>> theCUBE Presents UiPath FORWARD 5. Brought to you by UiPath. >> We're back in Las Vegas live. You're watching theCUBE's coverage of FORWARD 5 UiPath's customer event. My name is Dave Vellante. I'm here with David Nicholson. Our third Dave Espinoza is here, Director of Transformation at Cushman & Wakefield. And Marshall Sied is also here. He's the co-founder of Ashling Partners. Guys, thanks for coming on theCUBE. >> Thanks for having us. >> We know Cushman & Wakefield, huge real estate firm. We'll come back to that, wanted to dig into some of the industry trends. But Marshall, what is Ashling Partners all about? >> Great question, Dave. So Ashling Partners was founded with modern automation and continuous improvement in mind. So a lot of us used to implement large ERP systems, accounting transaction systems. We viewed RPA and broader intelligent automation as kind of the wave of the future. So everything we do has continuous process improvement and automation in mind together. So we don't want to decouple, we want bring those together in an agile way. >> It's interesting, Rob Enslin this morning on the stage was talking about the waves of industry tech that used ERP was where he started and you know, et cetera, internet and now automation. He's sort of drawing that analogy. It's interesting that you're seeing the same pattern. >> David: Were were you fist bumping in the back of the room? >> Marshall: Absolutely. >> Well, I mean there's a lot of opportunity there. A lot of money to be made on both ends. Dave, talk about your firm. What's going on in the industry specifically? You joined sort of as we're exiting the isolation economy. Right? So what's happening in the industry now? I mean, real estate has been up and down and, you know, wild ride, you know, with COVID. What are the big trends in the industry that are informing your automation strategy. >> And actually I joined probably like right in the middle of the isolation economy. So it was a really interesting time to like to, I'm sure for most people also onboarding into groups. But coming on Cushman, you know, Cushman itself is an organization that formed predominantly through acquisition and through merger, right? So three large companies came together. And so a lot of the times the sort of headaches and the opportunities that we find are probably no different than other legacy organizations have when they're merging three companies together, right? So lots of disparate process, lots of paper, lots of process that isn't really very standardized. And so really it's a lot about us trying to make sure that we're continuing to double down on really that continuous process improvement but also bringing technology, lots of different types of technologies to bear to solve different problems throughout the organization. >> Well is the pandemic a catalyst for the automation initiative? Or actually you guys started before that I think, Marshall started about 2018. But was it like a rocket booster during the pandemic or was it more sort of steady state? >> I think it was actually a little bit of both Dave. 'Cause the reality is there was already top down executive support at Cushman pre-pandemic. So Cushman was already moving on this in a big way and they had executive sponsorship across the C-suite. Pandemic came, never a good time for a pandemic, but it came at a decent time for Cushman because they were prepared. They had the foundation of governance, everything you need in a large enterprise to run a program. They had that in place so they were able to kind of just put kerosene on the fire when the pandemic hit with certain automation candidates. >> Because I often said that pre-pandemic, you know, digital transformation was kind of this buzzword. A lot of firms were sort of giving it lip service. But it sounds like Cushman actually had started down the digital transformation path and then obviously everybody was accelerated. If you weren't digital business, you were out of business. But but how tightly aligned, 'cause we heard this in the keynotes today, I'd like to test it. How tightly aligned is automation and digital transformation at Cushman. >> They're pretty synonymous really for us, right? So like it is really about bringing different types of technologies, whether it's like NLP. The other really interesting thing that we were talking about the keynote, right? There's just so much that is going into the UiPath platform that is enabling us and enabling the things that we want to do across the organization, right? So like natural language processing, document understanding, you know, cloud based items. Like there's just so much that we can leverage and it's really about that continuous process improvement. It's trying to make sure that we're aligning ourselves to the strategy that the organization is absolutely pushing, but making sure that we're doing it in smart ways, right? And that we're empowering our employees as we do it, right? So it's not just very top down from a COE, it's also very bottoms up, very citizen-led throughout the organization. >> So I think of this as a strategic initiative that happens over time. But how does Ashling, and Marshall, how do you engage with Cushman? Do you engage on a project by project basis? Do you have sort of a long term strategic arc that you're working to? >> Absolutely. >> How does that work? >> No, that's a great question. So we started project based, so we were a part of the co-establishment of the intelligent automation COE. So very outcome driven, top down approach as Dave mentioned. But we also had a wider aperture than just RPA. It was broader end to end automation experiences that was project based. We had so much kind of quantifiable evidence at that point that we wanted to go bigger with the program. Over time we matured into more of an agile DevOps methodology with the Cushman team. And Dave should certainly speak about the size of the Cushman team and how that's evolved over time, but- >> Because the two of you are in a partnership in terms of proving out the ROI of what you're doing. >> Oh, absolutely. >> Right? >> Marshall: Every day, every day. We all have numbers we got to hit, right? And that's just the reality of it. But in order to do that, you know, agile DevOps approach where you're, you know, releasing every two weeks into production, you need a dedicated team that has like a longer term roadmap that is coinciding with the Cushman objective. So that's what we have in place today, something we call build as a service and mROC. So kind of think of that as as plan, build, and then run. We're infused. You have to be infused with your clients if you're going to run an agile DevOps program. >> Is automation more self-funding? Marshall, I want to draw on your experience with ERP. Is automation more self-funding than other technology initiatives? And if so, why or if not, why not? >> It is, and it's a double edged sword actually. We talk about this all the time at Ashling. We've never worked in an enterprise technology space where there's more accountability to value delivered because it's so quantifiable and measurable. So every time a transaction runs you can measure- >> Dave: How are we doing? >> Exactly, I mean the ERP days, nobody questioned. They just, they thought we just have to move to S/4HANA, we just have to move to Oracle. >> We'll let you know in a couple years. >> That's it, yeah. >> I mean the stuff that we just saw earlier from Javier Castellanos, right, from Orange. It is very much like each transaction has a value associated to it. Each part of that transaction has a value associated to it. We're constantly monitoring the numbers of looking at our performance, right? There's very real value associated to maintaining business as usual for the 50 plus automations that we have in production, right? So like the business is really counting on us to maintain and to make sure that we're continuing to perform. But also that we're continuing to work with them to find additional value and additional opportunities, right? To make sure that we are saving money and finding dollars- >> But it's dropping hard dollars to the bottom line, right, that are quantifiable to your point. But what's the governor, what's the barrier to your ability to absorb whether it's new automation? Is it just expertise, talent, or you bandwidth? Is it the prioritization exercise and thinking intelligently about, you know not- >> Dave: All of that. >> So how do you, I guess you guys work together, but take us through that a little bit. >> I mean, we're constantly refining our approach. So we were just talking about our DevOps approach. You know, we started with I think maybe five or six different teams based on specific service lines. We modulated that recently to go to two teams, right? One specific to build and one specific to enhance. So we're constantly looking for and building new automations throughout the organization. And then also looking for incremental value to enhance the automations that we've got out there, right? So making them better, faster, making them more resilient so resolving technical debt, doing a lot of different things to make sure that we're as stable as we possibly can be. But it's not only that, it's really like making sure like we're just as pinched by everybody else in terms of like the great resignation and looking for talent. I think everybody here is basically looking for the exact same talent. And so it's really making sure that we have interesting work, we're doing interesting work, we're making people feel valued, and we're bringing value throughout the business. >> So I remember Bobby Patrick called me when he joined UiPath. He goes, "You're not going to believe what I'm doing now. You got to get on this train." And so I started looking to it and we actually downloaded, you know, the package and started playing with it. And we tried to do it with the competitors, we, you know, we couldn't. It was like call for pricing kind of thing. We're like, well that's interesting. But what we saw was my perspective, this bottoms up adoption. And I know there was top down as well. But then, I remember I was in the meeting when they announced the sort of process gold acquisition and then started, I said, "Okay, they're going for platform now." And then Microsoft came into the market like, okay, they got to differentiate there. Now you're seeing everybody, all the software companies think they should own every dollar that's ever spent on software. So SAP's doing it and ServiceNow. And so Marshall, from your perspective, how has this platform evolved? And then Dave, to the extent you can talk about it, how is that platform adoption taking shape within the organization? I mean, platforms are much more complicated than products and they require integration. How is UiPath doing there? >> I think they're doing fantastic in that category. If you think about, and it's been a natural evolution. They're not fighting inertia, they're following challenges of their clients, right? So RPA obviously came onto the scene hot, everybody understands the business rule driven automation value. Easy to, you know, make a quantifiable, tangible evidence with RPA. But exceptions happen in a business and upstream processes break that, you know, cause challenges with downstream automations. So what do you do? You have to go upstream. You have to have more automations, you have to have process discovery, process mining with process gold. You need to have the ability to have a better user experience interface, which we've definitely incorporated into Cushman when we didn't get adoption with certain automations that we like. You build low-code apps. People want that consumerization of technology in the enterprise and that allows them to adopt more of the automation which triggers the robots and then you report analytics