Cortez worked his way up through the ranks as a cloud security and compliance engineer, managing hundreds of production applications. Now he's taking those grueling lessons and teaching the team at Relay how to automate away tedium and toil. Join us as Cortez shares stories from the field and some of the motivation behind Relay's cloud compliance enforcement capabilities.
00:00:19 Ben Ford: Hello again and welcome to today's episode of Pulling the Strings podcast, as always powered by Puppet. My name is Ben Ford. I am the Ecosystem Product Manager here at Puppet and active in the community as @binford2K. And today we're talking with Cortez Frazier Jr. He tells me that the junior is a very important part of his name. Do you want to tell us the story about that Cortez?
00:00:42 Cortez Frazier Jr.: Yeah. So there's honestly a really exciting story about it, which is mostly that I am just extremely competitive. My dad's name, so I'm named after him, he's Cortez Frazier. I'm Cortez Frazier Junior, and I'm determined to be better than him in all aspects of my life. And so if I go by Cortez Frazier, I give him too much credit for my hard work.
00:01:00 Ben Ford: Well, that sounds great. So Cortez Frazier Senior, if you happen to be listening to this, just know that we're talking to your kid here, not you. Anyway, Cortez has a background in cybersecurity, so it's no surprise that he's leading the Relay team here at Puppet and breaking into some new grounds in that domain. I mean, we'll ask him about that. He'll tell us all kinds of stories, but I'm super excited about it. He joins us from Atlanta, which I personally kind of find pretty cool because it's the site of the world's largest 10k running race. That's down Peachtree, of course. It's on my list of things I want to go do someday. Last time I was in Atlanta, a friend took me down to a speakeasy kind of hidden down underneath a loading dock. You had to go down underneath a set of stairs and there was a peephole, and you had to like whisper a code word into the peephole to get in. Super weird, but maybe someday, you can help me find that place again when we travel and I come do that race, Cortez.
00:02:06 Cortez Frazier Jr.: Well, you know what, Ben? I got no promises on trying to find that particular speakeasy because there are so many of them that we have in the Atlanta area. But it's a very, very popular thing. You know, first and foremost, I'm excited to be on. Thank you for inviting me. I really look forward to giving some additional details about, you know, both myself and then some of the exciting things we have going on in the Relay product. But, you know, before we get too far in the weeds there, please, Atlanta's a city and a forest, so we expect for you to come visit us anytime. I'll look forward to it.
00:02:38 Ben Ford: I'm super excited. It was one of my favorite trips that I've been on. I've only been there a couple of times, but I'm really looking forward to going back. So do you want to tell us a little bit about your background? I saw several different things that I don't think that I'm qualified to even explain what they are. So maybe you could tell us?
00:02:57 Cortez Frazier Jr.: Absolutely. No, I can kind of hop into my background a bit. So kind of going back about four to five years ago, I graduated from the University of North Carolina at Charlotte with a Management Information Systems degree. That's all jargon for, you know, business and IT mixed together, basically. And it was a really, really good experience. It's actually really funny because at that time, I told myself that I did not want to work in software development and I didn't want to work in the energy space. And my first job out of college was for software development in the energy space.
00:03:36 Ben Ford: I think you asked for that, didn't you?
00:03:37 Cortez Frazier Jr.: Exactly!
00:03:39 Ben Ford: The universe was like, hey, you know what? Guess what we're going to get you with here.
00:03:44 Cortez Frazier Jr.: No, that's exactly what happened. So that was pure comedy, but it's one of those, you know, hindsight 20/20, everything happens for a reason type situation. So I went out of college. I was working for a Company G, at the time. They're known for their leadership programs. I did, like a two year rotational program, got to do software development, got to do a project management, which those things are different. Don't let anyone fool you. And it was just a really, really good experience to kind of taste a bunch of different functions and then to kind of decide which one you want to go deeper in because I kind of had that engineering experience of, you know, the product manager who doesn't really know very much about delivering software but tends to make all the requirements and the timelines. I was determined to not be that guy or girl. And so, that was definitely my focus. I was like, you know what? I'm going to go in as deeply as I can technically. I mean, that's what kind of led me to a career in cybersecurity. And so after doing that initial two years and then for the next two years spent time as a senior cyber architect. We have about 1800 developers, 600 plus applications, and there's only a team of about three of us. So we had a lot of responsibility with a small amount of resources, and that was my very first experience, just really learning how to get a lot more done with less, frankly, which will be a theme you'll see here over the course of the podcast.
