 Hello and welcome to this CUBE Conversation. I'm John Furrier, host of theCUBE here in Palo Alto, California. We got a hot startup doing new things differently, the new way, the cloud native way. Brendan Hannigan, CEO of Sunray Securities. They deliver an awesome new solution to platform on all clouds to change the game and how security is done. Brendan, thanks for joining me on this CUBE Conversation. Really nice to talk to you today, John. You know, I love showcasing companies that are thinking about their entire optimizing their efforts to bring in the new way to do things. And we certainly with the pandemic we've seen and everyone's validated in this general global consensus that cloud scale and DevOps and DevSecOps is generating a new kind of a modern application. And this is just clearly, it's been known for a while inside the industry, but now it's mainstream. You guys are building a company around this notion of security. So let's get into it. What do you guys do? Let's get right to it. What's the product? Well, firstly, to get going and before getting into the specifics of product John, just I like to frame it, which is the ways in which I started out as a software engineer, you know, long, long time ago, built a company based on, you know, classic traditional ways of developing software. The way we developed software has just changed dramatically. It's changed from stem to stern. We've gone from monolithic applications to microservices. We've gone from 18 month development cycles to two weeks from business units and IT controlling it to DevOps teams. And then the amazing, this is the incredible thing from a security perspective is we used to call up people in traditional networks and data centers to reconfigure the firewall so I could put my application to data center. But now I represented in code, infrastructure is code that basically represents the infrastructure I have shows up in, of course, the cloud. The reason why I like to explain this story is we talk about cloud security and the complexities of cloud security. That's just where it all comes together. The reality is everything has changed around it. And we've a simple belief. If everything has changed in terms of how it is you build technology value, deploy it and operate it, we have to change how it is we do security. And it has to be also from stem to stern. So that's what basically, that's why we started this business. Our mission is simple. We want to reinvent how it is people secure new technology in these new environments. And we do it by building a service that sits on top of company's usage of cloud, Amazon, Azure, Google Cloud. And we help find risks, automatically eliminate them, make sure they never come back and then deliver incredible new ways of continuously monitoring activity to prevent cyber security incidents from happening in the first place. So this reinvention is a big, big trend. We've talked about this on theCUBE, you know, with many guests, even Pat Gelsinger now the CEO of Intel, when he was at VM where told us, oh, you need to do over to security, you got to redo it all. Not just incremental improvement, fundamental revolutionary change was you're basically getting out here. So the question is top to bottom reinvention. Totally get that. How do you do it? Like, do you change the airplane engine out of 30,000 feet? I mean, it's hard. I mean, it's easier said than done. What are the elements to reinvent security in this? We have a magical opportunity here because of cloud. So what happens is in the traditional data centers and the traditional enterprise networks, there's kind of control points that are traditionally, which we understand in security, John, right? And it's built up over 20, 30, 50 years, right? And there are certain ways around which we rotate our security controls. And you're familiar with them, right? Firewalls, endpoint antivirus, security information, security event management systems. Think of all those things. Those control points are not relevant in the cloud. It's not, they're interesting. VPCs and network rules are kind of interesting in the cloud. Totally insufficient. So there's a necessity to reinvent and there's new control points. And I will then tell you why it leads with an incredible better result. The new control points of the cloud, we believe and strenuously push when we speak to our customers are identities. And it's not about Brandon and John. It's nearly always about non-people identities, serverless functions, pieces of compute, containers, all of these things have rights to like people. The second control point are data. Where is it? We used to have a data center. It's in the word, it says it, data center. But in this instance, I may have 20 DevOps teams, each one of them is using RDS, one of them is using Elastic Cache, one of them is using a different thing. So data is the second one, the third one is applications. Why is this so important? The service providers have done a great job with core infrastructure. They give us the mechanisms to set up these environments. We need to help our customers organize and reinvent their security around these three pillars. The reason why it's so important, I love what you said is, God, we got to start from scratch. You get to start from scratch. And when you do it, you actually can deliver a level of granularity and control and security that is unimaginable in the traditional enterprise network and data center. It's like golf. You get an extra mulligan off the tee if you hit it out of bounds and security you get a do-over. This is an opportunity. I love that concept because this is, I mean, it's not many times you get this clean sheet of paper or the opportunity to pivot or reinvent or refresh, replatform, refactor, whatever word you use. This is a unique time. Once in our life, this transition, we know digital transformation is transforming industries. Every industry is feeling it. We can see and understand the significance of the inventions like AWS. It's an amazing invention, the power of it and what it delivers to us. The opportunity, which is a must take opportunity is reinventing security from top to bottom. And by the way, if you don't do it, if you just do this kind of half, half-assed, you end up with a mess on your hands. If you do it properly, you end up in a better place than you would have in a traditional enterprise network and data center. And the old expression, you got to burn the boats to get people motivated to kind of get it done right with the cloud. Let me ask you a question. It's identity security and the data secure. I love that perspective because identity, the first thing that jumps in my head when you said that was I thought about the identity, the individual, their ID. And you could actually get down to the, you know, firmware of a phone or, you know, two-factor, multi-factor authentication, I get that access authentication. You're talking more