Grey Beards on Systems - 84: GreyBeards talk ultra-secure NAS with Eric Bednash, CEO & Co-founder, RackTop Systems
Episode Date: July 9, 2019We were at a recent vendor conference where Steve Foskett (@SFoskett) introduced us to Eric Bednash (@ericbednash), CEO & Co-Founder, RackTop Systems. They have taken ZFS and made it run as a ultra-se...cure NAS system. Matt Leib, my co-host for this episode, has on-the-job experience with ZFS and was a great co-host for this episode. … Continue reading "84: GreyBeards talk ultra-secure NAS with Eric Bednash, CEO & Co-founder, RackTop Systems"
Transcript
Discussion (0)
Hey everybody, Ray Lucchese here with Matt Lieb.
Welcome to the next episode of Graybeards on Storage podcast, a show where we get Graybeards
storage bloggers to talk with system vendors, discuss upcoming products, technologies, and
trends affecting the data center today. This Great Bids on Storage episode was recorded on
June 26, 2019. We have with us here today, Eric Bednash, CEO of Racktop Systems. So Eric,
why don't you tell us a little bit about yourself and your company?
Thanks, Ray. And thanks, Matt. It's a pleasure to be here. So a little bit about myself.
I'm a lifelong entrepreneur.
I spent at this point a little over 15 years in the national intelligence space and, you
know, founded Racktop, co-founded Racktop in 2010, and really to be focused on simplifying
data management and data security.
And today we have sort of evolved this market, which we call cyber converged data security.
And we've built a data storage product that sort of fits right between what you would consider as a traditional enterprise data storage
and security and compliance, things that you would typically see in the cyber world.
And we've kind of fused these two things together. And that's what our product does here at Racktop.
So, I mean, lots of, I'll call it standardized enterprise NAS systems have some aspects of security in them.
Where does Racktop, you know, take off from what's currently available?
Or what's the differentiator, I should say?
Yeah, so, you know, traditionally, the, so enterprise storage systems or NAS systems in particular, which is what our product is based on, rely on really superficial
access controls, right?
And that's kind of the beginning and end for external security when it comes to protecting
the data.
But in sort of the modern enterprise, there's all kinds of sophisticated attacks and a lot of compliance requirements that
enterprises are facing today. And so there's a level of security that goes well beyond just
preventing access to data or to a data share. And so what we do is we take a lot of the capabilities
that the cyber vendors are creating out on the network, things that you would typically see in an endpoint device or at the edge or in a firewall or in a network sim.
And we're taking those capabilities and we're merging them into the data system.
So in addition to providing your traditional access controls, what we're also doing is providing things like tracking
user behavior. So capturing what users are doing on the system, how they're doing it,
and running analysis off of that so that we can determine if something is out of the ordinary.
Right. We are keeping continuous audits of user access data. We're looking at compliance.
So when you say tracking user behavior, so I'm a user using a file system or something like that,
you're going to be tracking every file and directory I look at or write over a period of
time, that sort of thing? Exactly. So we're looking at how you're using and interacting with the data on an ongoing basis. And we collect this data and we provide visualizations for that
within our user interface and through our API. Or we can also forward this data
via RFC 5424 message format into a SIM, something like Splunk, that customers can use to analyze that
data. Their security operation centers can analyze that data. And it gives you a much
deeper picture into actually what's occurring. And it's everything from the machine they come
from, the protocol they're using, how they're using the file, what they're doing to it,
and what IO size is. It's very detailed. So, you know, occasionally I'm using financial services on the net and stuff like that. They'll
send me an email that says, you know, you used a different computer this time to log in, stuff like
that. Does it provide that sort of feedback to the user or just to, I don't know, security group
or something like that? Yeah. So today it's to the security group. So that's what we would
call an anomaly, right? So anomalous behavior, we'd be able to detect that. And within our
visualization interface, you can see that today. You can see user Eric Bednash access this file
from five different computers. And that may not be normal because two of those weren't even his,
right? So we can provide this information in a very visual way right now.
