 from Las Vegas, it's theCUBE, covering AWS re-invent 2018. Brought to you by Amazon Web Services, Intel, and their ecosystem partners. Hello everyone, we are here live in Las Vegas for Amazon Web Service 8-Hips re-invent 2018. It's our sixth year covering re-invent. We've been there from the beginning as a customer using EC2 when they first launched in 2006, one of my first startups. What a scene it is here. Everyone in the industry's here, full-on. It's a super bowl of technology. Amazon is leading in the cloud game and we're breaking it down for you in theCUBE. Our next guest is Holland Berries, Senior Vice President of Cybersecurity, the Six Terrorists, a hot company. Welcome to theCUBE, thanks for joining me. Thanks for having me. So it's great to have senior people, startups, technical people on theCUBE, kind of extract and kind of squint through the volume of data that's being announced here at the show. Huge set of announcements already out the door. I'm expecting to hear a big connectivity announcement in 1130 involving satellite and remote coverage for IoT devices, VM containers, micro VMs, all this massive amount of tech. Putting it to reality is critical. This is what customers want to do. They want to lower their costs. They want more performance, lower costs, more capability, ushering in a true new programming model for DevOps. How do you guys fit here? What's your story? Why are you here? What's your story proposition? Yeah, so we're really focused, especially at this show around the DevOps community and enabling agility for those folks, right? 10 years ago, the word DevOps and the term DevOps came to life and there was this tug of war going on between the development teams and the operations team where development teams wanted to move fast and have all the agility and the operations team wanted to have stability and all these things. And so they came together in a matrimony and 10 years later, we're highly automated. Everything looks great from a DevOps perspective, but what we're seeing now is security, being a bit of a speed bump. They're having a hard time catching up with that. So that's our focus and the show is unleashing the DevOps folks and letting security move at the speed of DevOps. Let's drill down on security. Obviously cyber security is a global issue. It's also a national security issue in the United States, but other countries too. It's a global policy thing. There's tech involved, right? Cyber warfare, all those we hear about in the news. But for a basic enterprise, perimeter is no longer there with cloud. You've got to think differently around how you're going to secure things. Amazon is now seeing security, not a blocker. Used to be no cloud implementation. It's not secure at all. Now you're hearing people saying, it's actually pretty secure, but there's more things going on that keep raising the bar on capabilities that are needed. Could you share your expert opinion on state of security in the cloud? What are the key areas? Where have they kind of leveled out? What's the baseline now? How acceptable is that? And what are the gaps? What are people working on? I think we're seeing a lot more security components move into that infrastructure as code conversation. So Amazon is fantastic about launching stacks via cloud formation template or maybe using Terraform. And now we're seeing the need for security components to move into that as an extension of that infrastructure type deployment. And that's another area of deep focus for us. Is there a tech trend that's a tailwind for this? Is there anything helping? Or is there more headwinds and tailwinds? What's the big focus? I think one of the big trends that we're seeing, and we're getting a lot of analyst confirmation on this trend too, is the whole thing around software defined perimeter. So a new approach to describing access for the users, kind of getting away from the VPN model, right? Where you have a central concentration entry point and then having the traverse complicated to maintain backhaul lines, right? We're seeing software defined perimeter allow users and DevOps professionals access multiple environments simultaneously without the need of these more archaic architectures, if you will. Malware works great in VPN. Well, absolutely, absolutely. Very secure malware transmission to the endpoint. Absolutely. I mean, you think about the old style of connectivity and you've got a user that has nearly unfettered access once that VPN connection isn't created. They have way more access, now way more ability to spread malware laterally with the VPN connection. Software defined perimeter greatly reduces that attack surface by giving those users only access to those items within the corporate infrastructure that they're better to have access to and nothing more. So, how long? I got to ask you a question around cloud architects. The hottest area that we're seeing from an educational learning progression and knowledge seeking area and is what is a cloud architect and what are the things that make up? So how would you describe an ideal cloud architecture? So I'm an enterprise, I realize I'm going to shrink my data center down, using the cloud, a lot of great things about the cloud, a lot of great things about maybe having something on premise at low latency. Now I got IoT edge. Like I want to power that with power and then have connectivity now over the top. How do I architect this? Because data's going to live there. We're hearing compute's going to move around from Amazon. That's the direction that they're going. How do I lay it all out? What's your view on cloud architect these days and how they should be thinking? Well, the cloud architect role I think has evolved a lot to start off with, right? It's no longer just being an infrastructure person. You've got to be someone of an expert on security, someone of an expert on networking and a lot of storage, all these other components. I think it's different organization to organization. I think there's a series of best practices. I think AWS does a fantastic job of delivering templatized best practices to folks who are looking to adopt a cloud architecture. I think that's a great guidepost to go by is the recommendations that the public's giving. How about staffing? What are you seeing as the makeup of the kind of, you know, a ninja or a pirate or whatever metaphor you want