on it. So that expansion's been pretty natural with UiPath and I think the next acquisition they just made with Re:infer's really interesting, 'cause now you're going even more upstream with communication mining, turning that into structure data that you potentially could automate or analyze so it's been natural. It's truly the only platform that we've encountered that can do all of this at this point. >> So a couple things there. You know, one is the nuance of adoptions, not just the function of the potential savings or, you know, revenue production or productivity. It's, you know, the experience because you got to have a great UI. And then what are you going to do with Re:infer? I don't know if you guys are adopting Re:infer but what do you see as the potential. Marshall and Dave, if you guys have visibility on it? >> I know we've talked about it Dave so I mean the potential's huge. I think it's going to be more of a question of change management for each organization just to feel comfortable with that. But I mean, think about all of the communication and the semi and unstructured data in an organization that comes, you know, via Slacks, Teams, emails. It's huge and it's significant if you can figure out the right identifiers that you want to trigger for your business. And then figure out is that something downstream we can automate or can we just analyze and make our business more effective, more efficient, or provide a better experience. So I think it's huge. We don't know how big this is yet, but we know that it's something that, I mean, think about Cushman, get brokers all day long that are communicating with clients and third parties. So it could be extremely significant. >> Sounds like a potential to eliminate email hell, but. >> Marshall: Heard those promises before. >> Maybe that's like the paperless office eventually. >> Well in our organizations, like 50, 40 to 50,000 people, you know, globally, right? And there are definitely service lines within our organization where probably it doesn't make sense for us to leverage UiPath and provide them the, you know, studio and low code, no code automation tools. But a lot of this NLP stuff and a lot of the content mining and the communication mining stuff, really has the ability for us to be able to sort of pinpoint opportunities at levels that we couldn't possibly do it before. So it was really very exciting to see the stuff that we were in there. I think when you start your organization, a lot of times you're a hammer looking for a nail, right? And you need to quickly move away from that. And so I think a lot of the stuff that UiPath is introducing, a lot of the stuff that they're bringing into their platform, really helps us to be moving away from that sort of orientation. >> Well when you think of this in terms of CI/CD, you know, people maybe have a better understanding of sort of the life cycles and, you know, the iteration calendar. Can you give us an example of something that went from an idea, something like, "Hey, I think we might be able to automate this process" through "Okay, yeah, let's do it." You try it, at some point there's sort of quality testing involved to make sure that it's achieving that we want to do. Can you give us an example of a process that you've gone through? And then how long do those things usually take? Are we talking weeks, months? What are we talking about from idea to establishing that, "Yeah, this is something we want to keep in place." >> Dave: We always want to make it faster. So we're especially always trying to find ways, especially upfront parts of the process. So a lot of the analysis, requirements gathering, you know, stuff that's not actual building. We want to make sure that we're shrinking that as much as possible, that we're also being comprehensive so that we're not building something that doesn't meet someone's needs, right? Or that just completely misses the mark. But I mean, invoice processing is a good example. We do that internally. Obviously, we have corporate accounting. We also do that on behalf of clients. And so a lot of times, you know, we're bringing some of the internal processes, we're using the technologies for document understanding, optical character reading, and machine learning. And we're doing that on behalf of clients, but we're also doing that internally. So to be able to use some of those processes and automations, sort of client facing plus internally, are big changes. Big changes for us. But I think the other thing too is like, we're always trying to make it faster and better. I think that's one of those also processes where we put something in place and we're constantly looking to enhance it, make it better based on the process that's out here. >> And you're applying automation to that upfront piece, the planning phase? Is that right? Or? >> Yeah, yeah, so a lot of it is about sort of the work that we do on behalf of clients. And there are teams who are specifically tasked to accounts. And so we're looking to find ways to make it easier for those accounts to get their bills paid, to get visibility into, you know, accounts payable, accounts receivable, their full end to end accounts lifecycle. And so yeah, we're doing that directly on behalf of clients and then we're doing that internally. >> How about the why UiPath question. Marshall, I think I heard you say that you're pretty much exclusively UiPath as your automation partner. Why? Why not play the field? Why UiPath? >> So I think it started in like 2017, 2018 for Ashling. We did an analysis of kind of an outside in of what, at that point was the big three of RPA, the vision and the roadmap and the open platform architecture of UiPath and just the self-awareness that, "Hey, we need to operate with other technologies in order for our clients to get the most value from automation." That was really the main reason, outside of the fact that we like working with UiPath, but it was just that complete vision of a platform as opposed to a tool. We felt like everybody else was more of a pointed tool and then UiPath had this platform approach and it was going to be necessary to go end to end like we all are trying to achieve. >> And UiPath continues to deepen that, right? They continues to support us with tons of new technology- >> How so? Can you be specific? >> I mean, when we're talking about document understanding, I mean, we're trying to leverage that for manual handwritten time sheets. We're also using it for, you know, Chronos integration, right? So like there's a lot of stuff that we're using it for and we can go to a single shop, right? To be able to do it, a single platform from a scalability and a supportability perspective, it's also a big game changer for us, right? As you start, you want to be able to scale, but you can't spend a ton of money supporting, you know, a hundred different platforms. You really got to invest and be smart about it. And UiPath for us was a really smart play. >> Are you budget limited relative, you're competing with other initiatives within the organization? Where's the funding come from? Is it from the business? Is it from IT? Is it a combination? >> It had been centrally funded and we are now moving into a different model. So we are constantly looking at, you know, the justification of value, speed to value, and proving it out to our business partners from all service lines and within all different functions of the organization. So we're at an interesting inflection point, but I think we also have a really good background that we're building on. >> I've been saying it all day, I've said it for years, at the UiPath events that they are awesome about putting customers on theCUBE and we love to hear from the customer stories because we get to sort of map what we hear in the keynotes and then test it, right, in the real world. And I also really love the fact that Marshall, UiPath always brings implementation partners so we can get the expertise and you have a wider observation space. So guys, thanks so much for coming on theCUBE and thanks for sharing your stories and good luck in the future. >> Thanks for having us. >> Appreciate it guys. >> Very welcome. >> Thank you. >> All right, keep it right there. Dave Nicholson and Dave Vellante live from Las Vegas UiPath FORWARD 5. We'll be right back right after this short break.

(bright music) >> The challenges of legacy data warehouses and traditional business intelligence systems, they've been well-documented. They're built on rigid infrastructure, and they're managed by really specialized gatekeepers. Data warehouses of the past were, as one financial customer once said to me, like a snake swallowing a basketball, imagine that. The amount of data ingested into a data warehouse has just overwhelmed the system. Every time Intel came out with a new microprocessor, practitioners, they would chase the chip in an effort to try to compress the overly restrictive elapsed time to insights, and this cycle repeated itself for decades. Cloud data warehouses, generally, and Snowflake, specifically, changed all this. Not only were resources virtually infinite, but the ability to separate, compute from storage, it actually turned off the compute when you weren't using it, permanently altered the cost, the performance, the scale and the value equation. But as data makes its way into the cloud and is increasingly democratized as a shared resource across clouds and at the edge, practitioners have to bring Sec DevOps mindsets to securing their cloud data warehouses. Hello, and welcome to this week's Wikibon, "theCUBE Insights," powered by ETR. In this "Breaking Analysis," we take a closer look at the fundamentals of securing Snowflake and to do so, we welcome two guests into the program. Ben Herzberg is an experienced hacker and developer and an expert in several aspects of data security. He's currently working as the Chief Data Scientist at Satori, and he's joined by his colleague, Yoav Cohen, who is a technology visionary, and currently serving as CTO at Satori Cyber. Gentlemen, welcome to "theCUBE," great to see you. >> Great to be here. >> Thanks for having us, Dave. >> Now, these two individuals have co-authored a book on Snowflake Security. It's a comprehensive guide to what you need to know as a data practitioner using Snowflake. So guys, congratulations on the book. It's really detailed, packed with great information, best practices and practical advice and insights all in one place, so really good work. So, before we get into the discussion, I want to share some ETR survey data just to set the context. We're seeing cybersecurity and data, they're colliding in a really important way. And here's some data points that we've shared before from ETR's latest drill down survey. They asked more than 1200 respondents. We're talking CIOs, CSOs and IT professionals, "Which organizational priorities "will be most important in 2022?" And these were the top seven. There were a lot of others, but these were the most important. So, it's no surprise that security is number one, although, as we shared in our predictions post, the magnitude of its relative importance, it does vary by the degree of expertise within the organization. The Delta is maybe not as significant, for example, in large companies, and you can see where analytics and data fit. And we've tied these two domains together and picked up on a term that our two guests have used, in fact, you guys may have even coined it, called DataSecOps, which, to me, is the idea that you bring Agile DevOps practices to data operations and built-in security as part of the full cycle of managing, creating the data, using the data, accessing the data, not a bolt on, but it's fundamental, so guys, what do you make of this data, and what's your point of view on DataSecOps? >> So, definitely aligns with what we're seeing on the ground in the market. In between what you saw there, you had cybersecurity and data warehousing. In the middle you had cloud migration, and that's basically what's pushing companies to invest in both security and data and warehousing, because the cloud changed the game for cybersecurity. The tools that we use before are not the same tools that we need to use now. And also, it unlocks a lot of performance value and capabilities around data warehousing. So, all of that comes together to a big trend in the industry for investment, for replacement, and definitely we're seeing that on the Snowflake platform, which is doing really, really well recently. >> Yeah, well thank you, Yoav. And to that point, I want to share another data point and then dive in, maybe Ben, you can comment. And I want to address, why are we always talking about Snowflake? Of course, it's a hot company. Everybody knows that. You can see it in the company's financials, but the ETR survey data tells a really compelling story about the company. Here's a chart from the most recent ETR January survey. And so, you can see at the, at the top, that blue line, it represents net score or spending momentum, and the darker line at the bottom represents presence or pervasiveness in the survey sample. Just a background, there are 165 Snowflake customers that responded to this past survey. 