Or again, like I said,
you can forward that information to other systems
if you have bigger analysis systems
that your security team is using.
And does it do a sort of a proactive protection
against potentially an external user
that it doesn't recognize outside of, and I imagine it's what,
standard LDAP authentication? Yeah. So it's using the directory services. And today,
what we're doing is collecting, forwarding, and visualizing this information. So today,
it's very much an interactive. The data is meant to be used
interactively by security operations center. Where we're headed on the roadmap is to
automatically make decisions based off of certain user behaviors. So since once the system learns
what's normal and what's not, then we can start to take action on our own, or we can respond to
commands that may
come in from another automated system. So sort of the next evolution of this capability would be
to add more autonomous behavior in so that you wouldn't even have a human involved in catching
a lot of these anomalies as they occur. And yet the alerting would still take place.
Alerting always would take place. Yeah. You always, there's always multiple things. I think, you know, sort of coming out of the security
world in the, in the sort of intelligence space you know, there's always, you don't ever do one
thing, right. There's always multiple things you want to do to not only protect the system,
but also to deal with a certain event, right. There's a couple of people that need to be aware. And, you know, sometimes the security operations center kind of, they end up ignoring
certain threats and issues because they kind of glaze over things because they're used to looking
at whether it be a dashboard or certain indicators, they're used to seeing those. And actually the
false positives create, you know, have a really bad habit of allowing people to miss good information.
So by alerting multiple people in multiple different ways allows you to converge much faster when there is an issue.
And so, yeah, alerting is always part of that response, even if there is automation.
But you guys go beyond just access profiling and things of that nature.
You offer like encryption and that sort of stuff.
Yeah, absolutely. And so, you know, what kind of think about if you look at a data storage system
from kind of the ground up, you know, you at your base layer, you have a hard drive,
and then you have a file system, and then you have protocols, right? And there's a bunch of
things that happen in between, but in general, and then outside of that, you have users accessing data.
That's from the utility storage perspective. If you start to wedge in the security components, I view encryption sort of that base layer,
right?
So in order to have a secure network attached storage device, you have to start with that
base security layer, which is encryption to us.
And so we do encryption at two different layers.
And so we're doing it within the drives themselves.
And then we're also doing it within the file system.
And then we use a key manager to manage different sets of keys between the two
so that you can meet pretty much any security policy you have in place.
And then there's this government standard called CSFC, which is Commercial Solutions
for Classified.
And that actually dictates that in order to use a commercial product to store classified
data, you actually have to have two layers of encryption and managed differently by two
different keys.
And we have that capability built in. And
it's sort of that foundational layer. And then we add up the stack. I already talked about user
behavior, but there's auditing and reporting that goes on. All right, wait. So let me try to
understand the two-layer encryption. So let's say you use a self-encrypting drive, but the data that
you're sent to the self-encrypting drive, but the data that you're sent to the self-encrypting drive is
already encrypted? Is that what that means? That's correct. So yeah, think about it like,
right, the self-encrypting drive is just encrypting the bits as it sees them. It doesn't
know that they're already encrypted. And then the layer above would be the data itself within the
file system is encrypted, and that's managed by a different set of keys.
So in essence, you have double encrypted data, which means you would have to try and decrypt both to actually make sense of it.
As it's ingested into the file system, but is it in flight as well?
Anything in flight would also be encrypted, but encrypted by transport encryption, right? So
whether that be on the protocol or whether that be, well, I'd pretty much be on the protocol,
but whatever that protocol may be, using a secure transport would deal with it at that point.
I was going to ask who the target customers are. I noticed on your webpage,
you've got a bunch of different solution solution sort of target customers, including energy and
finance and certainly Fed space, but healthcare, et cetera. I'm wondering if just anybody that's concerned today about issues like GDPR and other sovereignty rules, HIPAA, etc.,
are really going to be your target customers.
