other domains, networking and servers and storage and beyond.
The way we think about what we're building with Project Aurora, this is plumbing. This is plumbing that must be in everything we build. Customers don't buy one product from us and they think it's one company and something else from us and they think it's another company. They're buying HPE products and our goal with Project Aurora is to ensure that this plumbing is widely and uniformly distributed and made available. So whether you're buying an Aruba device, a primary storage device or a ProLiant server, Project Aurora's capabilities are going to provide a consistent way to do the things that I've mentioned beforehand to allow for those zero trust architectures to become real.

So as I alluded to President Biden's executive order previously, I mean, you're a security practitioner, you're an expert in this area. It just seems as though, and I'd love to get your comments on this. I mean, the adversaries are well-funded. You know, they're either organized crime, they're nation states. They're extracting a lot of very valuable information. They're monetizing that. You've seen things like ransomware as a service now. So any knucklehead can be in the ransomware business. It's just this endless escalation game. How do you see the industry approaching this? What needs to happen? So obviously, I like what you're saying about the plumbing. You're not trying to attack this with a bunch of point tools, which is part of the problem. How do you see the industry coming together to solve this problem?

Yeah, it's, if you operate in the world of security, you have to operate from a standpoint of humility. And the reason why you have to operate from a standpoint of humility is because the attack landscape is constantly changing. The things and tools and investments and techniques that you thought were going to thwart an attacker today, they're quickly outdated within a week, a month, a quarter, whatever it might be.
And so you have to be able to consistently and continuously evolve and adapt towards what customers are facing on any given moment's notice. I think to be able to, as an industry, tackle these issues more and more so, you need to be able to have all of us start to abide, not abide, but start to adopt these open source patterns. We recognize that every company, HPE included, is here to serve customers and to make money for its shareholders as well. But in order for us to do that, we have to also recognize that they've got other technologies in their infrastructure as well. And so it's our belief, it's my belief, that allowing for us to support open standards with SPIFFE and SPIRE and perhaps with some of the aspects of what we're doing with Project Aurora, I think allows for other people to be able to kind of deliver the same underpinning capabilities, the plumbing, if you will, regardless of whether it's an HPE product or somebody else along those lines as well. We need more of that generally across our industry. And I think we're far from it.

I mean, this sounds like a war. I mean, it's more than a battle. It's a war that actually is never going to end. And I don't think there is an end in sight. And you hear CISOs talk about the shortage of talent. They're getting inundated with point products and tools. And then that just creates more technical debt. It's been interesting to watch. Interesting, maybe it's not the right word, but the pivot to zero trust, endpoint security, cloud security, and the exposure that we've now seen as a result of the pandemic was sort of rushed. And then of course we've seen the adversaries really take advantage of that. So I mean, what you're describing is this ongoing, never-ending battle, isn't it?

Yeah, yeah, no, it's going to be ongoing. And by the way, zero trust is not the end state, right?
I mean, there were things that we called, you know, the final nail in the coffin five years ago, 10 years ago, and yet the attackers persevered. And that's because there's a lot of innovation out there. There's a lot of infrastructure moving to dynamic architectures like cloud and others that are going to be poorly configured and are going to not have necessarily the best and brightest providing security around that. So we have to remain vigilant. We have to work as hard as we can to help customers deploy zero trust architectures, but we have to be thinking about what's next. We have to be watching, studying, and evolving to be able to prepare ourselves to be able to go after whatever the next capabilities are.

What I like about what you're saying is, you're right, you have to have humility. I don't want to say, I mean, it's hard because I do feel like a lot of times the vendor community says, okay, we have the answer to your point. You know, okay, we have a zero trust solution or we have a security solution and there is no silver bullet in this game. I think what I'm hearing from you is look, we're providing infrastructure, plumbing, the substrate, but it's got an open system. It's got to evolve. And the thing you didn't say, but I'd love your thoughts on this is we've got to collaborate with who some of you might think is your competitor because they're still, they're the good guys.

Yeah, I mean, our customers, our customers don't care that we're competitors with anybody. They care that we're helping them solve their problems for their business. So our responsibility is to figure out what we need to do to work together to provide the basic capabilities that allow for our customers to remain in business, right? If cybersecurity issues plague any of our customers, that doesn't affect just HPE. That affects all of the companies that are serving that customer itself. So I think we have a shared responsibility to be able to protect our customers.
And you've been in cyber for much, if not most of your career, right?

Correct, that's good.

So I gotta ask you, did you have a superhero when you were a kid? Did you have sort of a save the world thing going?

Did I have a, you know, I didn't have a save the world thing going, but I had two parents that cared for the world in many, many ways. They were both in the world of healthcare. And so every day I saw them taking care of other people and I think that probably rubbed off in some of the decisions that I made too.

Well, it's awesome. You're doing great work. Really appreciate you coming on theCUBE and thank you so much for your insights.

I appreciate that. Thanks, David.

All right, and thank you for being with us for our ongoing coverage of HPE Discover 21. This is Dave Vellante. You're watching theCUBE, the leader in digital tech coverage. We'll be right back.