Over the past 18 to 24 months, Chief Information Security Officers have dramatically changed their priorities. They had to, to support the remote work trend. So things like endpoint security, cloud security, and in particular identity and access management became top of mind, and a whole shift occurred. And we're going to talk about that today. Hi everybody, this is Dave Vellante, and you're watching theCUBE. We're here at AWS re:Invent 2021. Katie Curtin Mestre is here. She's the Vice President of Marketing at CyberArk, and Bar Lavi, Lavi, Lavi, Lavi. Say Lavi. Say Lavi, Bar Lavi, Senior Product Manager, Cloud Identity and Security. Bar, sorry for botching your name, but folks, welcome to theCUBE, great to see you.

Glad to be here.

So Katie, up front, I talked about some of those trends. It's been a hugely dramatic shift away from kind of traditional approaches to cyber. What are some of the trends that CyberArk has seen?

Well, Bar's going to take the first part of this.

There you go.

Yeah, so one trend that we are seeing is that cloud migration projects accelerate as organizations turbocharge the digital transformation, as they're looking to take advantage of the agility and operational efficiency of the cloud providers. Some of the concerns that I can think about are, one of those, reducing the potential loss of data that is caused due to excessive access to resources. Another one is provisioning secure and scalable access to resources. And the third one would be implementing least privilege for all types of identity, whether it's a human identity or a non-human identity.

And on that end, Dave, we recently commissioned a survey with the Cloud Security Alliance. We co-sponsored a survey and found that 94% of respondents said that securing human permissions was a top security challenge, and machine identities weren't far behind at 77%. Another challenge that we're hearing from our customers is the need to secure the secrets used by applications.
So we're really excited by today's news from AWS. They announced some new capabilities with CodeGuru called Secrets Detector that helps to find unsecured secrets in applications. And the other concern that we're hearing from our customers is the need to monitor and audit the activity of all of their cloud identities. This is really important to help their security operation teams with their investigations and also to meet audit and compliance requirements.

So the definition of identity is now more encompassing and includes, like you say, machines. It's not just people anymore. Of course, we've seen phishing has always been problematic. It's escalated daily, right? We get phished. I mean, are we going to see the day where we finally get rid of passwords? Is that even possible? But maybe we could talk a little bit about sort of identity, how identity is evolving. Are we, this notion of zero trust, right? Zero trust used to be a buzzword. So maybe, Bar, you could talk a little bit about what you're seeing in terms of identity access management, maybe privileged access management, of those things coming together. How does CyberArk think about those things?

You want to take this one, Katie?

Well, what CyberArk sees is we definitely see a trend where access management and privileged access management are coming together. Security teams are struggling with too many security tools and they're really looking to standardize on a small handful of vendors and get more bang for their buck from their security investment. So we're definitely seeing that trend of unified platforms across access and privileged access management to secure any identity, whether human or machine, from kind of like your standard workforce identity to those who have highly privileged access.

Yeah, I don't know if you've ever seen that chart. I think Optiv puts it out, it's a consultancy, and it's this eye chart, it's a taxonomy of all the different security, I've published it a number of times.
It's mind boggling. So CISOs, SecOps teams, they have to manage all this complexity, all these different tools, and you ask CISOs what's your biggest challenge? They'll tell you a lack of skills. I just, we just can't find people, we can't train them fast enough. So what's CyberArk working on? What are some of the key initiatives that you guys are focused on that people should know about?

Well, one of the things that we're working on is actually, and we see a great adoption of it, is something that was actually started as an initiative within our innovation lab. It's the CyberArk Cloud Entitlements Manager, which helps to detect and remediate excessive permissions to cloud resources. For any type of identity, I mentioned before, both the human and the non-human, which are the something that you're looking to secure. Another solution that we have, that we see a great adoption of, is our Secrets Manager, which helps organizations to remove the necessity of having hard-coded credentials within applications. It can be either traditional applications for their on-premises or even cloud-native applications, and bake this also into your CI/CD pipeline. And we are actually innovating in this type of area with AWS as well. So this is one of the great things that we are doing. Also, we're investing in a new solution for just-in-time access for cloud VMs and cloud consoles. And all of these solutions that I mentioned, and more than that, are part of our Identity Security Platform, which came to provide you with a suite of solutions to reduce, to apply least privilege and secure access to any type of resource from any device for any type of identity.

So is that best practice? I mean, if you had to advise a customer on best practice in identity, how should they think about that? Where should they start?

Well, on the best practices front, we recently published an e-book with AWS and it's focused on the shared responsibility model and foundational best practices for securing cloud access.
And it's all part of an initiative that CyberArk has, which is our identity security blueprint, which guides customers on how best to move forward with their identity security initiatives.

So where do they start? I mean, so that sounds like a pretty, first of all, how do they get that? Just go to your website or?