00:05:02 Ben Ford: That ratio is just amazing. I can't even comprehend owning 600 applications. I guess if it was a team of three, my responsibility would be two hundred of those, right?
00:05:14 Cortez Frazier Jr.: A team with three, but one was a manager. So more like 300. Yeah. But yeah, no. The level responsibility was insane, but it allowed for me to, you know, really think on my feet and get really good at trying to influence people, if you will, because there's no way that I'd be able to make any of those changes. It was all about influencing those application owners to make them themselves.
00:05:35 Ben Ford: Well, that's actually a really good segue into talking about Relay a little bit, because Relay is one of those things that just lets you magnify what you can do as a developer or anything. It lets you take your skills and just like automate them across your entire infrastructure. So I know a little bit about Relay as being an automation service that lets you like glue all of your other things together. But maybe you could sort of give us a real quick, just like an overview so that everybody knows what exactly we're talking about.
00:06:09 Cortez Frazier Jr.: Absolutely. So if I were to give a thousand foot overview or maybe a 10,000 foot overview, if you will, of what Relay is as product; at a high level, I like to view it as an event driven automation platform. And really, there's just three components to that, right? So you have a trigger, which means some form of event has occurred. So that's typically your observability tools. Think your Prometheus and Datadogs of the world, who says, hey, I have something going in whatever environment I'm watching. So you may have an EC2 instance that's not functioning the way that you want it to, and you use Datadogs or observability layer to control and capture all of those alerts. But that's only one side of the puzzle right now. Now that alert has happened. You want to actually do something with that. You want to perform some action. So you have the trigger and then you have the steps as we call them, which are more the action engine component of that. And so, I've received an alert and I want to perform some actions. I may want to communicate that action with people, right? So I want to send a Slack message or an email. I may want to open a JIRA ticket or a ServiceNow incident. I may want to actually, you know, just go perform that action myself, right? So maybe I want to just go restart that EC2 instance in this particular case. And so you have your event, right, which gives that trigger. You then have your actions, which come from individual steps. And then the last piece is really just the repeat, right? That's the automation and functionality of that, which is now, can we make this on an automated basis when that's a scheduled trigger, whether that's a reactive trigger based on the event itself, you have that flexibility and so you react, perform action and then repeat and continue that loop over and over again.
And that would be how I would explain Relay at a 10,000 foot level and how we basically integrate as many APIs as you deal with in your organization, we can have access to.
00:08:01 Ben Ford: That's a really, really cool sort of a toolbox there. It's almost like Lego pieces. It lets you put together your own workflow to react or to automate different things. Like I can imagine building it as a self-healing system that if you get certain kinds of alerts, would try to go restart a service, maybe restart a database, or clear out a mail queue or something and only notify you if that fails. So all of these things just happen, and you can care about only the ones that are the most critical and stop with the pager alerts in the middle of the night.
00:08:36 Cortez Frazier Jr.: Absolutely right. Because I feel like as an organization, we all think about automation in so many different ways. But really, is it automation if I, as a human being, have to participate in it in some way, shape, or form? Probably not. Or at least I don't view it that way, right? And so that's why the power of Relay is incredible, because if you need to have that, you know, human in the middle interaction, someone who's an approver who needs to make sure that this is a legitimate alert, you can do that right, or if you want to just build the criteria yourself. So that way you have full trust in that, you know, automation platform, then you also have that flexibility to do that as well. And so that's really where we like, you know, find that power. And then I think the third piece of it that's really incredible is what we found in a lot of organizations. Both small and large, there tends to be a lot of consumers of automation, right? On ones who get the benefit of the automation, but not a lot of creators, right? Not a lot of people who can go and build it themselves. And Relay allows for this low code creation of the automation to now extend, you know, that ability and functionality to more than just your senior DevOps engineers who know how to make all the code themselves and PowerShell or something of that nature.
