Live from Las Vegas, it's theCUBE, covering AWS re:Invent 2017, presented by AWS, Intel, and our ecosystem of partners.

Welcome back to AWS re:Invent 2017. I'm Lisa Martin with theCUBE, on our day two of continuing coverage of this event that has attracted 44,000 people. Keith Townsend is my co-host, and we're very excited to welcome to theCUBE family Simon West, the CMO of Cyxtera. Welcome, Simon.

Thank you, great to be here.

So Cyxtera, a six-month-old company. Tell us about it. What do you guys do?

Sure, so as you said, we're just six months old. It feels a little longer than that now. We were born at the intersection of five simultaneous acquisitions. One part of that was the acquisition of 57 data centers and a global co-location business that was formerly owned and operated by CenturyLink. Into that we've added the security and analytics capabilities of four kind of modern startup software companies. And the vision is to provide a secure infrastructure solution, both within our data centers but, interestingly, even though I've got 57 data centers around the world, I want to be location agnostic. We recognize that today's enterprises are running multi-clouds, running hybrid environments. So we extend our security solutions on-prem and into public clouds, which is why we're here at AWS re:Invent.

Fantastic. One of the big challenges with hybrid IT is the controls that exist at AWS; how do you guys help even that out?

Well, so you're exactly right. We would go so far as to just gently suggest that the core method by which we protect access to infrastructure and applications, which is still predicated on a physical perimeter, is just fundamentally flawed in a 2017 world where your applications are everywhere, your users are everywhere, connecting on myriad devices. You can't build a wall around that which doesn't exist. You've also, obviously, as you say, got that problem of heterogeneous platforms, each with their own method of control.
So our flagship product in that area is a product called AppGate SDP. SDP stands for Software-Defined Perimeter, which is an emerging specification born out of the US government's DISA, and now a number of companies are offering software-defined perimeter solutions. The basic premise that we hold is that security should be user-centric rather than IP-centric, right? A firewall is still predicated on granting access from one IP block to another IP block. A VPN may capture who's coming in, but once you're in, we give you basically unfettered access to flat corporate internal networks, and we track you as an IP address rather than as a user. So we think it should get more user-centric. The user should be at the center of our policy. We think it should be more like cloud in the way we run security. So rather than these hardware-based, static, central choke points, we think security should be real-time, it should be adaptive and intelligent, and it should be as agile as the cloud. You build cloud applications that are capable of spawning multiple copies of themselves, auto-scaling up and down, moving from availability zone to availability zone, yet our typical network security posture is still highly static. And when you have some of the high-profile attacks that we've seen over the last few months, our ability to change policy immediately when we recognize a problem, a particular operating system absent a particular service pack, is incredibly out of step with how agile the rest of our IT is. So, more like cloud in terms of the way it operates. And finally, we think, and so does the software-defined perimeter spec, that access needs to be thought of as conditional rather than just a yes or no. Whether Jim has access to sensitive financial systems should be dependent on what operating system Jim's using, whether Jim's on a coffee shop Wi-Fi network or on a trusted corporate network, the time of day, the day of week, our overall security posture.
So the way AppGate works is, when a user tries to access a system, the policy can ingest any one of these different conditional items. It can interrogate the device the user is using for the right software revisions. It can look at environmental variables. It can even look at internal business systems and check anything it can get to via an API. And only if those conditions are met will it provide access to a specific system. And then it can monitor that in real time. So if your context changes, you move from a trusted network to an untrusted network, we can alter access, we can prompt for a one-time multi-factor re-authentication, or take any other step the user wants. We offer that in cloud, on-premise, and integrated into our data centers to provide one central policy mechanism no matter what platform you're running on. And in the case of AWS, we integrate with features like security groups, like AMI machine tagging, so you can build policy natively out of those Amazon features as well.

So talk about that transition to this user-based approach. I would imagine that a user could migrate their legacy systems into one of your 56, 57 data centers. And then as they start to expand out to the cloud, they have to change their operating model; they may migrate their traditional big firewall into your data center. What does that migration process look like? Is that an application-by-application spec, network by network? How do I transition?

You know, it really varies. It feels a lot like, I'm an old cloud guy, so it feels a lot like cloud did in the late noughties, 2008, 2009. We think the software-defined perimeter is going to have that big an impact, a cloud-like impact, on network and application security, but the way in which organizations will choose to implement it is going to vary, right?
One of the things we did very early was to integrate AppGate as a service into the data centers. If you think about co-location environments, when you bring new gear into a data center, you rack it and stack it, and the very first thing you do after that is drag a VPN back to the corporate office so you can access it remotely, which we would respectfully suggest is not necessarily the best way to do it in 2017 out of the chute. So we've integrated AppGate, so organizations can just avail themselves of that as a service and instantly have a kind of easy on-ramp. One of the big areas we see, and we've seen with customers here at re:Invent, is customers who are moving workloads to cloud and want to make sure that they can have that same sense of fine-grained access control common to those on-prem and off-prem environments, whether that's an app migration or whether it's just an extension of an app into cloud environments. So it's kind of all over the place.

Sorry, Simon. What differentiates Cyxtera's approach to the software-defined perimeter from your competitors?

