Zero-Trust Cybersecurity: Trust No One? #zerotrust

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

thank you for that for that introduction and thank you to the V lab Organization for putting this panel together and for asking me to to moderate it's a it is a real honor I was contacted by Ravi some time ago on LinkedIn and I was I was humbled and honored but I shot right back and said hey what qualifies me to do this this to come moderate this this conversation and he gave a great answer and it's a great certainly great panel that we get to work with tonight so regardless the outcome I've been told that I can put in my LinkedIn profile that I've lectured at Stanford after so [Applause] whether I'm rather I'm qualified or not I I'm gonna you'll see my LinkedIn status update tomorrow I do is a clicker up here Fred we talked about this so here's what we want to do we want to make this compelling where there's an opportunity to make this engaging a lot of that falls on my shoulders to keep things moving along and I promise to do that before we get started a couple housekeeping items there's going to be a Q&A session at the the last 30 minutes of this panel discussion we Q&A so questions coming from the audience and livestream so you'll have a chance to intergate interact and engage with the panel before that here's the format I'm going to do just a quick 6 or 7 slides to set the context and to sort of get a baseline understanding I appreciate that there's both business and technical folks in here so I want to establish a little bit of common ground there so about 8 minutes our featured company a mirror and company will have another eight minutes to take you through just kind of overview what they do and then the balance of the panel will have two minutes to give an introduction two to three minutes or 30 seconds and then we'll get right into the panel discussion that's about a half hour and then the balance of the time will be will be QA if you have questions you can text them to the number you see there and feel free to tweet out anything relevant or compelling that that you think of throughout the balance of the panel discussion so that's the number for text questions and I think we'll throw it up again at the end of these slides so let's jump right into this and and kind of start right here that the title of the panel tonight is zero trust and I sort of came up with what why how and when and maybe a little tongue-in-cheek how do you how do you trend to the top of a Google search because if you google zero trust today or tomorrow your results are gonna change and maybe change dramatically and I think that's representative of where this idea of zero trust is right now there's a lot of thoughts there's a lot of ideas there's maybe a little bit of theology if you old technical theology that's going to come out tonight in this panel discussion and so what we aspire to get to is some of that common ground what can we agree on with respect to zero trust and as it is transformational as maybe the industry is hyping it to be so I'm going to give you this slide this is for both the business folks and the technical folks and I'm not going to go deep and either but I want to just set the context in the foundation that this is the world we know and we're going to talk in terms of security and cyber security maybe this is an oversimplification but this is really where we come from and where we are today and so I win or do you introduce a couple of terms this idea of perimeter you're gonna hear a lot about the perimeter and the perimeter is that line that demarcation point in my enterprise with respect to what I trust and what I don't trust in terms of how we deploy security today think of it and I'll show you a graphic as a castle and a moat and maybe hot oil and if you're if you're inside my castle you're inside my perimeter and I trust you and the moat is that sort of middle ground we'll call that a DMZ or a demilitarized zone and then maybe that hot oil is up as a second-level DMZ and so I'll push some assets out there and if they get compromised that's okay they're a little bit disposable and I can replace them fairly cheaply and the thing that's keeping bad people out is that firewall and so you're gonna see the firewall at some of those different D mark points between the perimeter and where that zone of trust is and where those untrusted resources are we're going to talk a lot about this tonight in terms of what does this look like going forward some might suggest that the perimeter is dead and it's an outdated idea and some may disagree with that and say no we still need the perimeter and so we'll have that conversation and all I'll move that part of the conversation along so what is zero trust turns out that's gonna be my first question for the panel to everybody just sort of zero in on zero trust what do you think it is a couple of ideas here and I won't read through it but a couple things coming to mind first is location of a resource that is a person or an application or a device is no longer an attribute of security today and it used to be that if you're within my perimeter I trust you and it turns out that's how a lot of attacks are perpetrated and escalated by giving that level of trust and so what zero Trust says is we trust no one and no device no application and no person and so we're gonna take advantage of technology to establish identity to establish trust maybe on an application or workload basis and and maybe evolve from this idea of the perimeter so the last point here is just maybe a little provocative is this the end of perimeter thinking and again I'm gonna try and get to the panel with this and and really kind of kick these ideas around I included a quote from Forrester with respect to the perimeter so now that you have an understanding we have baseline understanding very simplistically of what the perimeter is I'll read it here as businesses monetize information and insights across a complex business ecosystem the idea of a corporate corporate perimeter becomes quaint even dangerous and that's from Forrester and some of their and some of their forward thinking about industry leaders in this space so again another sort of provocative approach about maybe what Jiro trust is here's what we know about the reality of enterprise security today at least three things the attacks that that enterprises are undergoing when when they occur are massive at massive scale whether it's a distributive denial of service attack and I'm just pumping a lot of data at you so that your website doesn't work or a bigger attack they're big and they're getting bigger second these attackers are increasingly persistent and they're patient and if you recall the owe the government opium data attack that was a particularly big and bad and damaging one that stands out if you don't know about it I'll give you a quick overview opium is the office of personal management Washington DC and they manage all information and security clearance for both government workers and contractors and that's millions of people turns out I'm a contractor at Akamai with the government and I hold a very high-level security clearance and I hold multiple polygraphs and this is how this process goes down I sit with an examiner and they dig way back into my history and they find out a lot of things about me and they take notes and then they hand jam it into a database and then it gets stuck in OPM and the no PM gets breached and the people who perpetrated that attack have all my information so these attackers are persistent and the consequences are serious and then finally the attack surfaces themselves are growing very big Equifax is a great example of that so the stakes are high we have to be right all the time and the bad guys are right just once three ideas I just plant quick seeds here when we talk about zero trust employment options and I'm going to ask this question there's sort of three schools of thought Network segmentation which is different than software-defined perimeters which is different still from application access proxies so is there a right way is there a long way is there the first way is there a fourth way we're going to talk about that tonight last slide here's the objectives and the outcomes of this conversation tonight three objectives first is to provide insight through a really really smart panel of industry leaders the second is let's be a little disruptive and let's create a little disruptive thinking and then finally let's talk about what's possible what's the possibility here if I had to talk about three outcomes three real tangible things we could do let's establish common ground let's take zero trust off the whiteboard and into action and finally let's figure out what to measure and how to make tangible improvements and here's the final thought the role of the moderator my role tonight is to ask compelling questions to maintain an engaging tempo and I think importantly to create controversy when possible good healthy controversy but I'm a big believer and everyone's thinking the same no one's thinking and I think we have four gentlemen here that that have different thoughts and different approaches and it's going to make for a good conversation so thank you for tonight and appreciate your time make sure you ask questions and with that I'm gonna ask a mirror to come up and take the mic Thank You Randy so I have eight minutes I'll have tried to get through to content pretty quickly I'm Amir Sharif I'm one of the cofounders of aparato and we work on identity powered cloud security basically ensuring that every entity within the network knows who they're talking to and it's through authentication authorization that we establish trust so why do we solve this problem the answer is that there are two major movements are happening Randy alluded to some of them one is that the private data center is migrating to the public cloud so what we used to do inside our Santa Clara data center or Equinix is now going to