From our studios, in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation.

Everyone, welcome to this special CUBE Conversation here at the Palo Alto CUBE Studios. I'm John Furrier, host of theCUBE. We're here with Moritz Mann, who's the head of the product management team at Open Systems AG. Great to see you again. Thanks for coming in.

Hey John, thanks for having me.

So last time we spoke, you had your event in Las Vegas, you guys are launching. You have a new headquarters here in Silicon Valley, opened up this past spring. Congratulations.

Thank you. Yeah, it's a great venue to start in and we set foot on the Silicon Valley grounds, so to make our way to Silicon Valley.

I know you've been super busy with the new building and rolling out and expanding heavily here in the Valley, but you guys are in the hottest area that we're covering. Security, cloud security, on-premise security, the combination of both has been the number one conversation pretty much in the cloud world right now. Obviously, besides the normal, cloud native, cloud IT, hybrid versus multi-cloud obviously that continues to be the discussion. I think there's no more debate around multi-cloud and hybrid. Public cloud's great, people are going to still keep their enterprises. But the security equation still is changing this new requirements. What's the latest that you guys are seeing with respect to security?

Yeah, so John, what we see is actually that a cloud adoption happens at different speeds. So you have usually the infrastructure as a service adoption, which happens in a quite controlled way because there's a lift and shift. You have your old data center, you take it and you transfer it into Azure, AWS or GCP. But then there's also uncontrolled adoption which is in the SaaS space.
And I think this is where a lot of data risk occurs, especially in the wake of GDPR and where we see that this adoption happens more in a sometimes controlled, but sometimes in a very uncontrolled way.

Explain the uncontrolled and controlled expansion of how security in multi-cloud and cloud is going because this is interesting. Controlled means this plans to do stuff. Uncontrolled means it's just by other forces. Explain uncontrolled versus controlled specifically.

Yeah, so controlled specifically means the IT team has a project plan and takes servers and workloads and moves them in a controlled fashion or in a dedicated project to the cloud. But what happened in the business world, the business IT is actually that users share content at any time with any device at any time and in all locations. So this is called the mobile enterprise and the cloud-first enterprise. So it means that the classical security perimeter and the controls in that are bypassed actually by the path of least resistance or the shortest path available.

And this is the classic case. People use Dropbox with some, you know, personal things, they're at home, they're at work, API-based software, that's what you're getting at in the uncontrolled way.

Exactly, yeah. And the issue with this is that the data that has been like contained in perimeters where you know as it sees it where your data is, this has been deployed to many edge devices, to many mobile devices and it gets shared in an uncontrolled way.

Well, I got a couple of talk tracks I'd like to drill down on that because I think this is the trend we're seeing. API is dominant and the perimeter on the infrastructure has gone away and it's only getting bigger and larger. You got IoT and IoT Edge and the networks are controlled and also owned by different people. So the packets are moving along, it's crazy. So that's the reality. First talk track is the security challenge.
What is the security challenge and how does a customer figure out what to do from an architectural standpoint when they're dealing with hybrid and multi-cloud?

So first of all, customers, or we see enterprises, need to rethink their infrastructure-centric view of the architecture. So the architecture that had been built around data centers needs to become hybrid and multi-cloud aware. So that means they need to define a new way of a perimeter which is in cloud, but also in the covering still the old, so to say legacy hybrid data center setup which has the data still in the old data center. And at the same time, they need to open up and become a cloud themselves, so to say, but still draw a perimeter around their data and their users and their applications and not so much anymore around the physical infrastructure.

So changing their view of what a security product is, is that really what you're getting at?

Yeah, so the issue is with the product point solution was that they fixed a certain part of a tactical issue. So if you take a firewall in itself, a firewall back then it was like an entry door to a big building. You could decide who comes out, who goes in. Now if the walls of the building are vanishing or are more more thick, you need to come up with a more integrated concept. So having these stacked appliance and stacked security solutions trying to work together and chain them doesn't work anymore. So we think and we see that.

Why is that? Why doesn't it work?

Because in the end, it's hard to operate them. Each of those point solutions have their own end of life. They have their own life cycle. They have their own APIs. They have their own TCO. So all that needs to be covered. And then there's a human aspect where you have the knowledge pools around those technologies. So as an enterprise, you have to continuously keep the very scarce security experts to maintain continuously depreciating assets running, right?
Yeah, and they weren't built for tying into a holistic gas border platform.

Yeah, what we see is that enterprises now realize we have data centers and it's now an accepted reality that you can abstract it with the cloud. So you don't own your own servers and buildings anymore. So you have an OPEX model to subscribe to cloud services. And we think that this has to happen to security too. So shift from CAPEX to OPEX and the same way also for operational matters.

