 Welcome to this special CUBE conversation. I'm John Furrier here in the CUBE's Palo Alto studio. We're here remotely with Nick Halsey, who's the CEO of Ocaro. Hot startup doing some amazing work in cloud, cloud data, cloud security policy governance as the intersection of cloud and data comes into a real stable operations. That's the number one problem. People are figuring out right now is how to make sure that data is addressable and also secure and can be highly governed. So Nick, great to see you. Thanks for coming on theCUBE. It's great to be here, John. Thank you. So you guys have a really hot company going on here. You guys are in an intersection, an interesting spot as the market kind of connects together as cloud is going full kind of, whatever, 3.0, 4.0. You got the edge of the network developing with 5G. You got space. You got more connection points. You have more data flowing around. And the enterprises and the customers are trying to figure out like, okay, how do I architect this thing? And oh, by the way, I got it like a lot of these compliance issues too. So this is kind of what you could do. Take a minute to explain what your company's doing. Yeah, I'm happy to do that, John. So we've introduced a new category of software that we call universal data authorization or UDA, which is really starting to gain some momentum in the market. And there are really two critical reasons why that's happening. People are really struggling with how do I enable my digital transformation, my cloud migration, while at the same time making sure that my data is secure and that I'm respecting the privacy of my customers and complying with all of these emerging regulations around data privacy like GDPR, CCPA, and that alphabet soup of regulations that we're all starting to become aware of. I want to ask about the market opportunity because one of the things we see in the cloud coverage, normal conversations are like, hey, modern applications are developing. You're starting to see cloud native. You're starting to see these new use cases. So you're starting to see new expectations from users and companies, which creates new experiences. And this is throwing off all kinds of new kinds of data approaches and a lot of people are scratching their head. And I feel like, do they slow it down? They speed it up. Do I get a hold of the compliance side first? Do I innovate? So there's like a real kind of conflict between the two. Yeah, there's a real tension in most organizations. They're trying to transform, be agile and use data to drive that transformation. But there's this explosion of the volume, velocity and variety of data. We've all heard about the three Bs. You'll say they're five Bs. It's really complicated. So you've got the people on the business side of the house and the chief data officer who want to enable many more uses of all of these great data assets. But of course you've got your security teams and your regulatory and compliance teams that want to make sure that they're doing that in the right way. And so you've got to build a zero trust infrastructure that allows you to be agile and be secure at the same time. And that's why you need universal data authorization because the old manual ways of trying to securely deliver data to people just don't scale in today's demanding environments. Well, I think that's a really awesome approach having horizontally scalable data like infrastructure would be a great benefit. Take me through what this means. I'd like to get you to define, if you don't mind, what is universal data authorization? What is the definition? What does that mean? Exactly. And people are like, I don't understand security. I do data security over here and privacy. Well, I do that over here. But the reality is you really need to have the right security platform in order to express your privacy policies, right? And so in the old days, we used to just build it into the database or we build it into the analytic tools. But now we have too much data in too many platforms in too many locations, being accessed by too many VI applications, AI, ML, data apps, and so you need to centralize the policy definition and policy enforcement so that it can be applied everywhere in the organization. And the example I like to give, John, is we are just like identity access management, right? Why do I need Okta or SailPoint or one of those tools? Can't I just log in individually to Salesforce or to GitHub or sure you can, but once you have 30 or 40 systems and thousands of users, it's impossible to manage your employee onboarding and offboarding policy in a safest, secure way. So you abstract it and then you centralize it and then you can manage and scale it. And that's the same thing you do with Okira. We do all of the security policy enforcement for all of your data platforms via all of your analytic tools. Anything from Tableau to Databricks to Snowflake, you name it, we support those environments. And then as we're applying the security, which says, oh, John has allowed access to this data in this format at this time, we can also make sure that the privacy is governed so that we only show the last four digits of your social security number or we obfuscate your home address. And we certainly don't show them your bank balance, right? So you need to enable the use of the data without violating the security and privacy rights that you need to enforce. But if you can do both, what our customers are doing at incredible scale, then you have sort of digital transformation nirvana resulting from that. Yeah, I love what you're saying about the scale pieces. That's huge. At AWS has reinforced virtual conference that they had to run because the event was canceled due to the Delta COVID surge. Stephen Schmidt gave a great keynote, I called it a masterclass, but he mainly focused on cybersecurity threats. But you're kind of bringing that same architectural thinking to the data privacy, data security piece. Because it's not so much that you're vulnerable for hacking, it's still a zero trust infrastructure for access and management, but- Well, you need security for many reasons. You do want to be able to protect external hacks. I mean, every week there's another T-Mobile, you name it. So that's, but 30% of data breaches are by internal, but trusted users who have rights, so what you needed to make sure is that you're managing those rights and that you're not creating long tales of data access privilege that can be abused, right? And you also need one of the great benefits of using a platform like Okara, is we have a centralized log of what everybody is doing and when, so I could see that you, John, tried to get into the salary database 37 times in the last hour, and maybe we don't want to let you do that. So we have really