Video size:

0:09 Miko Pawlikowski

Hello, and welcome to Conf42Cast, episode 4, the Great Dane Constellation. My name is Miko Pawlikowski and today my guest is Josh Stella, the founder and CEO at Fugue, the company transforming cloud security to help teams move faster and stay secure. Josh, this is a blast to have you here today. How are you?

0:29 Josh Stella

Oh, I'm doing great. And I think this will be fun. It's great to be here.

0:32 Miko Pawlikowski

So we have this little tradition, we typically start our guests off with asking, you know, if you could have any animal at all, what would you pick as your pet?

0:41 Josh Stella

Hey Sherlock, come here.

0:43 Miko Pawlikowski

That is a big dog.

0:46 Josh Stella

Yeah, he's about 200 pounds. He's our mascot, our company mascot. Czechoslovakian bloodline, and they breed them much thicker than the Americans and they're much healthier. Okay, now, that is enough. We adopted him and he came with the name Sherlock. But it's a perfect name for a security company mascot.

1:05 Miko Pawlikowski

And that looks like enough dog for the entire company too. It's massive.

1:10 Josh Stella

Kind of shocking in person. He's exceptionally large but such a nice guy.

1:15 Miko Pawlikowski

The gentle giant. That's awesome. Can you tell me a little bit more, maybe, about the background. I'm assuming this is not just a decoration. The synthesizer back there.

1:25 Josh Stella

This is my home office. On this side of the room, it's all business. And on that side of the room, it's a mix. Because I love to record music. I used to play in bands. I've got a synth, I've got bass guitars, guitars. I've been playing music most of my life. I'm kind of a hack. But my son is an actual record producer and mastering engineer. So he helps me out some. But yeah, this is my home office got to have both, because there's no more room in the house. So this is my recording studio office. Most of us who started the company, in our early days, you know, my co-founder, Drew Wright, is also a musician. He's a better musician than me. So Fugue is, of course, a musical term that we use to name the company. It's a way that you can have simple phrases that if you combine them and mutate them every time, you can get these extraordinarily complex compositions of very simple phrases. And we'd liked that idea of handling complexity by breaking things down into smaller problems. Very much what our software does for security.

2:21 Miko Pawlikowski

That is an awesome explanation. Basically, code reusability in music, I guess. Is that the right way of putting that?

2:28 Josh Stella

I think that's, that's really fair. I mean, Bach is the kind of widely recognized, you know, most famous master of the fugue. He just spent a lot of time perfecting that. But my favorite fugue is "Grosse Fuga" from Beethoven. And it is a lot like code reuse, because what you're doing in music, of course, is you're putting some logical components together. You know, every time you combine those things, you don't want to start fresh. Unless you're playing, like, free jazz.

2:54 Miko Pawlikowski

Yeah, sure. What's your most and least favorite thing about being a founder of a startup? And I keep saying startup, but it's been like, what, seven years now?

3:03 Josh Stella

About six months ago, took over as CTO. I don't know that in the long run, that is a sensible thing to put on one person, at least my wife doesn't think so. Because I work too much. But right now, that's what I'm doing. And you know, the technology is so dear to my heart, I just can't see bringing in a CTO or handing over the reins of that. So, yeah, we've been around seven years, we've really been through two big iterations. The first was really focused on national security stuff. So a lot of my background, when I was at AWS I was a Principal Solutions Architect focused on, like, Department of Defense and National Security. I've worked in that world a lot. In my past, really, at the beginning of 2019, we completely pivoted to a pure commercial SAS company. And so there are really two big phases of Fugue's history. As far as my least favorite part, it is honestly, when we've made a hiring mistake, and I have to let someone go. I really hate that. And so we try very, very hard to not make hiring mistakes. Yeah, that's easily my least favorite part. Most of the rest of its great.

4:10 Miko Pawlikowski

Everytime I appreciate it, you know, when people own up to they're hiring mistakes. Because it's easy to blame the person for, you know, "Oh, you're being a bad fit. You did a bad job". But it takes much more to actually, you know, appreciate that it goes both ways. So, you know, you've just scored extra points in my book.

4:26 Josh Stella

Doing the startup is so hard that if you're not really, really honest, I don't like the term brutally honest because a lot of times people when they say brutal honesty, what they really mean is they intend to be cruel. But real honesty. You know, It's not a big company where you can have processes or problems just kind of sit there, not working. Everyone has to be fully engaged, pulling in same directions.

4:51 Miko Pawlikowski

I'm pretty sure people appreciate on this feedback like that. So let's talk a little bit more about Fugue. So, you mentioned the National Security background and that sounds pretty serious. I'm wondering what's the actual, like, unique proposition? Because cloud is a very crowded place right now. And there's like a new startup coming up every other day. So what makes you different from the crowd?