00:09:48 Ben Ford: That's really cool, too, and it lets you swap out pieces like if you have a workflow going and you're using one set of tools and you switch to a different vendor, you don't have to switch out your tools entirely. You just swap out the pieces, and that to me, is so, so powerful. The ability to just like customize at a very, very easy level, like customize to what I need and swap out the things that I don't need, or that I might want to change out for something else.
00:10:15 Cortez Frazier Jr.: Absolutely. It also allows for like from a security perspective for you to obfuscate some of your more sensitive secrets and credentials, right? Maybe you want your users within your environment to be able to perform certain actions on, you know, certain environments and say, AWS or Azure, but you don't want to actually give them those credentials yourself, right? You don't want to hand over the keys to the kingdom, if you will. Well, now you can just build workflows that interact with the objects, the resources within those particular environments without directly giving access to them. Once again, just extending that automation to more units within your environment.
00:10:48 Ben Ford: I like that a lot. It lets you put guardrails on things like you could even interact as a Slack bot or something. Like type in a certain command, and it does a certain thing. And that's all it does. It doesn't let people do arbitrary actions, just the ones you put workflows in for.
00:11:03 Cortez Frazier Jr.: Exactly. Scope it down to specifically only actions that you think that they should comfortably be able to do without too much interaction from you. And then save your more senior developers and engineers time to spend time, you know, as I did as a senior cyber architect, saying no to the more complicated things.
00:11:19 Ben Ford: Right on. Now, I'll be honest here. I have a little bit of bias as the ecosystem person here. I'm pushing the forge and I work with content all the time. You said something about creators and consumers and about how there is a certain number of people who are building content and a much larger group of people who are using that content? How do people within an organization share that content around so that the people who need to use it have access to it?
00:11:52 Cortez Frazier Jr.: That's a really great question. And there's a few components that you can do for that, right? So of course, within the Relay platform itself, we have, you know, role based access control. So if you want to give them only a viewer role per se, so that way they can't change any of the actual workflows, but they can still observe them and get outputs from them that they can use in their individual instances. And that's one particular way. I would say another way is what the extensibility of, some of the like CMDB type platforms, like a ServiceNow. Maybe you want to open a ServiceNow ticket within your environment, which is a pretty common use case, to update the configuration of an EC2 instance or an S3 bucket, I'll go back to that example. Well, before where you could input that ticket update, now you have someone who physically needs to go in there, go change whatever they need to change and then give you an update to let you know that they've changed that. Well, that's just now a Relay workflow. And so the entry point is pretty indifferent, whether it's ServiceNow, a JIRA ticket, or a Google doc that you want to update, right? We're pretty agnostic, to the point that you were saying earlier, as far as that, you can enter any tool that you want and then we, you know, kind of handle that work on the back end. So I'd say the shortest answer to your question of the best way to share on those actions, in my point of view is to have an entry point that is available throughout your entire organization, such as like a CMDB. But of course, they can directly answer the platform themselves with your roles. We also have GitHub-based controls. So that way, if you want all of your workflows to only be controlled by a source control and they need to submit a PR to your existing GitHub environments, they can do that. So I say that those are probably the three most common ways.
00:13:36 Ben Ford: I like that a lot. And then shameless plug here. If you are a longtime listener, you might remember that back in November, we did a recording talking about ServiceNow integrations, so that might be something for you to go back and listen to if you are interested in that integration part there, which means that we have a couple of different ways that we can integrate with a live service now. We were talking the other day and you were talking about a few new features that we've got coming up. Do you think you could tell us a little bit about those?