strong stakeholder constituencies in the security and regulatory side of the house because they can integrate us with Splunk and have a single pane of glass on weird things are happening in the network and people are trying to hit these secure databases. I can really do event correlation and analysis. I can see who's touching what PII when and whether it's authorized. So people start out by using us to do the enforcement, but then they get great value after they've been using us for a while, using that data, usage data to be able to better manage their environment. It's interesting. You bring up the compliance piece as a real added value and I wasn't trying to overlook it, but it brings up a good point, which is you have multiple benefits when you have a platform like this. So take me through like who's using the product? You must have a lot of customers kicking the tires and adopting it because architecturally it makes a lot of sense. Take me through a deployment of what it's like in the customer environment. How are they using it? What are some of the first mover types using this approach? And what are some of the benefits they might be realizing? Yeah, now as you would imagine, our early adopters have been primarily very large organizations that have massive amounts of data and they tend also to be in more regulated industries like financial services, biomedical research and pharmaceuticals, retail with tons of consumer information. Those are very important. So let me give an example. We work with one of the very largest global sports retailers in the world. I can't use their name publicly and we're managing all of their privacy rights management, GDPR, CCPA worldwide. It's a massive undertaking. Their warehouse is over 65 petabytes in AWS. They have many thousands of users and applications, right? On a typical day, an average day, Okira is processing and governing 6 trillion rows of data every single day. On Black Friday, it peaked over 10 trillion rows of data a day. So this is scale that most people really will never get to, but one of the benefits of our architecture is that we are designed to be elastically scalable to sort of we actually have a capability we call end scale because we can scale to the nth degree. We really can go as far as you need to in terms of that. And it lets them do extraordinary things in terms of merchandising and profitability and market basket analysis because their teams can work with that data. And even though it's governed and redacted and obfuscated to maintain the individuals, privacy rights, we still let them see the totality of the data and do the kind of analytics that drive the business. So large scale, big customer base at one scale. Obviously data is huge. What are some of the largest data lakes that you guys are working with? Because sometimes you hear people saying, are data lakes got zettabytes and petabytes of content? What are some of the, give us a taste of the order of magnitude of some of the size of the data lakes and environments that your customers were able to accomplish. I want to emphasize that this is really important no matter what size, because some of our customers are smaller tech savvy businesses that aren't necessarily processing huge volumes of data, but it's the way that they are using the data that drives the need for us. But having said that, we're working with one major financial regulator who has a data warehouse with over 200 petabytes of data that we are responsible for providing the governance for. And one thing about that kind of scale that's really important, when you want to have everybody in your organization using data at that scale, which people think of as democratizing your data, you can't just democratize the data. You also have to democratize the governance of the data, right? You can't centralize policy management in IT because then everybody who wants access to the data still has to go back to IT. So you have to make it really easy to write policy and you have to make it very easy to delegate policy management down to the departments, right? So I need to be able to say, this person in HR is going to manage these 50 data sets for those 200 people. And I'm going to delegate the responsibility to them, but I'm going to have centralized reporting and auditing so I can trust but verify, right? I can see everything they're doing and I can see how they are applying policy. And I also need to be able to set policy at the macro level, at the corporate level that they inherit. So I make just say, I don't care who you are, nobody gets to see anything but the last four digits of your social security number. And they can do further rules beyond that, but they can't change some of the master rules that you're creating. So you need to be able to do this at scale, but you need to be able to do it easily with a graphical policy builder that lets you see policy in plain English. Okay, so you're saying scale and then the smaller use cases are more refined or is it more sensitive data, regulated data or more just levels of granularity? Is that the use case? You know, I think there's two things that are really moving the market right now. So the move to remote work with COVID really changed everybody's ideas about how do you do security because you're no longer in a data center, you're no longer have a firewall. You know, the imaginary line of security has gone away, right? And so in a zero trust world, you know, you have to secure four endpoints, the data, the device, the user and the application. And so this pretty radical rethinking of security is causing everybody to think about this big, small or indifferent, you know, and like Gartner just came out with a study that said by 2025, 75% of all user data in the world is going to be governed by privacy policy. So literally everybody has to do this. And so we're seeing a lot more tech companies that manage data on behalf of other users, companies that use data as a commodity, they're transacting data, you really, really understand the needs for this. And you know, when you're doing data exchange between companies, that is really delicate process that has to be highly governed. Yeah, I love the security redo. We asked Pat Gelsinger many, many years ago when he was the CEO of VMware, what we thought about security and Dave Vellante, co-host of theCUBE said, is it a do-over? He said, absolutely it's a do-over. I think it was 2013. He was around that timeframe. It's kind of a do-over and you guys are hitting it. This is a key thing. Now he's actually the CEO of Intel and you know, he's still driving forward. Love Pat's vision on this early. But this brings up the question, okay, if it's a do-over and these new paradigms are existing and you guys are building a category, okay, it's a new