 Live from San Francisco, it's theCUBE, covering Informatica World 2017, brought to you by Informatica. Okay, welcome back everyone. We are live in San Francisco for Informatica World 2017. This is theCUBE's exclusive coverage. Two days, we're on day two, meeting all the top executives, customers, Accenture, system integrators, all the best guests here at Informatica World, part of Informatica's three-year coverage with theCUBE. I'm John Furrier with Peter Burris. Our next guest is Bala Kamarassan, who's the Senior Vice President and General Manager of Data Security for Informatica, formerly in charge of engineering, been in R&D, super technical, knowledgeable. Thanks for spending the time to come on theCUBE. Appreciate it. Thank you. We have to ask you all the tough questions under the hood. What's in the engine of innovation? First question. The innovation engine for Informatica. What is it? Describe it quickly. So the innovation engine of Informatica is entirely metadata driven. It's a data-centric, metadata-driven engine. We call this concept Clare. It's AI-driven, and in a sense, in order for you to make better decisions, you really need to look at your metadata. You really need to, one of the most important things in security, which actually current traditional systems lag behind, is the lack of data-centricity and resulting in lack of accuracy. If you really want a highest time to value and the ability to respond quickly, you really need to be smart enough, not only out-of-the-box accuracy, but also, over a period of time, learn and look into the inputs that are specific to your ecosystem, specific to that particular environment, and be able to provide actionable insights, actionable, actionable without accuracy is basically disaster. One of the big drivers in today's market is some of the penalties around governance. So there's some, what's it called, GDPR? And in Europe, it's different than North America, but bottom line is if you're not, you get penalized. So there's a risk management piece of it, that's around the governance. But that's because you've been hacked, right? So let's talk about the security is fundamental to governance. They play hand in hand. What bet did you guys make on security, and what should people watching know about what Informatica's doing with respect to security, data security? I think, great, great point. I mean, general data protection regulation at Europe, that's a regulation that's actually going to go effective May, 2008, 2018. And it's going to be like 4% of your annual revenues are going to be the fines in case for every non-compliance and so on. So we believe that part of the problem that exists today, with or without GDPR. GDPR is today, tomorrow it could be something else, is that lack of visibility, lack of visibility. The entire traditional data security is all about perimeter. You secure the perimeter, and everybody inside the perimeter is trusted. I was just telling you, where trust begins, vulnerability seeps in. So you really need to trust and verify. And what are you protecting? You're really protecting data. So insights into the data is super critical. Our investment on security source is centered around that. Informatica, we are a data company. And insights into the data, how do you translate that into a security perspective? That is precisely what we have done. So what kind of data you have classified the data? And how is it being used? Where all it is present? Who the users are? Everything is changing. So data is the fundamental centroid for security. Because perimeter is gone, right? I mean, you got the cloud. I mean, I'm not gone, but it's not the fundamental. It becomes the primary citizen in a security regime. Yes, yes. Well said. Absolutely. And it doesn't matter where your data is. It could be in your relational databases. It could be in the cloud. It could be in your big data systems. It does not matter. It's all about data. So let me give a couple of examples as to the problems that exist today. Once you are inside the perimeter, and you are an authorized user, you pretty much are a trusted person. And then nobody is monitoring your behavior. Are you still the same person or somebody hacked into your account? Or did the person turn into, did his role shift? I mean, none of that is being, so basically two main things we are delivering part of our innovation. Role-based access control. It's not user identity-based access control. It is actually role-based access control. If your role is in an IT, versus if your role is in a development organization, you within a company could move, but your privileges actually should be based on the role. That's number one. The second thing is that, I mean, look, you have, let's say you have access to all the Salesforce because you're a Salesforce, you're actually part of our sales team. And your typical patterns are that you are looking at 10 records, 20 records a day, even though you have access to the million records, right? But the baseline and the behavior changes that actually indicate something. So this is part of trust and verify. You trust the person, but you also need to verify, keep up with the changes, and that's fundamental to the data-centric security. I want to amplify a piece of that and tell me if I'm doing so appropriately. Role-based security, I would actually ask, are we going to move to something that we might call context-based security? Where context is, what do you do? The role is part of what you do. So it says, what do you do? And who are you? And how are you doing it? And so that's number one. And number two is, and then how does this relate back to some of the metadata initiatives that you guys have, where increasingly some of the most crucial metadata will be the metadata that ultimately is used to put bounds on how the data gets employed? Let me answer that question in three different dimensions. Number one, yes, absolutely role is part of the context. It's not the entire context, but role is part of the context. And any protection and any access to the protected information needs to be role-based. Number two, the data context that we have in our product, where we go and catalog and classify all the data. That is very much used in prioritizing. For example, an alarm that goes on in a school, during the school hours, versus an alarm that goes on in a junkyard, they're both alarms. Today, most of the traditional security actually kind of categorized them as a similar, an alarm went off. But are they the same? No, they are not. So that's where the second level of the context. The third level of the context is, in terms of the real, basically the third level of the context is actually what do you need