A couple of things. It's extremely robust in terms of, one, being able to run on multiple environments. So a native AWS version, versions that run natively in other public cloud environments, and obviously we think the ability to offer it deeply integrated into the data centers is important. It's also capable of granting access to more than just web applications. You've got some solutions out there that are really web proxies and that are built for SaaS apps and born-on-the-cloud apps. This is more of a fundamental network platform by which you can get access to any system or application you choose. And finally, we've introduced the concept of what we call scriptable entitlements, which is the ability to interrogate third-party systems via API and bring back those results as part of building policy. An example there is we've got service provider customers who are running large multi-tenant environments.
You then have a technical support organization who needs to support a huge environment of many thousands of servers, with multiple customers running in multiple VLANs. And typically the way you have to do that is a jump box in the middle, and then giving these technical support folks access to that entire backend management network, which is a security risk. With AppGate, you can actually integrate into a ticketing system. And when John in support asks for access to a customer database server, at runtime we can find out whether there's a trouble ticket open on that box assigned to that rep, and only then will we grant access. And we don't grant network-level access, we grant access to that specific application. We call it a segment of one: securing an encrypted connection between the user's device and the application or the applications they have access to, but to nothing else. Everything else on the network is literally dark. It can't be port scanned, it doesn't show up at all. So it's a much narrower sense of control, a much narrower sense of access. And again, it's dynamic. If that trouble ticket gets shut off, the access goes away automatically. So we think the integration into business systems is a critical piece of the puzzle and an area where I think we've innovated with AppGate.

So let's talk about security in depth. Obviously you guys are putting the software security program around the data center, what we would classify as the data center, which is kind of disappearing in a sense. And the edge, you talked about end user protection. Where do you guys pick up and drop off when it comes to MDM, mobile device management, which is much more important now with mobile, and then laptops, desktops, et cetera? And you mentioned third parties, pieces of data center equipment that are not in your data center, like a wind farm.

Sure, so you're right. We're absolutely moving to the edge.
I think we continue to think the data center will be as important as it ever was. The more cloud we have, the more data centers it needs to run in; the more public cloud we have, the more people want to move some of their machines that might have historically run on-prem to cloud data centers with low-latency direct connect to public cloud environments. If you look at our data center footprint with regard to the edge, we're not just in the major markets, although in major metropolitan markets I've got half a dozen data centers all linked together, but I'm also in markets dotted across the country. So I've got half a dozen in New York and New Jersey, half a dozen in DC, half a dozen in the Bay Area, but I'm also in Tampa, I'm in Columbus, Ohio, I'm in Dallas, I'm in Denver, and so that distribution becomes particularly important as more customers move data to the edge. From a security perspective, again, we think of that data center as the nexus of enterprise IT and the cloud. The data center is where our conversation about security in terms of access control starts. It is a physical security message of biometrics and ID checks and so forth, but there we think there's a missing piece of the puzzle. The principal point of ingress and egress into a data center today is not the front door or the back door of the loading dock, it's the massively clustered multi-carrier network core. So if you're not providing some level of access control in and out of the network, I'd offer you're not providing a truly secure infrastructure solution. So we start there. We're focused mainly at this point, with AppGate, on controlling the conversation between the user device and the systems and applications themselves.
One of our other acquisitions, a company called Catbird, has done some innovative work in terms of east-west segmentation in virtual environments, which is notoriously difficult otherwise to see, to stop the spread of how machines can talk to each other in large virtualized farms as well. And so it's the infrastructure where we principally focus.

Where are we, or maybe where are you guys, in this revolution of information security? Are we at the forefront of massive change? What is Cyxtera's view on that?

I think we're at the beginnings of a revolution that's about 20 years late. So if you can kind of carbon-date year zero of modern IT at around 1996, which is the advent of the internet as a commercial and consumer force, that was the revolution for enterprise IT. That was the moment that we had to move IT outside the four walls of the machine room on the corporate campus. Prior to that, the applications all ran on big beige boxes in one room, the users were largely tethered to them by smaller beige boxes in other rooms, and the notion of perimeter security worked. It was a valid construct. As soon as enterprises had to start thinking about an increasingly global user base, as soon as users started to connect from all over the place, the concept of this perimeter goes away. Over the last 20 years, you've seen revolution after revolution in the way in which we design, provision, deploy, manage, and operate our business applications, our development frameworks, and our infrastructure. We've revolutionized for availability, revolutionized for agility. We've turned IT into a real-time, API-driven motion, and we've revolutionized for scalability with platforms like AWS just industrializing this real-time IT on a global scale. And if you took a systems administrator from '96 and you showed him IT today, I think you'd have some explaining to do. If you took a security administrator from 1996 and showed him 2017, I think the construct would be familiar.
We're still hardware-driven in a software-defined world. We are still assuming that access is static, that it's never changing, that it's predicated on the users being someplace and the applications being another, and again, in a world of real-time IT, a world in which our underlying application footprint changes without any human intervention whatsoever. And I think you see with WannaCry, with NotPetya, with all of these attacks, the commonalities that they have in terms of the reason they were so devastating: one, they take advantage of lateral spread. They take advantage of riding unauthorized access into a corporate network where port scans show up tens of thousands of ports where you can rattle the handles, break the locks, and spread like wildfire. And two, in the case of something like WannaCry, days after we realized what the problem was, we were unable to simply alter access policy at the press of a button, as an institution, as an industry, or as an enterprise, until we could get things patched. We had to sit and wait and watch the fires continue to burn. So it's a question of security being insufficiently agile, insufficiently automated and adaptive, and insufficiently software-driven. We think that's just starting. I think on the SDP side, we've noticed in the last six months the conversation changing. We've noticed customers who now have SDP mandates internally who are seriously starting to evaluate these technologies.

Wow, it sounds like Cyxtera is at the beginning of being potentially a great leader in this security revolution. We wish you, Simon, and the entire company the best of luck. We thank you so much for joining us on theCUBE. And I look forward to hearing great things from you guys down the road.

Much appreciated, thank you both.

Absolutely. For my co-host, Keith Townsend, I'm Lisa Martin. You're watching theCUBE's continuous coverage of AWS re:Invent 2017. Stick around, guys. We'll be right back.