Hello, and welcome to theCUBE Conversations here in Palo Alto, California in theCUBE Studios. I'm John Furrier, the co-host of theCUBE and co-founder of SiliconANGLE Media. Junaid Islam is the president and CTO of Vidder. Supports the public sector as well as the defense community as well as other perimeter-less oriented security paradigms expert in the field. Also part of a company, Vidder, that's doing a lot of work in the area. Thanks for sharing your time here with us.
Well, thanks for having me.
We had a segment earlier on cyber security in the government, so that was phenomenal. But also, we talked about the impact of hacking on business. So the number one issue on the boardroom agenda is security. Data security, it's all, it's a big data problem. It's an AI opportunity. Some things that are out coming out. It's embryonic, it's an early shift. Security is a challenge. The old model of a firewall, a moat, doors, access you get in, then you're done. It's over, it's a perimeter-less world. People can get access to these networks. Security is screwed right now. Everyone kind of generally feels that. So the question for you is, in the enterprise and in businesses who are looking to shore up security, is it a do-over?
Yeah, yeah. I think, like other industries, whether you talk about the PPS. Yes, yes. Yes, yes. It's a do-over. Or you talk about computers shifting to the data center and then the cloud. I think, you know, last year, or I think this year, Gartner said 100 billion will be spent on security. I cannot believe anybody who is involved in that $100 billion expenditure is happy. In fact, we have something interesting. Security expenditure has risen consistently over the past five or six years. And cyber attacks have also risen consistently. So that's not the kind of correlation you want.
Yeah, they're buying anything that moves, basically, they're desperate. So it seems like they're like drunken sailors, just like, give me something.
They're like thirsty for a solution. So they're groping for something.
Yeah. What we're seeing is a couple of things. One is the attackers have gotten much more sophisticated and they basically can bypass all of the existing security appliances. So what we need is a new approach or a new security stack that really fits both the architectural environment of American companies where they use clouds and data centers and they have employees and contractors, but also cyber attacks, which have gotten much more sophisticated. And the classic cyber attack used to be connecting to the server remotely or stealing a password. We still have the classics, but we have some new ones where we have malware that can actually like go from the user's device to inside the network. And you find that existing security products just don't work well in this environment. And so it's-
So what is something to do-over ideas? I mean, obviously malware, we see it ransomware, super hot, the HBO example recently, they didn't give in, who knows what they actually did. They weren't public about it, but I'm sure they did maybe give a little bit in, but these are organized businesses, right? I mean, they're targeting when the Sony hacks well documented. But again, businesses have not always funded this. And then you get to move to the clouds, a couple of dynamics. Cloud computing, Amazon's done extremely well. They're leading now, getting a lot more in the enterprise. They won the CIA deal a few years ago over IBM and you've seen a lot of GovCloud rocking and rolling. And then you've got the on-premise data center challenges. So that's kind of the situation of the customer. But then now you have potentially an understaffed security force.
Well, actually, so I think let's start with that point. And in terms of our theme of a do-over, talk about that first and let's talk about the technopark.
I think one do-over that America needs is security has to move out of the IT department and become a standalone department. Reporting ideally to the executive staff if not being on it. I think one of the unfortunate things is because security is a cost center within IT, it competes with other IT expenditures, such as new applications, which are revenue generating. It's very hard to be a cost center asking for money when there's a guy sitting next to you who's doing something to make money. But unfortunately, unless security is properly funded and staffed, it never happens. And this unfortunately is a chronic issue through all US companies. One of the things we've seen that has worked, for example, in the financial world is most financial institutions, probably all now security is a peer organization to IT and that helps a lot. This is actually not a new idea. This was something the intelligence community probably started 15 years ago.
I mean cost structures is just a cost structure. Reduce the cost, is the optimization behavior. What you're saying is just like applications are tied to top line revenue, which gives them power and mojo, you got to think of security as a money saving table stake. Because people are losing money. I mean, the costs are now becoming obvious. In some cases crippling.
Yeah, so I think people need to think of security as fundamental to the life of a company, number one. I think the other thing that needs to happen from a security perspective, now that we've broken off this entity, is that security needs to become threat based or risk based. Too much of security in the United States is based on compliance models. Unfortunately, cyber attackers do not follow that model when they want to attack us. They basically work outside the model and come up with creative ways to get inside of organization.
Basically blind side to the companies.
Yeah, so I can't tell you how many meetings, probably all, where I meet the security team and they're totally busy just going through this list of 20 or 50 things they're supposed to do. So when you talk about attack vectors, they say, you know, that's really great and I know it's important, but we can't get to it. So this is another important shift organizationally. First, break it out. Second, get focus on something that's important. Once we have that, we get to the next part, which is technologies. And right now, what happens is people buy a security point product for different networks. One for data center, one for cloud. And this doesn't work. So I think we have to move to security solutions that can work across hybrid environments and can also work across different roles. I think that is kind of critical. And unless we get that in technically.
