So, uh, zero trust. Right? Yes. Yeah. Um, so, uh, well, first, my memory again, what is the background for, you know, I'm sharing my thoughts on zero trust that I know, but there's an event or something coming up. Right. So we have, we're doing a round table or panel discussion, panel discussion next week. And, uh, Priyanka is going to be moderating it. And we've got a real variety of participants, from encryption to identity management to GitLab, and, and I thought the, a good common denominator among such a diverse group would be zero trust. And so, um, that's kind of the, um, the galvanizing discussion or question that, uh, that we'll focus on. Priyanka, feel free to. Yeah. So, yeah, Cindy came up with this really good concept because it brings us all together, like very diverse people. And so at this point it's the theme of the entire event. And so it's a GitLab Connect day. Um, and traditionally I think these GitLab days are just like, you know, sales people and their prospects and a few, and some GitLab speaking, but this one's different. We are going to actually host it at General Catalyst's office in San Francisco, and they're like a pretty well respected investor, Steve Herrod. He's going to do, uh, like opening remarks, and then Jim Zemlin, who's the head of the Linux Foundation, is going to do a lightning talk. And then followed by the panel, and at this point, Emily and I are telling Jim, Steve, everyone that, hey, the theme of the event is zero trust. And so that's like, you know, all kind of connect on that. Now, one thing that I think would be really helpful to know, in addition to the concepts of zero trust, is just how we at GitLab, as the products we can maybe advance, people who are, help people who are trying to go in that direction or, like, doing things that operate in a zero trust way.
I don't even know if I'm saying it the right way, but I want to, in my head, connect the zero trust philosophy and the GitLab products, just so I have that link established. Yeah, so to take a couple steps back, when Cindy listed the topics all the way from encryption, the AppSec, you know, other topics, probably zero trust wasn't the first thing that popped up for me in terms of a common denominator. The reason for that is because right now, very, very few companies have successfully, or even started, implementing zero trust. Okay. If you look at, like, the cloud native companies out there, only 20% have implemented zero trust. And the reason for that low number is not because people are not aware or don't want to do it. It's because it requires a certain amount of awareness and also the right environment to successfully implement it. So if you are a very, very large enterprise company, or let's say you're a bank, right, with a lot of legacy systems, and with a lot of physical brick and mortar, you know, buildings, and people coming into a physical location or VPNing into a particular subnet first before getting access, it can be really hard to take that paradigm and translate it over to zero trust. So I've talked to a lot of people about where they are with building zero trust, and right now more than 50% of the time I get, wow, I would love to be there. We are, it's going to take us a really long time. And first our culture has to change, that happens as well. So GitLab in many ways is an ideal environment to implement zero trust. And that's because we're 100% remote. There's no physical office. Everything is hosted in a cloud environment. Right, even the third party products that we use are in other SaaS environments. There is no local data center that we maintain. Right, we don't run our own data centers. Many places do.
So there, when you do that, you're responsible for setting up all the physical assets in there, and physical security comes into it as well. We don't have that. Right, so all we have to do is look at the GCP environment, for example, and say, okay, how many assets do we have there? What is the classification of the sensitivity of data stored or processed on each of those assets, and let's prioritize, so our focus should be on creating a boundary around every single host in that environment. And then making a risk based decision, when someone tries to access that endpoint, on whether they should be allowed access or not, based on who they are, what their needs are for accessing that level of sensitive data, and what the state of the device that they're using to access this data is: is it up to date on all the patches, does it have GitLab, is it GitLab owned hardware that has endpoint management on it? If it is, and they are on a team that is supposed to have access to that data, then yeah, we allow access. But if they don't fit those criteria, we deny access. That's fundamentally how zero trust works. Okay, okay, so a lot of environments are not ready for that. That's why they haven't rolled it out. I see. Okay, so this sounds, from a narrative perspective, it sounds a little bit like where we were with DevOps maybe two, three years ago, where people were like, oh, we love the idea of it and the possibilities, but we have siloed developer organizations, and organizations are like, the way we do software development is so not conducive to DevOps that it's just probably not going to happen anytime soon. So would you agree that that is similar, and maybe we can expect the same kind of movement in the industry for zero trust as well? I expect zero trust will become more and more of a hot topic and a pressing initiative for many CISOs over the next five years. Right now, it seems to me that the trend for going with zero trust is just starting to build.