10% of companies within the Fortune 500 were in the sample, and around 4% of Global 2000 companies participated. Just under 30% of the respondents were C-Suite executives, and about 20% were analysts or engineers or data specialist with around half were VP, director, manager roles that fat middle, with a very broad mix of industries, and there was a bias toward larger companies. Now, back to the chart, that net score for a moment, is that top line, is derived by asking customers, "Are you adopting Snowflake new in 2022?" That's the 27% lime green number. "Will you be spending 6% or more on Snowflake, "relative to 2021?" That's the 57% forest green. "Is your spending flat?" That's the gray. "Is it down by 6% or worse?" That's the other, the pink area. "Are you leaving the platform?" That's the bright red, and that's a zero defection, so there's none there. So you subtract the reds from the greens, and you get net score, which calculates out to 83% in his pet survey. But what's remarkable is that Snowflake has held this elevated score for more than 12 quarterly surveys. It's in the stratosphere among the many thousands and thousands of companies in the ETR survey. Remember, anything above that 40% line is elevated and Snowflake is like glued to the ceiling. So the bottom line shows that the company's market presence continues to grow, that darker line at the bottom, and that green shade shows us that the pace of last quarter is actually accelerating. Snowflake is becoming ubiquitous, and customers are becoming intimately familiar with its platform, and it's scaling like we've never seen before, and it's building a pretty hard to penetrate fortress, we think, and an ecosystem. Ben, I wonder, in your view, what accounts for Snowflake's performance? >> Okay, so I would say that we can spend a full session just about such thing, so I'll try to say what I think. I think, first of all, it does what it says on the box. You get from zero to being able to have a data warehouse easily, you have a very rich support of capability and features that you need for a cloud data warehouse. Your multi-cloud, you're not dependent on one of the big public clouds, and it's fast and scalable, and you don't need to worry yourself with the infrastructure behind. You don't need to, God-forbid, add any indexes or do things like that. You don't need to do that, at least not often, indexes never, but other maintenance. And the innovation rate, they innovate fast. They add a lot of new capabilities, like the move to unstructured data, like a lot of security and governance capabilities, high innovation rate as well. >> Okay, good, and we'll talk about that move. So let's get deeper into the topic now on securing Snowflake. My first question is look, Snowflake, when you talk to practitioners and customers, they get pretty high marks on security, largely because of the simplicity, so why did you feel the need to write a book on the subject? >> So, definitely Snowflake is investing a lot of effort and putting a lot of emphasis on security. However, it's connected to the cloud service, and like any other cloud service, there is a shared responsibility model between Snowflake and its customers when it comes to fully securing their data cloud. So Snowflake can build amazing features, but then customers have to really adopt them, implement them in the best way. One of the things that we've seen by working with Snowflake customers is that we typically interact with data engineers, but then they have to implement security features and security capability. We thought writing a book about the topic would help these customers to understand the features better, benefit from them better and really structure their implementation and decide what's most important to implement at every step of their journey. >> Yeah, and I think that when I was researching this topic, I could find a lot of good information on the web, but I kind of had to hunt and peck for it. It was really sort of dispersed, and you put the information all in one place. You have a nice table of contents, so I can just zip right to where I want to go, so that was quite useful, I thought. What are the very basic fundamentals of securing Snowflake? In other words, I'm interested in, you get this world of flexible, it's globally distributed. You get democratizing data. How do you really make sure that only those folks that should have access, do have access? I mean really, let's talk about that a little bit. >> Oh, I think that, of course there are a lot of different aspects, but I think that I would start with the big blocks. For example, when you get a Snowflake account out of the box, it's open to the world in terms of network. I would start by limiting that. That should be easy for an organization. It's a couple of commands, and you've lowered your risk significantly, both security and compliance. Then, one of the common things that you can get a good improvement in a decrease of your risk is around those indications. For example, do you have applications that are accessing Snowflake using user password? Okay, change that to using a key. Do you have users with username, password? Change that to Okta integration or your IDP integration. So I would start with the big blocks that can remove most of my risk, and then of course, there is a lot to do from getting to the data warehouse and to auditing and monitoring. >> Okay, thank you for that. But, Yoav, how are these fundamentals that we just heard from Ben, how are they different? Isn't this kind of common sense? What's unique about Snowflake? >> So, a couple things, first of all, security, we love to say that it's 80% good security hygiene. You have to make sure that your basics are locked and tightly configured and that brings a lot of value. But two points to consider, first of all, all of these types of controls are pretty static in the sense that once you get in, you get in, and then you have pretty broad access, and we'll talk about authorization concepts and everything, perhaps today, but these are really static gatekeepers around your data. Once you have access, then it's really free for all. When you compare it to other types of environments and what we're seeing in other domains, maybe a move to more dynamic type of controls, elevated access or elevated additional authentication steps before you get elevated access. And what we're thinking is that beyond those static controls, the market is going to move towards implementing more dynamic, more fine-grain control, especially because in Snowflake, but any other data warehouse or large-scale data store, which becomes an aggregation point of data in the company, and we work with really big companies, and they bring in data from multiple jurisdiction from across the world, so they can get an overview of the business and run the business in a much more efficient way, but that really creates a pressure point when it comes to securing that data. >> Okay, Ben, you touched on this a little bit. I want to kind of dig deeper. So, Snowflake takes a layered approach, of course, it's sensible, and the layers, network, which talked about identity, access and encryption. and so, with any cloud, as you guys mentioned, it's a shared responsibility model. So I want to break that down a bit, and let's start with the network. So my responsibility, as a customer, I'm going to be responsible to set up the DNS. How much public internet access am I going to have for other users and apps. So how should practitioners think about their end of the bargain on the network? What do they need to know? >> At the network level, as I mentioned before, a new account is open network-wise, it's open to the world. And one of the first thing I would do would be to set a network policy on the account to limit network access to that account. And of course, in many organizations, you would want to configure that with private link to your cloud environment, but that would be step two. (laughs) First step is simply set the network policy to make sure that it's not open to the public. >> Yeah, and that seems pretty straightforward, but let's talk about identity, 'cause it feels like that's where it starts to get tricky. You got to worry about setting up roles and managing users. You could even configure row and column base access, as I understand it, and I imagine access is where it really gets confusing for a lot of people, especially when you're crossing domain identities. Like for example, isn't a role-based security, let's land on that for a minute, I think you called it hierarchy hell in the book, so what should we think about in regards to identity? >> Well, first of all, it's hierarchy hell, in the book, it says that you can use hierarchy, but you should avoid getting to a hierarchy hell. Basically, we've seen that with several Snowflake customers where the ability to set roles in a hierarchy model, to set a role that inherits privileges from another role, that inherits privileges from other roles and maybe, of course, used in a good way, but it also in some of the cases, it leads to complexities and to access not being deterministic, at least not obvious to the person who gives access, who is usually the data engineer. So, whenever you start having a complex authorization model, whenever I want to give Yoav access to a certain data set, and because things are complex, I also, by mistake, give him access to the salary information of the company, that's when things become tricky. If your roles are messy and complex, then it may lead to data exposure within the organization or outside the organization. >> How do you find Snowflake's integrations? Like if I want to use Okta or I want to use a CyberArk, I mean, how would you grade them on their ability to integrate with popular third party platforms? >> So, I would say pretty high, actually. We haven't encountered many customers who haven't configured any of these... nowadays, really basic security integration, and it really, really helps, setting that good identity management foundation for the platform. So they're investing a lot in that area, and we've been following them for a couple of years now, and it's really, really coming along nicely. >> All right, let's talk about encryption. I mean, that seemed pretty straightforward. Correct me if I'm wrong. I think Snowflake auto rotates the keys every 30 days. It really seems like your responsibility there is monitoring, making sure you're in compliance. You got good log data or access to good