From the CUBE Studios in Palo Alto and Boston, connecting with thought leaders around the globe, these are Cloud Native Insights.

Hi, I'm Stu Miniman, the host of Cloud Native Insights. And when we started this weekly program, we'd look at Cloud Native and, you know, what does that mean? And of course, one of the most important topics in IT coming into 2020 was security. And once the global pandemic hit, security went from the top issue to, oh my gosh, it's even more important. I've said a few times on the program, while most people are working from home, it did not mean that the bad actors went home. We've actually seen an increase in the need for security. So really happy to be able to dig in and talk about what is Cloud Native security and what should that mean to users? And to help me dig into this important topic, happy to welcome back to the program one of our CUBE alumni, Dan Hubbard, he is the CEO of Lacework. Dan, thanks so much for joining us.

Thanks Stu, happy to be here.

All right, so we don't want to argue too much on the Cloud Native term. I agree with you and your team, it's a term that, like Cloud before it, doesn't necessarily have a lot of meaning. But when we talk about modernization, we talk about customers leveraging the opportunity in innovation in Cloud, security of course is super important. You know, most of us probably remember back, you go back a few years and it's like, oh well, I adopt Cloud, it's secure, right? I mean, it should just be built into my platform and I should have to think about that. Well, I don't think there's anybody out there, at least hopefully there's not anybody out there that thinks that anything that I go to will just be inherently fully secure. So give us a little bit if you would, you know, where you see us here in 2020, security is a complex landscape. What are you seeing?
Yeah, so, you know, a lot of people, as you said, used to talk about what's called the shared responsibility model, which was the Cloud provider is responsible for a bunch of things, like the physical access to the data center, the network, the hypervisor, and you know, the core file system and operating system, and then you're responsible for everything else that you could configure. But there's something that's not talked about as much, and that's kind of the shared irresponsibility model that's happening within companies where developers are saying they're not responsible for it, security saying that they're moving too fast. And so what we are seeing is that, you know, as people migrate to the cloud, or of course are born in the cloud, this notion of DevSecOps or, you know, SecDevOps, whatever you want to call it, is really about the architecture and the organization. It's not just about technology, and it's not just about people. And it's more about layer seven and eight than it is about layer one to three. And so there's a bunch of trends that we're seeing in successful companies and in customers and prospects that we see in the market around how do they get to that level of cooperation between the security and the developers and the operation teams?

Yeah, Dan, I first of all fully agree with what you're saying. I know when I go to like Serverlessconf, they've got everybody chanting that security is everyone's responsibility. You know, I think back to DevOps as a trend, when I read The Phoenix Project, it was, oh hey, the security is not something that you do bolt on or look at after, it's something that you need to shift into everyone thinking about it. Security is just going to be baked in along the process all the way. So did DevOps fail us when it comes to security? Why do we need DevSecOps?
You know, why are, you know, as you say, seven and eight, the political and organizational challenges still so much of an issue, you know, decades into this discussion?

Yeah, you know, I think there's a few moving parts here and kind of post COVID is even more interesting is that companies have incredibly strategic initiatives to build applications that are core to their business. And in post COVID, they're almost existential to their business. You think of, you know, markets like retail and hospitality and restaurants, you know, they have to figure out how to digitize and how to deliver their business without potentially physical, you know, access to locations. So as that speed has happened, some of the safety has been left behind. And it's easy to say you have to kind of, you know, one of our mantras is to run with speed and safety, but it's kind of hard to run with scissors and be safe at the same time. So some of it is just speed. And the other is that unfortunately, the security people in many ways and the security products and a lot of the security solutions that are out there, the incumbents, if you will, are trying to deliver their current solution in a cloud way. So they're doing sometimes what's called cloud built or what I call cloud washing. And they're delivering a system that's not applicable to the modern infrastructure and the modern way that developers are building. So then you have a clash between the teams of like, hey, I want to do this. And the other people are like, no, you can't do that. Get out of our way. This is strategic to the business. So a lot of it has just been, you know, kind of a combination of all those factors.

All right. So Dan, we'll go back to cloud native security. You talked about sometimes people are cloud washing or they're just taking what they had, putting it in the cloud. Sometimes it's just, oh, hey, we've got a SaaS model on this.
Other times I hear cloud native security and it just means, hey, I've got some hooks into containers or Kubernetes. What does modern security look like? Help us understand a little bit. You mentioned some of the legacy vendors, what they're doing. I see lots of new security startups, some specifically in that Kubernetes space, there's already been some acquisitions there. So what do you see out there? What's good? What's bad in the trends that you're seeing?

