from downtown San Francisco. It's theCUBE, covering RSA North America 2018.
Welcome back everybody. Jeff Frick here with theCUBE. We're at RSA Conference 2018 in downtown San Francisco. 40,000 plus people. It's a really busy, busy, busy conference. Talking about security, enterprise security, and of course a big new and growing important theme is cloud and how does public cloud work within your security structure and your ecosystem, so we're excited to have an expert in the field who comes from that side. He's Tim Jefferson. He's a VP public cloud for Barracuda Networks. Tim, great to see you.
Yeah, thanks for having me.
Absolutely, so you worked for Amazon for a while, for AWS, so you've seen the security from that side. Now you're at Barracuda and you guys are introducing an interesting concept of public cloud firewall. What does that mean exactly?
Yeah, I think from my time at AWS one of my roles is working with all the global ISVs to help them re-architect their solution portfolio for public cloud. So got some interesting insight to a lot of the friction that enterprise customers had moving their data center security architectures into public cloud. And the biggest friction point tends to be around the architectures that firewalls are deployed. So they ended up creating, if you think about how our firewall was architected and created, it's really designed around data centers and tightly coupling all the traffic back into a centralized policy enforcement point that scales vertically. That ends up being kind of a real anti-pattern public cloud best practice where you want to build loosely coupled architectures that scale elastically. So just from feedback from customers, we've kind of re-architected our whole solution portfolio to embrace that.
And not only that, but looking at all the native services that the public cloud IaaS platforms, Amazon, Azure and Google provide and integrating those solutions to give customers the benefit of all the security telemetry you can get out of the native fabric combined with the compliance you get out of web application and next generation firewall.
So it's interesting. James Hamilton, one of my favorite people at AWS, used to have his Tuesday nights with James Hamilton at re:Invent, very cool. And what always impressed me every time James talks is just the massive scale that Amazon and the other public cloud vendors have at their disposal, whether it's for networking and running cables or security, et cetera. So I mean, what is the best way for people to take advantage of that security but then why is there still a hole where there's a new opportunity for something like a cloud firewall?
I think the biggest thing for customers to embrace is that there's way more security telemetry available in the APIs that the public cloud providers do than in the data plane. So most traditional network security architects consider network packets the single source of truth. And a lot of the security architectures are really built around instrumenting in visibility into the data plane. So you can kind of crunch through that, but the reality is the management plane on AWS and Azure and GCP offer a tremendous amount of security telemetry. So it's really about learning on all those services are how you can use the instrument controls, mine that telemetry out and then combine it with control enforcement that the public cloud providers don't provide. So that kind of gives you the best of both worlds.
It's interesting. A lot of times we'll hear about a breach and it'll be someone who's on Amazon or another public cloud provider. And then you see, well, they just didn't have to care. They didn't have their settings in the right configuration, right?
It's usually really kind of security 101 things.
But the reality is just because it's a new sandbox, there's new rules, new services, you know, and engineers have to kind of, and the other interesting thing is that developers now own the infrastructure they're deploying on. So you don't have the traditional controls that maybe network security engineers or security professionals can build architectures to prevent that. A developer can inadvertently, you know, build an app, launch it, not really think about security vulnerabilities to put in. That's kind of what you see in the news. People kind of doing, you know, basic security misconfigurations, right? Some of these tools can pick up programmatically.
Now you guys just commissioned a survey about firewalls in the cloud. I wonder if you can share some of the high level outcomes of that survey, what did you guys find?
Yeah, it's similar to what we were chatting. It's just that, I think, you know, over 90% of enterprise customers acknowledge the fact that there's friction when they're deploying their data center security architectures, specifically network security tools, just because of the architectural friction. And the fact that it's really interesting, you know, a lot of those tools are really built because everything's tightly coupled into them, but in the public cloud, a lot of your policy enforcement comes from the native services. So for instance, your segmentation policy, the route tables actually get put when you're creating the networking environment. So the security tools, a network security tool, has to work in conjunction with those native services in order to build architectures that are truly compliant.
