 Live from San Francisco, it's theCUBE. Covering Google Cloud Next 19, brought to you by Google Cloud and its ecosystem partners. Hey, welcome back everyone. This is the live CUBE coverage here in San Francisco for Google Cloud Next 19. I'm John Furrier with Dave Vellante, here on the ground floor. Day two of three days of wall-to-wall coverage. We've got two great guests here. We've got Karthik Lakshminarayanan, Product Management Director of Cloud Identity for Google and Kim Perrin, Chief Security Officer for Doctor On Demand. Guys, welcome to theCUBE. Appreciate you coming on. Great to be here. Thank you. So, honestly, we've been covering Google Cloud and Google for many, many years. And one of the things that jumps out at me, besides obviously the transformation for the enterprises, Google's always had great technology. And last year I did an interview and we learned a lot about what's going on, the chip level, with the devices. You got Chrome, browser, all these extensions, all these security features built into a lot of the edge devices that Google has. So, there's definitely a security DNA in there, in the Google world. But now when you start getting into cloud, access and permissions, yesterday in the keynote, Thomas Kurian and Jennifer Lin said, hey, let's focus on agility, not all this access stuff. This is kind of really where identity matters. Karthik, talk about what's going on with cloud identity. Where are we? What's the big news? Yeah, thank you. So, cloud identity is our solution to manage identity, devices and the whole access management for the cloud. And you must have heard of BeyondCorp and the whole zero trust model and access. One thing we know about the cloud is if you don't make the access simple and easy and at the same time you don't provide security, you can't get it right. So, you need security and you need that consumer level simplicity. Take a minute to explain BeyondCorp, this is important. 
Just take a minute to refresh for the folks that might not know some of the innovations there. Just starting. Awesome, yeah. So, traditional on-premises world, the security model was your corporate network, right? Your trust model was a corporate network. You invested a lot to keep the bad people out and get the right people on. And that made sense, your applications were on-premises, your data was on-premises. Now, with the internet being a new network, you work from anywhere, work is no longer a thing. You work from anywhere, work gets done, right? So, what does the new access model look like? That's what people have been struggling with. What Google came up with in 2011 is this model called BeyondCorp. It's a security access model where we rely on three things. Who you are as a user, authentication, the device identity and security posture, and last but not the least, the context of what are you trying to access and where are you trying to access from? So, these things together form how the security and access model, and this is all about identity, and this is BeyondCorp. And anyone who has a mobile device knows what two-factor authentication is, that's when you get a text message, that's just two-factor. MFA, multi-factor authentication, really is where the action is. And you mentioned three of them, but there's also other dimensions. This is where you guys are really taking it to the next level. Where are we with MFA and some of the advances around multi-factor authentication? Yeah, so I think a key thing we want to highlight is we are always about customer choice. We meet customers where they are. So, customers today have invested in things like one-time use passwords and things like that. So, we support all of that here in Cloud Identity, but a technology that we are super excited about is security keys. And it's built on the FIDO standard, and it's inserted just into your USB slot, if that makes sense. And we just announced here at Next. 
You can now use your Android phone as a security key. So, this basically means you don't have to enter any codes because all those codes you enter can be phished. And we have this thing at Google, and we talked about it last time. Since we rolled out security keys, no Google account has been changed. It's harder for the hackers, it was a really good job. Kim, let's get to reality, you've run a business, you've been involved in a lot of startups, you've been cloud-native with your company now. Talk about your environment, because at the end of the day, you're the chief security officer. The buck stops with you. You've got to figure this out. How are you dealing with all these threats at the same time trying to be innovative with your company? So, for clarity, so I've been there six years since the very beginning of the company, and we started the company with zero hardware, all cloud, and before there was the BeyondCorp, where there was, it was called deperimeterization. And that's effectively the posture we took from the very beginning. So, our users can go anywhere, and our, I always say, our corporate network is like your local coffee shop, you know, WiFi. Like, that's the way we view it. We want it to be just as secure there at the coffee shop, you know, like, we don't care. Like, we always have people assessing us, and they're looking at our corporate network saying, you know, where are your switches, that you're, you know, like, where is your hardware? Like, we want to come in and look at all, it's like, we don't have anything. There's no force to scan. It's like, we could just all go to the Starbucks and it'll be the same thing. So, that's part of it. And now, you know, when we started, like, we wanted to wrap a lot of our services into Google, but we had a problem with HIPAA compliance, so in the early days, Google didn't have, six years ago, in our early days, Google didn't have a lot of HIPAA compliant services. 