So I think that's a really good point because, I mean, GDPR, even if you don't,
GDPR doesn't apply to you.
It's a blueprint for what's to come, right?
We see California already enacting laws around data privacy.
And so I feel like every entity, every enterprise is eventually going to be held to some sort
of data regulation, right?
And so, and GDPR was just the first example of a regulation that, you know, had a lot
of teeth to it.
And so if you look at it from that perspective,
a lot of businesses that were not traditionally regulated have to figure out how to deal with
regulation. And not all of them could go hire chief compliance officers and add a lot of structure
because it doesn't really align with their business. I mean, finance could do that.
Healthcare could do that because they've been doing it. But so more and more enterprises are going to need this capability built in and they're
going to need it to be very simple.
And so in terms of target markets for us, if you add compliance and sort of the security
together, it really could be anybody, but we're focused specific.
Half of our business is in the federal space because it's sort of where we came out of and we understand that really well and they understand the importance of what we're offering.
But a lot of the larger enterprises that do have regulatory issues to deal with, some like NIST 800-171 is another one. And then media and entertainment, healthcare, life sciences, enterprises that have lots
of unstructured data, that have security and compliance concerns, or in general, just care,
you know, want to increase their security posture overall.
And those are really the ideal.
So that market's getting bigger and bigger every day,
because I was joking with someone just a couple of days ago. I said, when was the last time you
asked somebody, asked the CIO, whether or not security was important, right? So it is,
and it's becoming something that is really becoming important. Oh, yeah.
And you're far better being proactive in your approach on that, knowing that
it's certainly coming down the pipe, even if it's not necessarily mission critical for your business
today. Yeah, absolutely. Yeah. I look at the market, I kind of look at the market and I say
that when the market is full steam ahead on security, it'll start to demand these types
of solutions. I think we're at the beginning of that
starting to happen where some of the, some larger organizations who are being hit by this are
pulling a lot more, uh, than the smaller ones, but it's the momentum is building and I've seen it
over the last two years. Um, I don't know, I don't know if you guys are kind of seeing the same thing,
but, uh, in my customer base, I'm actually seeing, I have an ongoing conversation right now where a customer of mine has a presence in Europe and a presence in the States, but they also have remote users coming in from China. set of issues that we have to deal with, with them, just in terms of making sure that there's
a level of security and, as you say, tracking in place to ensure that the right people are
getting at the right data. And how do we go about that? And I think it's really relevant to me right
now. Yeah, I got a couple questions. I'm not sure where to go, but maybe the first one would be, can you kind of provide a high level discussion or description of GDPR? I mean, I always thought it was just a data movement constraint, but it's more than that, right? So if you sort of boil it, and it's complex, more complex than I could
understand it or even describe it in a succinct way. But I kind of look at it as, if you take a
pull all the way back, it's about data privacy, right? And I think the importance is we want to ensure that the people, the enterprises that hold our data are protecting
it and that we also have the right to request that data to be expunged.
And that part's a little bit harder.
But as the data owners or originators, we have that right.
And I think that's kind of what GDPR says overall.
So all of the details of the regulation kind of boil up, you know, down to that to me.
And so if you take that blueprint and say, you know, OK, that was for EU citizens and
then anybody doing business, you know, with those individuals would also need to adhere
to these policies.
It becomes difficult because that is not the way we've designed architectures and infrastructures
for so, you know, for the last three decades, it's just not the way we've done it.
You know, and actually, you know, not to sidetrack GDPR, but I, zero trust is another big
issue that sort of is, is another one of these things that does not adhere to the last
few decades of how we've done things. And so, you know, it really is, it boils down to that privacy
and data privacy, and then how do we protect that? And so if you kind of take the approach of saying
that, listen, all data is important, whether that data is generated by us and it's ip of the company um or it's our customers
ip or if it's our customers uh data um you know we need to protect it and we need to think about
it in a different context uh uh you know a different context than the way we've traditionally
thought about it right we can't think about data systems as just being repositories anymore for
data we have to think about them as holding critical information that we need to protect all the way down to the data level. And so to me, that's kind of the
GDPR. And the meaning of protection there is not just encryption, but access controls and
user profiling and audit logging. And I mean, all these things that you're bringing to bear
are part of that underlying term of protection. Is that how you see it?