log data. Is that right? >> So, this really depends. So, for the average company, I would say, yes. For some of the companies with higher security requirements or compliance requirements or both, sometimes there are issues like companies that do not want to have the data stored in clear text, in Snowflake, even encrypted as in the data warehouse encryption or the account encryption, even if someone accidentally gets access to the table, they want them not to be able to pull the data in clear text, and then it gets slightly more complicated. You have different ways of tackling this, but for the average company or companies who do not have such requirements, then everything in Snowflake is encrypted in transit and addressed, and of course, there are more advanced features for higher requirements. >> Okay, I'm interested in what you guys think of some of the more vulnerable aspects that Snowflake customers should really be aware of. Imagine I'm saying, "Guys, let's run a pen test. "Okay, make sure I have no open chest wounds, "but really try to fool me." What would you attack? Where should I be extra cautious? >> So, I would start with where data resides. And, if you look at the Snowflake architecture, there's a separation between storage and compute, but that also means storage is accessible without going through the compute. That can create opportunities for hackers to go and try and find access where access shouldn't be had. That's where I would focus on. >> I want to ask you about Virtual Private Snowflake. It seems to me, if I have sensitive data, if I don't use Virtual Private Snowflake, I feel like I'm increasing my risk that a security incident at the shared cloud services layer could impact multiple customers, and is this a valid concern? How should we think about reducing that risk, and when should I use that higher level of security? >> So, I think first of all, to the best of my knowledge, I'm not a Snowflake employee, but to the best of my knowledge, Virtual Private Snowflake is used by a minority of the customers, a small minority of the customers. There are other more popular ways within Snowflake, like private link, for example, I would say, to enhance your security and your account segregation. But I wouldn't say that simply because the platform is multi-tenant, it is vulnerable. Of course, in many cases, your security or compliance requirements requires you to eliminate even this risk, but I wouldn't say that there are a lot of other platforms in different areas that are multi-tenant and-- >> And probably better than your on-prem, your average on-prem installation. >> Probably, probably. >> Okay, so I buy that. >> I would say on that, that maybe a shared environment is a higher value target for hackers. So if you're on a shared environment with thousands of other customers, if I'm a hacker, I would go there, 'cause then I get data for thousands of customers instead of try to focus on just one target and getting data for just one company. I think that's the most significant advantage. And obviously, Snowflake are investing a lot in making all of their environments very, very secure, and from our interactions with large Snowflake customers, we know that Snowflake are going above and beyond in making sure these environments are secure. >> Yeah, that's good, that's good news, because if I don't have to spend up, I can put the budget elsewhere. How do you guys think Snowflake's recent moves... They're making a couple of big moves. They've recently added unstructured data. They used to have semi-structured data. They're going after the data science and data lake functionality. Do those kinds of moves, I guess they're two different things, but does that change the way that security pros should think about protecting their Snowflake environment? >> I would say that Snowflake is moving fast with adding new functionality, well fast, but not too fast. They're releasing it in a controlled way. I would say that for new capabilities, of course, in some cases there are new attack vectors or new risks and obviously, securing different types of data may bring new challenges, but the basics, I think, remains the same. The basics of the network, identity authentication, authorization and auditing monitoring. I would say they will be the same and perhaps new features or capability will need to be used. And the largest issue, as data democratization is growing within organizations, and more and more people are using your data cloud, that also needs to be addressed. >> All right, finally, I want to end, I want to talk a little bit about futures. Have you guys talked in your book about multi-cloud as a way to reduce your reliance on a single vendor? And of course, it happens through M and A, and that's cool. We've talked a lot about multi-cloud, and we've been using this term that we coined, called supercloud, and it references an abstraction layer that exists on top of, and floats across, if you will, multiple clouds, and it hides some of that underlying complexity, and we feel like Snowflake is a good example of a company that's moving in that direction, building value on top of all that hyperscale infrastructure. So I wonder how you see Snowflake's moves in that direction would impact the way you think about DataSecOps. >> So definitely, we also see the trend of companies adopting more and more types of cloud and cloud technologies. They're in one cloud today. They want to move to a second one, almost every company that I talk to have, nowadays, a multi-cloud strategy. With respect to Snowflake, they basically have it figured out, because they are an overlay, like a supercloud, super data cloud, that is spread across any cloud, and you can basically pick and choose where you want to put your data for what use cases, and that's really, really helpful, because then you don't have to manage the complexity of multiple solutions for multiple areas of the business. We see this also in other areas where companies are saying, "Hey, I prefer to not use a specific cloud technology "for that purpose, but use a vendor that can cover my needs "across the clouds," definitely on the security side, where they want one throat to choke, so to speak, but they want to control things on a central place. As Ben mentioned before, complexity is the enemy of security and having those multi-cloud operations, from a security perspective, definitely adds complexity, which adds risks, so simplifying that is really, really helpful. >> Hey, thank you for that, and thank you guys for coming on today. Why don't you give us a little bumper sticker on Satori. What do you guys do? Give us the quick commercial. >> So, we help companies secure access to their data on platforms like Snowflake and others. We build really innovative technology that decouples security controls from the actual data layer. So if you think about it, where you can put controls to govern how people access data. You can put it inside the database. You can put it somewhere on the client. We've actually invented a technology that can do that in the middle, so you don't have to coalesce and mix your security concerns with your data. You don't have to go to your clients' users' end-points, laptops and put technology there. We set technology that fits in the middle, that decouples that aspect of your DataSecOps operations, and really helps companies implement those security controls much faster, because it's detached from the rest of their operation. >> Nice thought, leaning into that simplicity trend that you talked about. Okay guys, that's all the time we have today. Really, I want to thank Ben and Yoav for coming on "theCUBE." It was really great to have you. I'd love to welcome you back at some point. >> Thank you, Dave. >> Thank you, it was a pleasure >> All right, remember these episodes, these episodes are all available as podcasts, wherever you listen. All you got to do is search breaking analysis podcasts. Check out ETR's website at ETI.ai. We also publish full report every week on Wikibon.com and SiliconAngle.com. You can get in touch with me. Email me, David.Vellante@SiliconANGLE.com @DVellante or comment on our LinkedIn posts. This is Dave Vellante for "theCUBE Insights," powered by ETR. Have a great week, stay safe, be well, and we'll see you next time. (bright music)

>> Narrator: From around the globe. It's theCUBE covering space in cybersecurity symposium 2020 hosted by Cal Poly. >> Hello, everyone. Welcome to the space and cybersecurity symposium, 2020 hosted by Cal Poly where the intersection of space and security are coming together. I'm John Furrier, your host with theCUBE here in California. I want to welcome our featured guest, Lieutenant General, John F. Thompson with the United States Space Force approach to cybersecurity. That's the topic of this session. And of course he's the commander of the space and missile system center in Los Angeles Air Force Base. Also heading up Space Force. General, thank you for coming on. I really appreciate to you kicking this off. Welcome to the symposium. >> Hey, so thank you very much, John, for that very kind introduction. Also very much thank you to Cal Poly for this opportunity to speak to this audience today. Also a special shout out to one of the organizers, Dustin Debrun, for all of his work, helping get us to this point. Ladies and gentlemen as a John mentioned, I'm JT Thompson. I lead the 6,000 men and women of the United States Space Force's Space and Missile System Center, which is headquartered here at Los Angeles Air Force Base and El Segundo. If you're not quite sure where that's at, it's about a mile and a half from LAX. This is our main operating location, but we do have a number of other operating locations around the country. We're about 500 people at Kirtland Air Force Base in Albuquerque, New Mexico, and an about another 500 people on the front range of the Rockies between Colorado Springs and Denver plus a smattering of other much smaller operating locations nationwide. We're responsible for acquiring, developing and sustaining the United States Space Force's, critical space assets. That includes the satellites in the space layer and also on the ground layer our ground segments to operate those satellites. And we also are in charge of procuring launch services for the US Space Force and a number of our critical mission partners across the Department of Defense and the intelligence community. Just as a couple of examples of some of the things we do, if you're unfamiliar with our work we developed and currently sustain the 31 satellite GPS constellation that satellite constellation, while originally intended to help with global navigation, those GPS signals have provided trillions of dollars in unanticipated value to the global economy over the past three decades. GPS is everywhere. I think everybody realizes that. Agriculture, banking, the stock market, the airline industry, separate and distinct navigation systems. It's really pervasive across both capabilities for our Department of Defense and capabilities for our economy and individuals, billions of individuals across our country and the planet. Some of the other work we do for instance, in the communications sector, secure communications satellites that we designed and build that link America's sons and daughters serving in the military around the world and really enable real time support and comms for our deployed forces. And those of our allies. We also acquire infrared missile warning satellites that monitor the planet for missile launches that provide advanced warning to the US Homeland and to our allies in case some of those missile launches are nefarious. On a note, that's probably a lot closer to home, maybe a lot closer to home than many of us want to think about here in the state of California. In 2018, SMC jumped through a bunch of red tape