AWS or Azure and the second one is we're adopting new software architectures so with those come two problems one is as Randy said as the perimeter is disappearing I don't think it's dead yet but it might as well be because if it's disappearing its porous it's gonna create problems as some of our customers know and second is when I do go to an infrastructure or to a public cloud I no longer own that infrastructure I cannot define the perimeter physically as I used to before so is it wise to try to do it in software that's that's a question now when it comes to software architectures we're all after business agility we're trying to get out differentiation in terms of code instructions that make our businesses different so to do that we'd like to copy and paste a lot and that copy and pasting is done in terms of libraries of them source code and so forth we're just putting in a lot of stuff in our code and we don't really know what it is and second we're we are absorbing this new architectures micro services that basically allow us to very quickly update portions of our application for example AWS which is the world's largest cloud they release or in 2011 they were releasing a change of production every 11.6 seconds that's an insanely fast pace for something that large but to do that you have to have a different software architecture and that increases your your attack surface so if you look at the picture and frame it in this light we're on a journey to go from servers to serve a list servers is the stuff that we have in our data center and server less is basically what we want to have in a public cloud where our developers write code and check it in now there's a couple of things happening one is as we're migrating what we've done basically the migration from service to VMs but as we did this to never event points on a network increased by a factor met our order of magnitude factor of 10 we are in the process of adopting containers and eventually serverless will come so as the network surface is increasing we're also increasing the rate of change and when we resolve the network we're doing in a quadratic space that's a little bit of math but it's a quadratic equation that we're solving in order to make sure that things are talking well to themselves we used firewalls access control this network constructs that our IP address dependent in order to create those segmentations and my premise is that it's no longer wise to do that as we go up the food chain and what what's happening inside the industry is that the security teams are trying to use all technology the firewall was invented in 1994 a year after the pin your ticket was developed they're trying to use old technology in order to secure where we are today which is based on the cloud infrastructure microservices things that are very fast and moving and it's that tension between the enterprise wanting to move fast and the security teams that are holding slowed that creates opportunities for startups like me so why is an IP address IP addresses bad why is my and here is in a my brethren here are Network centric so I'm going a little poke a little but fun of them but you know but why is the why is the poor man's identity which is an IP address a bad thing one is when we're going to the cloud it's a fungible resource and because it spongeable IP addresses change all the time and IP addresses are like street addresses it's a location it's not an identity and it so happens that both my dog and I live in the same address and if you take my address as my identity you may get my and he's nicer than I am but you know that's that that'd be necessarily the person that you want a more colorful example would be that if I were to use an excuse with my wife is that I assume that the woman in bedroom was my wife you know I don't think that would fly really well you have to go beyond identity beyond location to to know what identity is and firewalls are so old that the ancient Egyptians were kind of worshipping it back then you know this is if we really need to get beyond this concept so it's this problem that we're trying to sell that aparato and we founded the company about three years ago I'm proud of a list of investors that we have wing Comcast ventures Norwest Venture Capital in-q-tel the governments of Randy the guys that are backing that you're selling to our backing us up so I'm really happy with the list of customers and informatica have to give a special shout out to them because they're our first customer and they're sitting here in the audience so thank you so much for that and what we do is we second applications and networks purely based on network purely based on the application identity not at based on IP address so you know we have a character called handsome Hank he doesn't like IP addresses that's to drive the point home that location information is not a good proxy for identity application identity is and this is not a new concept we use identity all the time every time we log in I say for Gmail we go to get a token that identifies who we are what a praetor does is effectively the same thing for applications so think of us as octa for applications where we create automatically create application identity and based on that identity we authenticate and authorize with it what application components do and this is how we create a zero trust model which hopefully will define in our panel so the net effect for the customers that we have is something that's as complex as what you see on the screen which is Sdn overlay segmentation with access control lists with east-west firewalls VPN tunnels all that that goes away with a probe it becomes a much simpler networking model everything can be flat we don't really care where application components are it's based on identity in that location that we care about have the capability of encrypting traffic completely translating transparently to the application so it's this simplicity that we create and our value premises stronger security simpler operations and better ROI so with that I'm going to hand the baton back to I guess the next person so thank you come here here's uh here's what I'd like to do for the balance of the panel we'll start with Andrew if we can just do a quick introduction kind of who you are what you do where you come from and whatever channel is commercial you want to provide no commercial the slide went away but I want to start off by saying the problem with cybersecurity is that every picture you ever see about it is somebody in a hoodie facing a bank of monitors in a dark room so if you want to know why it's considered such a morbid topic that picture that you saw up there that's the one that usually gets it going my name is Andrew Rubin I'm the co-founder and CEO of a software company called a loomio that obviously is in the cybersecurity space I'll give you 30 seconds or less on the company and then I'll tell you what we actually do I started the company with our CTO and co-founder a little over six years ago we spent about two years building the software privately we call it stealth mode out here and we've been in market selling the software for the past four or so years we're about 350 people globally we've raised a little over three hundred and thirty million dollars our largest investor is JP Morgan Chase and then there's a string of individuals and VCS that have been kind enough to join the team along the way what a loomio does is actually very simple or at least the simple explanation of it certainly explains why customers care about it we built a software platform that helps our customers predominantly large enterprises people like JP Morgan or Salesforce to be able to find things inside of their data center or cloud environment that don't belong there and then stop them from spreading or moving around and one of the ways that I've described the software since the very beginning since we literally pitched andreessen horowitz for the money to start the company is our software platform does two things the first thing it does is it's literally like an MRI machine in a hospital you walk in and you say I feel sick the doctor doesn't just slice you down the middle and start rummaging around inside to find out what's wrong they collect data they take pictures they try and figure out what's in there that shouldn't be or what's acting in a strange way so our first job when we arrive at a customer is not to stop anything or block anything or necessarily do anything other than to build a map that explains to you everything running inside of your datacenter and cloud tell you what each one of those things is and most importantly how they're all connected and talking to each other inevitably when you see that map for the first time you have a moment we call it the o fill in the blank moment when you realize there's all sorts of things connected in ways you could never have imagined and therefore talking to each other in ways that they shouldn't be and the second thing the software does is it allows you to write policy people call it segmentation nowadays but it's policy that simply says things should talk to each other or not talk to each other a certain way and the simplest example is there isn't a company left on planet earth that doesn't have a development environment think of it as sort of the cesspool where they build and test and play with things and a production environment which is where they run the things that matter those two things usually shouldn't talk to each other very often they do we build the map that allows you to see it and understand it and then we allow you to write policy that says these things over here shouldn't talk to these and of course the kicker and this is every single breach you've ever heard about everyone OPM Equifax go down the list target Home Depot the one common thread in all of them is something got attacked something got breached it wasn't the Holy Grail it wasn't the Golden Nugget but because that one thing was accessed they were able to move all