Hey everyone, welcome to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four, where we continue to talk with the AWS ecosystem partners. This topic: cybersecurity, protect and detect against threats. I'm your host, Lisa Martin. I've got a new guest with me. Ryan Ferris joins me, the VP of products and engineering at Anitian. Ryan, welcome to the program, great to have you.

Thank you so much for having me.

So let's dig right in. Why are software vendors turning to Anitian to help them address and access the merely for over $200 billion market, public sector, federal market for cloud services? What is that key event?

Yeah, if you know anything about FedRAMP and if you've looked into it, it takes a long time to achieve FedRAMP. So when customers kind of go into this cold and they're from Mars and they're like, what is FedRAMP? They usually find that it's an 18 month journey, maybe a 24 month journey. And so Anitian helps shorten that journey with lower cost and faster time to market. So if you're waiting for a revenue stream from, say, a government entity, we can get you there faster and get you to a state of FedRAMP certified in a shorter time period. And that's the value prop.

Faster time to value is critical for organizations. So let's look at this journey as you talked about it. What does the path to compliance look like, specifically for AWS customers, with Anitian and without? Help us understand the value add.

Yeah, so if you're doing it without Anitian or if you're just kind of doing it yourself, which some customers choose to do, then they have to go on that journey and kind of learn about three primary things. One thing is how do I just write the entire package? Like there's a thing called an SSP or a system security plan. And that thing is maybe seven or 800 pages long and you have to author that all by yourself. So you can get help with that or not. That's sort of the academic and tech writing piece of it.
There's another piece of it around what does my environment look like? So as I'm rolling out this FedRAMP solution, what are each piece in my environment that needs to be compliant with FedRAMP? And it's a voluminous amount of things, can be either a dozen or maybe up to 100 things that you have to tweak and change. So there's a technical deployment story here as well. And then the third thing is keeping you compliant in your AWS environment after you've achieved kind of that readiness state. So the journey does not stop once you achieve FedRAMP ATO, it goes on and on and on. And Anitian helps customers kind of maintain and keep them there in that fully compliant state after achieving ATO.

What's the timeframe for AWS customers in terms of going, all right, we realize we're going on this journey, it's challenging, we need Anitian's help. What's the timeframe to get them actually certified?

Yeah, we look at the timeframe between the moment you deploy and the moment you start writing about that FedRAMP package and when you're audit ready. And in the best case scenario, that could be a few months, right? But you're always, your mileage may vary based on kind of your application readiness and how ready you are to pursue that journey. So the fastest happy path is a few months to audit ready state. But then you kind of have to go through a process whereby you're in the queue for FedRAMP and that can kind of take maybe an extra few months. But it really is that three month accelerated timeframe in the best case scenario.

Got it, three months accelerated timeframe. Are there other compliance standards besides FedRAMP that you help organizations get compliance with?

Right, it's a great question. So FedRAMP in and of itself is just really hard to get to. It's just so many things that you have to do. But if you get to that state, it's based off of a standard called NIST 800-53, specifically Rev 4. That's kind of a mouthful.
But once you achieve that state, there's basically 325 controls that come along with FedRAMP moderate. And that buys you a lot of leverage and leeway and mapping and sort of cross walking to other compliance levels. So if you achieve that state, you buy a lot of kind of goodness with things that map to either PCI or even HIPAA or SOC 2. And so you kind of get a big benefit and sort of a big bang for your buck by having achieved that state for FedRAMP.

So from an AWS customer, talk to me about, obviously we talked about the time to value, the speed with which you enable organizations to achieve compliance and readiness. What's in it for me in terms of working with Anitian as an AWS customer?

Yeah, so for AWS specifically, our stack, well, we have kind of two versions of our stack. One is meant for Azure and it's kind of cookie cutter and meant for folks that have an entrenched Azure footprint. The other is, that's the majority of our market, it's folks that want to an accelerator footprint in AWS. So what's in it for you is that Anitian kind of presents something that looks pretty similar to a landing zone, but it's a little bit more peppered with complexity and with tuned configurations. So if you're an AWS customer and let's say you've had an environment for the last five, six, seven years, we help you kind of take that environment and enhance it and become FedRAMP-ready in a much faster state. And we are leveraging and utilizing a lot of native AWS core services like ECR, for example, as one, we're just starting to lean into AWS Inspector for vuln scans, those types of things. And then kind of when you get up to that audit-ready state and through ATO, we aggregate a lot of that vulnerability information and vulnerability scanning information into a parsable, readable, actionable format. And most of those things, those gatherings of data are AWS specific functions that we kind of piggyback on.
So we're heavily into CloudTrail and quite heavy into kind of using the things that are already at our fingertips just by deploying into AWS.