Now they do, now we're moving, we're trying to move everything we do almost into Google. That's not because we just love everything about Google. It's, for me, I have assessed Google security. Our team has assessed their security. We have contracts with them, and in healthcare, it's very hard to take on new vendors and say, hey, is their security okay? Are their contracts okay? It's like a months-long process, and then, even at the end of the day, you still have another vendor out there that's sharing your data. You're sharing your data with them, and it's precarious for me. It just, it doubles my threat landscape. When I go from Google to one more, it's like, if I put my data there, I'm okay with it. Yeah. So, you're saying multi-vendor the old way. Yes. Is actually a problematic situation for you both technically and what, operate time-wise, or both? It's problematic for me in terms of where we spread our data to. It just means that company, every hack against that company is brutal for us. And, you know, at the other side of the equation is, Google has really good pricing, comparatively. Yesterday, we were talking about BigQuery, for example, and they wanted to compare BigQuery to some other systems, and BigQuery is in GCP, and we looked at the other systems, and we couldn't find the pricing online, and Google's pricing was right there. It was completely transparent, easy to understand. Yeah. Security's been vetted. The security's been vetted. Exactly, exactly. Kim, can you explain, when you said that the multi-vendor creates problems for you? Yeah. Why is that? Is it not so much that one vendor is better than the other? It's different, it's different processes, or are there discernible differences in the quality of the security? There are definitely discernible differences in quality, for sure. Yeah. And then add to that the different processes, skill sets, is that right? Yes. Double click on that. Yeah. 
I mean, every vendor you deal with, there's always some, I mean, almost every vendor you deal with, there's always something that you're not perfectly okay with, and they're part of their security. There's something you don't totally like about it, and the more vendors you add, you have, okay, this person, they're not too good on their physical security at their data center, or they're not too good on their policies, they're not too good on their disaster recovery. Like, you always give a little bit somewhere, I hate to say it, but it's true. It's like, nobody's super perfect. So it's a multiplicative effect on the trade-offs that you have to make. Not that it's necessarily bad, but it's just not the way you want to do it, right? Correct. Okay. Well, it's time too, you got to get an SLA, you got to have meetings, you got to do some embedding. It's like going to the airport. It's like going to the airport, and taking your shoes off, and you got to get a good... And there's the other part, beyond the security, there's also downtime. Like, if they suffer downtime, how much is that going to impact our company? Right. Karthik, you talked about this new access model, it was three-layered. The who, authentication, that is the device trusted in the context. I want to understand how you balance the ratio between sort of false positives versus blocking. I think for authentication and device, it's pretty clear. If I can't authenticate you, or I don't trust this device, you're not getting in, but the context is interesting. Is that like a tap on the shoulder with when I'm looking at mail, like, hey, be careful, or how are you balancing that in the context realm? Yeah, I think it's all about customer choice. Again, customers have, when they look at their application footprint, they're making clear decisions on, hey, this is a payroll application, it is super sensitive. As an example, maybe a web-based meeting application, probably not as sensitive. 
So when they're making decisions about, hey, you have a managed device, I need a managed device in order for you to access the payroll application, but if you have, you're bringing your own device, I'm perfectly fine if you launch a meeting from that. So those are the levels that people are making decisions on today, and it's super easy to segment and classify your application. Talk about the people that are out there watching might say, hey, you know what, I've been really struggling with identity, I've had LDAP servers, I've got all this stuff out there, you name it, I've all kinds of access methods over the years, the perimeter's now gone, so I got to deal with the coffee shop kind of working experience and multiple devices, all these things are reality. I got to put a plan together. So the folks that are trying to figure this out, what's, you guys could both weigh in on an approach to take, or certain framework, what's, how does someone get the first few steps off towards good cloud identity? Sure, I wanted to go first. So I think in many ways that's what we've tried to simplify. It's one solution that we call cloud identity because in what people want is, I want that model, seems like a huge mountain in front of me, like how do I figure these things out? I'm hearing a lot of these terminologies. So I think the key is to just get started and we've given them lots of ways you can take the whole cloud identity solution back to Kim's point. It can be one license from us, that's it, and you're done. It's one unified UI, things like that. You can also, if you just want to run, say, three applications on GCP, we have something called Identity Aware Proxy. It's very fast to just load your apps, run them on GCP, and experience this BeyondCorp-style work. And this for a classic enterprise can work with this. Yeah, and you can run all your applications on GCP and you can, and now we're announcing some things that help you connect back with on-premise applications. 
