Third Wave Security with Alex Marshall of Twingate

Alex is the Chief Product Officer of Twingate, which he cofounded in 2019. Alex has held a range of product leadership roles in the enterprise software market over the last 16 years, including at Dropbox, where he was the first enterprise hire in the company's transformation from consumer to enterprise business. A focus of his product career has been using the power of design thinking to make technically complex products intuitive and easy to use. Alex graduated from Stanford University with a degree in Electrical Engineering.

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig secures your cloud from source to run. They believe, as do I, that DevOps and security are inextricably linked. If you wanna learn more about how they view this, check out their blog, it's definitely worth the read. To learn more about how they are absolutely getting it right from where I sit, visit Sysdig.com and tell them that I sent you. That's S Y S D I G.com. And my thanks to them for their continued support of this ridiculous nonsense.

Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it’s hard to know where problems originate. Is it your application code, users, or the underlying systems? I’ve got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it’s more than just hipster monitoring.

Corey: Welcome to Screaming in the Cloud. I’m Corey Quinn. This promoted episode is brought to us by our friends at Twingate, and in addition to bringing you this episode, they also brought me a guest. Alex Marshall is the Chief Product Officer at Twingate. Alex, thank you for joining me, and what is a Twingate?

Alex: Yeah, well, thanks. Well, it’s great to be here. What is Twingate? Well, the way to think about Twingate is we’re really a network overlay layer. And so, the experience you have when you’re running Twingate as a user is that network resources or network destinations that wouldn’t otherwise be accessible to you or magically accessible to you and you’re properly authenticated and authorized to access them.

Corey: When you say it’s a network overlay, what I tend to hear and the context I usually see that in, in the real world is, “Well, we’re running some things in AWS and some things in Google Cloud, and I don’t know because of a sudden sharp blow to the head, maybe Azure as well, and how do you get all of the various security network models of security groups on one side to talk to their equivalent on the other side?” And the correct answer is generally that you don’t and you use something else that more or less makes the rest of that irrelevant. Is that the direction you’re coming at this from, or do you view it differently?

Alex: Yeah, so I think the way that we view this in terms of, like, why we decide to build a product in the first place is that if you look at, sort of like, the internet in 2022, like, there’s one thing that’s missing from the network routing table, which is authentication and authorization on each row [laugh]. And so, the way that we designed the product is we said, “Okay, we’re not going to worry about everything, basically, above the network layer and we’re going to focus on making sure that what we’re controlling with the client is looking at outbound network connections and making sure that when someone accesses something and only when they access it, that we check to make sure that they’re allowed access.” We’re basically holding those network connections until someone’s proven that they’re allowed to access to, then we let it go. And so, from the standpoint of, like, figuring out, like, security groups and all that kind of stuff, we’re basically saying, like, “Yeah, if you’re allowed to access the database in AWS, or your home assistant on your home network, fine, we’ll let you do that, but we’ll only let you go there once you’ve proven you’re allowed to. And then once you’re there, then you know, we’ll let you figure out how you want to authenticate into the destination system.” So, our view is, like, let’s start at the network layer, and then that solves a lot of problems.

Corey: When I call this a VPN, I know a couple of things are going to be true. One, you’re almost certainly going to correct me on that because this is all about Zero Trust. This is the Year of our Lord 2022, after all. But also what I round to what basically becomes a VPN to my mind, there are usually two implementations or implementation patterns that I think about. One of them is the idea of client access, where I have a laptop; I’m in a Starbucks; I want to connect to a thing. And the other has historically been considered, site to site, or I have a data center that I want to have constantly connected to my cloud environment. Which side of that mental model do you tend to fall in? Or is that the wrong way to frame it?

Alex: Mm-hm. The way we look at it and sort of the vision that we have for what the product should be, the problem that we should be solving for customers is what we want to solve for customers is that Twingate is a product that lets you be certain that your employees can work securely from anywhere. And so, you need a little bit of a different model to do that. And the two examples you gave are actually both entirely valid, especially given the fact that people just work from everywhere now. Like, resources everywhere, they use a lot of different devices, people work from lots of different networks, and so it’s a really hard problem to solve.