Yeah, leveraging what they already are familiar with, kind of meeting the customers where they are, I think these days is such an important factor to help organizations make the changes as quickly and dynamically as they need to.

That's right. Yeah, that's perfect. Yeah, a lot of customers, when they start on the journey, they sort of uncover the details around, well, I have an application and this application has existed for six or seven years. How do I get this thing FedRAMP-ready and what does onboarding mean to your stack? We try to make that specific step as easy as possible. So when I'm on the phone with prospects and I'm talking to them about embarking on a journey, I kind of get them to a mental model where they treat their application VPC or their application environment as sort of A and we deploy a separate VPC into their cloud account. And then we peer that information. It's kind of getting into the mechanics a little bit, but we try to make it as easy as possible to start doing the things that we're obliged to do for FedRAMP for their application, like vuln scans and operationalization of logging and things like that. And then we pull that information into our Anitian-managed VPC. And I think once customers really start to understand and sort of synthesize that mental model, then they kind of have this aha moment. They're like, oh, okay. Now I really understand how your platform can accelerate this journey into a period that is no more than say two or three months of onboarding.

No more than two or three months. That's a nice kind of guarantee for organizations. Who are you typically engaging with? Is it the CISO level or are there other folks involved in this conversation?

Yeah, the CISO is probably the best persona to engage with, but it so varies from customer to customer.
And you never really know who's really gonna, oftentimes it's the CEO or sometimes it's a champion that might be the CFO or someone that's incentivized to really start getting market share for federal customers that they don't have access to. That might even be a VP of engineering that we're conversing with. But most often I think the CISO is central because the CISO of course wants to give in details of what does the staff consist of and exactly how are you helping me with this big burden of continuous monitoring that FedRAMP makes me do. And where do you fit in that story? So usually the CISO.

Usually the CISO, but some of the other personas that you mentioned, sounds like it's definitely a C level or at least an executive level conversation.

It is, yeah, I'll try to divide that a little bit. From my persona, like I run engineering and products, I'm usually dealing with or rather talking to and engaging with the CISO. But the folks that cut the check are either the CEO or the CFO that really want to widen that kind of revenue stream that they don't have access to. And they're the real decision-making personas in the deal. Now after the decision is made, then they're vetting through VPs of engineering or engineering leaders or the CISO. So like the folks that pull the purse strings are usually the ones that are cutting the check to make this investment. That is usually the CISO or rather CEO and the CFO.

Got it, okay. So if I'm an AWS customer and I'm on this journey for FedRAMP certification, I've been on it for a while. How do I know it's time to raise my hand or pick up the phone and call Anitian?

Yeah, some customers that we speak with have already tried to do it and maybe they failed.
Maybe they've been like 12 or 14 months into the journey and they've said things like we just don't know how to put the package together, or maybe they've engaged with the third party auditor and the third party auditor has said, sorry, you guys need to go back to the drawing board, or maybe they missed a good percentage of the technical requirements and they need some consultation and advice or a cookie cutter approach. So kind of every journey is different when we're engaging. Sometimes folks are just coming in completely cold or maybe they failed. But the more interesting ones, and I think when we can look a little bit more like heroes, are the ones that have tried it and then a year later they come back to Anitian and they want that accelerated goodness.

Do you have a favorite customer story that you think really articulates the value, either from a customer who came in cold or a customer who came in after trying it on their own or with another partner for a year, that you think really demonstrates the value that Anitian delivers?

Yeah, there is a customer story that's sort of top of mind and it's, I think they got primarily stuck in what tooling, anonymize the customer, but this customer kind of chose the wrong level of tooling as they embarked on their journey. And by tooling, I mean, let me get a little bit more specific here. You can't just choose any vulnerability scanner, for instance. If it's a SaaS product or if it's sending data or requests outside of your FedRAMP boundary, then you're going to run into trouble. And this reference customer and this prospect at the time kind of had a lot of friction there. So as they were bumping up against that 3PAO deadline, they realized they had a lot of work to do. And we simplified that part of the journey substantially for them by essentially selecting and spoon-feeding them and sort of accelerating that part of the deployment and technical journey for them. And they were very delighted by that part of it.
When you're talking with customers who are in a state of change and flux, as who isn't these days, we've seen the acceleration of digital transformation considerably over the last couple of years. How do you talk with them about Anitian as an enabler of their digital transformation overall?

