 Hello everyone, welcome back to theCUBE's presentation of the AWS startup showcase. This is season two, episode four of the ongoing series covering the exciting startups from the AWS ecosystem. Talk about cybersecurity. I'm your host, John Furrier, excited to have two great guests, Ed Kazmer, founder and CEO of Cloud Storage Security, back CUBE alumni and also James, John's an AVP of research and development, iPipeline here talking about cloud storage security, antivirus on S3. James, thanks for joining us today. Thank you, John. So the topic here is cloud security, storage security. Ed, we had a great CUBE conversation previously earlier in the month. Companies are modernizing their apps and migrating to cloud, that's fact. Everyone kind of knows that, been there, done that. Clouds have the infrastructure, they got the OS, they got protection, but the end of the day, the companies are responsible and they're on the hook for their own security of their data. And this is becoming more prominent now that you have hybrid cloud, cloud operations, cloud native applications. This is the core focus right now in the next five years. This is what everyone's talking about, architecture, how to build apps, workflows, team formation, everything's being refactored around this. Can you talk about how organizations are adjusting and how they view their data security in light of how applications are being built and specifically around the goodness of, say, S3? Yep, absolutely, thank you for that. So we've seen S3 grow 20,000% over the last 10 years and that's primarily because companies like James or Thive Pipeline are delivering solutions that are leveraging this object storage more and above the others. When we look at protection, we typically fall into a couple of categories. The first one is we have folks that are worried about the access of the data, how are they dealing with it? So they're looking at configuration aspects. But the big thing that we're seeing is that customers are blind to the fact that the data itself must also be protected and looked at. And so we find these customers who do come to the realization that it needs to happen, finding out like asking themselves, how do I solve for this? And so they need lightweight cloud native built solutions to deliver that. So what's the blind spot? You mentioned there's a blind spot, they're kind of blind to that. What specifically are you seeing? Well, so when we get into these conversations, the first thing that we see with customers is I need to predict how I access it. This is everyone's conversation. Who are my users? How do they get into my data? How am I controlling that policy? Am I making sure there's no East-West traffic there once I've blocked the North-South? But what we really find is that the data is the key packet of this whole process. It's what gets consumed by the downstream users, whether that's an employee, a customer, a partner. And so it's really the blind spot is the fact that we find most customers not looking at whether that data is safe to use. It's interesting, you know, when you talk about that, I think about like all the recent breaches and incidents they call them. They've really been around user configurations. S3 buckets not configured properly. And this brings up what you're saying is that the users and the customers have to be responsible for the configurations, the encryption, the malware aspect of it. Don't just hope that AWS has the magic to do it. Is that kind of what you're getting at here? Is that the similar? Am I correlating that properly? Absolutely, that's perfect. And we've seen it. We've had our own customers. Luckily, iPipeline's not one of them that have actually infected their end users because they weren't looking at the data. Yeah, and that's a huge issue. So James, let's get in. You're a customer partner. Talk about your relationship with these guys and what's it all about? Yeah. Well, iPipeline is building a digital ecosystem for life insurance and wealth management industries to enable the sale of life insurance to underinsured and uninsured Americans to make sure that they have the coverage that they need should something happen. And our solutions have been around for many years in a traditional data center type of an implementation. And we're in process now of migrating that to the cloud moving it to AWS in order to give our customers a better experience, better resiliency, better reliability. And with that, we have to change the way that we approach file storage and how we approach scanning for vulnerabilities in those files that might come to us via feeds from third parties or that are uploaded directly by end users that come to us from a source that we don't control. So it was really necessary for us to identify a solution that both solved for these vulnerability scanning needs as well as enabling us to leverage the capabilities that we get with other aspects of our move to the cloud and being able to automatically scale based on load and based on need to ensure that we get the performance that our customers are looking for. So tell me about your journey to the cloud, migrating to the cloud and how you're using S3. Specifically, what led you to determine the need for the cloud based AV solution? Yeah. So when we looked to begin moving our applications to the cloud, one of the one of the realizations that we had is