And so, the way that we look at it is that you really want to be running something or have a system in place that’s always taking into account the context that user is in. So, in your example of someone’s at a Starbucks, you know, in the public WiFi, last time I checked, Starbucks WiFi was unencrypted, so it’s pretty bad for security. So, what we should do is you should take that context into account and then make sure that all that traffic is encrypted. But at the same time, like, you might be in the corporate office, network is perfectly safe, but you still want to make sure that you’re authorizing people at the point in time they try to access something to make sure that they actually are entitled to access that database in the AWS network. And so, we’re trying to get people away from thinking about this, like, point-to-point connection with a VPN, where you know, the usual experience we’ve all had as employees is, “Great. Now, I need to fire up the VPN. My internet traffic is going to be horrible. My battery’s probably going to die. My—”

Corey: Pull out the manual token that rotates with an RSA—

Alex: Exactly.

Corey: —token that spits out a different digital code every 30 seconds if the battery hasn’t died or they haven’t gotten their seeds leaked again, and then log in and the rest; in some horrible implementations type that code after your password for some Godforsaken reason. Yeah, we’ve all been down that path and it’s like, “Yeah, just sign into the corporate VPN.” It’s like, “Did you just tell me to go screw myself because that’s what I heard.”

Alex: [laugh]. Exactly. And that is exactly the situation that we’re in. And the fact is, like, VPNs were invented a long time ago and they were designed to connect to networks, right? They were designed to connect a branch office to a corporate office, and they’re just to join all the devices on the network.

So, we’re really, like—everybody has had this experience of VPN is suffering from the fact that it’s the wrong tool for the job. Going back to, sort of like, this idea of, like, us being the network overlay, we don’t want to touch any traffic that isn’t intended to go to something that the company or the organization or the team wants to protect. And so, we’re only going to gate traffic that goes to those network destinations that you actually want to protect. And we’re going to make sure that when that happens, it’s painless. So, for example, like, you know, I don’t know, again, like, use your example again; you’ve been at Starbucks, you’ve been working your email, you don’t really need to access anything that’s private, and all of a sudden, like, you need to as part of your work that you’re doing on the Starbucks WiFi is access something that’s in AWS.

Well, then the moment you do that, then maybe you’re actually fine to access it because you’ve been authenticated, you know, and you’re within the window, it’s just going to work, right, so you don’t have to go through this painful process of firing up the VPN like you’re just talking about.

Corey: There are a number of companies out there that, first, self-described as being, “Oh, we do Zero Trust.” And when I hear that, what I immediately hear in my own mind is, “I have something to sell you,” which, fair enough, we live in an industry. We’re trying to have a society here. I get it. The next part that I wind up getting confused by then is, it seems like one of those deeply overloaded terms that exists to, more or less—in some cases to be very direct—well, we’ve been selling this thing for 15 years and that’s the buzzword, so now we’re going to describe it as the thing we do with a fresh coat of paint on it.

Other times it seems to be something radically different. And, on some level, I feel like I could wind up building an entire security suite out of nothing other than things self-billing themselves as Zero Trust. What is it that makes Twingate different compared to a wide variety of other offerings, ranging from Seam to whatever the hell an XDR might be to, apparently according to RSA, a breakfast cereal?

Alex: So, you’re right. Like, Zero Trust is completely, like, overused word. And so, what’s different about Twingate is that really, I think goes back to, like, why we started the company in the first place, which is that we started looking at the remote workspace. And this is, of course, before the pandemic, before everybody was actually working remotely and it became a really urgent problem.

Corey: During the pandemic, of course, a lot of the traditional VPN companies are, “Huh. Why is the VPN concentrator glowing white in the rack and melting? And it sounds like screaming. What’s going on?” Yeah, it turns out capacity provisioning and bottlenecking of an entire company tends to be a thing at scale.