5:14 Josh Stella

I'm going to start with some non-technical differences. From some cultural differences in what our customers tell us. Our customers really love us. And they tell us so by expanding. We have NPS scores, Net Promoter scores that are off the charts. It's a customer obsession. I really fully drank from that firehose at Amazon. But it's very much part of the Fugue culture, and the customers feel it. So one big difference we hear, there are a bunch of kind of newer imitators of stuff we've been doing for years that have come out. And maybe some are a little different, but not so much. They are usually doing a little, small piece of what we've been doing for some time. The big guys out there, obviously Palo Alto, in our space with Palo Alto Networks. And what we hear from our customers is, not only is our product much more thorough at finding actual and helping them solve security issues than theirs, but they love working with us. They love the team, how we approach them. We treat our customers like partners. On the technical side, nobody has taken the approach we've taken from the beginning in cloud security. So, what other guys are doing is they're just looking at a small number of data around a cloud environment or a cloud deployment, and looking for kind of known bad things. And that's fine, but it doesn't get you nearly far enough in cloud security. You have to know the entire state of the system. So what Fugue does, we capture every single field of every API that is accessible in that customers cloud and build a complete model of their entire working cloud infrastructure. And then we can do things like visualize. We have, like, Google Maps for your cloud infrastructure as part of our product. And I don't want to go on and on about differentiations and such, and make this salesy. But it's just that our philosophy is very different. We're also a developer first. My background is not a Cisco. My background is developing software. It's security tools for engineers who are building stuff. So yeah, I mean, I started the company, because when I was at AWS, I saw what was coming. Cloud deployments, where folks hadn't considered all the ramifications of their decisions. Their learning was evolving. And I was watching the hackers do things that most security professionals just never think about anyone doing. You know, most of these hacks are not over the TCP IP networks space, they're different. They're of the cloud API layers. If I have s3 list and get permissions, I can suck all the data into s3, and not a single packet is going to traverse the customer visible network. And so obviously, that's a recipe for disaster. And we've seen this disaster. So that's why I started Fugue. Because cloud is potentially the most secure computing environment humans have ever made. But you have to know what you're doing. And you have to understand what the hackers are doing. And so that's, that's why I started Fugue.

8:02 Miko Pawlikowski

Right, so saying that it's not just like a "Hooray! Let's do cloud". And then you go, you quickly read up on the AWS, API's, and you're golden. There's like some more work to do?

8:13 Josh Stella

You know, I've been doing this pretty much for over a decade now. Just this, just focused on security cloud patterns. You know, I'll get asked to talk on a subject at an event or something. And if it's not one that I really know, I'll be like, "Hey, I'm not an expert in that". The topic is so vast, that you really have to have a culture of learning about all these topics. And what we've done in Fugue, of course, is we put all of our knowledge about this into code and can help there, but it's a lifetime journey. And that's what's awesome about computing, right? You wake up in the morning, and unless you're learning something, you're irrelevant. Some people might not like that. I love that. Because I'm an old guy, and it keeps me young.

8:51 Miko Pawlikowski

On a more serious note now. It's certainly, you know, when you were describing this kind of model that takes into account the entire state, rather than just taking like CIS off the shelf, benchmark and running that. I'm guessing that makes a real difference. But then I guess, now you have all of that state. We have to really trust you that you're doing the right thing to move your own security.

9:15 Josh Stella

Early investors in Fugue were In-Q-Tel, which are the investment arm of the American intelligence communities. Yeah, so they invested in us, they trusted us. When we bring on somebody who's really, really concerned about that, the first thing is we very much limit what data we retain. In the sense that we don't have access to anyone's discs. We don't have access to anyone's network traffic, or customers network traffic. We don't have access to their databases. None of that. We don't want it. We are collecting the metadata about the configuration of the system. Our own security practices are well, let's just say from with my background, I'm extremely paranoid in how we architect systems. And so far, we've never gotten a no for procurement because we were not secure enough with customer data. I think we do a really good job. But your mileage may vary.

10:04 Miko Pawlikowski

Yeah, I'm beginning to build my own mental model of what your house must be like. No Internet of Things,

10:10 Josh Stella

No Internet of Things. Absolutely. No smart speakers. That's madness. In my view.

10:15 Miko Pawlikowski

Yeah. I'll just go and trash my Alexa.

10:19 Josh Stella

Hey, look, it's better to not know. It's better to live in blissful ignorance. Unfortunately, I don't have that luxury.