Yeah, this is the dynamic with cloud and the data center. I want to bring this up. I had a multiple chance to sit down with Andy Jassy, the CEO of Amazon Web Services. Fantastic executive, built a great business there. What's on his mind and what's been important for him for many years has been security. And Amazon's done an amazing job with security. But that's in the cloud. Now Andy Jassy and Amazon thinks everyone should be in the public cloud. Now they have a deal with VMware, but they're just powering VMware's on-prem in their cloud. It's not really their VMware issue, but Amazon's world is everything's in the public cloud. But they've done really, really good on security. But yet most of the buyers would say, hey, the cloud is unsecure, I can't trust it. So you have the dynamic between the data center on-premise resource. So people kind of default to the behavior of, I'm leaving everything on-premise. Or I'm going to put a little bit in the cloud, a little bit of workloads here, a little bit in the Microsoft. Google's got some, I'll kick the tires on Google.
But they're never really leaving the home base of the data center. But yet some are arguing and Dave Vellante, my co-host on theCUBE talks with us all the time, there's actually more scale in the cloud, more data sharing going in the cloud. And that the cloud actually has got better security. So how do you see that resolving? Because this is a key architectural opportunity and challenge for enterprises.
So actually I think there's an optimal model. Which is if you think about what the data center gives you, it gives you a lot of visibility and physical control as in with your hands. The problem is when you put everything in the data center, you don't have enough people to manage it all properly. The cloud on the other hand gives you a lot of scale, but you can't actually touch the cloud. So the optimal mix is imagine your encryption and access control solutions live in your data center. But what they control access to is to cloud resources. So you can actually, if you just open your mind conceptually.
It's like segmenting a network, you're segmenting capability.
That's right. So now you don't need a gigantic data center because what's in your data center which can be a lot smaller now are things like your identity-based access management solution, you can keep your cryptographic elements, you can have your HSM, things that generate random numbers and such there. But now this is actually going to be very tiny. It could just be a rack of gear. But through that rack of gear, you can have very fine control of people accessing cloud resources. And I think this idea of building, it's not so much a hybrid network, but it's a notion that a small physically locked down asset can control a lot of virtual assets is gaining mind share in the banking world. In fact, just this summer, there was a bank that implemented such an architecture where the control elements for the cloud were in their FFIC data center and it basically managed access to Amazon VPCs and it worked well.
So interlocking is a strategy. I can see that playing, by the way, I see that playing out pretty well. So I got to ask the next question which kind of comes to mind as that sounds great on paper or actually in certain situations, it might be perfect. But what about the geopolitical landscape because Amazon has people that develop on the cloud that aren't US citizens. So the government might say, wait a minute, you got to only employ Americans or they got to carve out and do some whatever weird things with the numbers to get the certification. But they need data centers in Germany because the German government wants certain things. So you have geopolitical issues now on the companies. How does that affect security? Because now a cloud like Amazon or a multinational company has two things going on. I have multiple offices and I'm operating in multiple geopolitical landscapes with these regional centers. The regional clouds are at Amazon, they're called regions or zones.
So actually Amazon actually has done a great job. They basically have their global market but they also have data centers now which are only open to US persons and US companies like GovCloud as well as they support C2S which is the intelligence community's black cloud which is basically off-net. So I think now-
So they're doing a good job you think?
Yeah, they're doing a good job but the key thing is how you use that resource is really still up to the enterprise. And that's where enterprises have to get good at creating the architecture and policies to be able to harness Amazon's kind of compute capacity. Amazon can, it's kind of the foundation but you really have to finish off the solution and the other thing going back full circle to your first question, unless the security team has the freedom and the mandate to do that, they'll actually never get there.
So we kind of-
So staffing and architecture and both architectural issues is one's organizational architecture and funding and one is more of a hardcore virtual and physical touching and understanding.
Yeah, and you know what I'd put in the middle? I'd say know your risks and then develop countermeasures to them because if you go to that security team and you say you have to build a countermeasure for every attack, that's not going to work either. A company has to be realistic is what is really important? Maybe it's the data of our customers.
So the answer to the first question then obviously is yes, a security do-over is needed but there's no silver bullet. You can't buy an application. It's an architectural framework holistically that everyone has to do. Okay, cool. So the question I have on the Amazon I want to get your thoughts on this because the debate we have all the time on theCUBE is and certainly Amazon has competitors that say, oh, Amazon's really not winning in the enterprise. They've got thousands of enterprise customers. They are winning in the enterprise. So, you know, Oracle's catching up barely in fourth place but you know, trying to get there and they're actually making that transformation looking pretty good. We'll have more analysis on that Oracle OpenWorld but Amazon has won great cloud, GovCloud deals. So they've kind of convinced the government that they could do it. So to me, that's my argument is if the government's winning with Amazon that should be a no brainer for the enterprises. So this comes back down to the number one question that's been, quote, holding back cloud growth. Whoa, security, I don't want to put it in the cloud. How real is that objection now? Because, you know, the nature of reaction is, you know what, I got it on prem. I don't trust the cloud, but it seems like the cloud is getting more trust. What's your thoughts on that objection?