Yeah. Yeah, exactly. Right. And so protection is another one of those words that can mean a
bunch of different things depending on how you're talking about it. But if you look at security as
an ecosystem, and that's really the way you need to look at it, because that's how you have to successfully implement it.
You can't stop at one level within your infrastructure and expect you to have end- those things because security is kind of the act of protecting
and compliance is the proof that you're continuing to protect, right?
So GDPR is a regulation and we call it compliance.
You have to comply with the regulation.
And so we'll put in measures, security measures to do that, but then you have to continue
to prove it.
So if you add things like audit and tracking
user behavior and then encryption, and you put all these things together, you get that combination
that you need to actually solve the problem. You mentioned zero trust. The only thing I
know about zero trust is that Zcash. Is there something else there?
There's zero trust. So zero trust is a framework that was established by Forrester.
Um, and it's really sort of changes the model for how you, um, architecture enterprise,
uh, going from this sort of trust, but verify type model to a like never trust, always verify
model.
And so if you think about, uh, you think about the internet's an open architecture,
we've designed the core of our networks,
the core of our infrastructures as open architectures
because we trust that once somebody is inside the firewall,
they should be there.
But that's the problem because we have all kinds of people
and things inside our network now that shouldn't be there,
including advanced
persistent threats and potential nation states.
And there's all of these things.
So this whole concept of a trusted core is gone.
And that's what Zero Trust really kind of lays out.
It's a framework.
Now, the problem with Zero Trust, and I have a couple of pet peeves with it in particular,
is that if you Google Zero Trust, you'll see the
whole first page of Google are network security vendors trying to sell you network products to
give you Zero Trust. And it's not, you can't buy Zero Trust. It's not a thing you buy, right?
Zero Trust is a context. It's a way of thinking. It's a way to architect. And it's really a way
to architect to get an end-to-end secure infrastructure system so that it is possible to
comply with GDPR or NIST 800-171 or to protect data because it's hard protection at the exterior,
it's protection at the interior. And ultimately what we're doing is we put those two things
together to protect your data. And that's precisely what like what Racktop is fulfilling in that in that chart
would be the strong interior, right? For forever, we had a soft interior. And people say, well,
data, data security and data storage, it's in my data center doesn't matter. Well, we're kind of
saying, well, it does matter, because, you know, those days are over. And so you need to have a
nice, tough interior as well, where the data is living, just as you have a nice, tough exterior, and you put those together, and you think it goes over the head of a lot of people.
I think one of the things that I'd like to know is, first of all, what do you mean by cyber converged?
Which I think is the first time I've actually ever heard that used.
We all know what converged infrastructure is. I imagine that there's a server engine that runs all of the security layer and the access layer software that manages the file system underneath. Is that what coined the term cyber converged and we sort of took, we looked at
kind of, you know, converged markets have always created great leaps and sort of progress
and innovation and produce great results for consumers.
So just, I mean, I always use the iPhone as a great example of that.
It's a converged product that converged multiple technologies together into something that, you know, created
exponential value. Right. And so what cyber converged where the sort of the genesis of that
word was taking like, well, we look at all of the things that are happening in the cyberspace,
which are basically centered around
the network to help protect our systems and protect our data. And so we kind of viewed the
way what we were doing, which was essentially merging that with data storage. That's kind of
where we came up with the term, well, it's a cyber converged data system. It's a cyber converged data security is kind of how we kind of, you know, look at the whole market. And eventually,
I'm sure there'll be other competitors in the space. And, and, but, but that's really where
it came from is, is it's really, it's the convergence of two very core technologies
to the enterprise. And really with the with the the emphasis on cyber because we look at the next sort of generation
or the modern enterprise as really being a security-focused one versus security as an afterthought.