Yeah, digital transformation. It's a broad word, isn't it? Like for customers that are moving from an on-prem world into the cloud world, you have this great opportunity to kind of start from scratch. And so for Anitian, we are deploying and maybe not start from scratch, but when you're moving from an on-prem environment into the cloud, your footprint, you have this really nice opportunity to embrace more of AWS core services and to kind of rebuild things, kind of make your architecture drastically improved or like look different to be more supportable and like less operational overhead. And so when Anitian presents itself as sort of this platform in a walled garden environment, some customers have this aha moment that like if you're going to move either a portion of your environment or a specific application to the cloud, Anitian really helps you establish that security within that boundary and that footprint in a much more accelerated fashion than if you were selecting each part of your security infrastructure and then trying to implement it by hand. And that's kind of where we're showing.

Got it. We talked about the personas that you're typically engaging with depending on the organization, but how do you help enterprise companies who say, Anitian, we want to improve DevOps efficiency. We want to get our applications secure that are running on AWS and those that we may want to move to AWS in the future.
Yeah, this gets into futures a little bit, but part of our roadmap, a little bit of a kind of a look around the corner for our roadmap, is that since we know so much about the FedRAMP environment and FedRAMP moderate and the standard called NIST 800-53, it's a really powerful security view and it's also a really powerful compliance view. So, as I was saying before, if you achieve a lot of depth and excellence in NIST 800-53, it buys you a lot of kind of crosswalk and applicability for SOC 2 and HIPAA and PCI. So for DevOps organizations and for just engineering organizations that want more pre-prod insight, there's no reason why you can't just deploy our platform and our stack in a pre-prod environment to get that security signaling such that you can catch things early and prevent maybe spillage or leakage or security issues to go into production. So one of the things that we're doing on a roadmap is a feature that we call compliance insights, whereby we present a frame of NIST 800-53 Rev 4 that you can deploy into any environment. And that particularly helps the DevOps role by saying, well, if I just, for example, exposed an S3 bucket to the world, then I can catch that configuration and that compliance violation pre-prod and catch it, trap it and fix it before it leaks out to prod.

So you talked a little bit about kind of some of the things that are coming up on the product side. What's next for Anitian as we look at, we're rounding out calendar year 22, coming into 2023. There's still so much change in the market, we've got to embrace that. What's next for the company? What can we expect from the VP of products and engineering?

Yeah, I think in two big areas here. We're going to double down on our FedRAMP offering and just continuously improve it and improve it. We're pretty tempted to lean in more heavily to CMMC.
We hear a lot about CMMC kind of on the periphery, but we just haven't quite felt the market pressure to really go after that, but there's definitely something there and I would anticipate some offering maps to that specific compliance framework. And then in the enterprise, we just month after month, we discuss more about how we can create more flexibility in our platform such that commercial customers can get more of that goodness and sort of more of that consolidation and time to market, particularly for small and mid-sized customers. So we'll be releasing more of those pieces of functionality in 2023 as well.

So the commercial folks be on the lookout for that.

Yes, absolutely. That's a huge untapped market for us. We're super excited about it and we'll be a little cagey in our plans until we kind of get through this early availability period and then probably make a bigger splash in the first half of 2023.

That sounds appropriate. Where can the audience go to learn more about what you guys are doing and maybe get ahead on some of those teasers that you just mentioned?

Yeah, I think our marketing folks will push out some more data sheets and marketing material on what's to come. And if you ever wanted to be part of this early availability program that I just discussed or that I mentioned, you can always go to Anitian.com and ping us and we'd be happy to have a conversation with you and we'll lift up the hood and allow you to look under there for and just carry on the conversation around what's to come.

All right, getting a peek of what's under the hood. That's always exciting. Ryan, thank you for joining me on this program, AWS Startup Showcase. We appreciate your time, your insights and a peek into what's going on at Anitian.

Awesome, it was a pleasure. Thank you so much.

Likewise, we want to thank you for watching the AWS Startup Showcase. For Ryan Ferris, I'm Lisa Martin. Stick right here on theCUBE for great content coming your way. Take care.