Yeah, 451 just did a webinar yesterday on key trends and forecasts for 2019, and zero trust was one of the five key trends. Yeah, exactly. So all of the analyst firms are well aware. And to be honest, zero trust is not a new concept. Right. That's exactly what Philippe was saying, and I was going to ask that because I chatted with him, I think yesterday. Yeah, it was like, well, it's not a new concept, and like we're all kind of in some way maybe doing it, and that was his perspective. So what do you think of that? So it isn't a new concept because back in the mid 2000s, there was a group called the Jericho Forum. And during one of their meetings, there was a topic of, look, we're all doing security in a way that makes it easy for the attacker once they break through the perimeter. So we put as many defenses as we can on the perimeter of our network. And let's say that's a firewall or some other device. But once they break in through there and they get access to the inside of the perimeter, it's really easy for them to move from one host to another and to gain access to data that they shouldn't have access to. So what can we do differently to counter that paradigm? And the thought process was, you know, what if we treated the perimeter as a non-entity? Let's say that we don't care about the perimeter. There's no perimeter to break into; every single host inside this environment should have its own perimeter. Right. So now there's no one perimeter to break into to get access to a whole bunch of everything. Yes. Right. For every host you want to try to get to, you've got to re-authenticate and re-authorize. Right. So that makes it very hard for an attacker who, for example, steals someone's password. So okay, so I've got your account login and your password. So what? I still have to authenticate for every system. Right. Maybe you don't have access to that system. Right. So identity management is a big part of the zero.
Well, so the most famous example of a company that has implemented zero trust, and they're not even done, is Google. So like back in the 2010, 11 timeframe, Google had a massive breach. Okay. Gmail was breached, and it was done by a nation state adversary. Right. So very sophisticated, very big. So after that, they rolled out what they call BeyondCorp, which is their term for zero trust, but it's the same idea. So they rolled that out, wrote a series of white papers, which you can go and read about if you just Google BeyondCorp. It's there. But they were probably the most prominent company to implement it back in 2011. Gotcha. My understanding is they're not done. They're still doing it now. Right. So it's a big effort, huge effort. That lends itself to the comparison with DevOps, because nobody's really done with DevOps either. I mean, it's a journey. Right. It's a journey. So process. Yeah. But I think with the diminished perimeter and with cloud, there are some things that become bigger and more important: identity management, application security, data encryption, being able to encapsulate those, you know, the data and the logic around it, to better protect those. And so that's where I was coming at with, those are kind of the common denominators among this really diverse group. In terms of, I think it's good to ask their perspective of zero trust is becoming a bigger issue. We can point to the 451 research that says, you know, they're saying it's the big thing for the year. Right. And so what does that mean? What does that mean for each company and from each perspective? Yeah, I'll also cite another example of why zero trust is so hard for most companies to build. There isn't a single commercial off the shelf product that you can buy today that will slap zero trust into your network. That's not how that works. Right. It's a process.