Let me ask a couple of questions about the basic data services.
So it's an open ZFS variant.
Is that how I understand it?
It is, yes.
So we started with ZFS as the base file system.
And it's a very mature file system that's been out there.
There's a number of other vendors who have used that as a starting point.
And that's kind of the way we did, we approached the problem with Spall.
We didn't want to go out there
and invent a new file system
because in this sort of modern age,
we didn't think that's very practical
or very practical business model to do that.
And so we started with something
that was known to be very good,
very reliable,
and we built up from there. So at the utility
storage layer, we fixed some of the rough edges. We implemented data management layers on top to
make it easy. There's a bunch of pitfalls with ZFS. We sort of addressed some of those by
sort of taking away some of the knobs and tunables that could really get people in trouble. And so we really focused on making it easy, reliable, and consistent, right? And then we
built up from there. Then we sort of started building our data management layer out. We built
our app layer out, and then we're leveraging the power. I mean, it runs on a commodity
Intel server. And so we're leveraging the power of modern processors with multiple cores and a large memory footprint to be able to do everything we do in real time in the same system that's providing data services because of that headroom that we have in the systems today.
And do you support compression in the solution?
I mean, there's the other side of the deduplication and how does that work
with encryption
and all that stuff.
But I'll just limit myself
to compression at this point.
Yeah.
So,
and this is another
sort of benefit
of ZFS
is that all the capabilities,
we didn't lose
any capabilities of ZFS.
So some of the native
capabilities that
you have are compression,
deduplication,
and, you know, being able
to do snapshots and data protection. So all, all of these sorts of things are, are, we don't lose
any of those capabilities, right. And so that we kind of enhance them, uh, for our purpose. Um,
so anything you would expect, uh, this, so this is the best way to describe it. If, if, if our goal
is to secure data within the enterprise and be able to replace
your NAS device that you're on now, and in order to do that, we have to be able to provide those
base storage capabilities, right? We don't want to go in and say, hey, you have to change your
workflow. I think this is one of the problems with S3 adoption within the local enterprises,
right? It's like, hey, this is
great, but you have to change the way you do everything because it's not a common protocol
that, you know, it's not POSIX compliant. It doesn't fit into your organization, right? And
I think that hurt adoption of some of these S3 products. And so we're saying, look, you don't
have to do any of that. We want you to have a more secure enterprise. We want you to have more secure data, but we also realize that you can't really have these great disruptions to how you
do business today. It has to talk SMB. It has to talk NFS. You know, you have to be able to support
all of the data storage things that an enterprise needs. And we do that. That's very interesting.
You know, I'm having worked in this space in the past. the past, I'm a huge ZFS fan, so a fan from back in the Sun Microsystem days. and write cache, but it seems to me that you've got,
and I may be wrong here,
but various other OpenZFS protocols have taken advantage
of metadata caching as well as almost an additional layer.
Is that something that you guys are doing as well?
Yes, so we've made a couple enhancements that facilitate the tasks that we're doing with data, you know, overall. So like with external auditor compliance piece of software causes, like if it's connected to one of our competitor systems,
it would have to scan files externally that would pollute the cache. And that would actually,
you know, create false user signatures. Um, you know, and so we don't, we don't have to do that,
right. Cause we're doing it all internally. Uh, and so we've made, we've made enhancements,
uh, to how the system works to be able to facilitate
our activity in there so that we don't kind of get in the way of what's happening. And then we
also provide all that same benefits, you know, all the same benefits of the built-in cache.
And we made some enhancements to how the cache is managed and architected so that we can fix some
of the rough edges there with, you know, that we're in some of the open source versions of that. And so, but again, we look at, we have to provide
high performance storage capabilities in order to be in the conversation. And then our differentiator
is the entire security and compliance stack that sits on top. And we need to merge those together
seamlessly. And that's really what our vision and our goal is as we continue to build and evolve the product.