Alex: And so, you’re right, like, that is exactly the conversation. We’ve had a bunch of customers over the last couple years, it’s like their VPN gateway is, like, blowing up because it used to be that 10% of the workforce used it on average, and all of a sudden everybody had to use it. What’s different about our approach in terms of what we observed when we started the company, is that what we noticed is that this term Zero Trust is kind of floating out there, but the only company that actually implemented Zero Trust was Google. So, if you think about the situations that you look at, Zero Trust is like, obvious. It’s like, it’s what you would want to do if you redesigned the internet, which is you’d want to say every network connection has to be authorized every single time it’s made.

But the internet isn’t actually designed that way. It’s designed default open instead of default closed. And so, we looked at the industry are, like, “Great. Like, Google’s done it. Google has, like, tons and tons of resources. Why hasn’t anyone else done it?”

And the example that I like to talk about when we talk about inception of the business is we went to some products that are out there that were implementing the right technological approach, and one of these products is still in use today, believe it or not, but I went to the documentation page, and I hit print, and it was almost 50 pages of documentation to implement it. And so, when you look at that, you’re, like, okay, like, maybe there’s a usability problem here [laugh]. And so, what we really, really focus on is, how do we make this product as easy as possible to deploy? And that gets into, like, this area of change management. And so, if you’re in IT or DevOps or engineering or security and you’re listening to this, I’m sure you’ve been through this process where it’s taken months to deploy something because it was just really technically difficult and because you had to change user behavior. So, the thing that we focus on is making sure that you didn’t have to change user behavior.

Corey: Every time you expect people to start doing things completely differently, congratulations, you’ve already lost before you’ve started.

Alex: Yes, exactly. And so, the difference with our product is that you can switch off the VPN one day, have people install a Twingate client, and then tomorrow, they still access things with exactly the same addresses they used before. And this seems like such a minor point, but the fact that I don’t have to rewrite scripts, I don’t have to change my SSH proxy configuration, I don’t have to do anything, all of those private DNS addresses or those private IP address, they’ll still work because of the way that our client works on the device.

Corey: So, what you’re saying is fundamental; you could even do a slow rollout. It doesn’t need to be a knife-switch cutover at two in the morning where you’re scrambling around and, “Oh, my God, we forgot the entire accounting department.”

Alex: Yep, that’s exactly right. And that is, like, an attraction of deploying this is that you can actually deploy it department by department and not have to change all your infrastructure at the same time. So again, it’s like pretty fundamental point here. It’s like, if you’re going to get adoption technology, it’s not just about how cool the technology is under the hood and how advanced it is; it’s actually thinking about from a customer and a business standpoint, like, how much is actually going to cost time-wise and effort-wise to move over to the new solution. So, we’ve really, really focused on that.

Corey: Yeah. That is generally one of those things, that seems to be the hardest approach. I mean, let’s back up a little bit here because I will challenge—likely—something that you said a few minutes ago, which is Google was the first and only company for a little while doing Zero Trust. Back in 2012, it turned out that we weren’t calling it that then, but that is fundamentally what I built out of the ten-person startup that I was at, where I was the first ops hire, which generally comes in right around Series B when developers realize, okay, we can no longer lie to ourselves that we know what we’re doing on an ops side. Everything’s on fire and no one can sleep through the night. Help, help, help. Which is fine.

I’ve never had tolerance or patience for ops people who insult people in those situations. It’s, “Well, they got far enough along to hire you, didn’t they? So, maybe show some respect.” But one of the things that I did was, being on the corporate network got you access to the printer in the corner and that was it. There was no special treatment of that network.

And I didn’t think much of it at the time, but I got some very strange looks and had some—uh, will call it interesting a decade later; most of the pain has faded—discussions with our auditor when we were going through some PCI work, and they showed up and said, “Great. Okay, where are the credentials for your directory?” And my response was, “Our what now?” And that’s when I realized there’s a certain point of scale. Back when I started as an independent consultant, everything I did for single-sign-on, for example, was my 1Password vault. Easy enough.

