Welcome back to theCUBE's live coverage. Day four, RSA Conference, I'm John Furrier, host of theCUBE. Dave Vellante has left the building, he's flying back to Boston. We had four days of great coverage, a lot of content coming out. And one of the big themes has been the platformification. You know, seeing cloud native become very important. A lot of open source, a lot of consciousness around hardening the infrastructure by enabling agility. We've got two great guests, we're going to talk a lot about that right now. Travis Stanfield, the co-founder and CEO of Stacklet, and Gokul Srinivasan, the senior partner solution architect at AWS. Gentlemen, thanks for coming on. Thank you for having us, John. So first, let's introduce you guys. We know AWS, Stacklet, what do you guys do? What's the company? Why do you guys exist? Sure, we are the cloud governance solution. We help organizations manage and reduce their costs and risks. We do that through our governance as code platform, right? Which can be delivered and available to customers through a very easy to use software as a service. And we've got a few other things which we'll get into. And you've got the open source angle too. Open source, that's correct. So we are based off of an open source project called Cloud Custodian that we are the core and creative team behind. My co-founder is the creator and lead maintainer. And certainly, as we will discuss here, it gives us a number of unfair strategic advantages. And by the way, just a shout out, super cool work, congratulations. Gokul, what's your role as a solution architect? What are you putting together at AWS? I'm the senior partner solution architect supporting our global startups, such as Stacklet. And as part of the global startup program, we help the partners, essentially the startups with the co-build activity where we engage them and promote their activities. And then we support them in the go-to marketing and support them with the co-sell.
Essentially, we wanted to ensure that the partner solutions that are being promoted by AWS are meeting all the security guardrails are the best in the class so that way the customer get the experience of just not the core AWS services. But also the benefits from the partner solutions. Yeah, great stuff. By the way, we're very familiar with the work you guys are doing with our startup showcase. We've been showcasing a lot of your success stories. So good job, well done. So let's turn to the governance. What is cloud governance? How do you guys define that? Define what is cloud governance today? So in a simplistic term, cloud governance is essentially a set of framework that helps the customer establish the processes and select the right set of tools for the overall management and the governance of their cloud ecosystem. And the customer look into the cloud governance into two different aspects. The first one, providing them the better control of their cloud management. And second aspect is the agility to build newer applications and innovate faster. And with AWS services, you do not have to choose either the control or the agility. You can have both for the scale of your organization. And slicing the cloud governance even further, the cloud governance is formed by four major pillars. First, to begin with the security control, which focuses on areas like the encryptions and also the permissions and their identities. And then comes in the cost control, where the customers want to achieve the cost control of their overall cloud operations. And then the most important aspect when it comes to the cloud governance is around the compliance. And compliance can come in variety of form. Either it could be a regional compliance like a SOC2 or a GDPR or a regulated industry governance like a HIPAA or a PCI compliance. And finally, the customer wants to ensure that the cloud governance is in alignment with their overall corporate governance.
They do not want to have a multiple governance model. So the alignment of the cloud governance with the overall corporate governance model becomes very important. So in a nutshell, what our customers are looking out for is end-to-end visibility tool that provides all the aspects of the cloud governance that caters to all levels of the organization from a CXO to a DevOps engineer. That's awesome. And then you want to also have the governance and have agility and not slow things down at the same time. Cloud governance, what's your definition? Sure, and I think Gokul gave an amazing definition of it. I would add a few things, certainly the policies themselves, right? They're kind of the heartbeat of your governance definition as it is implemented and you want those to be as easy to use for all of the different stakeholders that get involved with governance. You don't want to create a high technical bar, right, for the organization to continue to contribute and collaborate around this important topic. And then also making sure that the governance, the policies can be deployed using techniques like CI/CD, that the organization is already using and perhaps Git, right, which is already well-known across multiple organizations for how folks can collaborate, right? Continue to use the best practices that developers use for making sure that your cloud is well-governed and you're well-managed in the cloud. It's certainly important. And globally too, we're seeing a lot of global activity, governance is huge, compliance, governance. Most people say, oh my God, it's so much hassle. But you want to make it fast, but yet hit all the numbers, not make it slow down, but also hit the compliance. Totally, totally get it. How do you guys help? What's the differentiation for Stacklet? What's your piece on this? And how do you make it better and go faster and differentiate?
Sure, I'd say I'd start off with we help the organization unify several of these disparate teams towards the shared objectives around governance. So the different teams can be the cloud engineering team, the compliance and risk team, the FinOps teams, the DevOps teams. All of those, if they are working together, can help the organization achieve their efficiency goals around financial governance. They can achieve the compliance goals. They can achieve the security goals. That's kind of the first piece. The second is we do, which can be a bit of a controversial subject in security circles, we do the automated real-time remediation and prevention. We do that both in event-based and periodic modes and combination of both. And we do that by making action a first-class citizen in our policy language. You don't have to do anything else to, let's say, construct a workflow to integrate, to communicate with your team around your policy findings. You simply can dial that in and what it does is give you a declarative experience. You can design the end state of your cloud and if anything goes bump in the night, you know that it's going to get gracefully course-corrected in line with what your organization would like it to be. So, and then the third, last but not least, is the massive community that we have around Cloud Custodian. It is the de facto industry standard for governance and for policies. And, you know, certainly why this is important is folks like AWS continue to innovate at light speed. You want to keep up with that pace of innovation and you certainly want to do so across all of the different, the long tail of all the different things that Amazon offers. And then, oh, by the way, if you're multi-cloud, that long tail gets even longer and the challenge becomes even more compounded. Couple follow-ups, Travis, you don't mind. First of all, please give some color to the governance, the open source project. What's the success? Well, I know it's successful.