and bureaucracy to partner with the US Forest Service during two of the largest wildfires in the state's history, the Camp and Woolsey fires in Northern California. As those fires spread out of control, we created processes on the fly to share data from our missile warning satellites. Those are satellites that are systems that are purpose built to see heat sources from thousands of miles above the planet. And we collaborated with the US Forest Service so that firefighters on the ground could track those fires more in real time and better forecast fires and where they were spreading, thereby saving lives and property by identifying hotspots and flareups for firefighters. That data that we were able to working with our contractors pass to the US Forest Service and authorities here in California, was passed in less than an hour as it was collected to get it into the hands of the emergency responders, the first responders as quickly as possible and doing that in an hour greatly surpassed what was available from some of the other assets in the airborne and ground-based fire spotters. It was really instrumental in fighting those fires and stopping their spread. We've continued that involvement in recent years, using multiple systems to support firefighters across the Western US this fall, as they battled numerous wildfires that unfortunately continue. Working together with the US Forest Service and with other partners we'd like to think that we've made a difference here, but there's still a lot more work to go. And I think that we should always be asking ourselves what else can space data be used for and how can we more rapidly get that space data to stakeholders so that they can use it for purposes of good, if you will. How else can we protect our nation? How else can we protect our friends and allies? I think a major component of the discussion that we will have throughout this conference is that the space landscape has changed rapidly and continues to change rapidly. Just over the past few years, John and I were talking before we went live here and 80 nations now have space programs. Nearly 80 space faring nations on the planet. If you just look at one mission area that the Department of Defense is interested in, and that's small launch, there are currently over 100 different small launch companies within the US industrial base vying for commercial DoD and civil payload capabilities, mostly to lower earth orbit. It's truly a remarkable time. If you factor in those things like artificial intelligence and machine learning, where we're revolutionizing really, the ways that we generate process and use data. It's really remarkable. In 2016, so if you think about this four years ago, NASA estimated that there were 28 terabytes of information transiting their space network each day. And that was four years ago. Obviously we've got a lot of desire to work with a lot of the people in the audience in this conference, we need to work with big thinkers, like many of you to answer questions on how best we apply data analytics to extract value and meaning from that data. We need new generations of thinkers to help apply cutting edge theories of data mining, cyber behaviorism, and Internet of Things 2.0, it's just truly a remarkable time to be in the space business and the cyber aspects of the space business are truly, truly daunting and important to all of us. Integrating cyber security into our space systems, both commercial and government is a mandate. it's no longer just a nice to have as the US Space Force and Department of the Air Force leadership has said many times over the past couple of years, space is becoming congested and contested. And that contested aspect means that we've got to focus on cyber security in the same way that the banking industry and cyber commerce focus on cybersecurity day in and day out. The value of the data and services provided is really directly tied to the integrity and availability of that data and services from the space layer, from the ground control segments associated with it. And this value is not just military, it's also economic and it's not just American, it's also a value for the entire world, particularly our allies, as we all depend upon space and space systems. Your neighbors and friends here in California that are employed at the space and missile system center work with network defenders. We work with our commercial contractors and our systems developers, our international allies and partners to try and build as secure and resilient systems as we can from the ground up that keep the global comments of space free and open for exploration and for commerce as John and I were talking earlier, before we came online, there's an aspect of cybersecurity for space systems, especially for some of our legacy systems, that's more, how do we bolt this on? Cause we fielded those space systems a number of years ago, and the challenges of cybersecurity in the space domain have grown. So we have a part that we have to worry about, bolting it on, but then we have to worry about building it in as we field new systems and build in a flexibility that realizes that the cyber threat or the cybersecurity landscape will evolve over time. It's not just going to be stagnant. There will always be new vulnerabilities and new threat vectors that we all have to look at. Look, as Secretary Barrett, who is our secretary of the air force likes to say most Americans use space before they have their first cup of coffee in the morning. The American way of life really depends on space. And as part of the United States Space Force, we work with defense leaders, our Congress joint, and international military teammates and industry to ensure American leadership in space. I really thank you for this opportunity to address the audience today, John, and thanks so much to Cal Poly for letting me be one of the speakers at this event. I've really looked forward to this for several months. And so with that, I look forward to your questions as we kind of move along here. >> General, thank you very much for those awesome introductory statement. For the folks watching on the stream, Brigadier General Carthan's going to be in the chat, answering any questions, feel free to chat away. He's the vice commander of Space and Missile System Center, he'll be available. A couple of comments from your keynote before I get to my questions. Cause it just jumped into my head. You mentioned the benefits of say space with the fires in California. We're living that here. That's really realtime. That's a benefit. You also mentioned the ability for more people launching payloads into space. I'm only imagined Moore's law smaller, faster, cheaper applies to rockets too. So I'm imagining you have the benefits of space and you have now more potential objects flying out sanctioned and maybe unsanctioned. So is it going to be more rules around that? This is an interesting question cause it's exciting Space Force, but for all the good there is potentially bad out there. >> Yeah. So John, I think the basics of your question is as space becomes more congested and contested, is there a need for more international norms of how satellites fly in space? What kind of basic features satellites have to perhaps de orbit themselves? What kind of basic protections should all satellites be afforded as part of a peaceful global commons of space? I think those are all fantastic questions. And I know that US and many allied policy makers are looking very, very hard at those kinds of questions in terms of what are the norms of behavior and how we field, and field as the military term. But how we populate using civil or commercial terms that space layer at different altitudes, lower earth orbit, mid earth orbit, geosynchronous earth orbit, different kinds of orbits, what the kind of mission areas we accomplished from space. That's all things that need to be definitely taken into account as the place gets a little bit, not a little bit as the place gets increasingly more popular day in and day out. >> I'm super excited for Space Force. I know that a new generation of young folks are really interested in it's an emerging, changing great space. The focus here at this conference is space and cybersecurity, the intersection. I'd like to get your thoughts on the approach that a space force is taking to cybersecurity and how it impacts our national goals here in the United States. >> Yeah. So that's a great question John, let me talk about it in two basic ways. At number one is an and I know some people in the audience, this might make them a little bit uncomfortable, but I have to talk about the threat. And then relative to that threat, I really have to talk about the importance of cyber and specifically cyber security, as it relates to that threat. The threats that we face really represented a new era of warfare and that new era of warfare involves both space and cyber. We've seen a lot of action in recent months from certain countries, notably China and Russia that have threatened what I referred to earlier as the peaceful global commons of space. For example, it threw many unclassified sources and media sources. Everybody should understand that the Russians have been testing on orbit anti-satellite capabilities. It's been very clear if you were following just the week before last, the Department of Defense released its 2020 military and security developments involving the People's Republic of China. And it was very clear that China is developing ASATs, electronic jammers, directed energy weapons, and most relevant to today's discussion, offensive cyber capabilities. There are kinetic threats that are very, very easy to see, but a cyber attack against a critical command and control site or against a particular spacecraft could be just as devastating to the system and our war fighters in the case of GPS and important to note that that GPS system also impacts many civilians who are dependent on those systems from a first response perspective and emergency services, a cyber attack against a ground control site could cause operators to lose control of a spacecraft or an attacker could feed spoofed data to assist them to mislead operators so that they sent emergency services personnel to the wrong address. Attacks on spacecraft on orbit, whether directly via a network intrusion or enabled through malware introduced during the system's production while we're building the satellite can cripple or corrupt the data. Denial-of-service type attacks on our global networks obviously would disrupt our data flow and interfere with ongoing operations and satellite control. If GPS went down, I hesitate to say it this way, cause we might elicit some screams from the audience. But if GPS went down a Starbucks, wouldn't be able to handle your mobile order, Uber drivers wouldn't be able to find you. And Domino's certainly wouldn't be able to get there in 30 minutes or less. So with a little bit of tongue in cheek there from a military operations perspective, it's dead serious. We have become accustomed in the commercial world to threats like ransomware and malware. And those things have unfortunately become commonplace in commercial terrestrial networks and computer systems. However, what we're seeing is that our adversaries with the increased competition in space these same techniques are being retooled, if you will, to use against our national security space systems day in and day out. As I said, during my opening remarks on the importance of cyber, the value of these systems is directly tied to their integrity. If commanders in the field, firefighters in California or baristas in Starbucks, can't trust the data they're receiving, then that really harms their decision making capabilities. One of the big trends we've recently seen is the move towards proliferated LEO constellations, obviously