00:14:07 Cortez Frazier Jr.: Absolutely. I'd love to get into it. So of course, kind of, you know, bringing in my background from a cybersecurity perspective. One of the things that were the biggest frustrations of mine is how do we ensure that our environments are secure and compliant, right? How do we know that they're properly configured? And we normally use like a CIS benchmark as our metric by which that we measure our environment's health against. Follow a lot of those controls and then compare that against our environments to ensure. And so from a Relay perspective, what we felt is that, you know what, we could actually probably offer our customers an automated solution to fixing this problem. Which is, you know, how do you get an inventory, how many assets that you have in a particular cloud environment, and then measure that inventory against a particular benchmark, in this case, CIS? And then lastly, and most importantly, actually be able to perform action on that inventory. And that's the feature set that we're working on within Relay, which is the ability to do scans and remediations for your cloud native resources and assets. I'd say there are a lot of scanner products out there. Like a lot of products that will let you know that your S3 bucket has publicly accessible environments. However, that information in and of itself is not incredibly useful, at least not to me. What's more powerful is knowing, Okay, my S3 bucket is misconfigured, now please go fix that for me or, and we can kind of get into a little bit more details on that on the second half, some other workflow based remediations if you aren't comfortable changing the asset itself. So at a high level, one of the most exciting features that we have is what we're calling our cloud compliance module, and that's going to allow for you to evaluate a CIS benchmark against your cloud posture, if you will, and then perform the remediations.
00:15:56 Ben Ford: I'll tell you what- I mean, as somebody who has lost far too many hours staring at those stupid ACLs and access rules and whatnot, if all you did is just make me never have to look at AWS access rules again, I would be your biggest fan.
00:16:13 Cortez Frazier Jr.: Yes. No, no, absolutely.
00:16:18 Cortez Frazier Jr.: And that's the beauty, right? It's just like finding a one-scope-down, tiny problem that we can just help alleviate and give you some additional time back because it is frustrating. It is repetitive. And it's just hard to do. Like that knowledge of what permissions should be allocated? How do you actually facilitate the least privileged connections within those particular environments? All of that information is typically held in maybe three people's heads within your organization.
00:16:45 Ben Ford: And then you have to stack them all together, right? Because it's not like any one person knows it. It's like the combination of what one, two, and three all say.
00:16:54 Cortez Frazier Jr.: Yes, exactly. Which, honestly, you know, maybe Ben, if I could get into the problem a little bit more here. So you're either like a large enterprise organization or you're a small and medium sized business, right? And whether you're either one of those, you deal with the same problems. So we're all moving to the cloud. We're all living in this environment where we're like, we kind of know what we're doing, but not really. Like, we're all kind of figuring out this thing together. And on the large enterprise side, and I can speak to this diligently because that's what I was working in previously. It is incredibly frustrating when, you know, so that example, I had 600 applications that I owned, but I didn't have any access to any of them, not a single one of the 600. And so I am, as a security function, responsible for creating the policies by which that our applications must cohere to. However, I cannot force them to cohere to them, and nor can I actually evaluate the environments themselves. Got to go open a ServiceNow ticket to that resource owner, and then they got to go in and fix the thing. And then they got to let me know that they fixed the thing and then I can go, you know, run another scan or do some research to figure out if they've actually fixed the thing.
00:18:05 Ben Ford: It's a lot of layers of bureaucracy to deal with there.
00:18:09 Cortez Frazier Jr.: Exactly, exactly. Which will be much preferred, which we can offer. And our solution is, yeah, okay, now you're able to provision a Relay application that has now like a security auditor role within your environment, can run those scans, give you those results back. And then, you know, of course, assuming you give the proper permissions, you can actually then go fix it. Like myself, being a person of three engineers for 600 applications would have had a nightmare of a time trying to update all 600 of them, whereas I can do it with a push of a button with this cloud compliance module.
00:18:42 Ben Ford: Enforce a policy.
