from Union Square in downtown San Francisco. It's theCUBE, covering PagerDuty Summit 18. Now, here's Jeff Frick.

Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're at PagerDuty Summit at the Westin St. Francis, Union Square, San Francisco. We're excited to have our next guest. This guy likes to get into the weeds. We'll get some into the weeds, not too far in the weeds. Armon Dadgar, he's the co-founder and CTO of HashiCorp. Armon, great to see you.

Thanks so much for having me, Jeff.

Absolutely. So you're just coming off your session. So how did the session go? What did you guys cover?

It's super good. I mean, I think what we wanted to do was sort of take a broader look and not just talk too much just about monitoring. And so the talk was really about zero trust networking, the sort of the what, the how, the why.

Right, right. So that's a very important topic. Did Bitcoin come up or blockchain? Or were you able to do zero trust with no blockchain?

We were able to get through it with no blockchain. Thankfully, I suppose. But I think the kind of the gist of it when we talk about, you know, I think that the challenge is it's still sort of at that nascent point where people are like, okay, zero trust networking. I've heard of it. I don't really know what it is or like what mental category to put it in. So I think what we try to do was sort of not get too far in the weeds as you know I tend to do, but sort of start high level and say, what's the problem, right? And I think the problem is, we live in this world today of traditional flat networks where I have a castle and moat, right? I wrap my data center in four walls, all my traffic comes over a drawbridge and you're either on the outside and you're bad and untrusted or you're on the inside and you're good and you're trusted. And so what happens when a bad guy gets in, right? It's sort of this all or nothing model, right? But now we know the bad guys are going to get in, right?
It's only a function of time, right? And I think you see it with the Target breach, the Neiman Marcus breach, the Google breach, right? The list sort of goes on, right? It's like Equifax, right? It's a bad idea to assume they never get in.

To assume they get in. So then if you know the bad guys are going to get in, you got to bake that security in all different levels of your applications, your data all over the place. So what are some things you guys covered in the session?

So I think the core of it is really saying how do we get to a point where we don't trust our network? Where we assume the attacker will get on the network and then what? How do you design around that assumption, right? And what you really have to do is push identity everywhere, right? So every application has to say I'm a web server and I'm connecting to a database and is this allowed, right? Is a web server allowed to talk to the database? And that's really the crux of what Google calls BeyondCorp, what other people call sort of zero trust networking, is this idea of identity-based, where I'm saying it's not IP1 talking to IP2, it's web server talking to database.

Right, right, because then you've got all the rules and the rules and everything associated at that identity level.

Bingo, exactly, exactly. And I think what's made that very hard historically is when we say what do you have at the network? You have IPs and ports. So how do we get to a point where we know one thing as a web server and one thing as a database, right? And I think the crux of the challenge there, it's kind of three pieces, right? You need application identity. You have to say this is a web server, this is a database. You need to distribute certificates to them and say you get a certificate that says you're a web server, you get a certificate that says you're a database, and you have to enforce that access, right? So everyone can't just randomly talk to each other.

Right, well then what about context too, right?
'Cause context is another piece that maybe somebody takes advantage of and has access to the identity but is using it in a way or there's an interaction that's kind of atypical to what's expected behavior. It just doesn't make sense. So context really matters quite a bit as well.

You're super, super right. And I think this is where it gets into, not only are we doing it to assign identity to the applications, but how do we tie that back into sort of rich access controls of who's allowed to do what, audit trails of, okay it seems odd, this web server that never connects to this database, suddenly out of the blue doing so, why? Right, right. And do we need to react to it? Do we need to change the rule? Do we need to investigate what's going on? But you're right, it's like that context is important of what's expected versus what's unexpected.

Right. Then you have this other X factor called shared infrastructure and hybrid cloud and I've got apps running on AWS. I've got apps running at Google. I've got apps running at Microsoft. I've got apps running in the database. I've got some Dev here. I've got some prod here. That adds another little X factor to the zero trust.

Yeah, I think, I aptly heard it called once, we have a service mess on our hands, right?

Right, right.

We have this stuff so sort of sprawled everywhere now. How do we wrangle it? How do we get our hands around it? And so as much as I think service mess is a play, play on sort of the language, I think this is where that emerging category of service mesh does make sense. It's really looking at that and saying, okay, I'm going to have stuff in private cloud, public cloud, maybe multiple public cloud providers. How do I treat all of that in a uniform way? I want to know what's running where. I want to have rules around who can talk to who.

Right, right.

And that's a big focus for us with Consul in terms of how do we have a consistent way of knowing what's running where?
A consistent set of rules around who can talk to who and do it across all these hybrid environments, right?

But wait, don't buy it yet, there's more. Because now you've got all the APIs, right? So now you've got all this application integration, many of which are with cloud-based applications. So now you've got that complexity and you're pulling all these bits and connections from different infrastructures, different applications, some in-house, some outside. So how do you bring some organization to that?

No, that's a super good question. If you ever want to role change, take a look at our marketing department, you've got this down. I would say what it comes down to is heterogeneity is going to be fundamental, right? You're going to have folks that are going to operate different tools, different technologies for whatever reasons, right? Might it be historical choice, might it be just they have better relations with a particular vendor. So our view has been, how do you interop with all these things? Part of it is focused on open source, part of it is focused on API-driven, part of it is focused on sort of, you have to do API integrations with all these systems because you're never going to get sort of the end user to standardize everything on a single platform.