Space X's Starlink on the commercial side and on the military side, the work that DARPA and my organization SMC are doing on Blackjack and Casino, as well as some space transport layer constellation work that the space development agency is designing are all really, really important types of mesh network systems that will revolutionaries how we plan and field war fighting systems and commercial communications and internet providing systems. But they're also heavily reliant on cybersecurity. We've got to make sure that they are secured to avoid an accident or international damage. Loss of control of these constellations really could be catastrophic from both a mission perspective or from a satellites tumbling out of low earth orbit perspective. Another trend is introductions in artificial intelligence and machine learning, onboard spacecraft are at the edge. Our satellites are really not so much hardware systems with a little software anymore in the commercial sector and in the defense sector, they're basically flying boxes full of software. And we need to ensure that data that we're getting out of those flying boxes full of software are helping us base our decisions on accurate data and algorithms, governing the right actions and that those systems are impervious to the extent possible to nefarious modifications. So in summation, cybersecurity is a vital element of everything in our national security space goals. And I would argue for our national goals, writ large, including economic and information dimensions, the Space Force leadership at all levels from some of the brand new second lieutenants that general Raymond swore in to the space force this morning, ceremonially from the air force associations, airspace and cyberspace conference to the various highest levels, General Raymond, General DT Thompson, myself, and a number of other senior leaders in this enterprise. We've got to make sure that we're all working together to keep cyber security at the forefront of our space systems cause they absolutely depend on it. >> You mentioned hardware, software threats, opportunities, challenges. I want to ask you because you got me thinking of the minute they're around infrastructure. We've heard critical infrastructure, grids here on earth. You're talking about critical infrastructure, a redefinition of what critical infrastructure is, an extension of what we have. So I'd love to get your thoughts about Space Force's view of that critical infrastructure vis-a-vis the threat vectors, because the term threat vectors has been kicked around in the cyberspace. Oh you have threat vectors. They're always increasing the surface area. If the surface area is from space, it's an unlimited service area. So you got different vectors. So you've got new critical infrastructure developing real time, really fast. And you got an expanded threat vector landscape. Putting that in perspective for the folks that aren't really inside the ropes on these critical issues. How would you explain this and how would you talk about those two things? >> So I tell you, just like, I'm sure people in the security side or the cybersecurity side of the business in the banking industry feel, they feel like it's all possible threat vectors represent a dramatic and protect potentially existential threat to all of the dollars that they have in the banking system, to the financial sector. On the Department of Defense side, we've got to have sort of the same mindset. That threat vector from, to, and through space against critical space systems, ground segments, the launch enterprise, or transportation to orbit and the various different domains within space itself. Like I mentioned before, LEO, MEO and GEO based satellites with different orbits, all of the different mission areas that are accomplished from space that I mentioned earlier, some that I did mention like a weather tactical or wide band communications, various new features of space control. All of those are things that we have to worry about from a cyber security threat perspective. And it's a daunting challenge right now. >> Yeah, that's awesome. And one of the things we've been falling on the hardware side on the ground is the supply chain. We've seen, malware being, really put in a really obscure hardware. Who manufactures it? Is it being outsourced? Obviously government has restrictions, but with the private sector, you mentioned China and the US kind of working together across these peaceful areas. But you got to look at the supply chain. How does the supply chain in the security aspect impact the mission of the US space Force? >> Yeah. Yeah. So how about another, just in terms of an example, another kind of California based historical example. The very first US Satellite, Explorer 1, was built by the jet propulsion laboratory folks, not far from here in El Segundo, up in Pasadena, that satellite, when it was first built in the late 50s weighing a little bit, over 30 pounds. And I'm sure that each and every part was custom made and definitely made by US companies. Fast forward to today. The global supply chain is so tightly coupled, and frankly many industries are so specialized, almost specialized regionally around the planet. We focus every day to guarantee the integrity of every component that we put in our space systems is absolutely critical to the operations of those satellites and we're dependent upon them, but it becomes more difficult and more difficult to understand the heritage, if you will, of some of the parts that are used, the thousands of parts that are used in some of our satellites that are literally school bus sized. The space industry, especially national security space sector is relatively small compared to other commercial industries. And we're moving towards using more and more parts from non US companies. Cybersecurity and cyber awareness have to be baked in from the beginning if we're going to be using parts that maybe we don't necessarily understand 100% like an Explorer one, the lineage of that particular part. The environmental difficulties in space are well known. The radiation environment, the temperature extremes, the vacuum, those require specialized component. And the US military is not the only customer in that space. In fact, we're definitely not the dominant customer in space anymore. All those factors require us along with our other government partners and many different commercial space organizations to keep a very close eye on our supply chains, from a quality perspective, a security perspective and availability. There's open source reporting on supply training intrusions from many different breaches of commercial retailers to the infectious spread of compromised patches, if you will. And our adversaries are aware of these techniques. As I mentioned earlier, with other forms of attack, considering our supply chains and development networks really becomes fair game for our adversaries. So we have to take that threat seriously. Between the government and industry sectors here in the US. We're also working with our industry partners to enact stronger defenses and assess our own vulnerabilities. Last fall, we completed an extensive review of all of our major contracts here at Space and Missile System Center to determine the levels of cyber security requirements we've implemented across our portfolio. And it sounds really kind of businessy geeky, if you will. Hey, we looked at our contracts to make sure that we had the right clauses in our contracts to address cybersecurity as dynamically as we possibly could. And so we found ourselves having to add new language to our contracts, to require system developers, to implement some more advanced protective measures in this evolving cyber security environment. So that data handling and supply chain protections from contract inception to launch and operations were taken into account. Cyber security really is a key performance parameter for us now. Performance of the system, It's as important as cost, it's as important as schedule, because if we deliver the perfect system on time and on cost, it can perform that missile warning or that communications mission perfectly, but it's not cyber secure. If it's doesn't have cyber protections built into it, or the ability to implement mitigations against cyber threats, then we've essentially fielded a shoe box in space that doesn't do the CA the war fighter or the nation any good. Supply chain risk management is a major challenge for us. We're doing a lot to coordinate with our industry partners. We're all facing it head on to try and build secure and trusted components that keep our confidence as leaders, firefighters, and baristas as the case may be. But it is a challenge. And we're trying to rise to that challenge. >> This is so exciting this new area, because it really touches everything. Talk about geeking out on the tech, the hardware, the systems but also you put your kind of MBA hat on you go, what's the ROI of extra development and how things get built. Because the always the exciting thing for space geeks is like, if you're building cool stuff, it's exciting, but you still have to build. And cybersecurity has proven that security has to be baked in from the beginning and be thought as a system architecture. So you're still building things, which means you got to acquire things, you got to acquire parts, you got acquire build software and sustain it. How is security impacting the acquisition and the sustainment of these systems for space? >> Yeah. From initial development, through planning for the acquisition, design, development, our production fielding and sustainment, it impacts all aspects of the life cycle, John. We simply, especially from the concept of baking in cybersecurity, we can't wait until something is built and then try and figure out how to make it cyber secure. So we've moved way further towards working side by side with our system developers to strengthen cybersecurity from the very beginning of a systems development, cyber security, and the resilience associated with it really have to be treated as a key system attribute. As I mentioned earlier, equivalent with data rates or other metrics of performance. We like to talk in the space world about mission assurance and mission assurance has always sort of taken us as we technically geek out. Mission assurance has always taken us to the will this system work in space. Can it work in a vacuum? Can it work in as it transfers through the Van Allen radiation belt or through the Southern hemisphere's electromagnetic anomaly? Will it work out in space? And now from a resiliency perspective, yeah, it has to work in space. It's got to be functional in space, but it's also got to be resistant to these cybersecurity threats. It's not just, I think a General D.T Thompson quoted this term. It's not just widget assurance anymore. It's mission assurance. How does that satellite operator that ground control segment operate while under attack? So let me break your question a little bit, just for purposes of discussion into really two parts, cybersecurity, for systems that are new and cybersecurity for systems that are in sustainment are kind of old and legacy. Obviously there's cyber vulnerabilities that threatened both, and we really have to employ different strategies for defensive of each one. For new systems. We're desperately trying to implement across the Department of Defense and particularly in the space world, a kind of a dev sec ops methodology and practice to delivering software faster and with greater security for our space systems. Here at SMC, we have a program called enterprise ground services, which is a toolkit, basically a collection of tools for common command and control of different satellite systems, EGS as we call it has an integrated suite for defensive cyber capabilities. Network