So I guess I'm not as familiar with ZFS.
Does it support like high available dual controller cutovers and things of that nature?
It doesn't.
It doesn't natively.
This is work that we've done.
We've done internally to make it highly available, make our services highly available.
Oh, so you have added that functionality.
We did, yeah.
And you mentioned that you're using servers. Do you support both hardware appliance as well as
software only?
So our current model is very much tied to the hardware, just mainly because most of our
customers, or almost all of them,
are used to buying storage as a thing, right? And so they stick it in their data center,
and that's the way they purchase it. We've built metering capability into the software so that we
can license it in a metered fashion or license it as software only. We don't have a lot of customers taking advantage of that.
We are probably starting to see some more interest there in the market,
but we have a very limited hardware footprint that we support
because that's another sort of gotcha about ZFS
is that you can't really run it on everything.
So you do have to be careful on what you run it on.
And we have a very limited set of qualified systems that of course we,
we support to do that. And so and so we're, you know, we're,
we're sort of seeing, seeing some more interest in, in, in that side,
but really it's all, it's mainly a system sale today. But but I,
but I think the natural evolution of things is it'll,
it'll continue to to evolve to the point where even across a limited set of hardware, we'd be able to support software.
Towards a hardware compatibility list or a reference architecture?
I would say more.
Well, I don't know the answer to that.
Right.
Right.
I think you could go either way.
Right.
I think we all know the gotchas of what happens.
Yeah, exactly. So the way I look at reference architecture is vendor A, you know, let's say
with the big, let's just look at the bigs, right? So it's this Dell server with this Dell JBOD and
these types of disks. Well, the problem there is that Dell can never guarantee you what disks
they're going to ship. So that breaks a little bit. You can say this HP server with this HP
JBOD and this disk. So we'd love to be able to get to the point
where we can do that
and actually provide the quality control
that's necessary.
Sometimes it's easier to say like,
well, these are the disks that you can get
from anywhere.
And then those are the ones
that we know are qualified and work.
The unfortunate side is it gets really messy
for customers really quickly.
And so what we want to do is make it easy.
And nine times out of 10, customers who've even come to us from other sort of open source
vendors who've gone down that path, this is something that they're like, look, I don't
want to deal with it.
I just want to buy a thing and I want it to work.
And so, right.
And that's been my experience too. I think that
there's a lot to be said for just buying a line item skew. And if you could skew it an HPE or a
super micro or even a quanta device with X, Y, Z. I imagine we're talking about SATA disks.
Yeah, SAS disks are, yeah, that's what we're, yeah.
So a SAS controller with X number of ports, et cetera,
and these SSDs for caching in the classic sort of ZFS model.
Yeah, I would see it be more along those lines.
Ideally, if we were able to skew it up in a way
where we can sort of know down to the hard drive level
that they weren't getting mixed vendor hard drives
and things like that,
which would cause reliability concerns,
then that is the ultimate way because customers get flexibility and they also get the reliability
and the ease that they are used to when buying storage.
You mentioned in a prior conversation that we had something about a secure supply chain.
Yes.
And how does that play out in this space?
So that is something that we're able to accomplish with our partner Seagate. And so what we do is,
as we know, most electronic components are not made in the United States. They're probably all
made overseas at some location. And with recent supply chain issues that have been in the news,
I'm sure we've all read about those. Some of our commercial customers and of course,
our government customers are very concerned about where their stuff is coming from and how that's
been controlled along that supply chain. And so what we're able to do with Seagate is because,
and the reason we do this with Seagate is because the lowest level components,
the drive enclosures and the drives themselves come from them.
We're able to get those drives essentially bare, right? So the boards themselves,
the chips and everything come over from Asia and they come to a secure facility in the United
States. And then all of the software components are, they're put onto the devices here in a
controlled manner. And so that's like the basis for our supply chain. And then all of the final
transformation of all the software that we put on and everything else around the system itself
is done in a secure facility before it goes out to our customers so that we can say that the
process is compliant with BAA and TAA standards and that supply chain has been secured along the
way so that we can provide that assurance to our customers.