It's available on our website and we detail some of the steps that customers can take. So for example, one of the steps that we recommend to our customers is to limit the use of the root account and also to very much lock down the root account, to use federated identities whenever possible. And Bar already alluded to some of the other best practices that we recommend, such as removing hard-coded credentials from secrets. Another best practice that we really recommend to our customers is to have a consistent set of controls across their entire estate, both from on-premises to the cloud. And this really helps to reduce complexity by having a unified and consistent set of security controls. And in fact, one of our customers, who is one of the world's largest convenience chains, they're using CyberArk to secure the credentials, both for their on-premises servers and their AWS EC2 instances. And they're also using us as well to secure the credentials used by applications in the CI/CD pipeline. So getting to those consistent controls is another best practice we highly recommend.

So a consistent identity across your estate, whether it's on-prem or in the cloud, and then also reference CI/CD a couple of times. It's developer-friendly, designing security in as opposed to a bolt-on after the fact. And then you mentioned root accounts access. Is that where privileged access management comes in? And are we going to treat everybody as privileged access? Or how do you deal with machines? You mentioned hard-coded. Some machines are hard-coded, like I would imagine a lot of these internet cameras are exposures. How do you deal with all that?
I mean, do you just have to cycle through and modernize your fleet of machines? Are there ways in which CyberArk can help sort of anticipate that or defend against that?

Well, CyberArk can help on multiple fronts. Of course, you need to secure the root account, but that's just only one example of needing to secure privileged access. And one thing that customers need to understand is that now going forward, any identity can have privileged access at any point in time, because at any point in time, you yourself could have access to a highly sensitive system or have access to highly sensitive data. So with CyberArk, we help our customers understand which of their applications and infrastructure have the most sensitive data and then work with them to secure the access to that data, whether that access be human access or machine or programmatic access.

So what are the customer implications of all this? I mean, again, pre-pandemic, this whole zero-trust thing was a buzzword, now it's like a fundamental premise. You trust and verify. One of the customer implications as we enter this new era, ransomware through the roof, the adversaries are well-funded, highly capable, they're living off the land, they're island hopping, they're doing self-forming malware, it's just, it's a new world. So what are the customer implications? What should they be thinking about? They don't have unlimited budget, so what's the advice?

Well, eventually at the end of the day, there are all kinds of best practices of how to apply security. I think that both AWS has their own best practices and also our own best practices, called the Blueprint, which helps organizations to focus on the crown jewels, on the most important stuff, and then going deeper and lower within each and every initiative.
And on each and every level, try to investigate what you're trying to protect and what kind of security mechanism can be applied in order to protect both access and maintaining that no one, whether it's an internal or external attacker, can gain access.

Yeah, I think the other implication for customers, and you already alluded to it, is really to continue to move forward with their zero trust initiatives. I think that that is foundational going forward now that remote work is kind of the de facto norm and we can no longer rely on the traditional network perimeter. And so in this new environment, securing your identities is the new perimeter. So that's an important implication for customers. And then another one that I would mention is that security teams need to work more closely with their dev and DevOps counterparts to bake in security earlier. It really can't be that security is brought in after the fact. Security very much needs to shift left and be included in the very early stages of application development before an application comes to production.

I mean, I think that last point, all good points. The last point was a huge theme at KubeCon this year, that notion of shift left, developers. You've mentioned the CI/CD pipeline several times. I mean, I think that is, you know, especially when you think about machines and the edge and IoT, I often, I used to say all the time, you know, you used to put a moat around the castle, build a wall, protect the queen. Well, the queen has left the castle, right? So, but now with the pandemic, we've seen, you know, the effects of that. And as I say, the adversaries are seeing huge opportunities, well-funded, super sophisticated. It's like, it makes Stuxnet look like kindergarten, right? So, I know, no, still pretty sophisticated. Pretty, still pretty sophisticated.
But I mean, look what we saw with the government hack and SolarWinds, you know, huge, huge. If you talk to CISOs about that, they're like, you know, that's, we have to move fast, but they don't have unlimited budget, right? Cybersecurity is their number one initiative in terms of priorities, but then they have all these other things to fund. They have to fund a forced march to digital transformation, machine learning and AI. They're migrating to the cloud. They're driving automation. They're modernizing their application portfolio. So, security's still number one, isn't it? So, it's a good business that you're in.

Yes, and we really want to work with our CISOs so they can get the most investment out of what they're putting into CyberArk and the rest of their strategic security vendors, because as you mentioned, there's a talent shortage, so anything that we can do as vendors to make it easier for them to use our products and get more value from our solutions is something that's really important.

And automation's part of the answer, but it's not the only answer, right? You got to follow the NIST framework and follow these best practices and keep fighting the fight. Guys, thanks so much for coming on theCUBE. It was great to have you. I'd love to have you back.

Thank you for having us. Thanks for having us.

All right, our pleasure. All right, this is Dave Vellante for theCUBE. You're watching our coverage of AWS re:Invent 2021.