Now, that we’ve scaled up beyond that, I’m starting to see the value of things like single-sign-on in a way that I never did before, and in hindsight, I’d like to go back and do things very differently as a result. Scale matters. What is the point of scale that you find is your sweet spot? Is it one person trying to connect to a whole bunch of nonsense? Is it small to midsize companies—and we should probably bound that because to me, a big company is still one that has 200 people there?

Alex: To your original interesting point, which is that yeah, kudos to you for, like, implementing that, like, back then because we’ve had probably—

Corey: I was just being lazy and it was what was there. It’s like, “Why do I want to maintain a server in the closet? Honestly, I’m not sure that the office is that secure. And all it’s going to do—what I’m I going to put on that? A SharePoint server? Please. We’re using Macs.”

Alex: Yeah, exactly. Yeah. So it’s, we’ve had, like, I don’t know at this point, thousands of customer conversations. The number of people have actually gone down that route implementing things themselves as a very small number. And I think that just shows how hard it is. So again, like, kudos.

And I think the scale point is, I think, really critical. So, I think it’s changed over time, but actually, the point at which a customer gets to a scale where I think a solution has, like, leveraged high value is when you get to maybe only 50, 75 people, which is a pretty small business. And the reason is that that’s the point at which a bunch of tools start getting implemented a company, right? When you’re five people, you’re not going to install, like, an MDM or something on people’s devices, right? When you get to 50, 75, 100, you start hiring your first IT team members. That’s the point where them being able to, like, centralize management of things at the company becomes really critical.

And so, one of the other aspects that makes this a little bit different terms of approach is that what we see is that there’s a huge number of tools that have to be managed, and they have different configuration settings. You can’t even get consistency on MDM is across different platforms, necessarily, right? Like, Linux, Windows, and Mac are all going to have slight differences, and so what we’ve been working with the platform towards is actually being the centralization point where we integrate with these different systems and then pull together, like, a consistent way to create those authentication authorization policies I was talking about before. And the last thing on SSO, just to sort of reiterate that, I think that you’re talking about you’re seeing the value of that, the other thing that we’ve, like, made a deliberate decision on is that we’re not going to try to, like, re-solve, like, a bunch of these problems. Like, some of the things that we do on the user authentication point is that we rely on there being an SSO, like, user directory, that handles authentication, that handles, like, creating user groups. And we want to reuse that when people are using Twingate to control access to network destinations.

So, for us, like, it’s actually, you know, that point of scale comes fairly early. It only gets harder from there, and it’s especially when that IT team is, like, a relatively small number of people compared to number of employees where it becomes really critical to be able to leverage all the technology they have to deploy.

Corey: I guess this might be one of those areas where I’m not deep enough in your space to really see it the same way that you do, which is the whole reason I have people like you on the show: so I can ask these questions directly. What is the painful position that I find myself in that I should say, “Ah, I should bring Twingate in to solve this obnoxious, painful problem so I never have to think about it again.” What is it that you solve?

Alex: Yeah, I mean, I think for what our customers tell us, it’s providing a, like, consistent way to get access into, like, a wide variety of internal resources, and generally in multi-cloud environments. That’s where it gets, like, really tricky. And the consistency is, like, really important because you’re trying to provide access to your team—often like it’s DevOps teams, but all kinds of people can access these things—trying to write access is a multiple different environments, again, there’s a consistency problem where there are multiple different ways to provide that, and there isn’t a single place to manage all that. And so, it gets really challenging to understand who has access to what, makes sure that credentials expire when they’re supposed to expire, make sure that all the routing inside those remote destinations is set up correctly. And it just becomes, like, a real hassle to manage those things.

So, that’s the big one. And usually where people are coming from is that they’ve been using VPN to do that because they didn’t know anything better exists, or they haven’t found anything that’s easy enough to deploy, right? So, that’s really the problem that they’re running into.

Corey: There’s also a lot of tribal knowledge that gets passed down. The oral tradition of, “I have this problem. What should I do? I know, I will consult the wise old sage.” “Well, where can you find the wise old sage?” “Under the rack of servers, swearing at them.” “Great, cool. Well, use a VPN. That’s what we’ve used since time immemorial.” And then the sins are visited onto yet another generation.