throughout the inside usually for a long time without ever being detected and eventually get to the vault and steal the gold and so segmentation is a way to prevent that from being so easy or hopefully ever happening that's us Andrew thanks so i'm Penniman clues I'm the CTO in the network and security business unit at VMware and the story of me and what is an interesting one in the sense that it was the company that created the notion of virtualization for the enterprise's leveraging some of the concepts that came before from IBM's and mainframes and so on and it established the name in the industry on how to create these compartments virtual machines that essentially what I'm gonna emulate what the server though in a kind of a way that would be easier to operate and isolate from the other ones the company has been transformed in the last four or five years essentially with the entrance into this what we call Network and security but it was more about this notion of saying you cannot think in terms of compute storage networking and then add security on top and think security in terms of network security because as we were describing before this is a much more complex problem it's a matter of understanding identity understanding relations understanding lifecycle of things so as VMware kind of went from being a virtualization company to what we call a software-defined infrastructure company or even like a multi cloud company the problems became bigger and bigger in the sense that once you have a set of assets that have been put in data centers for companies for over 20 years when a new revolution comes in terms of how to reinvent security how to reinvent computing how to go to containers how to alter serverless we look always at the problem of what's the unique security model that is needed in terms of how to define an entity how to define who make changes to certain applications life cycles how to discover relations between things but at the same time there is this notion of how do you carry the existing environments into this new future and how do you bridge between what you have and what you're going to have and essentially be the transition into this new to one so we are going to discuss it over the panel but essentially we help of customers to go towards this future that we say about any device any app any cloud and help them along the way to do all the transitions in terms of infrastructure in terms of security in terms of automation that will allow the future enterprises to essentially become more agile multi cloud and seneschal more secure because otherwise there's no such thing as providing infrastructure without security and there's no such thing as providing networking without security anymore especially in this in this motovlog department so that's what kind of what VMware is is doing and now cover little bit more details as we speak Thank You Randy David and team for inviting us it's zero trust wondering who to trust here definitely it was Perry for sure not sure what Andrew we have history yeah we have a heavy average yeah I learned zero trust concert from Andrew like six years ago first so Val technologies capital is the venture capital investment arm for Dell technologies which is the holding company of Dell VMware RSA secure works pivotal and a bunch of others so we have financial investors and enterprise IT so we try to invest in the best possible companies in all different categories of Enterprise IT from cybersecurity devops to raid semiconductors and so on cybersecurity is about 25 percent of our investment portfolio we have been in business as a team for about seven to eight years two of my partners were there from the beginning are here in the audience Raman and Scott so I joined two years ago from another venture firm General Catalyst partners we try to combine the best of financial investors and corporate leverage so as being an extended part of the devil family we have access to a lot of CI o CI o--'s DevOps heads VP of infrastructure and so on and a lot of our investments are informed by what C is NCIS was CIOs and CIO so C we probably spend more time with customers than we spend with startups to inform our investment decision-making we talking a little bit about cyber I'll share a little bit about about a portfolio we were the first investors in Z scalar we one of the early investors in netskope silence red lock zing box Jaz add Alam and a bunch of others so we believe that in a zero trust should be a part and parcel of every cyber product and every infrastructure product every application layer product and also part and part of our in a compartment parcel of us to the zero trust is also a human problem as much as it is a technology and a product problem and I'll give you like a very very basic first principles example you know when we when we are teaching our kids do we ask them to trust everybody by default as infants or toddlers or do we say don't go to strangers you know that's a fundamental thing that you know humans are doing when they teach the kids but IT security is not in that way today so I think we need to bring some of those concepts that we have learnt as humans about trusting others into IT security as well and then maybe we don't need that man the hoodie there if you do that all right Deepak Thanks so so here we are we're right on time by the way that was flawless gentlemen thank you very much I mean we're exactly where we need to be so we're gonna get rolling we're gonna roll fast and we're gonna start hitting hard so easy question a little bit of softball if you guys could just be sort of quick here two parts first is in your own words a sentence or two Andrew maybe three what is the meaning of zero trust for for frame what's the meaning of zero trust and back to this perimeter idea is the perimeter firewall still relevant so we'll just go down the line okay have a privilege of being first so the Russians have an expression trust and verify I think the better expression especially if you're dealing with the Russian is that never trust and always verify that's what that's what zero trust means says just because something is within what you perceive as your domain of control your data center it doesn't mean that it's okay and you have to look for signatures that verify that this component does what it's supposed to do and connects to what it's supposed to do and talk to get some day access to the data so that's the notion of the zero trust sorry the second question remember firewall is it relevant you know you have a you have a jacket this is idealized right you have a jacket you know that's a say you're throwing the firewall away now to be realistic I think there is a role for a firewall still in the enterprise but I have to be provocative as a start-up Bay I would say throw it away no but really there is a use for firewall especially north south firewalls but I think that role is getting more and more diminished you wouldn't see it though if you look at Palo Alto z-- stock price you know it's entering I have I have more than a few friends at Palo Alto back home in Washington DC and I poke them in the chest with that hole and they get a little scared but rich you're right there there's still firewalls are being consumed at a at a at a massive clip so okay Andrew so I think zero Trust is a strategy I think it's a framework I think it's evolving and becoming in architecture but what it's not is it's not a product or a vendor it's not one thing it's not one solution it's a set of security controls that when blended together and used in conjunction end up providing you with a framework or an architecture where you can say I'm now achieving something called zero trust and to be clear I think it's very very early and nobody knows what that end result is going to look like and vendor names and logos will go in and out of filling those different control points over time the firewall comment to me is really funny because there's a very well-known analyst firm that actually went out on a very very long limb a long time ago and said the firewall is dead except not just Palo Alto stock price but quite frankly more importantly their revenue number keeps going up every year and it's not just them for it and checkpoints you need to pull off the same stunts as well I mean the reality is this security has never been a single layer it's probably never going to be a single layer because there's no one layer that should be trusted that much and the same way that nobody goes home and says I have motion detectors and an alarm in my house therefore I'll take the lock off the front door because well the alarm is going to save me people like to have different security controls in order to feel like when you layer them all together when one fails the other one's going to save me and the lock on the front door is still on the front door of every building and house that I've ever walked through I think what's changing is that there are new places to put things new buildings in this case it's new clouds there are new places to put things where the firewall is not as relevant or the architecture no longer is as relevant but simply say that a perimeter is gone or dying or dead is sort of stretching it to the extreme and the reality is usually somewhere closer to the middle I wish my young daughters with acknowledges their lock in the front door I'm sure I'd like switch to it yeah good parent maybe I'll start with the firewall question first and then I'll go to the zig addressed so imagine that you live in Manhattan and you say I'm going to secure Manhattan ones forever and I'm going to put the Army in every single bridge and I'm going to stop any single bad guy crossing the bridge would the crane disappear from Manhattan yes or no and what happens is that going back to Andrews company's security is a complicated topic because it's about layers is about understanding different levels of inspection different levels of behavior different levels of things but the notion that blocking the