10:25 Miko Pawlikowski

One more question. It kind of sounds like it requires a certain level of maturity, on your own part, to appreciate the fact that you need to invest into security. Do you find that, you know, you mentioned all this, like very serious institutions. Do you find that this is slowly spreading as a more commonplace practice for other startups and in general, like smaller companies to pay attention to that? Or is there still a lot of "Hooray!" regarding Amazon, and you know, we'll be fine?

10:54 Josh Stella

It's evolved a lot over the last few years. So one of our best markets are small to mid size, fast growing tech companies. Our technology fits well into modern CICD pipelines. We talk the same language, it's designed for fast moving. I mean, you can pull your entire cloud configuration into Fugue in 10 minutes, and understand where you're vulnerable. So that fast moving startups really love us. So I've been in this business too long. I started out as a programmer in like 1991, professionally. So I've been around for a while. I have never seen the industry be as security-conscious at the developer and engineer level, as I'm seeing it now. Yeah, I think that's very encouraging. The flip side is that because everything is moving into the cloud, the blast radius of making an error is much greater, right? If somebody can steal the data off my laptop, who cares? But if somebody can do an IM role assumption, and suck all the data out of 700 s3 buckets in an hour, that's bad. And it's just a single configuration. We kind of have two groups of companies that love us. One are large enterprises. And maybe they love us because of compliance issues, like, they have to go through a SOC 2 audit. And then fast growing tech companies.

12:13 Miko Pawlikowski

That's good for you. So you get interest from both sides of the spectrum. Let's talk a little bit more about clouds in general. You know, like you mentioned, you've been on the block for a while and you've kind of seen all of this evolve. I think on the website you work with, basically the big three. Do you start working with like the smaller providers, I don't know, don't want any name drop, but do also expand on to, like, OpenStack internal deployments? Or is it... do you find that, basically, trying to streamline and cope with the big boys?

12:45 Josh Stella

We're very customer-driven on those things. There are parts of doing a startup and really inventing something that are pure invention. I mean, we have fundamental patent on using policy as code in cloud environments, because we started doing that a long time ago. So there are some things that are pure invention. But when you're talking about features, and you're talking about things like service coverage, and which clouds to cover, we don't have an opinion. We listened to the market, we listened to the customer, and we do what they want. That's how you make things that people want to use. Right now we're AWS, Azure and Google. We just launched Google few weeks ago, and I was thrilled. One of our large customers brought in almost 1000 Google projects in an afternoon the first day. So gave us a little stress test, which was fine. As far as OpenStack, I started writing code for few, almost 10 years ago, now. I had an OpenStack cluster in my basement, in a rack. And I started working on it there. I don't see a lot of OpenStack out there anymore. My perception of what people are doing in the data center is less trying to emulate AWS anymore. And OpenStack was very much an emulation in some ways of the AWS basic service breakdowns. You had object storage and virtual machines, and so on. I think Kubernetes has kind of taken the place in a way of OpenStack, where everyone's saying, "Well, it's just all going to be containers". We do support Kubernetes. And we'll be adding additional and more support for different things in Kubernetes, because it's popular. As far as, like, smaller cloud providers. I mean, the big three are the big three. But you know, Ali Baba cloud is huge, too. We're looking at that. We'll see. But it's very much customer-driven for us.

14:29 Miko Pawlikowski

Yeah, that makes sense. It kind of, you know, loops back into the customer-obsessed approach. That sounds very Amazony too. So you mentioned the "K" word - Kubernetes. Do you love it? Do you hate it? Do you not care?

14:44 Josh Stella

I think most people shouldn't be doing it themselves. I think it's a bunch of undifferentiated heavy lifting is what we used to call those kind of things at Amazon, you know. If you're a car company, you're not going to sell more cars because you did Kubernetes really well. You're not. So why take on the complexity? It is very complex. It has all kinds of inobvious complexities too. Like, it's one thing to get it running and working. It's another thing to have it working in a way that's secure and efficient, and so on. There's just, you know, it's a lot to take on. Personally, we don't use any virtual machines. Well, except for like databases, which are RDS on AWS. Fugue is a pure SAS, we're hosted in AWS, it's almost all lambda. And the reason is, why should I bother with harboring myself?

15:33 Miko Pawlikowski

And do you find that they overhead the extra cost they charge you in AWS for running that for you? It's worth it?

15:42 Josh Stella

So when Fugue launched, you know, seven years ago, the company got going seven years ago, we were building on virtual machines. Because that's all there was. Our costs went down like 80%, by switching to lambda.

15:55 Miko Pawlikowski

So you had some inefficiencies probably and this way you don't pay for them? Or did you change the model?