operators can use these tools to gain unprecedented insight to data flows and to monitor space network traffic for anomalies or other potential indicators of a bad behavior, malicious behavior, if you will, it's rudimentary at this point, but because we're using DevSecOps and that incremental development approach, as we scale it, it just becomes more and more capable. Every product increment that we feel. Here at LA Air Force Base, we have the United Space Force's West Coast Software Factory, which we've dubbed the Kobayashi Maru. They're using those agile DevOps software development practices to deliver a space awareness software to the combined space operations center. Affectionately called the CSpock that CSpock is just on the road from Cal Poly there in San Luis Obispo at Vandenberg Air Force Base. They've so securely linked the sea Spock with other space operation centers around the planet, our allies, Australia, Canada, and the UK. We're partnering with all of them to enable secure and enhanced combined space operations. So lots of new stuff going on as we bake in new development capabilities for our space systems. But as I mentioned earlier, we've got large constellations of satellites on orbit right now. Some of them are well in excess of a decade or more or old on orbit. And so the design aspects of those satellites are several decades old. But we still have to worry about them cause they're critical to our space capabilities. We've been working with an air force material command organization called CROWS, which stands for the Cyber Resiliency Office for Weapon Systems to assess all of those legacy platforms from a cyber security perspective and develop defensive strategies and potential hardware and software upgrades to those systems to better enable them to live through this increasingly cybersecurity concerned era that we currently live in. Our industry partners have been critical to both of those different avenues. Both new systems and legacy systems. We're working closely with them to defend and upgrade national assets and develop the capabilities to do similar with new national assets coming online. The vulnerabilities of our space systems really kind of threatened the way we've done business in the past, both militarily and in the case of GPS economically. The impacts of that cybersecurity risk are clear in our acquisition and sustainment processes, but I've got to tell you, as the threat vectors change, as the vulnerabilities change, we've got to be nimble enough, agile enough, to be able to bounce back and forth. We can't just say, many people in the audience are probably familiar with the RMF or the Risk Management Framework approach to reviewing the cyber security of a system. We can't have program managers and engineers just accomplish an RMF on a system. And then, hey, high five, we're all good. It's a journey, not a destination, that's cybersecurity. And it's a constant battle rhythm through our weapon systems lifecycle, not just a single event. >> I want to get to this commercial business needs and your needs on the next question. But before I go there, you mentioned agile. And I see that clearly because when you have accelerated innovation cycles, you've got to be faster. And we saw this in the computer industry, mainframes, mini computers, and then we started getting beyond maybe when the internet hit and PCs came out, you saw the big enterprises, the banks and government start to work with startups. And it used to be a joke in the entrepreneurial circles is that, there's no way if you are a startup you're ever going to get a contract with a big business enterprise. Now that used to be for public sector and certainly for you guys. So as you see startups out there and there's acquisition involved, I'm sure would love to have a contract with Space Force. There's an ROI calculation where if it's in space and you have a sustainment view and it's software, you might have a new kind of business model that could be attractive to startups. Could you share your thoughts on the folks who want to be a supplier to you, whether they're a startup or an existing business that wants to be agile, but they might not be that big company. >> John, that's a fantastic question. We're desperately trying to reach out to those new space advocates, to those startups, to those what we sometimes refer to, within the Department of Defense, those non traditional defense contractors. A couple of things just for thinking purposes on some of the things that we're trying to highlight. Three years ago, we created here at Space and Missile System Center, the Space Enterprise Consortium to provide a platform, a contractual vehicle, really to enable us to rapidly prototype, development of space systems and to collaborate between the US Space Force, traditional defense contractors, non traditional vendors like startups, and even some academic institutions. SPEC, as we call it, Space Enterprise Consortium uses a specialized contracting tool to get contracts awarded quickly. Many in the audience may be familiar with other transaction agreements. And that's what SPEC is based on. And so far in just three years, SPEC has awarded 75 different prototyping contracts worth over $800 million with a 36% reduction in time to award. And because it's a consortium based competition for these kinds of prototyping efforts, the barrier to entry for small and nontraditional, for startups, even for academic institutions to be able to compete for these kinds of prototyping has really lowered. These types of partnerships that we've been working through on spec have really helped us work with smaller companies who might not have the background or expertise in dealing with the government or in working with cyber security for their systems, both our developmental systems and the systems that they're designing and trying to build. We want to provide ways for companies large and small to partner together in support kind of mutually beneficial relationships between all. Recently at the Annual Air Force Association conference that I mentioned earlier, I moderated a panel with several space industry leaders, all from big traditional defense contractors, by the way. And they all stressed the importance of building bridges and partnerships between major contractors in the defense industry and new entrance. And that helps us capture the benefits of speed and agility that come with small companies and startups, as well as the expertise and specialized skill sets of some of those larger contractors that we rely on day in and day out. Advanced cyber security protections and utilization of secure facilities are just a couple of things that I think we could be prioritizing more so in those collaborations. As I mentioned earlier, the SPEC has been very successful in awarding a number of different prototyping contracts and large dollar values. And it's just going to get better. There's over 400 members of the space enterprise consortium, 80% of them are non traditional kinds of vendors. And we just love working with them. Another thing that many people in the audience may be familiar with in terms of our outreach to innovators, if you will, and innovators that include cyber security experts is our space pitch day events. So we held our first event last November in San Francisco, where we awarded over a two day period about $46 million to 30 different companies that had potentially game changing ideas. These were phase two small business innovative research efforts that we awarded with cash on the spot. We're planning on holding our second space pitch day in the spring of 2021. We're planning on doing it right here in Los Angeles, COVID-19 environment permitting. And we think that these are fantastic venues for identifying and working with high-speed startups, and small businesses who are interested in really, truly partnering with the US Air Force. It's, as I said before, it's a really exciting time to be a part of this business. And working with the innovation economy is something that the Department of Defense really needs to do in that the innovation that we used to think was ours. That 80% of the industrial base innovation that came from the Department of Defense, the script has been flipped there. And so now more than 70%, particularly in space innovation comes from the commercial sector, not from the defense business itself. And so that's a tsunami of investment and a tsunami of a capability. And I need to figure out how to get my surfboard out and ride it, you know what I mean? >> Yeah, It's one of those things where the script has been flipped, but it's exciting because it's impacting everything. When you're talking about systems architecture? You're talking about software, you're talking about a business model. You're talking about dev sec opsx from a technical perspective, but now you have a business model innovation. All the theaters are exploding in innovation, technical, business, personnel. This brings up the workforce challenge. You've got the cyber needs for the US Space Force, It's probably great ROI model for new kinds of software development that could be priced into contracts. That's a entrepreneurial innovation, you've got the business model theater, you've got the personnel. How does the industry adopt and change? You guys are clearly driving this. How does the industry adjust to you? >> Yeah. So I think a great way to answer that question is to just talk about the kind of people that we're trying to prioritize in the US Space Force from an acquisition perspective, and in this particular case from a cybersecurity perspective. As I mentioned earlier, it's the most exciting time to be in space programs, really since the days of Apollo. Just to put it in terms that maybe have an impact with the audience. From 1957 until today, approximately 9,000 satellites have been launched from the various space varying countries around the planet. Less than 2000 of those 9,000 are still up on orbit and operational. And yet in the new space regime players like Space X have plans to launch, 12,000 satellites for some of their constellations alone. It really is a remarkable time in terms of innovation and fielding of space capabilities and all of those space capabilities, whether they're commercial, civil, or defense are going to require appropriate cybersecurity protections. It's just a really exciting time to be working in stuff like this. And so folks like the folks in this audience who have a passion about space and a passion about cybersecurity are just the kind of people that we want to work with. Cause we need to make sure our systems are secure and resilient. We need folks that have technical and computing expertise, engineering skills to be able to design cyber secure systems that can detect and mitigate attacks. But we also, as you alluded to, we need people that have that business and business acumen, human networking background, so that we can launch the startups and work with the non traditional businesses. Help to bring them on board help, to secure both their data and our data and make sure our processes and systems are free as much as possible from attack. For preparation, for audience members who are young and maybe thinking about getting into this trade space, you got to be smart on digital networking. You got to understand basic internet protocols, concepts, programming languages, database design. Learn what you can for penetration or vulnerability testing and a risk assessment. I will tell you this, and I don't think he will, I know he will not mind me telling you this, but you got to be a lifelong learner and so two years ago, I'm at home evening and I get a phone call on my cell phone and it's my boss, the commander of Air Force Space command, General, J. Raymond, who is now currently the Chief of Space Operations. And he is on temporary