That's a great way to get started. Kim, Karthik painted this picture of, okay, there's no perimeter, you can't just dig a moat, the queen wants to leave her castle, all the security, you know, metaphors that we use. I'm interested in how you're approaching response these days. Because you have to make trade-offs, because there are discernible differences with different vendors, make the assumption that people are going to get in. So response becomes increasingly important. What have you changed to respond more quickly? What is Google doing to help? Well, yeah, so in a model where we are using a lot of different vendors, we are having to, like they're not necessarily giving us response and detection. Google, every service we wrap into them automatically gets, effectively gets wrapped into our security dashboard. There's a couple of different dashboards we can use and we can do reporting. We do a tremendous amount of compliance, content compliance controls on our DLP out of email, out of drive, and there's detection. It's like we don't have to buy an extra tool for detection for every different type of service we have. It's just built into the Google platform, which is, it's phenomenal for us. So the detection's baked in. It's just baked in. We don't have to pay extra for it. In fact, I mean, we buy the enterprise license because it's completely worth it for us. You know, as soon as that came out, the enterprise part of it and all the extra tools, we were just immediately on that. Because the vault is a big thing for us as well. It's like not only the response, but how you dig through your assets to look for evidence of things. And like, if you have some sort of legal case, you need vault to, you know, make the proper data store for that stuff. It's prioritization too, is it not? Like figuring out, okay, which threats do I actually go after and step out? And I guess other automation. I mean, I don't know if you're automating your run book and things of that nature, but. 
Automation is our friend. It's a big friend for us, yeah. Karthik, on the product management side, what's the roadmap look like? Can you share any insight into what your priorities are? To go to the next level, obviously, the enterprise focus for Google Cloud is clear. Customers on stage, you guys have got a lot of integration points, from Chromebooks, G Suite, all the way down through, you know, BigQuery with AutoML, all the stuff's happening. What's on your plate for roadmap? What things are you innovating around? I mean, it's a BeyondCorp vision that we are continuing to roll out. So we've just rolled out this beta with G Suite access, for example, where all these conditions come in. We want to take that to GA. We're going to look, we're looking at extending that context of our framework with all the third-party applications that we have. We've announced this thing called BeyondCorp Devices API and the BeyondCorp Alliance, because we know it's not just Google security posture. Customers have made investments in other security companies. And we want to make sure all of that inter-operates really nicely. So you'll see a lot more of that coming out. Integration with other security platforms, certainly enterprises require that. They buy everything in the planet these days to protect themselves. Yeah, like there's another company, let's say that you're using for securing your devices, that sends a signal saying, I trust this device, it's secure, it's passing my checks. You want to make sure that that comes through. I know we got to go, but what's your boss's title, Kim? CEO. Okay, you report to the CEO. Yeah. Awesome. Good question, thank you. We've seen a lot of shifts in where security is usually IT. Now it's pretty much right strategic as core for the operations. With their own practices. So guys, thanks for coming on. Thanks for the insight. Thank you, thanks for the opportunity. What do you think of the show so far? What's the takeaway? 
Kim, I'll go to you first. What's your, what's the vibe of the show for you? It's a little tough for me because I have one of my senior security engineers here and he's been going to a lot of the events and he comes to me and just says, look at all this stuff that they have. Like, and we were just going over before this and was like, oh my God, we want to go back to our office and bake it all in right today. You know, if we could. So yeah, it's a little tough cause. Get in the candy store. Yeah, we love it. Cause again, it's like, it's we're already paying for it. It's like they're just adding on services that we wanted that we're going to pay for. And now it's. And Karthik, quickly just get the last word in. I know I was commenting on our opening this morning around how Google's got all, I mean, I've been following Google since really the beginning of the company. And I know for a fact it's a ton of big data, a ton of security all spread through the company. It's a matter of just kind of getting it. Yeah. Share some insight quickly about what's inside Google from a security asset standpoint, IP software. Absolutely. Security is built from the ground up. We've been saying that. And going back to your candy store analogy, it feels like we've always had this amazing candy, but now there's like a stampede to get it. And it's just built in from the ground up. I love the solution focus that you saw in the keynotes and all the sessions that's happening. Nice to have some connective tissue like Anthos, maybe the kind of all together. Yeah. And that's really nice. That's really nice. Yeah. Don't you like that? Thanks for coming on. I really appreciate it. Kim, thanks for coming on. It's a huge live coverage here on the ground floor. We're on the floor here. Day two of Google Cloud Next here in San Francisco. I'm John Furrier with Dave Vellante. Stay with us for more coverage after this short break.