So is firewall even the right name anymore? Should I have a different name? Because really, we always think, all right, firewall was like a wall, and now it's really more kind of this layered, kind of risk management approach.
There's definitely a belief, you know, among especially the cloud security evangelists to make sure people don't think in terms of perimeter. You don't want to architect in something that's brittle and something that's meant to be truly elastic. I think there's kind of two, two, you know, the word firewall is expanding, right? So more and more customers now embracing web application firewalls because the applications are developing are, you know, port 80, 443, they're public facing web apps. And those have a unique set of protections into them. And then next generation firewalls still provide, you know, ingress, egress, policy management that the native platforms don't offer. So they're important tools for customers to use for compliance and policy enforcement. The key is just getting customers to understand thinking through specifically which controls they're trying to implement and then architect the solutions to embrace the public clouds they're playing in. So if they're in Azure and they need to think about making sure the tools they're choosing are architected specifically for the Azure environment, if they're using AWS, the same sort of thing. Both those companies have programs where they highlight vendors that have well architected their solutions for those environments. So Barracuda has, you know, two security companies this is Amazon Web Services. We are the first security vendor for Azure. So we are their partner of the year. So it's just, the key is just diving in and there's no silver bullet, just re-architecting the solutions to embrace the platforms they're deploying on.
What's the biggest surprise to the security people at the company when they start to deploy stuff on a public cloud? There's obviously things they think about but what do they usually get caught by surprise?
I think it's just the depth and breadth of the services. There's just so many of them and they overlap a little bit.
And the other key thing is, especially for network security professionals, a lot of the tools are made for software developers and they have APIs and their tooling is really built around software development tools. So if you're not a software developer it can be pretty intimidating to understand how to architect in the controls and especially to leverage all these native services which are all tied together. So it's just bridging those two worlds, software development and network security teams, and figuring out a way for them to collaborate and work together. And our advice to customers has been, we've seen some comical stories where there's battles between the two, those are always fun to talk about, but I think the best practice is around getting, instead of security teams saying no, I think everybody's trying to get culturally around how do I say yes? Now the burden can be back to the software development teams. The security teams can say, hey, here are the list of controls that I need you to cover in order for this app to go live, HIPAA or PCI, here are these compliance controls. You guys choose which tools and automation frameworks work as part of your CI/CD pipeline or your development pipeline and then I'll join your sprints and you guys can show incrementally how we're making progress to those compliance.
How early do they interject those, that data in kind of a pilot program that's on its way to a new production app? How early did the devs need to start baking that in?
I think it has to be from day zero because as you embrace and think through the service and the native services you're going to use depending on which cloud provider, each one of those has an ecosystem of other native services that can be plugged in and they all have overlapping security values, so it's kind of thinking through your security strategy and then you can be washed away by all the services and what they can and can't do, but if you just start from the beginning like what policies or compliance frameworks, what's our risk management posture and then architect back from that. Start from the end in mind and then work back, say hey, what's the best tool or services I can instrument in, and then it may be starting with less cloudy tools just because you can instrument in something you know and then as you build up more expertise depending on which cloud provider you're on you can sort of instrument in the native services that you get more comfortable with them, so it's kind of a journey.
But you got to start from the beginning, bake it in from the day zero. It's not a bolt-on anymore. All right Tim, last question, what are you looking forward to at RSA this week?
I'm very cloud biased so I'm always looking at the latest startups and how creative people are about rethinking how to deploy security controls and just kind of the story and the pulse around the friction with public cloud security and seeing that evolve.
All right, well I'm sure there'll be lots of them. It never fails to fascinate me the way that this valley keeps evolving and evolving and evolving. Whatever the next kind of big opportunity is. All right, he's Tim Jefferson. I'm Jeff Frick, thanks for stopping by. You're watching theCUBE. We're at RSAC 2018 in San Francisco. Thanks for watching.