Security as a service is a great business model. I want to ask you on that front, you mentioned mobile users. How do you secure the mobile users when they use cloud collaboration? Because this is really what users expect and they want. How do you secure it?

So we secure it by actually monitoring the data where it actually gravitates. And this is usually in the cloud. So we enforce the data that is in transit through proxies and gateways towards the cloud from the endpoint devices, but also then looking via APIs in the cloud themselves to look for threats, data leakage and also sandbox certain activities that happen there.

Or the next talk track I want to get into is the expansion to hybrid and multi-cloud. Something that you guys do from a product standpoint solution for your customers. But in general, this is an industry conversation as well. How do you look at this from a software standpoint? Because we've heard Pat Gelsinger at VMware talk about software-defined data center, SDN, everything's now software based. You talk about the perimeter goes away. You guys are kind of bringing up a different approach as a software perimeter. What is the challenge for expanding the multi-cloud and hybrid cloud?

So the challenge for an enterprise and customers we talked to is that they have to run their old business. Gartner once called it bimodal business.
And it's still adopting not one cloud, but we see in our surveys, and this is also what market research confirms is that customers end up with two to three cloud vendors. So there will be one or two platforms that will be primary to their major majority of applications in data gravity, but they will end up and become much more flexible with running AWS, their old data center, but also GCP and Azure or Alibaba Cloud, even side by side, right? To cover the different speeds at what their own enterprise runs at.

So I got to ask you about cloud native. It's one of the things that you're bringing up that just jumps in my head. I got to ask because this is what I see as a potential challenge. It might be a current challenge is when you have Kubernetes growing in such a rapid rate, you see the level of services coming online, much higher rate. So, okay, people, mobile users are using the Dropboxes, the Boxes and using all these API services, but that's just, those are apps. There's hundreds and thousands of microservices being stood up and torn down in there. You guys are taking, I think an approach of putting a perimeter, software perimeters around these kinds of things, but they get turned on and off. How do you know what's clean because it's all done automatically. So, this is becoming a challenge. So, is this what you guys mean when you say software perimeter that you guys can just put security around things at any time? Is that, explain this type of thing, because it's a big deal.

So, if you talk about the service mesh, so really meshing cloud native functions, I think it's still in a phase where it's, I would say, chaotic when you have specific projects that are being ramped up, ramped down. So we draw a perimeter in that specific context. So, let's say you have, you were ramping up a lot of cloud and function AWS. We can build a perimeter around this kind of containment and look especially for threats in the activity logs of the different companies containers.
But from a design perspective, this needs to be, we need to think ahead of the future because if you look at Microsoft and AWS strategy, those containers will eventually move also back to the edge. So, we are preparing that to support those models and also cover, bring these functions closer back again to the edge. And we call that not any longer the WAN edge, but it will become a cloud edge actually. So it's not an extension of the LAN that comes to the data. It's actually the data and the applications coming back to the user and much closer.

Yeah, I mean in that case you can define the on-premises environment as an edge big edge because this is all about moving workloads and data around. This is what the new normal is. So I go, okay, I got to ask you the next question which is okay, if that's true, that means that Kubernetes becomes a critical part of all those in containers. How do you guys play with that at all?

So we play with this by actually looking at data coming from that. At the moment we are looking at this from a data transit perspective, but we will further more integrate into their APIs and actually become part of the CI/CD process that will then actually become a security function in the proof and rolling out a canary to a certain service mesh. And we can say, well, this is safe or this is unsafe. This is I think the eventual goal to get there. But for now it's really about tracking the logs of each of those containers and actually having a perimeter and segmentation around the service mesh cloud.

I think you guys got a good thing going on when you talk about this new concept that's of software defined perimeter. You can almost map that to anything. Everything has its own little perimeter. Workload could be moving around, still it needs to be secure. So I got to ask you on the next talk track is this leads into hybrid cloud. This is the hottest topic.
Hybrid cloud to me is the same as multi-cloud, just kind of get together a little bit different, but hybrid cloud means you're operating both on premises and in the cloud. This is becoming a challenge. Most CISOs, Chief Information Security Officers, don't want to fork their teams and have multiple people coding different stacks. They don't want the vendor lock-in. And so you're seeing a lot of people pulling back on premises, building their own stacks, deploying in the cloud and having a seamless operation. What is your definition of hybrid? Where do you see hybrid going and how important is it to have a hybrid strategy?

So I think the key success factors of a hybrid strategy is that standardization is a big topic. So we think that a service platform to secure that, like the SD-WAN service platform we built, needs to be standardized on operational level, but also from a baseline security and detection level. And this means that if you run and create your own workloads on-prem, you need to have the same security and standard security and deployment standard for the cloud and have the seamless security perimeter and level of security, no matter where these deployments are. And the second factor of this is actually how to ensure a secure data transfer between those different workloads. And this is where SD-WAN comes into play, which acts as a fabric together with a WAN backbone where we connect all those pieces together in a secure fashion.