thing. Okay, so I have to ask you, I'm sure the customers would say, hey, I already got that on another platform. So how do you address that? Because when you're new, you have to convince the customer. But this is a new thing. Like, I'll- Yeah, so look, if somebody is still running on Teradata and they have all their security in place and they have a single source of the truth and that's working for them, that's great. We see a lot of our adoption happening as people go on their cloud transformation journey because I'm lifting and shifting a lot of data up into the cloud. And I'm usually also starting to acquire data from other sources as I'm doing that, right? And I may be now streaming it in. So when I lift and shift the data, unfortunately all of the security infrastructure you built gets left behind. And so a lot of times that's the forcing function that gets people to realize that they have to make a change here as well. And we also find other characteristics, like people who are getting proactive in their data transformation initiatives, they'll often hire a CDO, they'll start to use modern data cataloging tools and identity access management tools, and when we see people adopting those things, we understand that they are on a journey that we can help them with. And so we partner very closely with the catalog vendors, with the identity access vendors, with many other parts of the data lake infrastructure because we're just part of the stack, right? But we are the last mile because we're the part of the stack that lets the user connect. Well, I think you guys are on a wave that's massive and I think it's still going to be bigger coming forward. Again, when you see categories being created, you're just at the beginning of a bigger wave. And I got to ask you because one of the things I've been really kind of harping on on theCUBE and pounding my fist on the table is these siloed approaches. And you're seeing them everywhere. I mean, even in the consumer world. LinkedIn's a silo, Facebook's a silo. So you have this siloed mentality, certainly in the enterprise, they're no stranger to silos. So if you want to be horizontally scalable with data, you got to have it free. You got to break the silos. Are we going to get there? Is this the beginning? Are we breaking down the silos, Nick? Or was this the time? Or what's your reaction to that? Yeah, I'll tell you something, John. I have spent 30 years in the data and analytics business and I've been fortunate enough to help launch many great BI companies like Tableau and Brio software Jasper Soft and Alpha Blocks we were talking about before the show. Every one of those companies would have been much more successful if they had Okara because everybody wanted to spread those tools across the organization for better, more agile business analytics, but they were always held back by the security problem. And this was before privacy rights were even a thing. So now with UDA and I think hand-in-hand with identity access management, you truly have the ability to deliver analytic value at scale. And that's key. You need simplicity at scale and that is what lets you let all parts of your organization be agile with data and use it to transform the business. I think we can do that now because if you run in the cloud, it's so easy. I can stand up things like Hadoop like Databricks, like Snowflake. I could never do that in my on-prem data center but I can literally press a button and have a very sophisticated data platform press a button, have Okara, have enforcement really almost any organization can now take advantage of what only the biggest and most sophisticated organizations use to be able to do. I think Snowflake's an example for all companies that you could essentially build in the shadows with the big clouds and build your own franchise if you nail the security and privacy and that value proposition of scale and good products. So I love this idea of security and privacy managed through a single platform. I'd love to get your final thought while I got you here on programmability because I'm seeing a lot of regulators and people in the privacy world putting down all these rules, you got GDPR and I want the rights to be forgotten and all these things. There's a trend towards programmability around extraction of data and managing data where just a simple query could be like, okay, I want to know what's going on with my privacy and we're a media company so we record a lot of data too and we got to comply with all these weird requests like, hey, on June 10th, can you take out my data? So that's programmatic. That's not a policy thing. It's not like a lawyer with some privacy policy that's got to be operationalized. So what's your reaction to that as this world starts to be programmable? Right, well, that's key to our design. So we're an API first approach. We are designed to be part of a very sophisticated mesh of technology and data. So it's extremely simple to just call us to get the information that you need or to express a policy on the fly that might be created because of the current, you know, state-based things that are going on. And that's very, very important. When you start to do real-time applications that require geofencing, you're doing 5G edge computing, it's a very dynamic environment and the policies need to change to reflect the conditions on the ground, so to speak. And so to be callable, programmable, embeddable, that is an absolutely critical approach to implementing UDA in the enterprise. Well, this is super exciting. I feel you guys are on, again, a bigger wave than it appears. I mean, security and privacy operating system, that's what you guys are. Oh, it sounds good. It is. It is what it is. Nick, great to chat with you. I thought it better. Love the category creation, love the mojo. And I think you guys are on the right track. I love this vision, merging data security policy together into one to get some enablement and some value creation for your customers and partners. Thanks for coming on theCUBE, I really appreciate it. Now it's my pleasure and I would just give one piece of advice to our listeners. You can use this everywhere in your organization, but don't start with that. Don't boil the ocean. Pick one use case like the right to be forgotten and let us help you implement that quickly so you can see the ROI and then we can go from there. Well, I think you're going to have a customer in theCUBE. We will be calling you. We need this. We've got a lot of digital events now with the pandemic, so a lot of data that we didn't have to deal with before, but thanks for coming on and sharing. Appreciate it. Okay, a hot start. My pleasure, John. Thank you so much. It's a great conversation. I'm John Furrier here in Palo Alto. Thanks for watching.