There’s a sense that I have that companies that are started now are going to have a radically different security posture and a different way of thinking about these things than the quote-unquote, “Legacy companies.”—legacy, of course, being that condescending engineering term for ‘it makes money—who are migrating their way into a brave new world because they had the temerity to found themselves as companies before 2012.

Alex: Absolutely. When we’re working with customers, there is a sort of a sweet spot, both in terms of, like, the size and role that we were talking about before, but also just in terms of, like, where they are, in, sort of like, the sort of lifecycle of their company. And I think one of the most exciting things for us is that we get to work with companies that are kind of figuring this stuff out for the first time and they’re taking a fresh look at, like, what the capabilities are out there in the landscape. And that’s, I think, what makes this whole space, like, super, super interesting.

There’s some really, really fantastic things you can do. Just give you an example, again, that I think might resonate with your audience quite a bit is this whole topic of automation, right? Your time at the tribal knowledge of, like, “Oh, of course. You know, we set up a VPN and so on.” One of the things that I don’t think is necessarily obvious in this space is that for the teams that—at companies that are deploying, configuring, managing internal network infrastructure, is that in the past, you’ve had to make compromises on infrastructure in order to accommodate access, right?

Because it’s kind of a pain to deploy a bunch of, like, VPN gateways, mostly for the end-user because they got to, like, choose which one they’re connecting to. You potentially had to open up traffic routes to accommodate a VPN gateway that you wouldn’t otherwise want to open up. And so, one of the things that’s, like, really sort of fascinating about, like, a new way of looking at things is that what we allow with Twingate—and part of this is because we’ve really made sure that the product is, like, API-first in the very beginning, which allows us to very easily integrate in with things, like, Terraform and Pulumi for deployment automation, is that now you have a new way of looking at things, which is that you can build a network infrastructure that you want with the data flow rules that you want, and very easily provide access into, like, points of that infrastructure, whether that’s an entire subnet or just a single host somewhere. I think these are the ways, like, the capabilities have been realized are possible until they, sort of like, understand some of these new technologies.

Corey: This episode is sponsored in part by our friend EnterpriseDB. EnterpriseDB has been powering enterprise applications with PostgreSQL for 15 years. And now EnterpriseDB has you covered wherever you deploy PostgreSQL on-premises, private cloud, and they just announced a fully-managed service on AWS and Azure called BigAnimal, all one word. Don’t leave managing your database to your cloud vendor because they’re too busy launching another half-dozen managed databases to focus on any one of them that they didn’t build themselves. Instead, work with the experts over at EnterpriseDB. They can save you time and money, they can even help you migrate legacy applications—including Oracle—to the cloud. To learn more, try BigAnimal for free. Go to biganimal.com/snark, and tell them Corey sent you.

Corey: This feels like one of those technologies where the place that a customer starts from and where they wind up going are very far apart. Because I can see the metaphorical camel’s nose under the tent flap being, “Ah, this is a VPN except it doesn’t suck. Great.” But once you wind up with effectively an overlay network connecting all the things that you care about within an organization, it feels like that unlocks a whole universe of possibility.

Alex: Mm-hm. Yeah, definitely. I mean, I think you hit the nail on the head there. Like, a lot of people approach us because they’re having a lot of pain with VPN and all the operational difficulties they were talking about earlier, but I think what sort of starts to open up is there’s some, sort of like, not obvious things that happen. And one of them is that all of a sudden, when you can limit access at a network connection level, you start to think about, like, credentials and access management a little differently, right?

So, one of the problems that well-known is people set a bastion host. And they set bastion host so that there’s, like, a limited way into the network and all the, you know, keys are stored in that bastion host and so on. So, you basically have a system where fine, we had bastion host set up because, A, we want limited ingress, and B, we want to make sure that we know exactly who has access to our internal resources. You could do away with that and with a simple, like, configuration change, you can basically say, “Even if this employee for whatever reason, we’ve forgotten to remove—revoke their SSH keys, even if they still have those keys, they can’t access the destination because we’re blocking network access at their actual device,” then you have a very different way to restrict access. So, it’s still important to manage credentials, but you now have a way to actually block things out at a network level. And I think it’s like when people start to realize that these capabilities are possible that they definitely start thinking about things a little bit differently. VPNs just don’t allow this, like, level of granularity.