Moritz, it's great to have you on theCUBE and sharing your insight on the industry. Let's get into your company, Open Systems. You guys provide an integrated solution for DevOps and secure service and security platform. Take a minute to talk about the innovations that you guys are doing, because you guys talk a lot about CASB, talk a lot about integrated SD-WAN, but first define what CASB is for the audience that doesn't know what CASB is. It's an acronym CASB. It's kicked around all in the security conversation.
So if you're new to security, it's an acronym that you should pay attention to. So define CASB and talk about your solution.

CASB is in the abbreviation means cloud access security broker. So it's actually becoming this centralized orchestrator that allows and defines access based on a trust level. So saying, first of all, it's between networks saying I have a mobile workforce accessing SaaS or IaaS applications. CASB is in the middle to provide security and visibility about where is my data moving? Where do I have exposure of GDPR compliance or PCI or HIPAA risks and where is it exposed to? Which is a big deal. And it's kind of the lowest level to start with. But then it goes further by, we can use the CASB to actually pull in data that is about IaaS workloads and to identify data that's being addressed and stored. Are there any incidentally shared data artifacts that are actually critical to the business and are they shared with external resources? And then going one step further where we then have a complete zero trust access model where we say we know exactly who can talk to which application at any time and give access to. But as everything this needs to be embedded in an evolution. And the benefit ultimately goes to the SaaS applications to have security built in. That's the first thing that you need to tackle nowadays. It's get your SaaS cloud security or policy enforced but without disrupting service and business and to actually empower business and not to block and keep out the business. I keep the business.

And it's a classic application developer challenge which is they love to code, they love to build applications. And what cloud did with DevOps was abstracted away the infrastructure so that they didn't have to do all those configurations just to write apps. You guys are enabling that for security.

Exactly, yeah. So coming back to this multi-point product cloud which is not keeping up anymore with the current reality and needs of a business.
So we took the approach and compared DevOps with a great service platform. So we have engineers building the platform this integrated security service platform which provides SD-WAN, managed detection response and CASB services on the one platform which is tightly integrated. But in the customer focus that we provide them an OpEx model which is very predictable, very transparent in their security posture make that a scalable platform to operate and expand their business on.

And that's great, congratulations. I want to go back for the final point here to round up the interview. For the IT folks watching or the folks who have to implement multi-cloud and hybrid cloud. They're sitting there, it could be a cloud architect, it could be an IT operations or an IT pro. They think multi-cloud and hybrid cloud, this is the environment they have to get their arms around. How, what should they be thinking about around multi-cloud and hybrid cloud? What is, is it real? What's the reality now? What should they be considering for evaluation? What are some of the key things that that should be on their mind when they're dealing with hybrid cloud and all the opportunity around it?

So I think there are like four key pieces. One is they think they have to start to think strategic. So what is a platform and a partner that helps them to plan ahead for the next three to five years in a way that they can really focus on what their business needs are. This is the scalability aspect. The secondly, it's do we have a network and security architecture that allows me to grow confidently and go down different venues to actually adopt multi-clouds without worrying about the security implications behind it too much and to implement that. And third is have this baseline and have this standardized security posture around wherever the data is moving, being it mobiles, being it SaaS or being it on-prem and in-cloud workloads.
The fourth piece is again really thinking of where do I spend most of my time? Where do I create value by defining this framework so it really can create a benefit and value for the enterprise? Because if you do it not right, you're not right, you will end up with an architecture that will break the business and not accelerate it.

Moritz Mann, head of product at Open Systems here inside the Cube Studios. Great job, love your job, you got the keys. A lot of pressure. Security, being a product head of product for a security company is a lot of pressure. Before we wrap up, just give a quick plug for the company. You guys hiring, you guys have a new office space here in Redwood City, looks beautiful. Give a quick, share a quick plug for the company.

Yeah, so Open Systems is a great company to work with. We are expanding in the U.S. and also EMEA with all the workforce so we are hiring, so go on our website. We have a lot of open positions, exciting challenges in a growth oriented workspace. And yeah, as you said, security at the moment is one of the hottest areas to be in, especially with all the fundamental changes happening in the enterprise and architecture, IT landscape. So yeah.

And cloud security specifically, not just endpoint, the normal stuff that people used to cloud security as hot as could be right now. Thanks for coming on theCUBE, thanks for the insights. I'm John Furrier with theCUBE. We're here at Palo Alto with Moritz Mann who's the head of product management for Open Systems. Thanks for watching.