Congratulations. I think it's now an event. Is it now an event? Yes, so the project is now part of the CNCF, right? It's in the incubation stage of the CNCF maturity cycle for open source projects. So that's- Right in line. Yeah, exactly. The next step is against indoors. That's exactly. The next step is the last step and certainly we are well on our way towards achieving that final stage. The community in terms of how wide and large and diverse it is, we've got almost 400 contributors all time in use by thousands of organizations. We've got thousands of people in our chat groups and that sort of thing, so it's already as mentioned, like the industry standard. It was a pretty fast rise, too, by the way. We just pointed out, good job on that. My other question is you went back to this, something that's controversial. What you were saying sounded great to me. Why would that be controversial? Declarative? Look, I think there's still some organizations for which the CISO or the security group maybe isn't empowered to take action, right? They want to perhaps cut a ticket, flip it over the fence, and that's okay. But at a certain level of scale in the cloud, you need the automation. Yeah, yeah, yeah. Well, you just said if the ideal preferred steady state, you want to have action built into the workflow, you've got automation, you've got corrections, self-healing, tuning, I mean, all that. You don't just want it, you need it at a certain level. That doesn't sound like country to me. It sounds like a preferred state. But WebAssembly, why don't we let that happen sooner? Yeah, exactly. It's obvious. It's kind of like, hey, don't brain it. All right, let's get into the Amazon side. The tool chain involved, you guys know this on the compliance side. It comes up all the time when I do Amazon interview, Amazon Web Services interview. Compliance is not easy when you're looking at regional, but you have a lot of region. You can make things work better across the cloud. 
How important do you see this piece of it? Because you got, now open source and developers coding in line, get the new preferred method. You guys are used to this undifferentiated heavy lifting being automated away. Absolutely. Can you get some color to how that works with the Amazon tool chain? Okay, so within the Amazon tool chain, there are two or three important aspects, right? Even internal to AWS, our recommendation is to automate and go with the API and the CloudFormation and the infrastructure as a code, as the fundamental building blocks. Because essentially what we have seen is just not the success story of our customers, but also where our customers and partners had challenges. To give an example, we have a lot of customers who start bundling a lot of their business workloads into a single AWS account, and then without no governance. And then when they really want to scale and grow their business, there is a lot of opportunity coming in, but they are unable to scale and that slows down their business growth prospect because the governance was not in place. So they didn't, it was an afterthought relative to the deployment. Exactly, they started with the business functionality. And that causes a lot of problems for them. Exactly, so they started with the business first approach. The solution was great, the technology was good, but there was no governance in place. As you rightly brought up, there are multiple regions. When they want to scale across these different regions, there are different teams operating these workloads. So these different teams and departments, they look for their own set of controls, their own set of governance policies, and also they wanted to manage the cost because of the different geographies and the different compliance that are required in those geographies. So in order to manage it, this is essentially where the governance becomes an essential part.
And this is one area where we found that governance platforms like Stacklet really plays the differentiating role. And one of the- It's governance as code. It is, that's basically what it is. It's infrastructure as code to governance. You built your cloud with code, you should govern your cloud with code as well. Take us through on the Stacklet side. So I'm a developer, say I screwed up and I didn't do the compliance, I bolted it on after as an afterthought. You have to go back and redo it or should take me through that scenario and then what happens? I want to be more proactive. Is it built into my CI/CD pipeline? I mean, can you take me through the developer aspect of it? Yeah, so one of the things that we have just announced and just launched is what we refer to as our infrastructure as code governance. So as we are describing in this conversation, the way you get to cloud today predominantly is going to be through an infrastructure as code technique. And when you're doing that, as you're mentioning, there's a developer experience that you want to engage with and you want to have your controls engage with as well, your governance and compliance policies. So the way we do that is we give you the ability at the developer workstation, at the CI and at the CD level, right? The pre-merge, pre-commit, pre-deploy and then also at runtime ability to dial in these policies, right? We do that through the same experience that Cloud Custodian gives you. That's very easy to use, human readable, YAML DSL. And what that does is it unlocks a prevention story, right? You can fix things at the source, no pun intended, right? Are you shifting left? We are shifting left, yes, absolutely. That is exactly what we're doing. We have already shifted the challenges of governance left by embracing governance as code and creating a platform around that.