Yeah. So I think the one thing that we really believe is that this is such a large problem that you have to be 100% focused on it. If you're doing this, securing your infrastructure and securing your modern applications and doing other parts of the business, whether it's securing the endpoints and the laptops of the company and the firewall and authentication and all kinds of other things, you have competing interests. So focus is pretty key and it's obviously a very large addressable problem. What the market is telling us is a few things. The first one is that automation is critical. They may not have as many people to solve the problem and the problem set is moving at such a scale that it's very, very hard to keep up. So a lot of people ask me, what do I worry about? How do I stay awake at night? Or how do I get to sleep? And really the things I worry most about and the way where I spend most of my time with the product side is about how fast are builders building? Not necessarily about the bad guys. Now the bad guys are coming and they're doing all kinds of innovative and interesting things, but usually it starts off with the good guys and how they're deploying and how they're building. And you know the cloud providers literally are releasing APIs and new acronyms almost weekly it seems. So like new technologies being created at such a scale. So automation, the ability to adapt to that is one key message that we hear from the customers. The other is that it has to solve or go across multiple categories.
So although things like Kubernetes and containers are very popular today, the cloud security tackle and challenges is much more complex than that. You've got infrastructure as code, you've got serverless, you've got kind of fragmented workloads, whether some are containers, some are VMs, maybe some are Omnis, and then some are Kubernetes. So you've got a very fragmented world out there and all of it needs to be secured. And then the last one and probably the most consistent theme we're hearing is that as DevOps becomes involved because they know the application and the stack much better than security, it has to fit into your modern workflow of DevOps. So that means deep integrations into JIRA and Slack and PagerDuty and New Relic and Datadog are a lot more important than integrating to your Palo Alto firewall and your Cisco IDS system and your endpoint antivirus. So those are the real key trends that we're seeing from the customers.

Yeah, Dan, you bring up a really important point leveraging automation. I'm wondering what you're hearing from customers because there definitely is a little bit of concern, especially if you take something like security and say, okay, well, automation, is that something that I'm just going to let the system do it or is it getting me to a certain point that then a human makes the final decision and enacts what's going to happen there? Where are we along that journey?

Yeah, so I think of automation in two lenses. The first lens is efficacy, which is, do I have to write rules and do I have to tune, train and alter the system over time or can it do that on my behalf or is there a combination of both? So the notion of people writing rules and building rules is very, very hard in this world because things are moving so, so quickly. You know, what is the KMS threat surface?
The threat attack surface is just changing and typically what happens when you write rules is they're either too narrow and you miss stuff or they're too broad and you just get way too much noise. So there's automating the efficacy of the system. That's one that's really critical. The other one that is becoming more important is in the past it was called enforcement. And this is how do I automate a response to your efficacy? And in this scenario, we're very, very early days. Some vendors have come out and said, you know, we can do full remediation and blocking and typically what happens is the DevOps team kind of gives the Heisman to the security team and says, no, you're not doing that. You know, this is my production servers in my infrastructure that's, you know, running our business. You can't block anything without us knowing about it. So I think we're really early. I believe that, you know, we're going to move to a world that's more about orchestration and automation where there's a set of parameters where you can orchestrate certain things or maybe an ops assist mode. You know, for example, we have some customers that will send our alerts to Slack and they have a Slack bot and they say, okay, is it okay that Bob just opened an S3 bucket in this region? Yes or no? No. And then it runs a serverless function and closes it. So there's kind of a, what we call driver assist mode versus, you know, full, you know, no one behind the steering wheel today. But I think it's going to mature over time.

Yeah, Dan, one of the other big challenges customers have is that their environments are even more fragmented than they would have in the past. So often they're leveraging multiple cloud providers, multiple SaaS providers, they have their hosting providers and security is something that I need to have holistically across these environments but not have to worry about, okay, do I have the skill set and understanding between those environments?
Hopefully, you know, that's something you see out there and want to understand, you know, how the security industry in general and maybe Lacework specifically is helping customers get their arms a little bit more around that multi-cloud challenge, if you will.

Yes, so I totally agree. Things are, you know, I think we have this Silicon Valley or West Coast bias that the world is all, you know, great and it's just utopia, Kubernetes, modern infrastructure, everything runs up and down and it's all, you know, super easy. The reality is much different. Even in the most sophisticated sets of infrastructure and the most sophisticated customers are very fragmented and diverse. The other challenge that security runs into is security in the past and a lot of traditional security mindsets are all about point in time and they're really all about inventory. So, you know, I know, used to be able to ask, you know, a security person, how many servers do you have? Where are they? What are they doing? They say, oh, you know, we have 10 racks with 42 servers in each rack and here's our IP addresses. Nowadays, the answer is kind of like, I don't know. What time is it? You know, how busy is the service? It's very ephemeral. So you have to have a system which can adapt with the ephemeral nature of everything. So, you know, in the past, it was really difficult to spin up, say, 10,000 servers in an Asia data center for four hours to do research. You know, security probably know if that's happening. You know, they would know through a number of different ways because big, big change control window would be really hard. They'd have to ship the units. They'd bake them in, you know, et cetera, et cetera. Nowadays, that's like three lines of code. So, the security people have to know and get visibility into the changes and have an engine which can determine those changes and what the risk profile of those is in near real time.
Yeah, it's what we've seen is the monitoring companies out there now talking all about observability. It's real time. It's streaming, you know, it reminds me of, you know, my physics, you know, Heisenberg's uncertainty principle when you try to measure something, it's, you already can't because it's already changed. So what does that mean? You know, what does security look like in my, you know, real-time serverless, ever-changing world? You know, how is it that we are going to be able to stay secure?