Corey: I am a firm believer in the idea that any product with any kind of longevity gets an awful lot of its use case and product-market fit not from the people building it, but from the things that those folks learn from their customers. What did you learn from customers rolling out Twingate that reshaped how you thought about the space, or surprised you as far as use cases go?

Alex: Yeah, so I think it’s a really interesting question because one of the benefits of having a small business and being early on is that you have very close relationships with all your customers and they’re really passionate about your product. And what that leads to is just a lot of, sort of like, knowledge sharing around, like, how they’re using your product, which then helps inform the types of things that we build. So, one of the things that we’ve done internally to help us learn, but then also help us respond more quickly to customers, is we have this group called Twingate Labs. And it’s really just a group of folks that are outside the engineering org that are just allowed to build whatever they want to try to prove out, like, interesting concepts. And a lot of those—I say a lot; honestly, probably all of those concepts have come from our customers, and so we’ve been able to, like, push the boundaries on that.

And so, it just gave you an example, I mean, AWS can be sometimes a challenging product to manage and interact with, and so that team has, for example, built capabilities, again, using that just the regular Twingate API to show that it’s possible to automatically configure resources in AWS based on tags. Now, that’s not something that’s in our product, but it’s us showing our customers that, you know, we can respond quickly to them and then they actually, like, try to accommodate some, like, these special use cases they have. And if that works out, then great, we’ll pull it into the product, right? So, I think that’s, like, the nice thing about serving a smaller businesses is that you get a lot of that back and forth to your customers and they help us generate ideas, too.

Corey: One thing that stands out to me from the testimonials from customers you have on your website has been a recurring theme that crops up that speaks to I guess, once I spend more than ten seconds thinking about it, one of the most obvious reasons that I would say, “Oh, Twingate? That sounds great for somebody else. We’re never rolling it out here.” And that is the ease of adoption into environments that are not greenfield because I don’t believe that something like this product will ever get deployed to something greenfield because this is exactly the kind of problem that you don’t realize exists and don’t have to solve for until it’s too late because you already have that painful problem. It’s an early optimization until suddenly, it’s something you should have done six months ago. What is the rolling it out process for a company that presumably already is built out, has hired a bunch of people, and they already have something that, quote-unquote, “Works,” for granting access to things?

Alex: Mm-hm. Yeah, so the beauty is that you can really deploy this side-by-side with an existing solution, so—whatever it happens to be; I mean, whether it’s a VPN or something else—is you can put the side-by-side and the deployment process, just to talk a little bit about the architecture; we’ve talked a lot about this client that runs on the user’s device, but on the remote network side, just to be really clear on this, there’s a component called a connector that gets deployed inside the remote network, and it does not have to be installed on every single destination host. You’re sort of thinking about it, sort of like this routing point inside that network, and that connector controls what traffic is allowed to go to internal locations based on the rules. So, from a deployment standpoint, it’s really just put a connector in place and put it in place in whatever subnet you want to provide access to.

And so you’re—unlikely, but if your entire company has one subnet, great. You’re done with one connector. But it does mean you can sort of gradually roll it out as it goes. And the connector can be deployed in a bunch of different environments, so we’re just talking with AWS. Maybe it’s inside a VPC, but we have a lot of people that actually just want to control access to specific services inside a Kubernetes cluster, and so you can deploy it as a container, right inside Kubernetes. And so, you can be, like, really specific about how you do that and then gradually roll it out to teams as they need it and without having to necessarily on that day actually shut off the old solution.

So, just to your comment, by the way, on the greenfield versus, sort of like, brownfield, I think the greenfield story, I think, is changing a little bit, I think, especially to your comment earlier around younger companies. I think younger companies are realizing that this type of capability is an option and that they want to get in earlier. But the reality is that, you know, 98% of people are really in the established network situation, and so that’s where that rollout process is really important.