00:18:43 Cortez Frazier Jr.: Exactly, exactly. And then, of course, what is an even further extension of that is, you know, in the interest of transparency, some organizations may not feel comfortable with you performing resource changes in their environment or IAM. And so that's where the power of the underlying workflow engine that this compliance model is built on top of is because if you're not comfortable with Relay having the ability to actually perform actions in that environment, you know, that's great. We will facilitate the process of opening that ServiceNow ticket for you. We will listen for when that ServiceNow ticket has been updated. So that way we can then email the resource owner to let them know that action has been taken on their environment. And so whether you're comfortable performing that action or you just want us to help facilitate the process for performing that action, we have you covered either way.
00:19:33 Ben Ford: Right. And you mentioned earlier that you can put in like a human intervention step in there so it could entirely be audited by the resource owner, who then approves the action before it happens.
00:19:42 Cortez Frazier Jr.: Exactly. And that was that flexibility that we really wanted, because ultimately, and I'm still like a passionate believer that the remediation is the most powerful piece, right? Being able to click a button and have that asset updated is going to continue to remain what I feel is a significant differentiator. However, it's going to take time, I would say, for especially on the larger enterprise side, for that comfortability and that trust to be built up. Now we're able to benefit, you know, the second half of the equation. If you're a more small to medium sized business, maybe you only have an IT or operations team of, you know, five to 10 in comparison to the potential hundreds of some of these large enterprises. Well, you probably feel very, very comfortable allowing for Relay to take ownership and actually perform those remediations for you, right? And so once again, the work of, you know, 10 people can be done with one.
00:20:30 Ben Ford: Yeah, I am quite familiar with that hesitance there. I actually, as Pro Services back in the day, I used to have a whole bunch of financial clients that would run Puppet in No Op mode and it wouldn't do anything. It would just like shout about the things that it would do, and they would go manually do other remediation changes until Puppet didn't complain anymore. And that's exactly kind of like one of the things that people might end up doing with something like this when they're getting used to it. What would Relay tell me to do? Okay, I can go do that. Look, hey, it's fixed. It's not telling me that that's a problem anymore.
00:21:08 Cortez Frazier Jr.: Yep, exactly. And then there's also that second level, which is, you know, sometimes you may be comfortable with the state of a particular asset, right? So maybe for your particular use case, you want to allow an S3 bucket to be publicly accessible. Now, from a cybersecurity perspective that terrifies me, right? I would never want that. I don't think any organization does.
00:21:32 Ben Ford: In all the time that I have ever worked with S3 buckets there has been precisely one use case where I came up with it and it actually made sense, and it still terrified me.
00:21:41 Cortez Frazier Jr.: So it is rough, but you know, in this hypothetical organization, maybe that's something you want. So you probably want to mark that asset as exempt, right? You want to give it that ability to say, you know what? I know that this is in violation of a particular CIS rule. I'm comfortable. I accept this risk. Let me mark this as exempt. And more importantly, maybe mark it as exempt for a certain amount of time, right? Because you don't want to just be indefinitely exempt, right? You maybe only want that for six months or a year to come back and revisit. So I really love the fact that the module is going to have that flexibility between direct remediations, when I'm considering these more workflow based remediations, and then just general posture management that general updates of the exemptions.
00:22:26 Ben Ford: One thing that I'm a little bit curious about here, and I'll fully admit that this is my own ignorance in the state of security and compliance here. Last time I really looked at benchmarks at an in-depth level, it felt like it was very much designed for on prem. It was like, you know, permissions of your shadow file and things like that. So I'm kind of curious to know what compliance means when we're talking about cloud resources and what kind of rules we're looking at.