And it's custom, depending on what your environment looks like; everyone has a different environment. It's dependent on your organization as well, like how do you decide who gets access to what data in your organization? That could be different across multiple companies. It's also about whether you process and store other customer data in your environment. If you do, then you've got more problems to worry about as well. So, you know, there's a lot of considerations that come into how you would even implement zero trust in your network. And that's why there isn't a vendor product that you just buy and slap in and now you've got zero trust. That's not, you know. I have a question. We're all agreeing zero trust is a work in progress. People are just starting to think about it. What is the status quo? Just so, because I've internalized the zero trust story a bit more now, but I have no idea where we were before, where we'll be at GitLab or in the industry. Oh, the industry. It depends on the sector, really. Probably the most forward thinking sectors would be the cloud native companies; by necessity they're already more modernized, systems tend to be, you know, more up to date. And they have to rely on using cloud services of a major provider like Google or AWS or, you know, Azure, and that forces you to think differently than if you operated your own data center, set up your own physical servers and decided what to install and all that. It sounds very connected to whether you're in on the cloud computing trend or not. If you're using your own, if you have your own server farms or whatever, then it's because it becomes more important when you don't have that perimeter that you can protect. So the traditional, non zero trust sort of approach was: I've got a data center that I can put, you know, protections around; I've got a network.
I'm going to look at the network traffic and stop any network traffic that I don't trust. It's very different when you think of porting your application. And you've got, now with containers and Kubernetes, you can take that application and you can run it anywhere; you can run it on AWS, you can move it to Azure. It makes it very portable, so you have to think about, I don't have that physical perimeter. So what are you going to protect? Okay. Yeah, so the kind of corporate entity that would be the opposite of what we are at GitLab would be a large bank, for example, that has their own physical facilities. And they do everything on prem, and they don't go with any cloud services, because they host their own environment; they, you know, make people VPN into that environment to then connect to other data systems. And then also, if they were even to use a third party product like Salesforce or anything else that we use, it would all be on prem; they would maintain that themselves, they wouldn't put it on someone else's SaaS environment. So, so that paradigm is the opposite of what we are. I would argue that even that one's changing, because people are doing private clouds in order to use their resource pool better. Right, but the private clouds are still being maintained by them. Right. But it still represents another potential attack. After that, of course, of course, there's always an attack vector, no matter what you do. Even zero trust isn't 100% secure. What we're talking about is raising the bar, so that it is more challenging, and it takes more resources and time for the attacker. So you detect them before they get to something sensitive. That's also part of it, right? Like if they get in here, they're as subtle as an elephant marching across the room. That doesn't help them either, right? So the ability for them to persist in our environment is very important.
Once they, the attack vector typically is: break in, and then persist and wait, and then do other things, right, in the background. So if they're not able to do that successfully, it's not worth their time. Gotcha. So now I have a very naive question. Don't laugh at me, you both. Do people do this a lot? Like, I don't understand why people would attack systems. A lot of it is, you know, just some stealing data about maybe your customers, or maybe stealing your intellectual property. Right. There's a lot of reasons for people. Also, there's cyber crime, right, financial gain, that sort of thing. So it depends on. Oh, sorry. Oh, go ahead. You were saying how often. Yeah, like how often does this happen? Or is this more like an insurance policy for something that happens once in five years, once every year, or like every day we're seeing something? This happens every day. Really? Yeah, every single Fortune 500 company in the United States has already been breached at least once. Wow. Yeah. I can send you some, I was putting together some more recent attacks that were cloud or Kubernetes based, or container or Kubernetes based. And the other aspect is, with GDPR in Europe, the consequences can be, can like take your company out. Yep. There can be a company extinction level type of event with a breach. Oh, Jesus. Okay. And so it's like, basically people are having to fight criminals on their own. Like there is no, like, police force here. You have to have your own, like, Kathy, you and your team are the police force, right? Effectively. Yeah. Wow. Yeah. We're the first line of defense, right? Wow. That is so crazy when you think about it, right? Because in the physical world, there is like a public utility of someone's going to help you if you get robbed. I'm not going to tell you, now you don't get to own a house, but that's kind of what it sounds like happens. Well, there are processes in place for us, that we're a US based company. GitLab Inc. is based in the US.