to use? You're seeing kind of a new breed of DevOps engineering. Absolutely. It's with app developer emerging. Yeah, I think you got it. I think that matrimony that happened between the development and the operations team has continued to evolve and we're seeing this new kind of combined specialty where you've got great programming chops. You know, you're a Python or a JavaScript ninja and you also know a lot more about the infrastructure than traditionally, you know, your development role would have necessitated in the past. What are the top security conversations are you having in a DevOps environment? Because remember, there's some really great DevOps shops and DevOps thinking in a lot of companies and then you got the people who are now learning DevOps. They're kind of getting cloud native. They see Kubernetes around the corner. They see, okay, I can put containers around things. I can keep my workloads on premises. Okay, got some cloud. What is some of the thinking around that? What's your view on all this? So I think access is a big piece. I think, you know, developers needing to get to a heterogeneous set of hybrid environments. They might have some legacy or new stuff on-prem. They might have a couple of clouds they're working with. So how do you have a single unified policy construct that talks about how those users can interact with it? And we're also hearing a lot about DevSecOps to moving that detection of vulnerabilities and code imperfections earlier on in that development cycle. And we're enabling a big compliment to that. We're not DevSecOps ourselves, but we're involved in that conversation from an access perspective. Let me explain what you guys do. I want to get that out there because it's important. So what do you guys actually do? How do you make money? What's your business model? What's the product? Yeah, so Sixterra is a cybersecurity company that also happens to have a co-location data center footprint in 29 markets. We've got 50 plus data centers. We're here focused on one of our access products called AppGate STP. AppGate is a secure access solution that was really built with developers in mind that allows that simultaneous secure access to a multitude of environments. So if you're an AWS customer and you've got 20 or 30 accounts, we can seamlessly allow that connectivity with a very robust policy structure to allow those developers, those users to interact with those environments without having to do that VPN switching thing that we discussed earlier. Real, real clean and sophisticated way to connect your users into your internal and sensitive infrastructure. And who's the buyer of the product and why are they using you guys? Yeah, so it's typically going to be the security team. Sometimes we'll have the networking and the cloud infrastructure teams involved in the conversation as well, but this is a security product. It's a secure access product. And this is really an evolution of what people are using for the VPN and jump boxes and things like that for these days. So how dead is the VPN? Have you had to put it on a scale? One being, you know, on life support, 10 being like the state of the art. I mean, VPNs are still around. People are using VPNs a lot. Totally. There's a role for VPNs. Is it a rip and replace or is it more of a functional? Some spots VPNs are great, some they're not. What's the role of the VPN? We're seeing them and I think Gardner has a statistic that, you know, 60% of VPNs will be dead by 2021, something in that. We're seeing that evolution occur. Looking simple environments, a VPN might be a really appropriate approach, but when you have cloud workloads everywhere, you've got on-premise data, you've got your users everywhere, it simply can't keep up. And so that's really the problem space. Where's the action for security in terms of good, good developing trends? Is it at the network layer? Is it the virtualization layer? Is it at the identity layer? Where are you seeing security really advancing and accelerating with cloud? What specifically, where's the action happening? I think it's at all layers. I mean, we've seen the identity access management, you know, identity provider market explode. We're seeing great new technologies around, you know, container security, virtual machine security. So I can't pick any one category that's exploding. I would argue though that this access category in the software to find perimeter trend is something. We're tuned into it obviously, maybe a little more than most, but we are seeing a huge uptake. Well, what's the alternative? I mean, most IT guys are, I would say they're scared. I mean, they're not, they're kind of running scared. I mean, they've been doing perimeter-based security for years, you know, firewalls and, you know, routers, all plastic, all locked down. Right. Now incomes API economy. And now they're like, okay, I got to figure out, buy everything on the planet to figure it out. Yeah. What are they doing now? What's state of the art for people who are moving off the perimeter completely? I think the adoption of more cloud native controls, you know, a lot of folks right now are very familiar with their traditional firewall vendor and they'll tend to take that and implement a software version of that hardware box up in the cloud. And we're not arguing that you need to get away from something like a next generation firewall. You know, it does traffic inspection. It does a lot of things that our solution specifically doesn't do and a lot of the SDP solutions don't. So taking that layered approach and seeking out those solutions that are cloud native, we're seeing an uptake on that. And it's really changing the way people think about the architecture of their environments too. We're familiar with one thing from on-prem. We try to shoehorn that methodology and the cloud is simply. So single sign on is critical. SSO is critical. We're seeing a huge take up on that. Yeah, absolutely. How do I handle the sprawl of new environments with IoT Edge for instance? You can see a lot more things connect in. How do you do that? Is it manual? Was there automation or machine learning? How are you guys bringing that to scale because that's a big challenge. We hear a lot. Absolutely. I mean, one of the things we're doing at 6Tera is allowing you to templatize what secure access should look like for these new environments. So