Corey: As you take a look throughout what you’re seeing customers doing, what you see the industry doing as a result of that—because customers are, in fact, the industry, let’s be clear here—what do you think is, I guess, the next wave of security offerings? I guess what I’m trying to do here is read the tea leaves and predict what the buzzwords will be all over the place that next RSA. But on a slightly more serious note, what do you see this is building towards? What are the trends that you’re identifying in the space?

Alex: There’s a couple of things that we see. So one, sort of, way to look at this is that we’re sort of in this, like, Third Wave. And I think these things change more slowly than—with all due respect to marketers—than marketers would [laugh] have you believe. And so, thinking about where we are, there’s, like, Wave One is, like, good old happy days, we’re all in the office, like, your computer can’t move, like, all the data is in the office, like, everything is in one place, right?

Corey: What if someone steals your desktop? Well, they’re probably going to give themselves a hernia because that thing’s heavy. Yeah.

Alex: Exactly. And is it really worth stealing, right? But the Wave One was really, like, network security was actually just physical security, to that point; that’s all it was, just, like, physically secure the premises.

Wave Two—and arguably you could say we’re kind of still in this—is actually the transition to cloud. So, let’s convert all CapEx to OpEx, but that also introduces a different problem, which is that everything is off-network. So, you have to, like, figure out, you know, what you do about that.

But Wave Three is really I think—and again, just to be clear, I think Wave Two, there are, like, multi-decade things that happen—and I’d say we’re in the middle of, like, Wave Three. And I think that everyone is still, like, gradually adapting to this, which is what we describe it as sort of people everywhere, applications are everywhere, people are using a whole bunch of different devices, right? There is no such thing as BYOD in the early-2000s, late-90s, and people are accessing things from all kinds of different networks. And this presents a really, really challenging problem. So, I would argue, to your question, I think we’re still in the middle of that Wave Three and it’s going to take a long time to see that play through the industry. Just, things change slowly. That tribal knowledge takes time to change.

The other thing that I think we very strongly believe in is that—and again, this is, sort of like, coming from our customers, too—is that people basically with security industry have had a tough time trying things out and adopting them because a lot of vendors have put a lot of blockers in place of doing that. There’s no public documentation; you can’t just go use the product. You got to talk to a salesperson who then filters you through—

Corey: We have our fifth call with the sales team. We’re hoping this is the one where they’ll tell us how much it costs.

Alex: Exactly. Or like, you know, now you get to the sales engineer, so you gradually adopt this knowledge. But ultimately, people just want to try the darn thing [laugh], right? So, I think we’re big believers that I think hopefully, what we’ll see in the security industry is that—we’re trying to set an example here—is really that there’s an old way of doing things, but a new way of doing things is make the product available for people to use, document the heck out of it, explain all the different use cases that exist for how to be successful your product, and then have these users actually then reach out to you when they want to have more in-depth conversation about things. So, those are the two big things, I’d say. I don’t know if those are translated buzzwords at RSA, but those are two big trends we see.

Corey: I look forward to having you back in a year or two and seeing how close we get to the reality. “Well, I guess we didn’t see that acronym coming, but don’t worry. They’ve been doing it for the last 15 years under different names, so it works out.” I really want to thank you for being as generous with your time as you have been. If people want to learn more, where should they go?

Alex: Well, as we’re just talking about, you try the product at twingate.com. So, that should be your first stop.

Corey: And we will of course put links to that in the show notes. Thank you so much for being as forthcoming as you have been about all this stuff. I really appreciate your time.

Alex: Yeah, thank you, Corey. I really appreciate it. Thanks.

Corey: Alex Marshall, Chief Product Officer at Twingate. I’m Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you’ve enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you’ve hated this podcast, please leave a five-star review on your podcast platform of choice, along with a long angry ranty comment about what you hated about the episode, which will inevitably get lost when it fails to submit because your crappy VPN concentrator just dropped it on the floor.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.