16:01 Josh Stella

The nature of our product, I mentioned a moment ago when we launched Google support, we had a big customer, bring in almost 1000 Google projects, which are like an AWS account in an afternoon. So when that happens, what Fugue is doing is we're spawning a whole lot of instances of lambdas. Because we're going to interrogate every single object in their cloud environments that they've brought in. And we're gonna compare every single one of those to like, hundreds of security checks. And so you think about that model of computing, it's super bursty. And then we just shut all the lambdas down, so you know, or they shut down. And so it's it's incredibly cost-effective for us.

16:38 Miko Pawlikowski

You basically have like the perfect usecase for lambda, which is really awesome.

16:41 Josh Stella

Yeah, yeah, that's true. We're getting like a billion policy evaluations a day or so. We use open policy agent, which is CNCF stuff. We actually started using that real early in its lifecycle before, like the Pinterest of the world, and so on, started doing that, and it's still cool. It's awesome. It's a query language based on data log. It's like a real language. One of the things that drives me nuts about computing now is you have all these, kind of, pseudo-languages that are hacks, rather than real, thoughtful design of language. And OPA has real thoughtful design of language and I love that. We actually completely re-implemented the OPA runtime, using Pascal as the language to re-implement it. And we did that because we needed it to go 100 times faster than it went in the OPA ships. It's an open source project called Frego, which is the Fugue rego toolkit. It also has things like the ability to set breakpoints and do more friendly debugging. But the main reason we wrote that thing is, it's 100 times faster for large datasets. So, you know, using lazy evaluation and techniques like that. So we're obsessive about driving efficiencies and leveraging software, lead design software, to both please our customers and also to keep our costs down. And for the system to never really fall over. It's been really interesting for me having, you know, I was the CTO of, in like 1998. And we were running everything on one big or two big son servers, hot one and a spare one. That's what we needed to do. And I had fun with it. I mean, I enjoy tinkering with that. But back in the day, if you had a serious outage, you would have an engineering team, you know, typically like working through the night to get things back on track. Fugue, the only time we've ever had outages is due to AWS or other vendors having issues and the system just reconstitutes itself with almost no touch. And, so that's another beautiful benefit of doing things in a serverless way.

18:39 Miko Pawlikowski

How does one start with you? Is there like a free tier? You said developer friendly, so I'm assuming there's gonna be some kind of sandbox that you can access.

18:48 Josh Stella

There is a free tier. It's free forever. It is a true free tier. It's not like a, you know, an expiring credit kind of thing. And it has the new features in scale. I think it's up to maybe 1500 cloud resources it's free. You go to our website, you do have to register to use the product. But once you do that, all you do if you're on AWS, you pass in an IAM role Arn. You can create the IAM role yourself. We have a tool that will just help you do that, to have it be a least privileged IAM role. And then Fugue will go in 10 minutes, look at your cloud environment, come back to you with really nice visualization, like a Google map of your cloud environment. All drawn out with all the places that we found issues. And you're welcome to use developer forever. I mean, a big chunk of the usage of our product is in that Developer Zone. But then when you go up into, like, enterprise features, like, Single Sign On and more compliance regimes and more rules and larger scale, we have millions of resources that we're managing now for our customers. So a resource being something like, an easy to instance or network, whatever. You know, then we ask you to pay. But developers free forever. Go for it.

19:59 Miko Pawlikowski

Just to kind of wrap up. We typically want to, you know, squeeze a few golden nuggets of wisdom out of our guests. If someone asked you, for like, one single item that made, like, the biggest difference for your tech career. Whether it's a book you read, or you know, a course you took, or programming language that you liked, what would it be? And, you know, would you recommend other people doing that now?

20:28 Josh Stella

If I had to pick one thing, it wouldn't be a book or language. It would be an attitude: never give up. This should be absolute in your mind. Because this is a very challenging thing to do. And people will doubt you. But you have to have that perseverance and tenacity. And I know that's not a techie thing to say, not a techie answer. But, you know, JK Rowling got turned down 50 times for publishing Harry Potter before it was published. So just don't give up. And most people around you will, eventually. So you just outlast them. As far as, like a techie thing that if I had to pick one thing out, it would probably be learning LISP, even though you're probably never going to use LISP. If you're already a programmer, you probably grew up on some kind of C-derived language. And that's one view of the world. LISP is profoundly different way to think about software. Do something kind of the opposite of your comfort zone, and then just keep doing that.

21:32 Miko Pawlikowski

I'm pretty sure folks will be excited to try out Fugue and hopefully have you another time.

21:38 Josh Stella

It was really fun talking to you. Thank you.

Awesome tech events for

Priority access to all content

Video hallway track

Community chat

Exclusive promotions and giveaways