entry and exit of a complex system would completely secure you is I mean we've been in this industry for about 40-50 years and we are still not secured right so somehow we've proven the point that firewalls are not going to solve the problem by themselves now you go to a city and what do you have you have the fireman you have the police you have the armored cars to move money and then you have limits for the executives and you have taxes for people to move so essentially with just that to a set of tools and capabilities for every single use case depending on the risk that you are willing to tolerate on the asset that you're moving in the city so now why until now we were being able to survive with firewalls because applications were fairly static because the port that we're exposing outside were fairly limited because enterprises would not expose all their assets all their applications and all their customers being outside in the internet we were like serving a community that was fairly well contained and you had internal attacks but then there was a question about dress so far well serve a purpose when Enterprise were not as open as a sport and you didn't have as many applications and as dynamic as applications as we have right now so now you live in a new wall where I have container based applications with containers coming and going IP address don't mean anything I have my legacy the end that now have to be connected to containers that are running in the Internet and exploits are coming in so now is what do I do so two means zero trans now going back to the second question is this notion of saying what answer do we provide to the new environment where we live were developers are developing new applications faster and faster they are taking the matter on their own hands putting it into public clouds identity models and policy models in public clouds may be different from the ones you've had in the enterprise management teams in terms of operations and security tend to be in different sides of the spectrum people that understand cloud may not understand infrastructure and visa versa so now going back to how do we define cedras is this ability to say what kind of new tools new capabilities new perimeters new edge environments do repeat that we can understand not only who do we have in our networks but what do we have those assets - in our networks and and we understand the problem and when so it's a set of looking at the new environment looking at what's coming and what tools and capabilities doing it you know to have some confidence in our infrastructure because it's becoming more and more critical in the place where we live thanks so so Deepak is a as a as an investor I suppose you have a different maybe a different view of the world with respect to zero trust the parameter kind of what you guys look at what you think about how does that contrast as long as the startup cancel is zero trust product would like to invest in it that is the truth of the matter right so but let me give you like a more deeper answer so when startups come and pitch to us you know it's our job to evaluate a few different things are their pitching a concept are they pitching a technology as you're pitching a product are they're pitching a business and sometimes you have a combination of all and no zero trust is definitely a framework or an applicator or it's a concept it's not a technology it's not a product it's not a business for sure so we have seen zero trust and again in the context of the micro segmentation for sure and somebody would agree here we have seen zero trust no no VMware has been like a pioneer in applying zero zero trust principles like you know how does a good ward behave in the context of app defense and the the challenge though is you know Google's paper while the beyond card paper very far-reaching you know in my opinion is pretty narrow in its interpretation of na0 trusses a lot of focus on devices and users but the primary atomic entities in an IT infrastructure are not just users and devices there are workloads which change and and the half-life of workloads has consistently decreased and also the workloads are not any longer in your own premise if you are outsourcing to a company in China India Brazil your workloads are sitting there how do you even trust those so we have seen now coming to the network parameter the network parameter has both collabs and also expanded at the same time so the network perimeter has collapsed into smaller workloads this was more of an application or workload parameter now and it was expanded beyond the borders of an organization so how do you safeguard things you know beyond the borders so we we have taken bets in all of these you know collapsing a network in a collapsing the network parameter into a workload parameter or a container parameter or whatever right so we are investors in a company called twistlock which provides container security you know in terms of expanding the borders of an organization we are investors in a company called risk recon that provide security for things outside your organization so and they are all applying 0 trust concepts to solving a business problem and that's what we look like that's what I look for we look for startups which are trying to identify a business problem that is at top 5 C is so issue and not like it number 25 on a CIS was a list of problems to solve and it's I would say there is still some huge areas in enterprise security where zero trust concepts have not been applied yet email security every email comes in by default all right and I I think you know in many aspects of web security to zero trust if not has not been applied you can browse any website by default you are blocked from accessing a few websites but you can browse in most web set by default okay so show of hands RSA was the three weeks ago how many folks attended RSA well so just about the whole place in the whole panel I was at RSA the first thought I have when a good RSA is it's uh I mean it's useful but it's almost carnival like it's this carnival atmosphere and I don't know everybody's telling be thrown at cognitive oh what's that venture capital fund economy it's a VC funded carnival and I think there are 1200 vendors at RSA so I went sort of like a one thought one word answer from each of you here with respect to kind of what we saw at RSA and then zero trust how does an organization how does a kind of the company assess zero trust vendors and compare them there were 1,200 folks telling a similar version of the story in a different accent what's the one thing I'm throwing it out there if you had to go tell your customer here's the one thing you got to look at I'll give you an anecdote just from a customer two years ago I was walking on the floor of RSA there were about twelve hundred vendors two years ago - it's not like it was 200 and now it's 1200 and I'm walking with the CEO of one of the ten largest banks in the United States and the CEO who I know very well turns to me and says so in a really good year an aggressive year I can maybe take three strategic bets that fundamentally changed the risk posture of my bank there were 1,200 vendors on this floor I'm reasonably certain they're all not going to grow up the point was I get to take two or three bets a year by the way all of those banks probably take with almost 100% overlap the same two or three bets a year 1200 vendors aren't going to each be deployed at global scale inside of every one of those banks it's too many vendors trying to chase very real but very small problems and part of the exercise of us starting these companies and trying to build them is to grow up it's too many yeah so but so I want to be the one that the customers remember if I'm a vendor there I'm Akamai and I want you to remember Akamai and I want to tell a story that's different and I want my story to become yours and then I'm compelling and maybe I'm memorable so with respect to zero trust what do you what do you have were your thoughts well again no for us zero Trust is about never trusting and always verifying and how do you operationalize that in a way that makes sense for the customer that where they don't have to rewrite applications they don't have to redeploy a lot of old tools so going back to your original question if I'm a vendor I want to look for the solution that fits my operational model that gives me better security that I have today and ultimately doesn't break anything those are the three criteria security is there that doesn't get in the way that's transparent but does what it says is it said operationally fits yep doesn't break things and improve security those are that's if I were C C so that's what I would choose so maybe my take is that why there are 1200 companies or 2500 companies right and I think in the 50s there was no I'm Chomsky that was studying grammar and syntax and everything and was defining the the dimensions of communications and essentially you had sender receiver a message a message carried over a channel with some sort of code and then a context context of the communication right and it's not the same to say how are you today of how are you today so that the context of how I explained a message can change the meaning of the communication right so what happens is what we see is that everybody looks at security problems from one of the dimensions of communication and all of them are valid solutions that bring some meaningful value but now what we have to always remember is that when we go to enterprises when we go to our customers and we say buy my product because it's best than anybody else right and the next guy is saying the same and the next guy is the same so there are some cases where products look alike they play in the same space but a lot of times it's like coming from different dimensions so that the way we looked at at RSA and batgirls in courtesy of VMware was they're talking about this problem of why so many and can the industry consume so many and what do we do about about