Right, right. It's funny, we were at a show talking about RPA, robotic process automation, and they treat those processes as employees in the fact that they give them identities. So they can manage them, you hire them, you turn them on, they work for you for a while and then you might want to turn them off after they're done or whatever doing them, that you put them in place for, but literally they were using, treating them as an employee, treating them as like an employee with that identity that they could have all the assigned rules and restrictions to then let the RPA do what it was supposed to do. It's like an interesting concept.
Yeah, and I think it mirrors, I think what we've seen in a lot of different spaces, which is what we were maybe managing before was the sort of very physical thing. Maybe it was like we called it Robot1234, or in the same way we might say this is server at IP1234 on our network. And so we're managing this really physical unit, whether it's an IP, a machine, a serial number, how do we tick up the level of abstraction and instead say, actually all of these machines, whether IP1, IP2, IP3, they're a web server. Whether it's Robot12 or 3, they're a door attach. And so now we start talking about identity and it gives us this more powerful abstraction to sort of talk about these underlying bits. And I think it sort of follows the history of everything, which was like how do we add new layers of abstraction to let us manage the complexity that we have.

Right, so it's interesting, right? And Ray Kurzweil's keynote earlier today, hopefully you saw that, he talked about basically exponential curves and that's really what we're facing. So the amount of data, the amount of complexity is only going to increase dramatically. We're trying to virtualize so much of this in abstracted a way, but then that adds a different layer of management. At the same time, you're going to have a lot more horsepower to work with on the compute side. Is it kind of like the old wind tunnel? I got a faster PC, it's getting eaten up by more windows. I mean, do you see the automation being able to keep up with kind of the increasing layers of abstraction?

Yeah, I mean, I think there's a grain of that. Are we losing, just because we're getting access to more resources, are we using it more efficiently? And I think there's some fairness, and with each layer of abstraction we're sort of introducing additional performance costs that sort of reduce it, but I think overall, what we might be doing is increasing the amount of compute tenfold, but adding a 5% additional management fee.
So it's still, I think it's still net net, we're able to do much more productive work, go to much bigger scale, but only if you have the right abstractions, right? And I think that's where this kind of stuff comes in is, okay, great, I'm going to have 10 times as many machines. How do I deal with the fact that my current security model barely works at my current scale? How do I go to 10x the scale? Or if I'm pointing and clicking to provision a machine, how does that work when I'm going to manage a thousand machines, right? You have to bring in additional tooling and automation and sort of think about it at the next higher level. I think that's all part of this process of adopting cloud and sort of getting that leverage.

It's so interesting, just the whole scale discussion is at the end of the day, right? Scale wins and there's a great interview with James Hamilton from AWS talking in his old, but he's talking about kind of scale and he talks about how many servers that were sold in this whatever calendar year it was, versus how many mobile phones were sold. And it's many orders of magnitude different and the fact that he's thinking in terms of these types of scale as opposed to, you know, which was a big number in the server sales side, but really the scale challenge introduced by these giant clouds and Facebook and the like really changed the game fundamentally and how do you manage these things?

Totally, totally. And I think that's been our view at HashiCorp is that when you talk about kind of the title shift of infrastructure from on-premise, relatively static VMware centric to AWS plus Azure plus Google plus VMware, it's not just a change of, okay, it's a one server here to one server there. It's not going from one server here to 50 servers that I'm changing at every other day rather than every other year, right? And so it's this sort of order of magnitude of scale, but also an order of magnitude in terms of sort of the rate of change as well.
And I think that puts downward pressure on how do I provision? How do I secure? How do I deploy applications? How do I secure all of this stuff, right? I think every layer of the infrastructure gets hit by this change.

Right, right. All right, so you're a smart guy. You're always looking forward. What are some of the things you're working on down the road that, you know, big challenges that you're looking forward to tackling?

Ooh, okay, that's fun. I mean, I think the biggest challenge is how do we get this stuff to be simpler for people to use? Because I think what we're going through is this, you get this sort of seesaw effect, right? Which is, okay, we're getting access to all this new hardware, all this new compute, all these new APIs, but it's not getting simpler, right? It's getting exponentially more complicated. And so I think part of it is, how do we go back to sort of looking at, what's the core of drivers here? It's like, okay, well, we want to make it easier for people to deliver and deploy their applications. Let's go back to sort of, in some sense, the driver said, how do we abstract all of these new goodies that we've been given, but make it consumable and easy to learn? Because otherwise, you know, what's the point? It's like, you know, here's a catalog of 50,000 things and no one knows how to use it.

Right, right, right. Yeah, it's funny. I'm waiting for that next abstraction for AWS instead of the big giant slide that Andy shows every year. It's just, I just want to plug in and have it figure out what connects on the back end. I can't even hardly read that stuff. Maybe AI will save us.

I hope so.

All right, Armon, well, thanks for taking a few minutes out of your day and sitting down with us.

My pleasure, thanks so much, Jeff.

All right, he's Armon, I'm Jeff. You're watching theCUBE. We're at PagerDuty Summit in downtown San Francisco. Thanks for watching.