Hey guys and girls, welcome back to Motor City. Lisa Martin here with John Furrier on theCUBE's third day of coverage of KubeCon CloudNativeCon North America. John, we've had some great conversations over the last two and a half days. We've been talking about identity and security management as a critical need for enterprises within the cloud native space. We're going to have another great conversation on that. We've got a great segment coming up from someone who's been in the industry a long time, expert running a great company. Now it's going to be one of those pieces that fits into what we call super cloud, others are calling cloud operating system, some are calling just cloud 2.0, 3.0. But there's definitely a major trend happening around how cloud is going next generation. We've been covering it, so this segment should be great. Let's unpack those trends. One of our alumni is back with us, Omri Gazitt, co-founder and CEO of Aserto. Omri, great to have you back on theCUBE.

Thank you, great to be here.

So identity moved to the cloud, access authorization did not. Talk to us about why you founded Aserto, what you guys are doing and how you're flipping that script.

Yeah, so back 15 years ago, I helped start Azure at Microsoft, one of the first few folks that really focused on enterprise services within the Azure family. And at the time I was working for the guy who ran all of Windows Server. And Active Directory, he called it the linchpin workload for the Windows Server franchise. Like big words, but what he meant was, we had 95% market share and all of these new SaaS applications like ServiceNow and Workday and Salesforce.com, they had to invent login and they had to invent access control. And so we were like, well, we're going to lose it unless we figure out how to replace Active Directory. And that's how Azure Active Directory was born. And the first thing that we had to do as an industry was fix identity, right?
So we worked on things like OAuth 2 and OpenID Connect and SAML and JWT as an industry. And now, 15 years later, no one has to go build login if you don't want to, right? You have companies like Auth0 and Okta and OneLogin, PingID that solve that problem, solve single sign-on on the web. But access control hasn't really moved forward at all in the last 15 years. And so my co-founder and I, who were both involved in the early beginnings of Azure Active Directory, wanted to go back to that problem. And that problem is even bigger than identity and it's far from solved.

Yeah, this is huge. I think self-service has been a developer thing that's everyone knows, developer productivity. We've all experienced click, sign in with your LinkedIn or Twitter or Google or Apple handle. So that's single sign-on, check. Now the security conversation kicks in. If you look at with this no perimeter in cloud, now you got multi-cloud or super-cloud on the horizon, you got all kinds of opportunities to innovate on the security paradigm. I think this is kind of where I'm hearing the most conversation around access control, as well as operationally eliminating a lot of potential problems. So there's one, clean up the siloed or fragmented access. And two, streamline for security. What's your reaction to that? Do you agree? And if not, where am I missing that?

Yeah, absolutely. If you look at the life of an IT pro, back in the 2000s, they had LDAP or Active Directory, they had one place to configure groups and they'd map users to groups and groups typically corresponded to roles and business applications and it was clunky, but life was pretty simple. And now they live in dozens or hundreds of different admin consoles. So misconfigurations are rampant and over-provisioning is a real problem.
If you look at zero trust and the principle of least privilege, all these applications have these coarse-grained permissions and so when you have a breach, and it's not a matter of if, it's a matter of when, you want to limit the blast radius of what happened and you can't do that unless you have fine-grained access control. So all those reasons together are forcing us as an industry to come to terms with the fact that we really need to revisit access control and bring it to the age of cloud.

You guys recently, just this week, I saw the blog on Topaz. Congratulations. Talk to us about what that is and some of the gaps that's going to help Aserto to fill for what's out there in the marketplace.

Yeah, so right now, there really isn't a way to go build fine-grained, policy-based, real-time access control based on open source, right? We have the Open Policy Agent, which is a great decision engine but really optimized for infrastructure scenarios like Kubernetes admission control. And then on the other hand, you have this new generation of access control ideas, this model called relationship-based access control that was popularized by Google's Zanzibar system. So Zanzibar is how they do access control for Google Docs and Google Drive. If you've ever kind of looked at a Google Doc and you're a viewer or an owner or a commenter, Zanzibar is the system behind it. And so what we've done is we've married these two things together. We have a policy-based system, OPA-based system, and at the same time, we've brought together a directory, an embedded directory in Topaz that allows you to answer questions like, does this user have this permission on this object? And bringing it all together, making it open source is a real game changer from our perspective.