that right so the way we are looking at is more about how not only to focus about the basic dimensions of communications like a sender a receiver a message which is kind of the obvious one on the transport but almost like to start thinking about the context is like how can I understand not how are you behaving but why are you changing behavior did you have a change of control a change of management event or is the binary that is being deployed got a check in for a develop from a developer and what was the reputation of the developer and I was talking to a large vine in New York and they were using lots of open source and they were even going to the point of creating a risk score on open source developers contributing to specific projects to understand if that code was worthy to put it in production so as we go into this new world that we will not even know what components are coming from by putting gate over get over get over gate as even pushing gates even more towards the perimeter is going to eventually hit certain limits so now is back to the context thing is how do we understand what was the intent of what some application or some user or some complex system of suppose to do and what do we do in terms of deviations to that and can we track it to events and justify that behavior so that's why VMware may be and being a larger company we are forced kind of to look at multiple dimensions because because we have kind of a sovereign fruss structure with multiple levels of the stack but we are trying to look at the security on this is like what's the context that I can aggregate about multiple sources in order to take better decisions or better risk management because security is not about black and white is it's always about the score and a prioritization of what events to take a look so Deepak I'm gonna I'm gonna ask you a slightly different question because I think you have a obviously a different perspective and so it may be a little bit harder hitting so statistically we're back to this RSA thing we're spending and I think I'm asking a customer a question that everybody in this room wants to ask there's one question you guys let me know if if it showed up on the iPad here's the burning question and everybody's mine and it's yours the answer we're spending five times as much on security as we were five years ago and VC's like yourselves are investing four times as much and most of us would agree if we're not less secure we're not any more secure right so it's not there maybe it's it doesn't feel like it's paying off so they're spending a lot of money feels like there's a lot of investment there so why is that what from-from your view as an investor and kind of what you look for as you try and find the next big thing in the context of zero trust I'm not going I'm not going to debate on specifics of those I think that actually you're right like you know we are not any more secure than then maybe four or five years ago but the world today is also very different from four or five years ago or ten years ago right there was no public cloud ten years ago and public cloud by default everything is public as an example right there was no globalization or outsourcing so the number of attack vectors a number of places where you can attack an organization has increased dramatically we have a huge mobile workforce and they're not sitting in a corporate promises and many of them don't even have a VPN access you know you could argue that you know Google is trying to get out of VPN through it to beyond carp and so on so I actually think the demand for security is still far outstripping good products that can solve these problems and that's definitely the bed that we are making and by investing in cyber security startups and our goal is to figure out which are those products which are have which have a pervasive demand which is solving pervasive problems and not niche problems and that's that's what our problem of a problem is in life it's not easy I'm not claiming we have solved that but I I think that we should probably as an industry be investing far more in cyber security innovation yeah for sure I remember the chart I put up where I showed this is where we're going yep so this is precisely the problem we're using yesterday's technology to address the problems that we're facing today that's why we have to dump so much money it's ineffective spending we can get a lot better at it so if you try to feed hay to our cars cars don't go very far you know we have to have the right tools in order to address it and to get the efficiency that we want so it's a mismatch impedance mismatch of the capabilities of existing security technologies and the needs of the business from a security perspective that's creating the difference I'll add the controversial comment which is there were 1,200 vendors on the floor of RSA let's say there were a thousand that were quote-unquote startups most of them aren't gonna be around in ten years great I mean I'll just say it like I know that it's a taboo thing to say sitting in the middle of Palo Alto but the reality is that it has nothing to do with how smart the people are or how interesting the technology is it's that you can't build a billion-dollar company solving a niche problem and to the question around what separates out the companies that the seaso walk in the floor of RSA remembers it's the one that solves the biggest most pressing problem in a way that fits into the enterprise's operating model like if they walk by a thousand booths and they see a thousand interesting things at some point they all blend together even if they're interesting but if one of them is a problem that they get on a plane fly back to New York and the regulator shows up the next day and says if you don't do this I'm going to shut you down the one that they attach in their mind to that can solve that problems they're against the one they're gonna run a consistent big bet problem that bubbles to the top with respect to the answer you just gave we're all probably highly biased and let me hear that just I want to hear I mean what do you think what's the I don't look at it through technology I look at it through the problem and in our minds the problem that the customers trying to solve in security is always driven by one of three things it's either regulatory and compliance nothing to get a customer to act faster and spend money quicker than when a regulator shows up and says I'm going to shut you down if you don't do this HIPAA PCI sorry about any of the frameworks that you hear about second one is a breach tends to be reactive it's usually not the most intelligent spend but they do a lot the day after they were on the front page of The Wall Street Journal or the third one is in the event that there is a realization that from a risk perspective there is real risk that they cannot tolerate any more on their quote unquote balance sheet the board shows up and says this equifax thing what are we doing to make sure that if this happens to us it's not that bad I want a real plan and so to the extent that you can bubble those things up that's how you start to get them to look at it's not a technology conversation it's actually a business conversation there has to be a business conversation these are not insignificant investments that are being made there were asking customers to make and so it has to tie back to solving real business problems right so at some point it becomes a business conversation Ahmir what do you think i think andrew is absolutely right and that's right as he is it's that's a really depressing answer so because everything he's talked about is regulatory requirements or you know a breach or the fact that it's a risk we're doing it out of fear not because we're trying to do the right things for our customers so you're saying security is this simply a reactive responsive thing is that the world we're in right now why we go to the gym is we're being reactive we're trying to lose the weight we gain or Christmas but maybe so so it's really reacting is that is that is that what you're seeing Deepak are we reacting they're companies that you're funding I think the companies that fastest growth know how to exploit the reactionary piece well now the reactionary piece comes from all the drivers that you know Andrew a number you know I alluded to I'm gonna take a slightly different frame framework of that right so threat slash regulatory driven where okay the big incident has happened okay I have unlimited budget and I need to go figure out what what caused that issue and I need to go solve it the problem is this that most enterprises have come to a realization that it's not a question of if you're going to get hacked the answer is yes it's not a question of when the answers always it's not a question of how bad it is going to be when it again when it is bad is going to be very bad it's really a question of how fast can you respond to bad situations and how and if there's an epidemic in healthcare there's only a question of how fast you can respond to it and how and how good is your response strategy so in and again the context of cyber security it's instant response that is one bucket and there's regulatory compliance piece to it and like I don't want to get I want a 100 million dollar fine not a billion dollar fine right so that's a trailer trying to making some in some in some in some situations there's the other IT trend piece outside the control of a CIS organization adoption of virtual machines adoption of containers about adoption of serverless adoption of SAS applications like in adoption of SAS applications led to the establishment of the Caspi industry as a new category a new budget line item but an adoption of IAS has led to the establishment of like a gardener pusher in three different categories like CWPP and a bunch of other things the similarly adoption of containers has led to a few things so so these are new attack surfaces of a CSC ISO has to secure but it's again reactionary they had