So because of that, if someone attacks GitLab.com and we have evidence of that, we can contact, I mean, I have a contact at the FBI that I can reach out to, and they will conduct the investigation and prosecute, if they, you know, discover who it is. Assuming that they have jurisdiction in wherever the attack originated from, right? Okay. Yeah. If they originated from Russia or China or whatever, they have no jurisdiction there. We can't do anything then. No. Wow. That's why there's so much incentive for these attackers to act. There needs to be like a TV show about this. This is like really cool. There's a really good one called Mr. Robot. You should watch it. I didn't realize it was about this stuff. Okay. Got it. Yeah. Absolutely. So I wanted the best in terms of being realistic. Okay. I'm going to now. I didn't know what Mr. Robot was about and I was like, what's the fuss? Yeah. Check it out. I get it. Okay. There's a good book too, called Cyber Storm. Okay. That. Okay. It's on my list, and I love like, like crime. Not like to do it, but. I've liked all the books that have been written by Mark Russinovich. He's a former Sysinternals tool developer at Microsoft, but he retired and decided to write cybersecurity novels. Really good ones. Yeah. What? Mark Russinovich. R-U-S-S-I-N-O-V-I-C-H. Yeah. Okay. Got it. Got it. So cool. This is like great. This new world has opened up to me. I was just going to go learn something about security and now I'm like, this is way cooler than cloudy. What are you really doing? Totally. This is awesome. Cool. Okay. This helps a lot. Thank you. And so last question. Sorry. I'm asking so many. GitLab as the company, we, when you joined the company, were we already kind of thinking zero trust? Because like we're always, like we have all these clouds. Okay. So we always were like this. So when I first joined GitLab, I was a team of one for two months at the beginning. Right.
I had to build up a team, which we have an awesome team now, and so hiring more people. But you know, with a team of one, you really can't build a lot, right? You wear a lot of different hats. Yes. But zero trust is something that came on our radar because we have to think more proactively about how to do defense in depth than how GitLab was doing it before I came on board. So this was not something GitLab was already planning before I came on board, but afterwards one of the first things I set out to do was fix the security mitigation process so that we can start fixing our vulnerabilities faster. Correct. Okay. And then this is part of the plan to proactively build out a defense in depth mechanism before we have a major breach here, because of the 20% of cloud native companies that have built out zero trust, almost all of them did it after a major breach. Yes. So I'm trying to get us ahead of that. Right. Right. And build this out before a major breach. Got it. Okay. Do we use any of the GitLab Secure and Defend products for GitLab? Well, so Defend is still very much in progress. Yeah. We haven't really put together a formal team for that yet. So that's still going on. For Secure, for scanning, we definitely want to dogfood it. And I'm working with Philippe to make sure we get looped in to do that. Right now, I need them to, we can't, we don't have the cycles to keep going over and looking at scan results. So what I want is an automated process where the scan results get added to a GitLab issue and then the security team gets tagged in the issue to go with you. Gotcha. So we can work with that, but just to go in and look at every result manually is hard for us. Totally. Okay. So that's what you need as a customer. Yes. That's what we need as a customer. And that's what our customers would want. Right. Right. It aligns. Gotcha. Okay. Super helpful. Thank you. Anything else, like, you folks recommend I should know about, or like, you know, to hide my complete ignorance?
So I'll be upfront. I'll be like, I'm not the expert in this room. I'm just excited by Mr. Robot. I'll defer to Kathy and Cindy. I'll be upfront about it. But I think this prepares me to have at least, like, you know, some understanding, and I think I'll be able to, like, moderate a good discussion. So I'm really grateful for all this effort. Yeah. So I would just recommend, if you're moderating, a really good question to ask is always, what are the top one or two challenges that you face as head of security, right? Because that's got to be, for most people, it's going to be, I'm worried about a breach, or I'm worried about, you know, that we have all these vulnerabilities in our applications that we don't know about. That's what most people are worried about. So that is a great lead in for you to talk about AppSec, about zero trust. Right. That's a great idea. Yeah. The panelists have a security, like, offering, but I'll turn it on them and kind of be like, what are your security concerns? That makes a lot of sense. Okay. Got it. Cool. All right. Well, thank you so much, Kathy. I appreciate it. We're setting this up, Cindy. Also appreciate it. And I'll talk to you guys later. Bye. All right.