Well, wait a minute.
You're off, I'll call it a factory where you're producing the appliances.
Is a secure facility within some standard compliance?
Yeah, that's correct.
Oh, my God.
Yeah, that must add some significant time to delivery, doesn't it?
It adds.
Actually, on our side, it doesn't add as much time to delivery um but what
but it does right it does add a little bit of cost and but on the components because a lot of our
components are sourced um you know a lot of the server components and things like that they're
they're much easier sourced um than the hard drives themselves which come in quantities of
hundreds or thousands and they're coming from um you know, they're coming directly from Asia. And, and so the,
the, it's a little bit, there's an extra stop or two in the way, right? So they kind of go to other
places before they come to us. And in order to kind of work their way through secure measures.
And so that that's kind of, so that's a little bit of time. I would say more than anything, it adds time, you know, to the process.
But it's something that we can offer.
And it's very important to some of our customers.
For sure.
And if you have the supply chain in place and enough stocking within your fabrication,
you can make up for some of that
time.
Exactly.
Yeah.
And there's a number of different ways you could deal with that.
And honestly, I think that, you know, if we kind of look forward in the future, I wouldn't
be surprised if we see, you know, folks like HP and Dell start to adopt this sort of stuff.
Exactly.
People, people, they're going to start to say like, hey, you know, and maybe, maybe they will charge more because it's a, it's a deviation
from what they're doing today, but they'll say devices out of this facility are considered
secure. We've gone through the same set of security measures at the hardware level. And I mean, from
the HP, you discover, right? We, we heard a lot of talk about security at the hardware level.
And, and so I wouldn't be surprised if you start to see some of them start to implement the
same sort of thing just for servers and things like that.
Okay, let me turn a little bit to the business side.
So, I mean, are you selling this through big partners or direct or a combination of both?
We're a channel model um you know that the company right now is focused on
building our channels um you know throughout the various regions of the u.s and and that's uh
that's predominantly how we go to market and and you mentioned the the metering charging so i mean
you're you're charging for the appliance presumably and your system software and stuff like that is licensed on a yearly basis?
Yeah.
So I would say that 99.9% of our customers are purchasing it like you would purchase a traditional NAS system, right?
It's a system license.
The license is tied to the hardware, and you pay and, you know, it's, you pay maintenance and, you know, pretty easy to understand. Um, and that's, that's how almost everything, um, is, is sold today and, and
consumed. Um, we have a very small number of what I call special purpose use cases where the hardware,
um, and the software is separated. And in those instances, some of those are on the consumption model.
We work with partners when we do that because it doesn't really exactly fit our business model.
But we're able to sort of meet in a channel and do that.
Exactly right.
So they kind of manage the financial and do that. Exactly. Right. So they, they kind of manage the, the financial
aspects of that. And then we were able to bill from the software side on a, on a, or at least
provide them the reports for them to bill on a, on a meter basis. And a support environment for
your solution. I mean, you must have parts depots and, and support contracts that you need to support, that sort of thing?
Yeah, absolutely.
So anything you would expect from one of the big players, you could expect from us.
We have exactly what you said.
We have parts depots.
We have on-site support.
We have 24-hour on-site support, parts replacement on the hardware side, 24-7 help desk and support team.
And then we also have the ability to support even the most secure facilities.
We have a whole team that manages that as well.
So we sort of do it all when it comes to that.
Hey, Eric, can you tell us a little bit about the operating system that underlies the Racktop system? So it runs Brickstore OS, which is our operating system.