that our approach to storing certain types of data was a bit archaic. We were storing binary files in a database which is not the most efficient way to do things. And we were scanning them with the traditional antivirus engines that would have been scaled in traditional ways. So as our need grew, we would need to spin up additional instances of those engines to keep up with load. And we wanted a solution that was cloud native and would allow us to scan more dynamically without having to manage the underlying details of how many engines do I need to have running for a particular load at a particular time and being able to scan dynamically and also being able to move that out of the application layer being able to scan those files behind the scenes. So just scanning when the file has been saved in S3, it allows us to scan and release the file once it's been deemed safe rather than blocking the user while they wait for that scan to take place. Awesome. Well, thanks for sharing that. I got to ask Ed and James same question next. It's how does all this factor into audits and self-compliance? Because when you start getting into this level of sophistication, I'm sure it probably impacts reporting, workflows, can you guys share the impact on that piece of it for the reporting? Yeah, I'll start with a comment and James will have more political things to say but we're seeing two things. One is you don't want to be the vendor whose name is in the news for infecting your customer base. So that's number one. So that you have to put something like this in place and figure that out. The second part is we do hear that under SOC2, under PCI, different aspects of it, there are scanning requirements on your data. Traditionally, we've looked at that as endpoint data and the data that you see in your on-prem world. It doesn't translate as directly to cloud data but it's certainly applicable. And if you want to achieve SOC2 or you want to achieve some of these other pieces you have to be scanning your data as well. James, what's your take as practitioner? You're living it. Yeah, that's exactly right. There are a number of audits that we go through where this is a question that comes up both from a SOC perspective as well as our individual customers who reach out and they want to know where we stand from a security perspective and a compliance perspective. And very often, this is a question of how are you ensuring that data that is uploaded into the application is safe and doesn't contain any vulnerabilities? James, you don't mind me asking. I have to kind of inquire because I can imagine that you have users on your system but also you have third parties, relationships. How does that impact this? What's the connection? That's a good question. We receive data from a number of different locations from our customers directly, from their users and from partners that we have as well as partners that our customers have. And as we ingest that data from an implementation perspective, the way we've approached this, there's minimal impact there in each one of those integrations because everything comes into the S3 bucket and is scanned before it is available for consumption or distribution. But this allows us to ensure that no matter where that data is coming from that we're able to verify that it is safe before we allow it into our systems or allow it to continue on to another third party whether that's our customer or somebody else. Yeah, I don't mean to get in the weeds there but it's one of those things where this is what people are experiencing right now. Ed, we talked with this before. It's not just siloed data anymore. It's interactive data, it's third party data from multiple sources. This is a scanning requirement. Agreed. I find it interesting too. I think James brings it up. We've had it in previous conversations that not all data is created equal. Data that comes from third parties that you're not in control of, you feel like you have to scan and other data that you may generate internally, you don't have to be as compelled to scan that, although it's a good idea. But it's, you can kind of, as long as you can sit through and determine which data is which and process it appropriately, then you're in good shape. Well, James, you're living the cloud security, storage security situation here. I got to ask you, if you zoom out and not get in the weeds and look at kind of the boardroom or the management conversation, tell me about how you guys view the data security problem. I mean, obviously it's important, right? So can you give us a level of, how important is for iPipeline and with your customers? And where does this S3 piece fit in? I mean, when you guys look at this holistically, for data security, what's the view? What's the conversation like? Yeah, well, data security is critical. As Ed mentioned a few minutes ago, you don't want to be the company that's in the, because some data was exposed. That's something that nobody has the appetite for. And so data security is first and foremost in everything that we do. And that's really where this solution came into play, making sure that we had not only a solution, but we had a solution that was the right fit for the technology that we're using. There are a number of options, some of them have been around for a while, but this is focused on S3, which we were using to store these documents that