Yeah, actually, so one of the things is even though we use the word cloud kind of generically or Amazon generically, Amazon has evolved a lot in the last three to four years that I've been working on it. The number of embedded tools in Amazon is vast now. I mean, if we were having this conversation two years ago the notion that granular encryption modules would be there in Amazon as a part of an offering, it would have been science fiction. Or the fact that-
More than S3 and EC2, what else could they do?
That's right, or they have things like VirtualHSM, they have embedded identity access control tools all there. So I think, first of all, all of the building blocks that you would want are there. Now, unfortunately, there's no shortcut. Amazon isn't going to do the work for you. You still need a staff that knows how to use digital certificates. You still need your own identity based access control system to manage access of your employees and contractors and people in India to these assets in the cloud. But having said that, we now actually have a model that is much cheaper than the classic data center model. That's basically usable.
I mean, I'm smirking because some people think I'm an Amazon Web Services fanboy, but besides the fact that I love the company that they've done well, they've added so many new services and they've literally been skating rings around the competition. If you look at the complexity that they've been dealing with and the innovation, so I'll just put that out there and a little bit biased because I think they're doing a great job, but now the game starts to shift as Amazon continues to add more services, welcome to the big leagues called the enterprise and government which they're doing some business in now. So the question is, besides Amazon, there's other guys. Verizon, the telcos have been really kind of trying to figure out what to do with over the top for years.
Now they're also powering a lot of multi-tenant workloads as well, including their own stuff. So telcos and service providers out there, what are they doing? Because they're still critical infrastructure around the world.
So actually, I think if we just use Amazon as a reference point or example, Amazon initially didn't worry about security but then over the last few years worked hard to integrate security into their offering. We're now in the early stages of seeing that from, for example, carriers like Verizon, where in the past Verizon was saying first, secure it yourself, then in the last two years, Verizon said, okay, here's some products and services you can buy, but now where we're heading is what they're trying to make the network inherently secure. A lot of the basic components like device matching to identity matching, basically, making that a part of the underlying fabric. So I think the good news is, as a bleak-
So they're making advances there. Well, they have networks, they know networking.
Yeah, so the good news is as bleak as this all seems is we are making significant progress as an industry and as a country, having said that my only kind of warning is you still need an executive team, a security team that knows how to leverage all of these components and pull them together. And that goes back to having a risk-based approach and protecting the most important things. And I think if you can do that, I think the tool set that's come out now is actually pretty sophisticated.
So final question, I want to get your thoughts and then we can end the segment and then we'll talk a little bit about Vidder and your company. But I asked Pat Gelsinger, CEO of VMware at VMworld just recently about the security do-over because Dave Vellante asked him years ago. He said, absolutely, it's going to be a do-over. So Pat Gelsinger is right again. The guy's like Nostradamus when it comes to tech trends. He's a wave guy from Intel, so he gets the waves.
But I asked him about that question again this year and I'll send the clip on Twitter, I'll put it out on Twitter, I'll make a link to it. He said that 5G is going to be the big kahuna of the next 30 years. And he thinks that 5G starts to get out, it's going to deliver a 10X number of antennas, 100X the bandwidth, new spectrum allocations, 100X new devices that are going to be connected as well, as you mentioned, we're a connected world. This brings up the edge of the network. He says, next 30 years is going to be massive build out. So okay, 5G's coming. Industrial IoT, IoT Internet of Things is happening. How is this going to change the security game because now you have networking and you see VMware doing NSX and Cisco's been trying to get into the enterprise, figuring out the virtualizations of network level. Everything comes back down to the network. Is that where the action is? Because it seems to me that the network guys have to figure this out and that seems to be the point of reference in terms of opportunity. Or is it a challenge? Or is it moving up the stack? How does all the networking changes happen?
So for IoT, we really need two things to happen. I think one is we actually don't have a security standard for IoT devices. And specifically the issue is malware. IoT devices and their software is made worldwide. And I think one of the biggest policy weaknesses we have right now is there's no minimum standard. This needs to be solved. Otherwise, we're in a lot of problem. But in parallel to that, there is a lot of technical development. One of the things that's happening in the networking world is for the past 20 years we were driven by what's called a network VPN or layer three VPN, it's your classic VPN that connects a device to a server. The problem with that is if you have malware on the device, it gets through.