no control in the adoption of these these technologies so reactionary in terms of incidents or regulation or compliance or reaction in terms of new IT trends so let me let me sort of branch from there I mean some some maybe we'd all agree that in the context of business relevance the application is king right in some ways it's all about the application I think all roads somehow lead back and traditionally we've done a really bad jobs carrying the application and the movement to the cloud is real I think we can agree on that so in the context of zero trust what are the opportunities to get it right the first time secure DevOps for example from a zero trust perspective because we've not done that before security was always an afterthought and here we are in 2019 and we're reacting and we're spending a lot of money to react so is zero is the sweet spot for zero trust secure DevOps and this move to the cloud pair maybe going back to the previous question I was in the past working in a last networking company on security products and there was always this discussion about designing secure networks versus implementing network security and designing secure networks is if you had the opportunity to think it through ahead of time and do it properly you would create a system but nobody does that you create the network and then you have to patch it with boxes and that's network security right so if you take it to what the Deepak was saying Security's reactive because you cannot stop innovation I mean core is going to happen service is going to happen applications are going to be king application is evolving into new frameworks kubernetes isolation model is not there yet there's issues in there so but it's very powerful and it brings significant value in terms of agility and business innovation so now when you start thinking in terms of how to roll security security is always going to be to support the business not a fundamental pillar of the business so if the reason is supposed to be more agile if I have to compete with a company a web to that or three auto company that is disrupting my business first and foremost I have to succeed as a business I have to be agile and then I have to secure it so that's why I don't believe it's possible two things security ahead of time because the people that are going to be in the forefront of innovation driving new business creations are going to go without waiting for security and then there's going to be a team secure ops whatever that we're going to patch it behind so I'm going to challenge that yeah so maybe just just a second how to fix that right how to bring these two things together so right now what we are doing is we are changing the way the development methodology in the enterprise is happening so if you think in terms of what does CI CD means continuous integration continuous delivery is if I can type the life cycle of the application creation process to the implementation of connectivity network network virtualization whatever you want to call it and realizing that network and security are not two different things because imagine if I go to a customer and say yeah I'm going to sell you the best Network solution in the industry is going to connect Google cloud with a non-prime environment but by the way is not secure so it's not going to work so if we get to realization that natural and security are one and the same and that we have to tie to the life cycle of the creation process of applications then is when we start having a way to maybe attempt to solve the problem but if we have security as an afterthought we will never be able to solve it and I'm not sure Manik I'm certainly not going to challenge it but no challenge come on I'll add a layer on top a little bit of controversy not a lot so we sit with customers at a loomio and they tend to be large enterprises big City JPM see big companies Salesforce workday and one of the things that in all honesty I think we got as wrong as we possibly could have when we started the company was the assumption that everything in the world is going to be clean and shiny and new and especially when you sit in Silicon Valley it is incredibly easy to delude yourself into believing that everything is going to be clean shiny and new so if you're building security for what's called the greenfield the new things you have an unbelievable advantage because it's declarative from the beginning you are literally figuring out what you're going to build you can bind the security to the process from the very beginning you're declaring what it is and how it should behave and how it should be secured and then we got on a plane and we flew a couple of thousand miles east of here and we started going to New York and then a few thousand miles east of there and went to London and these companies walked in and they said yes so here's our reality we have a hundred thousand servers in the world about ninety nine thousand nine hundred and ninety of them have been in existence for some version of the last 20 years they run six thousand applications most of which were built by people that literally left this organization ten years ago and there's a post-it note under a keyboard somewhere that tells us how it works and we're really scared that that environment is going to get breached because that's actually where we run everything and store all the data and yes we're on this path where over a long horizon we're going to take this brownfield mess and turn it into this shiny greenfield thing but like we got to live with this thing and we're running the whole plant on this thing for the next ten years while that happens and fixing that world is inherently reactive but it's also by far and away the most complicated thing to fix and so there's this struggle that's going on because there are these organizations that are much more forward-leaning and they are doing all the right things to make sure that they don't recreate the problem of the past but the problem is 99% of the world runs on the problems of the past and we can't ignore it and say well we'll just worry about that later or we won't worry about it at all because everything's going to be over here eventually the ability you know if you ask the simple question how many applications you have in production today I I don't I'm not sure anybody could tell you so we sat at RSA a year ago with a very large Bank and for the first time in the history of our engagement with them which has been basically the four years we've been in market they brought the cloud team in and they have an AWS public deployment and we said to the cloud team out of the six thousand or so apps that run in this Bank give or take how many are actually really running in AWS today and the number was this literally like and that's how they actually told us the answer and they're not embarrassed by it that is the pace that they're on and it's not that it'll be three a year for the next two thousand years it will accelerate dramatically but there's still the 50 997 of them back home that they have to secure and make sure that if they're breached don't end up putting them on the front page of the journal then it's safe to say Ameri want your thoughts on this it's safe to say that the thing that's controlling limiting throttling the movement of applications to the cloud is the confidence and the secure experience I as an organization I'm just not confident I can secure this application as I move it to the cloud so I'm either not going to or I'm going to slow the pace of movement is that is that the essence of the problem is that one big problem I would like to expand it a bit I mean when we say application scheme I think data is king okay an application access data is this that application today doesn't have the transaction that the transitive property of carrying who owned whose behalf you are touching data so we have created an Network industry about applications but at the same time there is a data component that when acute Equifax stock crash it was not because an application was compromised was because data was breached so that's why we have to start thinking that it's not about just applications and connectivity but is the data aspect associated to the applications that we are touching here so to answer your question there are a number of things that are slowing the microsomes of cloud security concerns are certainly one of them but in my opinion the biggest one is lack of skills in order to create the right cloud environment isn't that the reason to go one driving compelling factor to go to the cloud in the first place is skill sort of shortage right it's not met core competency so let me take it where it is but that's a type of skill it's an infrastructure management that you're referring to right but in order to do cloud right you need to have cloud architects you need to have site reliability engineers you need to treat infrastructure as code and that's developers and that's in short supply getting that right is incredibly hard it's a it's a rarefied skillset so what people try to do is do the lift and shift which is whatever I have in my physical data center I'm going to replicate the same thing over there then done you know I'd have to think about it but now what you've done is apply an old model to a new infrastructure and you end up spending the 5x city we're talking and I best-case exacerbated the problem I haven't solved the problem and solved the problem exactly so it's not the lack of security its lack of skills for a new domain okay so everybody cheer up we're gonna we're gonna lift this conversation up we're going to talk about the good news and the opportunity I'm going to go to audience questions but first I have one more question just sort of wrap up this this phase of the of the Q&A and panel discussion here's this kind of the next burning question what do you do zero trust what do you do first what do you do next what's that one thing let's keep it short keep it if you know make it different and unique but if you