are coming from many different sources. And we have to take all the precautions we can to ensure that something that is malicious doesn't make its way into our ecosystem or into our customers' ecosystems through us. What's the primary use case that you see the value here with these guys? What's the aha moment that you had? With the cloud storage security specifically, it was really, it goes beyond the security aspects of being able to scan for vulnerable files, which is there are a number of options and they're one of those. But for us, the key was being able to scale dynamically without committing to a particular load, whether that's under committing or over committing, as we move our applications from a traditional data center type of installation to AWS, we anticipated a lot of growth over time and being able to scale up very dynamically, literally moving a slider within the admin console was key to us to be able to meet our customer's needs without overspending by building up something that was dramatically larger than we needed in our initial rollout. Not a bad testimonial there, Ed. I mean, this is really highlights the applications using S3 more in the file workflow for the application in real time. This is where you start to see the rise of ransomware, other issues and scale matters. Can you share your thoughts and reaction to what James just said? Yeah, I think it's critical. I mean, as the popularity of S3 has increased, so has the fact that it's an attack vector now and people are going after it, whether that's to plant bad malicious files, whether it's to replace code segments that are downloaded and used in other applications, it is a very critical piece. And when you look at scale and you look at the cloud native capability, there are lots of ways to solve it. You can dig a hole with a spoon, but a shovel works a lot better. And in this case, we take a simple example, like James, they did a weekend migration. So they've got new data coming in all the time, but we did a massive migration, 5,000 files a minute being ingested. And like he said, with a couple of clicks, scale up, process that over a sustained period of time and then scale back down. So I've said it before, I said it on the previous one, we don't want to get in the way of someone's workflow. We want to help them secure their data and do it in a timely fashion so that they can continue with their proper processing and their normal customer responses. Yeah, frictionless has to be key. I know you're in the marketplace with your antivirus for S3 on AWS, people can just download it. So people are interested to go check it out. James, I got to ask you, and maybe Ed can chime in over the top, but it seems so obvious, data, secure the data. Why isn't it so hard? Why isn't this so obvious? What's the problem? Why is it so difficult? Why are there so many different solutions? It just seems so obvious. You know, it got ransomware, you got injection of different malicious payloads. There's a ton of things going around around the data. Why is this so obvious? Why isn't it solved? Well, I think there have been solutions available for a long time that the challenge, the difficulty that I see is that it is a moving target as bad actors learn new vulnerabilities, new approaches and as new technology becomes available that opens additional attack vectors. That's the challenges keeping up on the changing world, including keeping up on the new ways that people are finding to exploit vulnerabilities. And you got sensitive data, iPipeline, you do a lot of insurance, wealth management, all kinds of sensitive data, super valuable. You know, it just brings me up, reminds me of the Sony hack Ed years ago, companies are responsible for their own militia. I mean, cybersecurity is no government help for sure. I mean, companies are on the hook, as we mentioned earlier at the top of this interview. This really is highlighted that IT departments and I have to evolve to large scale cloud, cloud native applications, automation, AI machine learning all built in to keep up at the scale, but also from a defense standpoint. I mean, James, you're out there, you're in the front lines, you got to defend yourself basically and you got to engineer it. 100% and just to go on top of what James was saying is, I think they're one of the big factors and we've seen this their skill shortages out there. There's also just a pure lack of understanding when we look at Amazon S3 or object storage in general, it's not an executable file system. So people sort of assume that, oh, I'm safe. It's not executable. So I'm not worried about it traversing my storage network and they also probably have the assumption that the cloud providers, Amazon is taking care of this form. And so it's this aha moment, like you mentioned earlier that you start to think, oh, it's not about where the data is sitting per se. It's about scanning it as close to the storage spot. So when it gets to the end user, it's safe and secure and you can't rely on the end users, the environment and system to be in place and up to date to handle it. So it's really that lack of understanding that drives some of these folks into this. But for a while, we'll walk into customers and they'll say the same thing you said, John, why haven't I been doing this for so long? And it's because they didn't understand that it was such a risk. That's