Now we're also embracing that and making that possible right where the developer lives in the workstation, the pipeline and the deploy, right? You can now have that complete control inclusive of what's going on at runtime and do so in a way, as mentioned, that's going to 10x the organization because they're going to be more engaged in the policy creation. And how does the developer know that they got the governance as code? Is it more education? It's just got to know it's there? I mean, or is it more of, they don't really have to think about it? Well, so the experience is going to be very similar to another coding standard, right? Hey, you made this violation, this misconfiguration. This is not aligned to best practice. This being, let's say, the infrastructure as code that you, let's say, we're developing right there and your workstation are trying to merge in or deploy out, right? You will detect all of those things, inform the developer, hey, do you realize where you perhaps violated our best practice? Here's the recommended way of doing that and that creates the reinforcement learning that ultimately changes the culture for the developers to be more aligned in embracing of the organization best practice and what it does is it gets them going faster. What's the market like? Cause this is one of those things where I can see enterprise missing the boat on this and not paying attention. It kind of reminds me of the old days when the enterprise where backup was not thought about to like, oh, we're going to back this stuff up. They put bolted on as an afterthought and then that became, they flipped the script now with ransomware and security. No one talks about backup as an after this, all on the front end, it's all designed in. This is designing it into the beginning. That's right, this is what's happening. That's right. How aware are the customers on this? 
Cause imagine it must be some going, hey, I get this and some saying, wait a minute, I didn't know I needed to do that. And then so where are we on the progression in the mind share of the customers? You guys could share some commentary on that. I'll start. So I think Gokul made an astute observation that a lot of the early approaches to cloud may not have appropriately taken into account, like how do I prevent these things, right? So there can be oftentimes with a customer journey, the need to let's say dial in some remediation and reduce the technical debt that may have been accumulated from the early entry approaches into cloud. But then I think everybody can appreciate, hey, if I can avoid that technical debt through preventative controls, we would absolutely do that. So there's a lot of resonance towards that approach and we do that in as easy to use and a way that embraces and unifies the organization. Yeah, as Travis rightly said, what we are observing from our end customer and partner side is that the detection earlier in the stages is really increasing the productivity of the developers by multi-fold. Because this is just not about the technical aspect, also from the overall DevOps process, it eliminates a lot of the unnecessary tickets and also unnecessary meetings. So it enables the developers and empowers them to experiment with a variety of aspect. And then in a lot of organization, the responsibility is spread across multiple teams. The developers probably don't have much insight into the security needs or the compliance needs because they are probably fully focusing on the technical aspect. So this shift-left approach helps them identify. It's a matter of time, I mean, no one does tickets. I mean, come on, it's just like, it's so antiquated, it's so vulnerable, it's, I mean, I think it's a wake-up call. I'm sure you guys are going to do really well. Talk about your customer base. I know you guys have a lot of confidential big customers.
I know you can't say their names, but give them a taste of some of the organizations that are working with you. Size, scope, needs, the residents, are they leaning in? What's the feedback? Can you share some information? We actually just had a customer advisory board a few weeks ago. It was amazing and very invigorating. Our customers love our product. They are growing in users, usage, use cases. They're becoming public advocates on our behalf. It's really a movement. And certainly that's exciting for us because we know and are passionate about the challenge that we're solving and making an impact in their lives. So in terms of the diversity of the customer base, we do have one of Amazon's largest customers. So we know that we can achieve the level of scale at cloud scale or cloud size, right? And then we also have customers across other diverse different verticals, like all verticals kind of face this challenge in the cloud. Once we do it. It's a horizontal solution. Every developer, organization needs this. That's right. And I got to say just my observation in covering Amazon's cloud and just knowing how the global landscape is, this is only going to get more pressure to be more sovereign in international areas. You're going to have to stay within regions. More policy is coming. That's not ticket friendly. Get me on the tickets thing. It's triggered me. It's just so old. I mean, it's not controversial. It's like it's going to happen. I think people who are not going to align with actual and self-healing kind of thinking is going to be out of business. You get to a place in the cloud and we've seen a lot of that attachment happen at a certain point where the infrastructure just isn't knowable in a single person's mind. You can't throw enough people at the problem. Some of the existing toolkit, as you mentioned, perhaps doesn't scale as appropriately as our solution does or has proven itself to have accomplished. And you just get overwhelmed, right?
And that's a big part of the journey that we take folks on is again, let's clean up some of the debt that you may have already accumulated and then let's really start to prevent it going forward. And that is the business velocity improvement that Gokul referenced. Yeah, it's first, awareness operationalize it and then it's going to self-tune itself. It's now part of the operation. It's obviously, you know that. And part of the culture, right? Part of the culture. I mean, and the fact that your open source project has so much traction. Shows that it's not just tire kicking techies and you got real practitioners in that community. I think that's a tell sign. Obviously, Amazon, you know the cloud's global and has an opportunity. Absolutely. Travis, Gokul, thanks for coming on theCUBE. Appreciate the breakdown of governance as code. Again, another sign that cloud is going to be at the center of the security equation. We know what's going to happen here. It's just a matter of time. Cloud edge on-premise as one operating model. Security will be with network. The key platform, the platformization, platformification of security is coming. This theCUBE will be right back with more on day four after the short break. Thank you.