00:22:57 Cortez Frazier Jr.: No, it's a great question, Ben. And so I would say that compliance on the cloud resource side is mostly on configuration. So when you go to deploy a particular cloud resource, whether that's in a GUI, like a console or a portal, or whether that's via infrastructure as code, or cloud formation template, a BSON template, you know something of that nature on the Azure side. Then you go through a thousand different options, right? Do you want it to be publicly accessible? Do you want to allow HTTP connections or do they all have to be secured via HTTPS? Do you need certain versions of TLS RAM from an encryption standpoint? So those are the type of things that the CIS benchmarks are looking for. Of course, unlike the IAM permission side, that's where a lot of the rules and controls come from, which is ensuring that, you know, they only have least privileged, that you have root users have multifactor authentication enabled. So those are the type of things that we're looking for on the CIS side and where it becomes tricky and where Relay has a really, really interesting play here is because not all rules within the CIS benchmark can be automated, right? Like not every cloud resource has an API that we can easily interact with. And so where we can play because we're a workflow based rules engine, we can do more custom remediations and actually maybe go scrape a GUI for that information, for example, rather than only relying on the API. So instead, it gets a little bit more extensibility outside of that. But really the configuration side of it is where you'll see most of the CIS benchmarks play and really just trying to lock down your resources. So that way they don't get unintended access, outdated access, things of that nature. Does that make sense?
00:24:46 Ben Ford: It absolutely does. And it kind of seems to me like a lot of security and compliance is also kind of around process, which itself you can't do an API on, unlike whether you require code review and things like that. Could you talk a little bit about how Relay helps improve human processes?
00:25:07 Cortez Frazier Jr.: Absolutely. And so one of the things that we observed as we were, you know, really just kind of working on the core Relay workflow experience and trying to decide which scoped down experiences really makes sense for us. And one of the immediate realizations that we were able to take away from that is that when you're in like a compliance function or compliance environment, people in process really are the biggest barriers, and I'll take a step back and set the stage a little bit here. So like in an average organization, you have a few different functions: you have like a governance function that is going to set the compliance rules by which that organization must confer to, you then have internal auditors, you got external auditors, you have what I call a CIO type organization. So that's like infrastructure, your application developers, all that rolled up into some type of CIS organization. And then you have like a CSO of a chief information security officer organization, which has all your security rules, which can be similar, but a lot of times are very different than your compliance rules, but have a lot of overlap. And so between those four rough functions, all four of them have to communicate, right? The governance and the CSO organization sets the rules and regulations. The external auditors and the internal auditors enforce those rules and regulations. The CIO organization has to adhere to the rules and regulations performed by the governance in the CSO side. So as you can see, it becomes this incredibly complex matrix, if you will, of I need some information from these people and in order for them to do their job, they need some information from me. And this constant back and forth. And so I say all that to say that that is where Relay comes into play because we have such deep integrations with the ServiceNow, the JIRAs, the Slack, the email communications.
We can really orchestrate in the take it in our step further because we have the reactiveness of being an event driven action engine. We can listen for updates to those particular systems and then pass that information along. So if you open up a ServiceNow ticket, you then update it with. I performed some configuration changes to the S3 bucket. How do I know that that work is done or Relay workflow is going to listen for it to let you know that that work is done and then update me on the security side and let me know so I can go and validate it. So you really have that, that workflow based remediation flow to orchestrate this incredibly complicated people process barrier that we have to find our way around.
00:27:37 Ben Ford: That's a really, really cool description. And I remember ages ago somebody taught me something about DevOps, and his thing was that DevOps isn't like processes and tools. And like all of these things, it's mostly everybody speaking the same language so that you can communicate. To me, it sounds like you're saying that it's like taking that almost to the next step where it's like, this helps everybody speak the same language, but it also like fits in the middle is sort of like a Google Translate almost so that you can speak the same language, but there's that same overlap in between, but you don't have to be fully engrossed and get OP's workflow or whatnot to get your message across.
00:28:25 Cortez Frazier Jr.: Absolutely. And what it also does too is it kind of offloads some of those layers that aren't important, right? Like if you're a developer in a particular organization and you own a, you know, an AWS account, right? You're responsible for making sure that all of those services adhere to a certain compliance standard. You know, do you really want to go digging through your governance organizations? You know, I don't know a thousand page policy of requirements. I know because I wrote them and it was a pain, right? Like it was. And honestly, a lot of times they're even hard to even match. And then when someone goes and updates that policy, which is probably an Excel sheet on someone's Confluence page, right, somewhere in the organization, how do you even know that that's updated, then go and perform that action yourself. And so that's where Relay really kind of comes into the play and says, You know what? We got the benchmarks already loaded in for you. We'll let you know what's in violation and what's compliant. And then if you're comfortable, we'll go ahead and fix it for you as well.