Real game changer, that's good to hear. What are some of the key use cases that it's going to help your customers address?
So a lot of our customers really like the idea of policy-based access management, but they don't know how to bring data to that decision engine. And so we basically have a very opinionated way of how to model that data. So you import data out of your identity providers. So you connect us to Okta or Auth0 or Azure Active Directory. And so now you have the user data. You can define groups, and then you can define your object hierarchy, your domain model. So let's say you have an applicant tracking system. You have nouns like job descriptions or candidates, and so you want to model these things and you want to be able to say who has access to the candidates for this job, for example. Those are the kinds of rules that people can express really easily in Topaz and in Aserto.

What are some of the challenges that are happening right now to solve, what are you looking at to solve? Is it complexity, sprawl, logic problems? What's the main problem set you guys see?

Yeah, so as organizations grow and they have more and more microservices, each one of these microservices does authorization differently. And so it's impossible to reason about the full surface area of permissions in your application. And more and more of these organizations are saying, you know what, we need a standard layer for this. So it's not just Google with Zanzibar, it's Intuit with AuthZ, it's Carta with their own AuthZ system, it's Netflix, it's Airbnb with Himeji. All of them are now talking about how they solve access control, extract it into its own service to basically manage complexity and regain agility. The other thing is all about time to market and TCO.

So how do you work with those services? Do you replace them, you unify them? What is the approach that you're taking?

So basically these organizations are saying, you know what, we want one access control service, we want all of our microservices to call that thing instead of having to roll out our own.
And so we give you the guts for that service, right? Topaz is basically the way that you're going to go implement an access control service without having to go build it the same way that large companies like Airbnb or Google or Carta have.

What's the competition look like for you guys? I'm not really seeing a lot of competition out there. Are there competitors? Are there different approaches? What makes you different?

Yeah, so I would say that, you know, the biggest competitor is Roll Your Own. So a lot of these companies that find us, they say we're sick and tired of investing two, three, four engineers, five engineers on this thing. You know, it's the gift that keeps on giving. We have to maintain this thing. And so we can use your solution at a fraction of the cost, a fifth, a tenth of what it would cost us to maintain it locally. There are others like Styra, for example. You know, they are in the space, but more on the infrastructure side. So they solve the problem of Kubernetes admission control or things like that.

So Roll Your Own, there's a couple of problems there. One is, do they get all the corner cases? Who built it? Are they still at the company?

Exactly.

It's heavy lifting, it's undifferentiated. You just got to check the box so it probably will be not optimized.

That's right. As Daniel says, only focus on the things that make your beer taste better. And access control is one of those things. It's part of your security, you know, posture. It's a critical thing to get right. But, you know, I want to work on access control, said no developer ever, right? So it's kind of like this boring, you know, like back office thing that you need to do. So we give you the mechanisms to be able to build it securely and robustly.

Do you have a customer story example that is one of your go-tos that really highlights how you're improving developer productivity?

Yeah, so we have a couple of them actually.
So there's the largest third party B2B marketplace in the US free-tail. Instead of building their own, they actually brought in Aserto. And what they wanted to do with Aserto was be the authorization layer for both their externally facing applications as well as their internal apps. So basically every one of their applications now hooks up to Aserto to do authorization. They define users and groups and roles and permissions in one place. And then every application can actually plug into that instead of having to roll out their own.

I like to switch gears if you don't mind. I want to get to, first of all, great update on the company and progress. I'd like to get your thoughts on the cloud computing market. I'll see your legendary position, Azure. I mean, look at the progress over the past few years. It's just been spectacular from Microsoft and you set the table there. Amazon Web Services still, you know, thundering away, even though earnings came out the market's kind of soft still. You see the cloud hyperscalers just continue to differing from software to chips.

Yep, across the board.