had you had five minutes in front of someone that had a lot of money to solve a problem and it's zero trust you're talking about what do you do what do you do for the conversation actually a and II got it right it's visualized what you have understand where things are that's number one Wow can you just agree with him please yeah I'm gonna so I'm gonna I'm gonna say and I'll do it quickly that I think that what cyber has failed on most miserably is ignoring every single lesson we've ever learned from physical security in the physical world so take a really easy example it doesn't matter who the president is or whether we like them or not or her or not but there is this person called the president United States there's this organization called the Secret Service there are two things they do insanely well one they do not let the person go somewhere without understanding the entire telemetry and environment that the person is going to be in they understand every ingress every egress they have maps they understand the building the infrastructure they spend a lot of time learning about the place no matter whether there's a security incident or not that's the visualization but the second thing that we screw up in the cyber world all the time is we think that we can peanut butter the investment and secure everything evenly in the physical world we do the exact opposite we say the stuff in the vault in the bank is by far the most valuable stuff if they rob us let them steal the paperclip sitting on the desk we don't want to be robbed at all but the paperclips are easy to replace the stuff in the vault is hard if there's one thing that we say to a customer do it with whatever vendor you want figure out your crown jewels your most valuable assets and go and over invest in protecting those things first okay so we got we've got visualize and we've got crown jewels know your crowns they're your core competency right if I'm if I'm a bank at your payments right if I'm a law firm it's my client a client database deeper what are your what's that one thing there's another take on what Andrew mentioned I think zero first first needs to be enforced on privileged users and their actions administrators so I think you're talking about all you know random devices here and so on but privileged users administrative users they need to be then they need to be under zero trust methodology and it's not just zero trust it also needs to be just-in-time trust maybe growing out of the visualization is we've gotten years to have a perimeter firewall and everybody knows things if you get breached and you didn't have a firewall you may get fired but applications have become complex and we are completely fine running applications is worse with lateral movements without internal perimeter so is West security or micro segmentation whatever you want to call it so it's I would say that the BG's you better understand the value that your application is where this happening is bringing to organization and all the breaches that that can bring because if you don't have an east-west security solution your north-south firewall is as good as the hole that you have for port 80 or four places help so there's a I think that's for good wise pieces of advice I'll give you a fifth not because anyone but five is better than four so from my view of the world its its decommission privilege Wi-Fi and legacy VPN find a way we're again it's back to that parameter model there's no good reason to let people into our organizations and parameters the way we've always done it instead expose an application and then use identity access management to understand who these people are that's not the end-all be-all but that's certainly one thing if you're gonna do something now think about privileged Wi-Fi legacy VPN access all right so five I think good good things remember one goal is how you get this off a white board and get it into action what do you do and I think those are great that's great great advice okay so I've got a bunch of good questions for the audience and for seemed to have trended to the top here so I'm gonna take these a little bit out of order and these these are probably these are really compelling and the questions I didn't think about so 90% of the IOT Internet of Things devices have no security we could probably agree ninety percent are insecure in a large number of tax originated from IOT devices how do we address this problem in the context of zero trust is it the same way Weavin is it different or is it just an extension of the same same problem it's it's it's an extension of the same problem but at the same time is different because there are assets that you have into your hospitals into your industrial floors that you may not even know that you have so now you have to be able to discover them and profile them in a way that you can attach kind of a synthetic identity based on how they behave and then apply the right policies so I would say it's not that different it says that again the tools that we have to use in order to establish identity and policy may be slightly different but conceptually you want to understand who's who and who's doing what and be able to have some sort of enforcement just a scale problem in other words it is an extension of the same problem it's the same sort of use case but I think the difference is that if you have a hundred thousand servers you may have four hundred thousand or maybe even five hundred thousand or a million devices that theoretically are floating around in the world that in some way shape or form interact with that ecosystem and so it becomes a i'ma scale that's what we hear very often from customers is it's not that I expect that I'm gonna know and understand and control every one of these things but there's a lot of them out there and I really need to have some way of being able to put a fence around them and understand what they are even if it's not each individual one I'm not an expert on topic so I'm not gonna comment I do think it's a scale problem yeah but it's it's a complex and rich enough problem that I'm probably not qualified to comment on okay Deepak any thoughts there just the IOT thing has to be an emerging interesting area for for investors you know we have made in Batson IT security and a company called zing box III think IOT security you know the problem is IOT is not a uniform thing so I already security cannot be uniform it's like a bunch of different things together right so the problem of discovery and visibility is much much harder in IOT and today's security is going by I need to be proactive in saying I have this asset baton Dana Center asset or is it an IOT asset and I think automatic visibility is like this is the key thing and then too is the new differentiate the importance of the asset and like is it an MRI machine is it like a video camera is it like a doorbell or whatever that is and I think and that differentiation also needs to be automatic we don't go and register our website on Google search Google search just goes it automatically and and a sense of PageRank automatically so I think we need to get the same concept in two eyes ITSs an IOT assets do so let's let's stay on the topic of emerging like white-hot emerging technology trends and talk about the intersection of zero trust and artificial intelligence and machine learning what what comes to mind what are the benefits what are the thoughts there are they complimentary does one does AI make zero trust more of reality or is it is it the opposite I'm just glad you laugh when I do what do you say so I know what natural stupidity is I don't know what artificial intelligence is but so AI is really pattern matching it's a way of discovering relationships so if you have the right training data training set then right algorithms you can get insights but that's a very broad statement I'm making I mean we have to understand what is the domain what is but what are the problems that we want to solve what's a data set and then go solve that with a AI it's not a magic pill yep okay I mean it's security it's getting a lot of airplay but if you actually dig under the covers there's not a lot of reality to somebody being able to walk in and say this is what my AI or my ml is doing and this is the effect on the outcome yet I think as there's better datasets as the algorithms get better there will be better outcomes but if you really press people on if you use this ml or AI that you're claiming is built into your platform of your product show me the differential and the outcome why am i safe or what is it finding that otherwise wouldn't be found it's still a tenuous connection between those two it will get better over time the datasets will get bigger and the algorithms and get smarter but it's still very early days you know what freaks me of the most is when companies claim that I ml is so good we don't know what it's doing I think if we enforce zero trust on all the AI models at other startups and companies are peddling that's that's actually good business there's running joking you don't go out and raise money nowadays without saying that I have ml nai you don't have to actually define what it is or how it works but you definitely want to make sure it's part of your pitch attack all right so let's go back let's go back to the perimeter idea of a little bit here I want to dig in on this a little bit and I think the audience does too I think we're probably 50/50 on whether the perimeters dead or still needed or a perimeter firewall but it seems increasingly that maybe the the person is the perimeter right I'm fond of saying work is what we do not where we go and I can work independent of time and space I need this and application and a connection and so maybe the person is the perimeter so this is a little bit of a subtle question what role do people play in zero trust what's what's the intersection with people and zero trust I mean maybe going back to identity the question is what is identity right and you are a human using a