Yeah, so I think there are some really positive trends. The first one is that this is kind of a reboot. So this is kind of a restart. You know, there are things we've learned in the past that we can bring forward, but it's also an opportunity to kind of clean the slate and think about how we can rebuild the infrastructure. The first kind of key one is that over time, security in the traditional data center started understanding less and less about the application over time. What they did was they built this big fortress around it, some called it defense in depth, the security onion, whatever you want to call it, the M&Ms, but they were really lacking in understanding of the application. So now security really has to understand the application because that's the core of what's important and that allows them to be smarter about what are the changes in their environment and if those are good, bad or indifferent. The other thing that I think is interesting is that compliance was kind of a dirty word that no one really wanted to talk about. It was kind of this boring thing where auditors would show up once every six months and go through a very complex checklist and say, you're okay. Now compliance is actually very sophisticated and the ability to look at your configuration in real time and understand if you are compliant or following best practices is real. And we do that for our customers all the time.
We can tell them how they're doing against the compliance standard within a minute timeframe and we can tell them if they're drifting in and out of that. And the last one and the one that I think most are excited about is really the journey towards least privileges and minimizing the scope of your attack surface within your developers and their access in your infrastructure. Now, we're pretty far from there. It's an easy thing to say. It's a pretty hard thing to do but getting towards and driving towards that journey of least privilege I think is where most people are looking to go.

All right, Dan, I want to go back to something that we talked about early in the conversation, that relationship with the cloud providers themselves. So talking AWS, Azure, Google Cloud and the like, how should customers be thinking about how they manage security, dealing with them, dealing with companies like Lacework and the ecosystem, you mentioned companies like Datadog and New Relic? You know, how do they sort through and manage how they can maintain those relationships?

So there's kind of the layer eight relationships, of course, which are starting in particular with the cloud providers. It's a lot more about bottoms up relationships and very technical understanding of product and features than it is about being on the golf course and eating steak dinners. And that's very different. Security and buying IT infrastructure was very relationship driven in the past. Now, you really, especially with SaaS and subscriptions, you're really proving out your technology every day. You know, I say kind of trust is built on consistent positive results over time. So you really have to have trust within your solution and within that service and that trust is built on obviously a lot of that go to market business side but more often than not, it's now being built on the ability for that solution to get better over time because it's a subscription.
You know, how do you deliver more features and increase value to the customer as you do more things over time? So that's really, really important. The other one is like how do I integrate the technology together? And I believe it's more important for us to integrate our stack with the cloud provider with the adjacent spaces like APM and metrics and monitoring and with open source because open source really is a core component to this. So how do we have the APIs and integrations and the hooks and the visibility into all of those is really, really important for our customers in the market.

Well, Dan, as I said at the beginning, security is such an important topic to everyone out there. We've seen from practitioners we talked to for the last few years, not only is it a top issue, it's a board level discussion for pretty much every company out there. So I want to give you the final word as to in today's modern era, what advice do you give to users out there to make sure that they are staying as secure as is possible?

Yeah, so first and foremost, it's people often say, hey, when we build our business, it'll be a good problem to start to have to worry about customers and all kinds of people using the service and we'll worry about security then. And it's easy lip service to start it as early as possible. The reality is sometimes it's hard to do that. You've got all kinds of competing interests and you're trying to build a business and an application and everything else, depending obviously on the maturity of your organization. I would say that this is a great time to kind of crawl, walk, run. And you don't have to think about it if you're building in the cloud, you don't have to think of the end game right away. You can kind of stair step into that.
So my suggestion to people that are moving into the cloud is really think about compliance and configuration of best practices first and visibility and then start thinking of the more complex things like triaging alerts and how does it fit into my workflow and how do I look at breaches down the line? Now for the more mature orgs that are taking an application or a new application or a stack and just dropping it in, those are the ones that should really think about how do I fit security into this new world order and how do I make it as part of the design process? And it's not about how do I take my existing security stack and move it over. That's like taking a centralized application moving into the cloud and calling it cloud. If you're going to build in the cloud, you have to secure it the same way that you're building it in a modern way. So really think about modern new generation vendors and solutions and a combination of kind of your provider, maybe some open source and then a service of course like Lacework.

All right. Well, Dan Hubbard, thank you so much for helping us dig into this important topic, cloud native security. Pleasure talking with you. Thank you. Have a great day.

And I'm Stu Miniman, your host for Cloud Native Insights and looking forward to hearing more of your cloud native insights in the future.