to be in compliance with? I mean, what kind of usage is allowed? What kind of, it's actually nothing to do with that particular usage itself. It has actually got to do with a whole bunch of other safeguards that you need to manage. And that's where our central policy management comes in the picture. So with these three contexts, the business context, the user context, and the category or the classification of the data, the data context, it is totally... All that has to be part of the security regime. Absolutely. And that's actually the metadata that we have which drives those accurate decisions, accurate decisions for prioritization, as well as detection and the right protection. So here's a question then. I mean, again, I'm going to test this on you. Historically, people have separated data, metadata, data security. In the future, how do we keep those separate? We have to start seeing how they come together, right? I think a fantastic, fantastic question. Our view is that data governance is about, governance actually has a slice across many dimensions. Absolutely. One of them is the data stewardship, the provenance and the quality of the data and so on. The other part is actually about the data security governance in terms of what kind of safeguards, the role-based access control, really what kind of risk that you're entitled to and how are you managing the risk? So that's our view. So all of this is... So when we look at metadata, the metadata is actually driving multiple decisions. One of them is quality, the other one is risk, the other one is protection. So we see this as a unifier bringing things together and Informatica is uniquely positioned with our axon, EIC, and security source products. In fact, one of the things that we are announcing in Informatica World is actually about our GDPR bundle because GDPR is actually as much about data governance as about privacy and also it is about policy-driven data protection. Well, privacy, policy inform the governance regime. Yeah. You can't separate it, it's not just about compliance. And I'll give you, I'm going to test one more thing on you. At some point in time, as we think about digital business and the idea that a digital business is defined more by its use of data assets, otherwise it's just a business, and we want to protect our data. We're also worried about how we share our data and how others share data with us. We want to make sure that we are not inappropriately exploiting somebody else's data because we don't want to create a billion-dollar business that fundamentally upon inspection was predicated on the misappropriation of somebody else's data. Absolutely. You are touching upon the consent and the consent control and what kind of validations we have in place to evaluate. You know, this may not be popular. What I'm going to say is not necessarily popular, right? I think it goes back to data ethics as well. I think companies consider customer data, partner data as their asset. And 20 years, 30 years of how that has been used, I think the realization is going to sink in. The realization is already sinking in with respect to the ethics, with respect to the process. But it's not their data. It's not their asset. The asset, what's sinking in is that it's not their data asset. It's not their data. They are, in fact, they are, in fact, obligated. They are, in fact, supposed to use that with care. They are, in fact, accountable for that data. So while regulations are starting to put those things in place, with GDPR being one, and then every other geography is going to come up with its own set of modifications similar to that, I think this is a fantastic opportunity for companies to go to that higher order and really start to think about this as why they are ethical. What is the ethics that they want to put in place? Above and beyond what the regulations talk about. And I think Informatica is uniquely positioned with our metadata-driven strategy, with our metadata-driven Clare engine, which is driving solutions across quality, governance, and security, as well as consent control, yeah. Well, let me make one more point on that. It comes back to this fundamental notion of your brand is the promise you're making to the marketplace. What you just described will have more impact on company brands in 10 years, probably even five years, than the characteristics of the products they sell very often. Absolutely. If I'm an investor, I'm thinking about reputation. Like, you know, what is the company's reputation? What kind of pull effect the reputation has towards expanding the business? And that is where the ethics actually is in higher order of existence, where people want to partner with you, people want to do business with you. And I think that's actually where we can be very helpful. I mean, the very intelligent solutions use them intelligently. It's interesting you bring up the ethics because I wanted to jump in on that because if digital transformation, if we believe that is happening, and of course everyone's talking about business transformation, which is the outcome of digital transformation, ethics transforms too, digitally. Digitally, yes. So where is, in your mind, the ethics with data? I mean, is there, I mean, there's articles of thought leadership around it, but is it actually in use to actually people have data ethics in your opinion? Is it something that's talked about but not walked your thoughts on that reaction to? I think it's an evolving concept. So far, companies have been taking advantage of the data and the evolving concept is going to catch on. It is actually catching on. Analysts are talking about it. And I think we are thinking about it. We are thinking, I mean, what we are building is actually going to help customers go there. But I want to also separate, and there is actually something that is a higher order existence versus what is really absolutely necessary and needed today. Policy-driven data protection while we are able to standardize the policies across the enterprise, across all your data silos, that is super critical to get the immediate problem resolved while we can start to build on, build on that success towards that ethics. There's just economies of scale. You can't just jump to data ethics and be ethical. You got to build your way up and have a trajectory and track record foundational. Here's what I'd say, John, and Bolly, tell me if you think I'm wrong, but you said it. Make sure you say, think he's wrong if he's wrong. Yeah, please do. Because I have been wrong in the past. You said something very interesting. You said, yeah, everybody's talking about data, or digital business, and that's just it. They're doing it, but they're not