So the hyperscalers kicking ass, taking names, doing great, Microsoft right up there. What's the future? Because you now have the conversation where, okay, we're calling it super cloud, somebody calling it multi-cloud, somebody calling it distributed computing, whatever you want to call it, the old is now new again. It just looks different. As cloud becomes now the next computer industry, you got an operating system, you got applications, you got hardware. I mean, it's all kind of playing out just on a massive global scale, but you got regions. You got all kinds of connected systems, edge. What's your vision on how this plays out? Because things are starting to fall into place. WebAssembly, to me, just points to, you know, app servers are coming back. Middleware, Kubernetes, containers, VMs are going to still be there. So you got the progression. What's your take on this?
How would you share your thoughts to a friend or the industry, the audience of, what's going on? What's happening right now? What's going on?

Yeah, it's funny because, you know, I remember doing this quite a few years ago with you, probably in, you know, 2015, and we were talking about, back then we called it hybrid cloud, right? And it was a vision, but it is actually what's going on. It just took longer for it to get here, right? So back then, you know, the big debate was public cloud or private cloud. And, you know, back when we were, you know, talking about these ideas, you know, we said, well, you know, some applications will always stay on-prem and some applications will move to the cloud. I was just talking to a big bank and they basically said, look, our stated objective now is to move everything we can to the public cloud. And we still have a large private cloud investment that will never go away. And so now we have essentially this big operating system that can, you know, abstract all of this stuff. So we have developer platforms that can, you know, sit on top of all these different pieces of infrastructure and, you know, kind of based on policy, decide where these applications are going to be scheduled. So, you know, the operating system-

Schedule, something like an operating system function.

Exactly. I mean, like we now, we used to have schedulers for one CPU or, you know, one box. Then we had schedulers for, you know, kind of like a whole cluster. And now we have schedulers across the world.

My final question before we kind of get run out of time is, what's your thoughts on WebAssembly? Because that's getting a lot of hype here. Again, to kind of look at this next evolution, again, that's lighter weight, kind of feels like an app server kind of direction. What's your, what's your, it's hyped up now. What's your take on that?

Yeah, it's interesting. I mean, back, you know, what's, what's old is new again, right?
So, you know, I remember back in the late 90s, we got really excited about, you know, JVMs. And, you know, this notion of write once, run anywhere. And, you know, I would say that WebAssembly provides a pretty exciting, you know, window into that where you can take the, you know, sandboxing technology from the JavaScript world, from the browser essentially, and you can, you know, compile an application down to WebAssembly and have it really, really portable. So, you know, we see, for example, policies in our world, you know, with OPA, one of the hottest things is to take these policies and compile them to WebAssemblies so you can actually execute them at the edge, you know, wherever it is that you have a WebAssembly runtime. And so, you know, I was just talking to Scott over at Docker and, you know, they're excited about kind of bringing Docker packaging, OCI packaging to WebAssembly. So, we're going to see a convergence of all these technologies. Right now, they're kind of, each of them are in a silo, but, you know, like, we'll see a lot of the patterns, like, for example, OCI is going to become the packaging format for WebAssemblies, as it is becoming the packaging format for policies. So, we did the same thing. We basically said, you know what? We want these policies to be packaged to OCI assembly so you can sign them with Cosign and bring the entire ecosystem of tools to bear on OCI packages. So, convergence is, I think, what we're going to see in the future.

Yeah, and I love your attitude, too, because it's the open source community and the developers who are actually voting on the quote de facto standard, you know, if it doesn't work right, people know about it. It's actually a great new production system.

So, great momentum going on to the press release earlier this week, clearly filling the gaps there that you and your co-founder saw a long time ago. What's next for the Aserto business? Are you hiring? What's going on there?
Yeah, we are really excited about launching commercially at the end of this year. So, one of the things that we wanted to do that we had a promise around and we delivered on our promise was open sourcing our edge authorizer. That was a huge thing for us. And we've now completed, you know, pretty much all the big pieces for Aserto. And now it's time to commercially launch. We already have customers in production, you know, design partners. And, you know, next year is going to be the year to really drive commercialization.

All right, we will be watching this space. Omri, thank you so much for joining John and me on theCUBE. Great to have you back on the program.

Thank you so much. It was a pleasure.

Our pleasure as well. For our guest and John Furrier, I'm Lisa Martin. You're watching theCUBE live on the show floor of KubeCon CloudNativeCon 22. This is day three of our coverage. We will be back with more coverage after a short break. See you back.