in terms of other naming spaces and naming systems, like specifically around services and applications identity, not just users, right? Can you expand more on that? We understand this at a, many people now understand this at a superficial level, but they haven't truly understood what's under the hood of what's happening inside cloud. When you have reinvented applications, microservices applications, auto-scaling applications, it's what cloud is about. Incredible innovation happening across teams. What happens in the cloud is you have developers, administrators, creating workloads. Those workloads have huge numbers of compute functions, which could be a container, a compute instance, a serverless function. They're gaining access to resources, other compute resources, hues and data. To give you a sense of scale, John, you could have a company, it's not unusual, 80,000 pieces of compute, 20,000 active at a particular point in time. We've got companies, and then they assume these roles which give them access and rights to do things on these cloud services. It's not unusual to have 10,000 roles in a cloud environment across multiple different accounts. Now you see the identities. These pieces of compute have rights to do things. That's good because I can restrict what they do. It can be bad because if I don't have a handle on it, it's a mess. By the way, when you talk about this scale, human beings can't process this much information. We must be able to understand the risks, configure and automate remediation of these risks. The cloud providers give us the tools to build these flexible workloads. They're incredibly flexible. The dark side of it is inexperience and basically inefficient deployment of those tools can lead to a whole host of risks that quite frankly, a lot of customers don't fully appreciate yet. Yeah, and then people call that day two operation, but I love this idea of identity, the thousands and thousands of services out there because with microservices and you're seeing come in this other cloud native world is these new kinds of services could be stood up and torn down very quickly. So the observability trend is a great indicator in my opinion of this whole manic focus on data. Because you need machines to know, some things could be terminated and stood up, not even knowing about it. It could be errors. How do you log it, right? So this is just an example. What's your thoughts on that? What's your reaction? Is that right? The federal nature is the beauty of cloud, right? Because there's problems that even now we've a cloud native application ourselves. And when we have a problem sometimes, of course we can go in and spin up 400 servers to go solve a problem and spin them back down a half an hour later. We couldn't do that before cloud. We can actually have developers doing these incredible, rapid work with serverless functions to go and interrogate data, to go out of data lake, to go and do analytics. It's wonderful. But what you said is they're ephemeral. Now just think about an environment. 20,000 pieces of compute, 10,000 active, lots of 20 different teams across say 50 Amazon accounts. Somebody comes in and basically during a period of time compromises something and gets access to data. But it's ephemeral. It just comes and goes. We have to know that. We have to know what's possible. We have to know if it's happened. And then we have to basically greatly minimize the possibility of that happening. My promise, because I'm a security people I was trying to scare everybody, which is valid. However, my promise, the power of this cloud has created complexity opportunities but actually it also gives us the solution. Because using analytics, machine learning, in our case, graphing technologies, we can actually find these things and give micro control to workloads. So that actually we can see these things and automatically eliminate these risks. And that was impossible in the old world. The automation is programmable. You can actually set policies around automation. Pretty cool. I got to ask you about, I'll get to the technical in a second. I want to understand the graphing and the platform more but I want to ask you the question on the reinvention. If I follow your playbook, what's the end results? Can you take me through the all in bet, the redo? What happens? Can you just take me through the day in the life of an outcome? What's it look like and walk me through that? So firstly, the outcome I want to give our clients is they have these complex cloud environments spreading across any, even a moderate size enterprise. What I basically want to be able to give our clients and what we have delivered for our clients is they've basically managed to break that cloud from being this amorphous thing into specific workloads. Each and every one of those workloads have specific controls in place that understand how that workload should operate in this environment across staging, development and production. And actually we're able to essentially lock down what it is these workloads can do from an identity perspective, a data access perspective, a platform rights perspective and then monitor anything that changes. That's one thing. So the complexity, we're actually able to push away the complexity, leverage the plower to give that level of granularity at very deep levels, identity data platform. The second thing actually, and this is John again, what's possible with cloud, it doesn't, it can't be all security teams. It's security teams, it could be audit teams, it's developers. So we have customers who have onboarded tens and tens and tens of teams onto our platform. Why do we do that? When we're finding issues and finding things that need to be resolved, we're directing it directly to the development teams. So we're saying developer to get into production, you're going to have to fix your identity setup in this environment. It's too risky, but it doesn't have to go to the security team. The security team will only hear about it if the developer doesn't fix it. Got it. So they're proactive. We're involving the teams responsible for creation and resolution of issues. The security and cloud teams are setting up the ground rules for a workload to operate in this environment. And now we've got a level of granularity across workloads, whether they're in production or not, that basically is wonderful. That's the ultimate end game. What's the status of the vision and product on execution? Where are your customers at now? How do you feel about it? Where is it going? Can you share a little bit about the roadmap and kind of where the product is? It's a huge vision. It is. Sounds easy to do, but it's not. It's not actually. And you know, underlying, you know, so we actually, we've a production service, we've wonderful, very large customers who are deployed and operational on our platform. And, you know, an example of one of them would be World Fuel Services, Fortune 