00:29:22Ben FordYeah. So it's almost like the communications backplane. It just makes everything so much easier.
00:29:27Cortez Frazier Jr.Yep, exactly. Exactly.
00:29:29Ben FordSo a little bit curious here. And maybe I'm jumping the gun a little bit. But do we have anybody like internal or external, trying out these cloud compliance features?
00:29:41Cortez Frazier Jr.Yeah, absolutely. It's a great question. So we actually do have a small subset of design partners. A lot of them are early Relay customers. What's actually been really interesting is we've been able to use it as an opportunity for some of our newer prospects as well, so we have a line of sight with some of our customers, who, you know, saw even just the early alpha version of the compliance experience and was like, Wow, I need this right? This is going to save me a ton of time, a ton of energy and a ton of effort. And so those are some of the people that are participating in our early design stage. However, where, you know, maybe I'm getting ahead of ourselves here, but we are looking to open it up for anyone who wants to publicly participate at the end of March. So that's going to be publicly available. All you have to do is sign in to the application and start using it. We want you to use the tools to your heart's content, of course. You know, don't be too aggressive, but we want you to break it. We want you to let us know where all the other problems lie and in the areas that we can improve. But more importantly, to get that feedback because, you know, as I'm sure you can see that Puppet is kind of making a cultural shift here, right? It's all about that, that rapid testing and validating our concepts and ensuring that this is really the value that we can provide to our prospects. We have a lot of, you know, conviction, if you will. And early customer sentiment has been very, very in line with this is a massive problem that we need help solving. But we want to continue to validate that with that public alpha at the end of March.
00:31:19Ben FordThat's pretty cool. So do people have to do anything when they sign in? Like, is there an accept alpha feature or anything? Or are they just available in their mark, in the UI?
00:31:30Cortez Frazier Jr.Absolutely. So today if you sign into Relay and have access to the compliance alpha, you would request access. So we have it a bit walled garden and sends a message to me so I'm not, you know, too fancy, maybe send me some bourbon or something like that and I'll give you access. Just kidding. But seriously, you request access for it today. However, the moment that we've turned that live at the end of March, anyone who signs up for a Relay account will immediately have access to that functionality. While we're in the alpha stages, of course, you know, in a few more months right after we've kind of completed that alpha experience and we can have deeper conversations around what the pricing will look like and all of those details. However, anyone who participates in our Alpha, I can assure you, is going to be very, very happy with the discounts, if you will, for what that final product would look like. So it is something that we're actively looking for participants for whom if anyone is interested. And to answer that last piece of the question, the best part about it is especially because we're really only focused on cloud native services is you can, you know, within five minutes, sign up for a Relay account and put your credentials within the Azure connection and be scanning and remediating assets within minutes. Within under five minutes. I've done it myself personally. And so that's kind of something that we think is incredibly powerful. And for the sake of completeness, we are very Azure focused for this first go around and we do have scans and remediations built out for AWS as well. But of course, we have to complete, you know, one benchmark at a time, right, kind of walk before you crawl. And so that Azure CIS level one profile is our target for completion.
00:33:18Ben FordThat's exciting. So that means all you, dear listeners, by the time you hear this, you might be able to just go click some buttons and start using this and try it out.
00:33:27Cortez Frazier Jr.Absolutely. Try it out. Get some value. Make the connection, right. You know, I'd love to see the, you know, thousands of remediations kind of come through and more importantly, get yourself some time back, right? That's really what this play is most importantly about is how do we give, you know, our DevOps and technical engineers more time for them to work on frankly more important problems than is their S3 bucket properly configured?
00:33:56Ben FordThat's important.