tablet that runs an operating system with a set of libraries and you are exhibiting a behavior so is your identity yourself or something else and if you go to the nationís how do we behave as humans right we have a government-issued ID and a passport and an award patch so we have multiple identities and those identities carry metadata about us that in certain environments may behave differently right so the Russian the notion of the human is is always like is it really you when your tablet is misbehaving is it rid of you or is an open-source component or a commercial software that has been hacked and compromised so that's why the thing is is as the perimeter goes closer and closer to the user because as you are going back with a VPN example you don't want to have a tunnel to your enterprise that everybody can come in so it will be better understand this is when this tablet doing something misbehaving but going back to two porous identity and how do we add context to that identity to understand how the end-user applies to the security area so you know I this is where your bias starts to come in I I think that one of the challenges that we have is that there isn't enough money in there on enough days to sort of go around to protect everything it's just sort of a fact of life I think that's why in the physical world we sort of approached the way that we do the reality is that we don't have the same security at Boise Airport that we do at SFO because there's just more tax surface at SFO and there's more likelihood of something bad happening and I think to try and imagine a world in which we somehow have figured out a security model that works on 250,000 employees at JPMorgan Chase and every one of the eight devices that they carry and somehow be able to mate that posture and a highly dynamic changing world it just feels like the task sort of becomes overwhelming and so you relook at it through the lens and this is where I acknowledge my bias and you sort of say at the end of the day if one or every single one of those million-and-a-half devices got breached into right now is it the stuff on the device or is it what the device connects to in the data center that has the customer credit card records that really is the problem and if we're gonna over invest in understanding and protecting something shouldn't it be the end state of the attack not the starting state and and and I acknowledge it's a biased view because that's what we talk to our customers about for the most part is protecting and helping them to understand these crown jewels but there is sort of an economic reality to the fact that we may not be able to protect every single device in every single users hands and understand in real time all these things but we certainly can understand the narrow scope of things that everybody's trying to get to so it is I don't know if it's controversial but it is sort of a little bit of an antithetical view to the notion that we're gonna figure all of this out and solve the whole problem of every person and every device they carry so I've tried to synthesize what Peter and Andrew said the more general setting by the notion of my birth and some overseas work related I've lived in police states and I know what the security theater looks like and it turns out that if you live in police states you're actually not as secure u.s. is not a police state but I feel a lot more secure here and why is that because it comes down to an individual and as that I mentioned it's really what the individual does and the context of they're doing it and the actions and the devices that are using if you understand these then it can profile risk pretty easily while leave an individual alone until they become a risk that's not a police state that's just looking at signatures and say ah at this point this individual is displaying risky behavior otherwise leave them alone and let them be free and do whatever their what you want to do so yeah coming back to him individual the individual does matter but how that individual is interacting with devices and how that device is interacting with the world that matters so I promised Fred I was going to leave him five minutes five minutes we I have 10 I have their we have 10 left so I have 5 minutes yeah so actually I have a question for you oh we're all wearing jeans what happened to you I I didn't get the the spiffy Silicon Valley memo to wear my I do have the fancy jeans I just probably should have worn them I actually I don't have to be fancy I always bought Levi's and then one day my wife marched me into Nordstrom and I got a pair of the over white jeans that they actually hemmed up I've never had my jeans tailored before so I left them at home next time I thought about the black t-shirt and the cool jeans and so next time that's how I'm asked my age too I much prefer the jeans the stretchy jeans at my age they're the calm vanity sighs all right so final question and this is for everybody in the panel and whoever jumps in first have at it and we'll just go from there what what does is zero are we still talking about zero trust in five years is it reality and if so or if not what a cyber security look like what is it I know I'm actually to look into the future and be a little bit of a little bit of fortune teller but are we still talking is it reality like we look back five years say I remember when that that panel set on the stage and they were talking about that we're seeing now or is this all just a bunch of nonsense and never talking about something else I think we'll be talking about something else talking about something else and maybe the argument is because like these cycles of transformations and new concepts last five to seven years max and then you need a new cycle and a new set of marketing terms otherwise we would be writing about the same thing and my bet is that we may be doing the same things having like the same problems but it's going to become something else but but AI keeps coming back it was hard to 70s and the hot native-like I think we're only talking about distributed trust exactly and identities the new the new boundary the new perimeter identity I think something sticks when it becomes actionable I mean that's what it boils down to so if zero trust ends up becoming something that is actionable if there's a set of security controls that really large and sort of meaningful organizations get their hands around and they can implement it it'll stick whether the term sticks or not I mean that's probably marketing and I know that's way over my head but I it is actionable it will become real if it turns out that it's this big sort of amorphous concept and in reality nobody can figure out what to do about it or how to implement it it'll died sort of a quick death that it deserves if it can't become reality I think it depends on the hands of either a big company or a startup company to make to be the flagbearer of zero trust when things don't become trends by themselves like some companies the flagbearer of a trend right social networking didn't become a trend it became a trend because of Facebook so social networking was the consequence of Facebook rather than the other way around and it's a the same way like in an online gaming was the consequence of Zynga in some ways and indeed the first generation gaming was the consequence of Nintendo and other consoles so the real question is you know which company made a startup or a big company is going to be the flagbearer of zero trust and of course you know Trust can mean different things for different people but this one we're looking forward to that so I think if one if a company is going to build the first IP orrible company in the startup world that is going to say we became big because of zero trust and this is what zero trust is and there's what customers should adopt then we're probably going to be talking about everybody implementing zero trust if not I guess we're going into distributed trust under distributed traceur yeah so I'll just again cuz no one asked me my belief is and I'm not I'm not so much of an optimist I believe 2019 this year and into next year is truly the year for to see zero trust implementation the real tangible substantive zero trust manifestation whether it's in the context of what a fraternal loomio do or or Akamai for example I think and I think that the key is not to overcomplicate it with fancy fancy names I think the principles are sound I think the problems we're trying to solve are real and big but I do think this is the year that we take some of this off the whiteboard and we start seeing it in action and I don't think it's one solution I think it's it's a combination of solutions that all home back home back to the same principle the same fundamentals that we all sort of started off and talked about and so I have just a few closing comments I did want to give a shout out to the audience member who asks I think the best question we won't answer but it's given the legacy and complexity is winter coming so that's an indication of maybe that was the V labs team having fun with me that's a great question I do think it's it goes to show how complex and shapeless this conversation is and how big the problem is the good news is there's a lot of really smart people in a lot of really good aggressive investors that are working to solve this problem and again I started off by saying if everybody's thinking the same no one's thinking and I think a lot of people are thinking differently and there's a lot of good thought out there that together starts to solve this problem so gentlemen thank you this was this is ago we could have gone three hours so thank you you

Info

Channel: vlabvideos

Views: 1,154

Rating: 5 out of 5

Keywords: VLab, Stanford, Akamai Technologies, Aporeto, Illumio, VMware, Plumgrid, Dell Technologies Capital, Randy Wood, Amir Sharif, Andrew Rubin, Pere Monclus, Deepak Jeevankumar

Id: ooAPzzYkyaE

Channel Id: undefined

Length: 80min 20sec (4820 seconds)

Published: Sat Jun 01 2019