just like you're deploying that infrastructure as code, we're just a secure access piece of that. All the connectivity has already been described by the security team. So back to the comment about DevOps or operations team needing to move fast, they can now deploy a brand new environment with that access for me and you described. So you're spinning up the auto building, the environment, you're spinning it up, standing it up quickly. Yeah. All built in on pre-configured policy just goes out. Absolutely. Datadog, one of our big AWS customers is a great example of someone who has highly automated everything. They don't even touch our UI. They use APIs for everything. They've codified all the elements of our platform. And so when they spin up a new environment, they'll actually check out a configuration from their whatever GitHub, GitLab they're using and inject that into the spin up of the new environment. So a super sophisticated high level of automation. And really at the end of the day, what's it helping them do? Why are we doing any of this? Why are we doing DevOps? It's so we can move faster to the live product and services quicker to our customers. So you guys are basically DevOps version of security. You're instrumenting everything. I mean, Datadog's a great example. They're into instrumenting every, all the application areas. You guys are taking a DevOps approach to security. Is that all you guys? DevOps approach to security and user access, yeah. Very much so. And what's the big conversation you're having here at ReInvent? Obviously a lot going on. What's the most exciting for you here at ReInvent? I think it's everything that we just talked about. We're hearing people finally get ready for this message. You know, we're practitioners and users of this platform ourselves and the SDP spec. I use it every day. I flip up my laptop in the morning. I get instantly connected from anywhere to seven and 10, what we call sites, right? So we're familiar with the power. We're leveraging the power internally. Now seeing other people come over, seeing what, you know, people like Datadog and Voicebase, we're two of our big AWS clients. Seeing what they've done, see their story, and having to say, hey, how did they do that? We want to do that too. And how about a global scale? Do you guys are agnostic on geography or did they play into it? Completely neutral to the underlying infrastructure. The geography, our solution acts the same. Doesn't matter, public, private, cloud, bare metal. It's a unified policy framework that allows you to, to whatever level of granularity you want, describe access from the user, even including ingredients from a third party system. For instance, I may have a developer that's assigned to a task or a story or an epic inside a Jira project, for instance, right? Popular development tool. I can dictate his or her access to the infrastructure and the projects are working on, based on an API call to Jira saying, okay, this person has access to these things. Now I have a very conditional response to should someone have access to this resource, it's well, it depends. You know, are they working on this project? Are they in the office? Is their machine patched, right? Who are they in the identity provider? All these things should feed in to- And they're automated too, right? They're automating in- This is all completely automated and all these checks that I just described are actually done in our system, pre-authentication. So you're vetted first, and then you're handed an access passport we call live entitlements. And that gets you to the infrastructure and only the infrastructure and applications you're vetted to do based on that evaluation that happened for you. How agile are you guys when new things have to change? There's a security threat or something on the landscape or surface area changes. How do you guys respond to it from an agility standpoint? Yeah, so our system can take hints via an API as well. So if you have a threat system or something giving you signals that something might be going on, you could come into our system, for instance, and revoke everyone's access. You could prompt someone maybe for a step-up authentication to make them re-proof where they are via a one-time password. So a lot of options. So we want to take hints from third-party systems. We're designed that way. So we can adjust network access and program the network based on other things that are happening. Final question, we're going to wrap up here. Let's get a plug-in for the company. How old is the company? How many people? Talk about some of your customers. Give the plug for that for Sixterra. Yeah, so 1,500 employees. I think I mentioned 50-plus data centers across 29 markets, hundreds and hundreds of customers on the security access product that I talk about, you know, many thousands of customers in our data centers. The business is good. The business is good. Yeah, yeah, in terms of like focus areas for next year, we're all in on DevOps. We're investing heavily in this area. Expect to hear more about, you know, a richer API set, more pre-bundled integrations, and also a bigger focus on containers. Well, I think you guys are a great example of success in using cloud. Lot more work to do. I mean, you got global, you got all kinds of new landscape changes. Final question, what's the one problem that you solve? Some arise in the soundbite. Why do people buy Sixterra? Why do they use you? Full network platform access for your user with a single security construct. I can't stress that. It's a huge competitive differentiation versus some of the web application proxies that are out there. So I invite everyone to dig into the details about what we provide. You can go to appgateforaws.com if you want to test drive the product, get a feel for the admin UI, the client set up all that stuff. It's really simple and it'll give you a real good taste. And please come by the booth and see it done as well. Tell them, John sent you get a 10% discount. I'm only kidding. Hey, thanks for sharing your insight on theCUBE. We're here at Reinvent. A lot of action happening. Obviously we're out of great people. Lot of great networking, but more importantly, the industry continues to power forward with cloud on premise in the world. It's cute bringing you all the action here in Las Vegas. We'll have more after this short break.