where that blind spot comes in. James, it's just a final note on your environment. What's your goals for the next year? How's things going over there and your side? How do you look at the security posture? What's on your agenda for the next year? How are you guys looking at the next level? Yeah, well, our goal as it relates to this is to continue to move our existing applications over to AWS to run natively there, which includes moving more data into S3 and leveraging the cloud storage security solution to scan that and ensure that it's, that there are no vulnerabilities that are getting in. And then ingestion, is there like a bottlenecks, log jams? How do you guys see that scaling up? I mean, what's the strategy there more? Just add more as S3. Well, S3 itself scales automatically for us. And the cloud storage solution gives us a leverage to pull to do that. We've, as Ed mentioned, we ingested a large amount of data during our initial migration, which created a bottleneck for us as we were preparing to move our users over. We were able to make an adjustment in the admin console and spin up additional processes entirely behind the scenes and broke the log jam. So I don't see any immediate concerns there and being able to handle the load. You know, the term cloud native and, you know, hyperscale native, cloud native, one cloud, hybrid, all these things are native. We have antivirus native coming soon. And I mean, this is what we're, you're basically doing is making it native into the workflows, security native. I mean, soon there's going to be security clouds out there. We're starting to see the rise of these new solutions. Can you guys share any thoughts or vision around how you see the industry evolving and what's needed? What's working and what's needed? Ed, we'll start with you. What's your vision? So I think the notion of being able to look at and view the management plane and control that has been where we're at right now. That's what everyone seems to be doing and going after. I think the, there are niche plays coming up. Storage is one of them, but we're going to get to a point where storage is just a blanket term for where you put your stuff. I mean, it kind of already is that, but in AWS it's going to be less about S3, less about work docs, less about EBS. It's going to be just storage and you're going to need a solution that can span all of that to go along with where we're already at at the management plane. We're going to keep growing the data plane. James, what's your vision for what's needed in the industry? What's the gaps, what's working and where do you see things going? Yeah. Well, I think on the security front specifically, Ed's probably a little bit better equipped to speak to that than I am since that's his primary focus. But I see the need for just expanded solutions that are cloud native that fit nicely with the Amazon technologies, whether that comes from Amazon or other partners like cloud storage security to fill those gaps. We're focused on the financial services and insurance industries. That's our niche and we look to other partners like Ed to help be the experts in these areas. And so that's really what I'm looking for is the experts that we can partner with that are going to help fill those gaps as they come up and as they change in the future. Well, James, I really appreciate you coming on, sharing your story. Ed, I'll give you the final word. Put a quick, spend a minute to talk about the company. We know cloud storage security is an AWS partner with the security software competency and is one of, I think 16 partners listed in the competency and the data category. So take a minute to explain, you know, what's going on with the company where people can find more information, how they buy and consume the products. Put the plug in. Yeah, thank you for that. So we are a fast growing startup. We've been in business for two and a half years now. We have achieved our security competency, as John indicated, we're one of 16 data protection, security competent ISV vendors globally. And our goal is to expand and grow a platform that spans all storage types that you're going to be dealing with and answer basic questions. What do I have and where is it? Is it safe to use? And am I in proper control of it? Am I being alerted above it? You know, so we're building this storage security platform very laser focused on the storage aspect of it. And if people want to find out more information, you're more than welcome to go and try this off. We're out on Amazon Marketplace. That's basically where we do most of our transacting. So find it there, start a free trial, reach out to us directly from our website. We are happy to help you in any way that you need it, whether that's storage assessments, figuring out what data is important to you and how to protect it. All right, Ed, thank you so much. Ed Casper, founder and CEO of Cloud Storage Security and of course, James Johnson, AVP, Research Development, iPipeline customer. Gentlemen, thank you for sharing your story and featuring the company and the value proposition certainly needed. This is season two episode four. Thanks for joining us, appreciate it. Thanks, John. Okay, I'm John Furrier. That is a wrap for this segment of the cybersecurity season two episode four, the ongoing series covering the exciting steps from Amazon's ecosystem. Thanks for watching.