doing it planfully because we often don't understand exactly what it is. And the process of thinking through the ethics is crucial to informing that planful approach to thinking about digital business. At least that's my perspective. What do you think about that, Bala? I think the visibility, the visibility at the board level, the visibility at the senior execs level as to where you stand. What is your risk? What is your compliance scorecard? And do you have a plan in place where there is an informed remediation plan? Did we actually allocate sufficient budget? It's not about budget justification, it's actually about did you allocate budget for this risk? And also, do we have systems in place that are continuously assessing and reassessing to basically drive towards risk reduction and towards maintaining that compliance? Those are key. And I think that addresses what you're saying, and I think I agree with you. Well, so let's take this very practically. If you look at the industry, you see companies like Apple and Microsoft being very clear about how they're going to use their customers' data. Facebook. You see Facebook and Google being less clear about how they're going to use your data. We see Amazon right in the middle and people wondering which way they're going to go. This is a huge issue, not to talk about it's security level, but just overall business model. This is going to have an enormous impact on a global basis of how we think about digital business and the role that data's going to play in creating new shareholding. That's the value. So here's my take on this, love to get the reaction. If data's the new oil, data's the new gold, it's a new heartbeat, whatever metaphor you use. If it's the new gold, let's just say it's the gold. That's valuable. So the value will shift to whoever has the data. So someone's going to wake up and say, hey, wait a minute, that's my data. And I think you're starting to see that a little bit with Facebook certainly. Less Google, because the utility is pretty well integrated. But at some point, the utility value has to be greater than the value of the data gold, if you will, because otherwise, I will demand the data back. So I think this is the end user or the primary use of the data, the primary user of data. This is a very coarse view, but I wonder if Uber right now is wondering how they could have used data security different relative to the $200 million or whatever this lawsuit that Waymo's bought against them. So this issue of ethics and the role the data is going to play is going to have a more misimplication. I love that conversation on the ethics side. Yeah, I think actually, if you look at the way companies use data and then the way you laid out in terms of where different companies are, there is actually a spectrum of how you could position them. One is actually how they can help the consumer. That's something that we all love. And then there's actually an absolute exploitation. And then there is something in the middle. And ethics is actually not about exploitation. Ethics is actually about keeping people informed, letting them know exactly how they need transparency. There's always an underbelly everywhere. Well, you can have a bad ethics. You can have. All those bad actors out there. Okay, we got to wrap it up. I want to get one quick comment from Bala. Obviously, I can't help but jump to blockchain when I start thinking about security. Thoughts on blockchain, how is that going to be relevant? If any, obviously supply chain, you're seeing some indications there, blockchain as a potential mechanism. The blockchain technology is very compelling. It has the integrity. It's basically one of the things that I had always talked about with my team and in general for product development is that, look, security has always been in the past as an afterthought, as something that sits outside. And if you were to go back and design some of the systems that we built in the last 20, 25 years with so much emphasis on privacy and compliance and security and protecting breach, wouldn't security be built in part of the design? Part of the core part of the design, right? So very appealing from that point of view. The applicability of blockchains today is mostly around the transactional ledgers and basically transfer of value and so on. I think one of the, you know, it also has its, it also comes with certain baggage. The blockchain remembers everything, you know. But, so let me zero in on, I think everybody's trying to figure out how to actually apply blockchain beyond the traditional, beyond the ledger and so on. I think it's going to have a place. It's going to have a place in, we're already starting to see that some applications where short term contracts like, for example, you're doing a building contract, there is a supplier, there is actually a valuer, and it is a project. It exists for a temporary period and it goes away and all of the coordinating parties are coordinating with confidence. They are sharing and collaborating with confidence and blockchain actually gives it confidence because it has, you know, it's relevant but it's emerging, still not, it's early innings. It's relevant, it is emerging, we are very closely looking at it and I think we already have a play there where one of the main and most important things blockchain needs is a identity, is a unique identity. And if you look at some of our products, you know, customer 360, I mean, it's all about quality of customer data, data quality for customer data, right? There, perhaps there is a way for us to integrate with blockchain. The other place where we are already looking at is that, can we consume the information in the blockchain to enhance our metadata? Of course we can. So those are two low-hanging fruits and of course we'll keep it, you know, we will stay on top of it. We will have to get you down to our studio in Palo Alto, we'll do a whole segment on unpacking blockchain. I love blockchain, I think my personal belief is, yeah, there's some low-hanging fruit, little use cases, but if there's money to be had and reconfiguring parties working together. I have some crazy words on this actually, to be honest with you, right? Because, I mean. You're definitely coming to Palo Alto, we're going to go to where you are. Don't know, are you in a lot of time or, I mean, but you know. We're running out of time. Let's follow up, Bala. Great conversation, great fireside, just like a fireside chat, that was phenomenal. Thanks for sharing the data and the insight. We're live here in San Francisco for Informatica World 2017. More exclusive coverage from theCUBE. I'm John Furrier with Peter Burris. After this short break, stay with us.