So there's this new kind of VPN which is an application VPN or we call it a layer four, which is basically a software process in the device to a software process in a server. So that's kind of the new model which is...
So make the network as dumb as possible and go up the stack and attack it?
Yeah, well, not so much.
I am oversimplifying, the network guys are going to roll in the gap, are you?
I'm just going to use a different term. I was going to say make the...
The dumb pipes.
Make the network application aware so that it only lets applications get through not any kind of connection. But, so I think that is something happening.
Well, the networks have to be smarter.
Yeah, so...
That's to enable the smartness.
So smarter networks are happening and it's an area that I work in, it's very exciting.
And I mean to offend you by saying dumb network.
Yeah, but the application of it. So, but you know, to be clear though, that's just one piece of the puzzle. The other piece of the puzzle, which unfortunately is a little bit lacking, is there's no standards for IoT software today. And unless we have concepts like secure boot, that is the software can't be tampered with, I think unfortunately there's a bit of risk, but I'm hopeful that...
And then IoT for the folks watching that might not be in the inside baseball, it's a surface area problem. There's more points of attack vectors. So talk about the compliance thing.
Not only are there more attacks, by and large, IoT devices are made outside the United States. Physically they're made in China and a lot of the software comes from India and there's nothing wrong with that. But the global supply chain provides plenty of opportunities for cyber attackers to inject in their code. And this is something we need to watch very carefully. And then like I said...
So this is actually one of those weird derivative results of outsourcing. That American companies have realized that it's a problem. That drives it up, right?
Yeah, so it's something we need to watch carefully.
Okay, thanks for coming on theCUBE. We really appreciate you sharing your perspective. Talk about Vidder, you're the president and CTO, you guys are in the security business, obviously you're an expert with great color. We'll have you back on multiple times. We'd love to get your comment here as we follow all the security trends. We have a cyber connect conference with Centrify coming up in New York. We're covering GovCloud, AWS and all the other players out there. What's Vidder doing? What's the company do for products? How do you guys sell? Who's your customers? And what are the cool things you're doing?
We've developed an access control solution based on a new standard called software defined perimeter. And there's two things that are unique about it. First, with a name like technology like software defined perimeter, we work in the cloud and the data center. But more importantly, we're able to stop existing attacks and emerging attacks. So things like password theft, credential theft or server exploitation. We stop because we don't allow connections from unknown devices or people. But the other thing is say you're known and you connect to a server, we basically look inside your laptop and only allow the authorized process to connect to the server. So if there's malware on the device it can't actually make it through.
So it shuts down the malware.
That's right.
So they're trying to sneak through. You guys shut that down.
The malware, I mean we can stop the malware from getting on the device, but we can make sure it doesn't get to the other side.
So it doesn't cross pollinate. It just doesn't go viral.
That's right. So a lot of the stuff we do is very important. We work with a range of-
You have government obviously contracts. I'm sure you have that, can't talk about, but you do, right?
Yeah, we do a little bit of work with the government and we're just working with Verizon, which is publicly, where they wish to create services where malware actually can't go through the connection. So we're doing exciting stuff and we're-
Enterprise customers at all?
Yeah, yeah, we have banks.
People who are on high alert.
That's right.
You guys are the tier one.
That's right.
Where it's the houses are burning down, you're there.
So we do banks and we just started doing some work at a hospital where, again, it's HIPAA compliant and they need to make sure that data doesn't like leave the hospital.
So what's the number one thing that you guys have? Is ransomware something that you solve? What areas do you guys being called in? And what's the fire bell, if you will? They ring the bell. When do you come in? What's the thing, just in general?
Our number one reason for existing is stopping attacks on application servers or servers that hold data. That's kind of our focus. So if you have data or an application that someone is after, we will make sure that nobody gets to that data. In fact, we'll even make sure if there's a spy or insider attacker who comes into your organization, they'll only be able to do what they're allowed to do and won't be able to do anything else.
So on the Equifax news that was big, would you guys help there if they were a customer or was that just a different thing?
I know, we could have helped because one of the things that happened is they used a server exploit to basically propagate through their data center. So we probably wouldn't have done much on the initial exploit, but we would have kept it from going deeper into the system.
And they hid for four months and they were poking around so you would have detected that as well.
Yeah, and we certainly would have stopped all the poking around because we basically, you could think of us as an identity-based access control mechanism.
So based on your identity, you can only do very specific things. And in their case, they had the identity of a user. We wouldn't have let them do anything except maybe just go to one website.
Yeah, you would have shut them down.
That's right.
They should have been doing business with Vidder. Junaid, thank you for coming on theCUBE here for theCUBE Conversation. In Palo Alto, California, I'm John Furrier with theCUBE Conversation. Thanks for watching.