00:33:56Cortez Frazier Jr.It is absolutely important, don't get me wrong. It was way too late in my career before I realized that I should be carving out my own time and like, hold some, some boundaries there.
00:34:08Ben FordWell, that seems like a really good space to sort of close up on. It's like, I see this as like this huge space with so much room to grow and so many things that you can do with. And Relay being right there to help you build the things that you need in order to grow into this space. So we're just going to close here with a thing that I saw on your LinkedIn feed, one of your recent blog posts had a tagline towards the end. It was something like, Let me help automate your way to your next vacation or something like that. Could you close up and talk a little bit about what that means to you?
00:34:48Cortez Frazier Jr.I absolutely can. I mean, this is something that means the most to me, right? Like, I don't want to sound like a broken record, but I keep alluding to the fact that I was on a team of three, 600 applications, 1,800 engineers, right, so there was not very many vacations being had, I can assure you. And so really what we're talking about here, as when I say like, let me help you automate your way to your next vacation. Is that the event driven and reactive nature of Relay, whether that's the workflow experience or even the compliance experience. It ultimately is looking to give it your time back, and what you choose to do at that time is completely up to you if you want to go make the next greatest product for your company, that's fantastic. If you want to go hang out on a beach, that would be my preference for you, right? That's even better. Well, and most importantly...
00:35:38Ben FordWith a nice bourbon, of course.
00:35:39Cortez Frazier Jr.With a nice bourbon, of course. Yes and an umbrella. You got to have the umbrella in there, right, or it's not a vacation, but yes, it'll offer you to, you know, go to the beach, for instance, right, and know that you don't have to worry that if your environment has an issue, it's gonna self heal because you have a Relay workflow for that, right? If you need to redeploy into your environments and you're the only one who knows the deployment process well. Now you have a Relay workflow. It just kicks off a Relay workflow that's not just stored in your head anymore. And now you're the first person on call. And then the compliance piece is even more worrying, right? Because compliance problems you never have to worry about until it's too late, right? Until you've already had a breach, and so you're already being sued. And so rather than wait for that to happen, you now have these compliance answers being run on an automatic basis. And if you desire, even being remediated on automatic basis.
00:36:36Ben FordKind of lets you get ahead and know that things are happening on a schedule. It's like one of the things that I always had a hard time with. Vacation was like knowing that on the third week of, I don't know, August I was going to be able to say, Hey, I'm not going to be in work mode for an entire week and be able to know and trust and have that schedule in place.
00:37:00Cortez Frazier Jr.Absolutely, absolutely. And that trust piece is important, right? And frankly, I mean, that's where we lean on the fact that, you know, we as Puppet have been operating configuration management for well over a decade, right? This is our area of expertise and compliance is a natural extension of that as well. And so because we do have the expertise in that space, you know, outsource that trust to us, right? Let us, you know, let Relay take care of it, let Puppet take care of it. And then, you know, spend more of your precious time on the things that are most valuable to you.
00:37:53Cortez Frazier Jr.Absolutely. So I do participate in the Puppet Slack channel and we also have a Relay Community Slack channel as well that you can participate in. And we're active in all of those are our CTO Deepak even participates in there. So, you know, hop in there in the Slack and have a great conversation with him. He's a hoot, for sure. So you'll absolutely love it. But we really try to pride ourselves on being as reactive as possible. So whether that's in the Puppet or Relay Community Slack, whether that's directly within the application itself or feel free to reach out to me on LinkedIn as well. I'm very active on all three of those areas and we will be sure to respond to you and we really just want to hear your feedback, right? Like, I continue to emphasize that that is what we want the most is. You know, how does this work for you? How much value do you think that you can get from it? And maybe there's just some other areas that you feel pain in and that you'd prefer to get value
00:38:42Ben FordRight on, that is very exciting. Let's go ahead and close up right there. Call it a wrap for today. Once again, thanks for being here, Cortez. Thanks for being on the Pulling the Strings podcast and everybody, thank you so much for lending us your ears for this time.