And it's a derivation of what was called a Lumos. And we've sort of, yeah, exactly. Yeah. And so
one of our chief architects actually was the, the,
the guy who, who put that out there and gave it the name. And, and so, uh, we've evolved it from
there. Um, but, but we sort of look at that, you know, the base, the base OS, we did a number of
things to secure it up. Uh, we ripped a couple of things out. We turned it into almost like a firmware image. And it is the delivery
mechanism for ZFS. And then everything on top, you know, is sort of where all of our special sauce is.
So it's everything sitting in between the kernel and, you know, in user space that's doing all
that data magic. And so the OS is really just sort of the delivery mechanism for all that.
Eric, you know that ZFS has often had problems in the past with usability
and performance tuning and that sort of stuff.
Have you guys done anything to try to address any of that stuff?
Yeah, so we have a management interface called MyRack and MyRack Manager. And really, what that's meant to do is
abstract all of those knobs from the underlying OS. Solaris is an incredible operating system,
and it was very secure, but it was built for engineers, by engineers. And everybody in the enterprise space today is a generalist or they wear 20 hats or
nobody has time to just be the storage person who knows everything they can about every setting.
And so we abstracted all of that out through a management interface and an API and to just make it drop dead simple and, you know, really,
you know, sort of buff down all those rough edges that were in that operating system by
nature.
And we actually just want to make a point about security.
We, at the request of one of our customers, our product was put through a full red team
by a government organization.
That red team assessment came back. It took
them a couple of months, but it came back with no high vulnerabilities or findings.
So it's kind of a testament that we started with a secure base and we built on top of there. And
so had we picked some other options,
we may not have, you know, fared so well.
Yeah, I never heard of that full red team thing.
That needs to be all over your website, I'm thinking.
Yeah, yeah, yeah, definitely.
I have to figure out with, you know,
what we can and can't say publicly about what we can publish.
But I will say this. They do some very sophisticated
techniques to try and figure out things. And it was impressive. I did not know they were
going to go to the level they did, but I'm happy how it turned out.
Okay. Hey, well, this has been great. Eric, anything you'd like to say to our listening
audience?
Oh, well, I actually have something to say to you guys you know like i have
50 of my beard is gray i don't know does that does that does that make me an honorary
you're qualified yeah you could be on that you could be a co-host if you want
okay all right is there i didn't know if there was like a number of years or something
percentage or i've gotten to the point where any gray hair is worthwhile at my point.
So we've had some women that wanted to be co-hosts,
so we're going to have to change it from gray beards to gray hair,
but that's a different discussion.
There was one question I had, Eric, for you guys.
The cloud is all brand-new kind of stuff.
Do you guys support cloud tiering if such a thing exists?
Oh, yeah, definitely, yeah.
So that's
funny. I didn't even talk about, so we have a, we have a technology called transparent data movement,
which facilitates data movement in and out of the cloud. So think about all the security stuff we
talked about today, right? That whole stack of software. Now think about, all right, well,
I have a cold storage requirement. I want to put this stuff off in the S3 or whatever,
whatever system that's super cheap
and deep. So we built a technology to facilitate that. So we, our technology, which we call TDM,
we'll split the data from the metadata and it'll move that data off into that third party system.
So let's just say it's an S3 bucket. And then, but we'll leave all the metadata references local, um, so that, uh, all the
compliance, um, capabilities, all the, uh, reporting, everything that all the user behavior,
you still have that.
So if somebody ever needed to access those files, even though they're in cold storage,
we would be able to capture exactly.
We have to capture all of that stuff.
So we, we built that technology to facilitate people moving data in and out of, um, you
know, those types of systems.
All right. There's probably a dozen other questions about the ZFS side of things,
but I'll leave that as it were. I'd love to come back.
Yeah, maybe we can do that. Well, this has been great. Thank you very much,
Eric, for being on our show today. Thanks, Ray. Appreciate it.
Next time, we'll talk to another system storage technology person.
Any questions you want us to ask, please let us know.
And if you enjoy our podcast, tell your friends about it,
and please review us on iTunes and Google Play, as this will help get the word out.
That's it for now. Bye, Eric.
See you later.
Until next time. Thanks.