93 company. We're the center of their kind of new security environment and operating model for everything they're doing in cloud. It's a beautiful story job. They've gone from in, you know, a few years ago, they 20 due to data centers to date of two. It's unbelievable. And now for all that future real estate, we're the center of that cloud security operating model. What does it mean? They've 50 plus different teams on board and onto the platform, following the rules that are owed. If they don't follow the rules or all the exceptions are coming in and we're doing the continuous monitoring process underneath it. What is it that we've done that's interesting? We actually have this incredible unique way of collecting information from the cloud so that we can gather it in a very continuous way. So we're constantly seeing what's happening in addition to interrogating APIs or clouds or actually monitoring logs so we can see all the actions. What you just said, by the way, something comes and goes, we see it. The second thing which we do is we gather the information, we build a graph. This was actually, this was hard because it's not just as simple as sticking things in a graph, we'd all love it to be. But what is the graph doing? The graph is basically understanding the intricacies of all the identity and access management models. I can see everything that can do anything to any other resource in the cloud, whether it's a serverless function, a container, or a VM. And we boil it down to very simple things. So underneath it's complex, we represent the graphs, we boil it to simple things. Then we run analytics across the graph to find and eliminate platform risk, find and eliminate identity risk, get customers to lead privilege in forced separation of duties. Find data that you may not know is there that has incredible amounts of things capable of accessing it and help our customers lock down that access. And then finally, how do we get it into an operational automation kind of pipeline so that basically on an ongoing operational perspective, it's efficient. So we're actually doing this for customers. We've got some very large financial institution customers. We've got large customers like World Fuel Services. And now actually our mission this year is to actually help simplify a lot of what we're describing so that other companies and maybe companies not as sophisticated as a big financial institution or World Fuel Services is able to just very quickly get the value out of a solution like this. You know, when you have these new technologies, new way of doing things, it's exciting. At the same time, you have to kind of vector into an environment where the customer is ready to be operationalized. So I got to ask you about how teams are forming. I mean, I've been having a lot of conversations with VPs of engineering, large enterprises and also big companies and hyperscalers as well. And they're all talking about how because of what you're doing and the kind of the general philosophy that you guys have is changing how teams are organized. You have a platform engineer now who can work on a platform and then flex and go work with other say feature engineers. And so it used to be just you do your features, you got your platform guys, you got your networking people. Okay, now you don't have to talk to the networking people because you can extract the way the network. You now have more composite, more composable applications with all the observability. And now you can actually build that foundational platform, redeploy the platform engineers with the other teams. So you're seeing like, and then you got SREs embedded into teams and so you kind of got this new engineering formation going on, new kind of ways to organize. The new modern era is here. What's your thoughts on this, how people organize their teams to excellent? It actually is there's no, there's no entire recipe at John because you go to different customers and customers are basically experimenting with different ways to organize their teams. There's no question. But actually, I think one thing that's changed even the last 18 months is companies realizing we definitely need to change how it is we've organized our teams. I'm going to give you a simple example. Again, in the old world, they would have network teams and network security teams you call up, oh, let me reconfigure the firewall. That doesn't work. It's just, it's just so broken. It can't work in cloud. You can't be calling on people to reconfigure a firewall. That's an example. Another example actually which companies are realizing leads to identity, they will go through an approval process and they'd go through a governance and certification process. Well, these teams in the cloud, they want to get the workload in in two weeks. They need to get it in in a month, in an hour. In an hour, they can take a month and manual approval processes. So they're realizing that you need to skill set to set the ground rules. And then the teams should be allowed to innovate within the ground rules. That's what the platform teams need to do. And so what we see emerging, which I think is a really best practice is cloud centers of excellence. They're responsible for what I would call the shared infrastructure of the enterprise. The 250 Amazon accounts, the 50 Azure subscriptions, whatever it is, that is key. Then the DevOps teams are using this shared infrastructure. The question is, how do you interface? How do you help coordinate between these different responsibilities from a security and governance and risk perspective? And that's actually what a big part of what our product is. Helping teams coordinate your activities. That's a big part of what our product is. Love the first principles there. You're setting those ground rules. I mean, there's been a chef and a cook, you know, you're working with the environment and putting the new ingredients together and then getting that operational. So a huge opportunity, great stuff. Brendan, I got to ask you a final question while I got you here. Sunray securities, the name, Sunray. Where'd that come from? What does it mean? It actually means, it's a Gaelic word and it means data. And it's just so central to, you know, what are people trying to steal? Like we can talk about security, but we'll do it in a face. But at the end of the day, they're trying to do damage. They're trying to get access to data. That's the most valuable thing we're trying to protect. So that's why we put it in our name. Yeah, digital transformation, everything's data. Now everything's data. Contents data, securities data, data is everything. It is. And identity. Great stuff. Brendan, thank you for sharing the story here on theCUBE conversation. Brendan Hannigan, CEO of Sunray Secure. Thanks for joining me. Thank you very much, John, it was a great pleasure. Okay, it's theCUBE from Palo Alto, California. Remote still, thanks for watching.