duty, flying overseas. He lands where he's going and first thing he does when he lands is he calls me and he goes JT, while I was traveling, I noticed that there were eBooks available on the commercial airliner I was traveling on and there was an ebook on something called scrumming and agile DevSecOps. And I read it, have you read it? And I said, no, sir. But if you tell me what the title of the book is, I will read it. And so I got to go to my staff meeting, the very next week, the next time we had a staff meeting and tell everybody in the staff meeting, hey, if the four star and the three star can read the book about scrumming, then I'm pretty sure all of you around this table and all our lieutenants and our captains our GS13s, All of our government employees can get smart on the scrumming development process. And interestingly as another side, I had a telephone call with him last year during the holidays, where he was trying to take some leave. And I said, sir, what are you up to today? Are you making eggnog for the event tonight or whatever. And the Chief of Space Operations told me no, I'm trying to teach myself Python. I'm at lesson two, and it's not going so well, but I'm going to figure this out. And so that kind of thing, if the chief of staff or the Chief of Space Operations can prioritize scrumming and Python language and innovation in his daily schedule, then we're definitely looking for other people who can do that. And we'll just say, lower levels of rank throughout our entire space force enterprise. Look, we don't need people that can code a satellite from scratch, but we need to know, we need to have people that have a basic grasp of the programming basics and cybersecurity requirements. And that can turn those things into meaningful actions, obviously in the space domain, things like basic physics and orbital mechanics are also important spaces, not an intuitive domain. So under understanding how things survive on orbit is really critical to making the right design and operational decisions. And I know there's probably a lot, because of this conference. I know there's probably a whole lot of high speed cybersecurity experts out in the audience. And I need those people in the US Space Force. The country is counting on it, but I wouldn't discount having people that are just cyber aware or cyber savvy. I have contracting officers and logisticians and program managers, and they don't have to be high end cybersecurity experts, but they have to be aware enough about it to be able to implement cyber security protections into our space systems. So the skill set is really, really broad. Our adversaries are pouring billions of dollars into designing and fielding offensive and destructive space, cybersecurity weapons. They repeatedly shown really a blatant disregard of safety and international norms for good behavior on orbit. And the cyber security aspects of our space systems is really a key battleground going forward so that we can maintain that. As I mentioned before, peaceful global comments of space, we really need all hands on deck. If you're interested in helping in uniform, if you're interested in helping, not in uniform, but as a government employee, a commercial or civil employee to help us make cyber security more important or more able to be developed for our space systems. And we'd really love to work with you or have you on the team to build that safe and secure future for our space systems. >> Lieutenant General John Thompson, great insight. Thank you for sharing all that awesome stories too, and motivation for the young next generation. The United States Space Force approach to cybersecurity. Really amazing talk, thank you for your time. Final parting question is, as you look out and you have your magic wand, what's your view for the next few years in terms of things that we could accomplish? It's a super exciting time. What do you hope for? >> So first of all, John, thanks to you and thanks to Cal Poly for the invitation and thanks to everybody for their interest in cybersecurity, especially as it relates to space systems, that's here at the conference. There's a quote, and I'll read it here from Bernard Schriever, who was the founder, if you will, a legend in a DoD space, the founder of the Western development division, which was a predecessor organization to Space and Missile System Center, General Schriever, I think captures the essence of how we see the next couple of years. "The world has an ample supply of people "who can always come up with a dozen good reasons "why new ideas will not work and should not be tried, "but the people who produce progress are breed apart. "They have the imagination, "the courage and the persistence to find solutions." And so I think if you're hoping that the next few years of space innovation and cybersecurity innovation are going to be upon a pony ride at the County fair, then perhaps you should look for another line of work, because I think the next few years in space and cybersecurity innovation are going to be more like a rodeo and a very dynamic rodeo as it goes. It is an awesome privilege to be part of this ecosystem. It's really an honor for me to be able to play some small role in the space ecosystem and trying to improve it while I'm trying to improve the chances of the United States of America in a space war fighting environment. And so I thank all of you for participating today and for this little bit of time that you've allowed me to share with you. Thank you. >> Sir, thank you for your leadership and thank you for the time for this awesome event, Space and Cyber Cybersecurity Symposium 2020, I'm John Furrier on behalf of Cal Poly, thanks for watching. (mellow music)

>> Live from New York, it's theCUBE, covering theCUBE New York City 2018. Brought to you by SiliconANGLE Media and its ecosystem partners. >> Hello, everyone, welcome back. This is theCUBE live in New York City for theCUBE NYC, #CUBENYC. This is our ninth year covering the big data ecosystem, which has now merged into cloud. All things coming together. It's really about AI, it's about developers, it's about operations, it's about data scientists. I'm John Furrier, my co-host Dave Vellante. Our next guest is Brent Compton, Technical Marketing Director for Storage Business at Red Hat. As you know, we cover Red Hat Summit and great to have the conversation. Open source, DevOps is the theme here. Brent, thanks for joining us, thanks for coming on. >> My pleasure, thank you. >> We've been talking about the role of AI and AI needs data and data needs storage, which is what you do, but if you look at what's going on in the marketplace, kind of an architectural shift. It's harder to find a cloud architect than it is to find diamonds these days. You can't find a good cloud architect. Cloud is driving a lot of the action. Data is a big part of that. What's Red Hat doing in this area and what's emerging for you guys in this data landscape? >> Really, the days of specialists are over. You mentioned it's more difficult to find a cloud architect than find diamonds. What we see is the infrastructure, it's become less about compute as storage and networking. It's the architect that can bring the confluence of those specialties together. One of the things that we see is people bringing their analytics workloads onto the common platforms where they've been running the rest of their enterprise applications. For instance, if they're running a lot of their enterprise applications on AWS, of course, they want to run their analytics workloads in AWS and that's EMRs long since in the history books. Likewise, if they're running a lot of their enterprise applications on OpenStack, it's natural that they want to run a lot of their analytics workloads on the same type of dynamically provisioned infrastructure. Emerging, of course, we just announced on Monday this week with Hortonworks and IBM, if they're running a lot of their enterprise applications on a Kubernetes substrate like OpenShift, they want to run their analytics workloads on that same kind of agile infrastructure. >> Talk about the private cloud impact and hybrid cloud because obviously we just talked to the CEO of Hortonworks. Normally it's about early days, about Hadoop, data legs and then data planes. They had a good vision. They're years into it, but I like what Hortonworks is doing. But he said Kubernetes, on a data show Kubernetes. Kubernetes is a multi-cloud, hybrid cloud concept, containers. This is really enabling a lot of value and you guys have OpenShift which became very successful over the past few years, the growth has been phenomenal. So congratulations, but it's pointing to a bigger trend and that is that the infrastructure software, the platform as a service is becoming the middleware, the glue, if you will, and Kubernetes and containers are facilitating a new architecture for developers and operators. How important is that with you guys, and what's the impact of the customer when they think, okay I'm going to have an agile DevOps environment, workload portability, but do I have to build that out? You mentioned people don't have to necessarily do that anymore. The trend has become on-premise. What's the impact of the customer as they hear Kubernetese and containers and the data conversation? >> You mentioned agile DevOps environment, workload portability so one of the things that customers come to us for is having that same thing, but infrastructure agnostic. They say, I don't want to be locked in. Love AWS, love Azure, but I don't want to be locked into those platforms. I want to have an abstraction layer for my Kubernetese layer that sits on top of those infrastructure platforms. As I bring my workloads, one-by-one, custom DevOps from a lift and shift of legacy apps onto that substrate, I want to have it be independent, private cloud or public cloud and, time permitting, we'll go into more details about what we've seen happening in the private cloud with analytics as well, which is effectively what brought us here today. The pattern that we've discovered with a lot of our large customers who are saying, hey, we're running OpenStack, they're large institutions that for lots of reasons they store a lot of their data on-premises saying, we want to use the utility compute model that OpenStack gives us as well as the shared data context that Ceph gives us. We want to use that same thing for our analytics workload. So effectively some of our large customers taught us this program. >> So they're building infrastructure for analytics essentially. >> That's what it is. >> One of the challenges with that is the data is everywhere. It's all in silos, it's locked in some server somewhere. First of all, am I overstating that problem and how are you seeing customers deal with that? What are some of the challenges that they're having and how are you guys helping? >> Perfect lead in, in fact, one of our large government customers, they recently sent us an unsolicited email after they deployed the first 10 petabytes in a deca petabyte solution. It's OpenStack based as well as Ceph based. Three taglines in their email. The first was releasing the lock on data. The second was releasing the lock on compute. And the third was releasing the lock on innovation. Now, that sounds a bit buzzword-y, but when it comes from a customer to you. >> That came from a customer? Sounds like a marketing department wrote that. >> In the details, as you know, traditional HDFS clusters, traditional Hadoop clusters, sparklers or whatever, HDFS is not shared between clusters. One of our large customers has 50 plus analytics clusters. Their data platforms team employ a maze of scripts to copy data from one cluster to the other. And if you are a scientist or an engineer, you'd say, I'm trying to obtain these types of answers, but I need access to data sets A, B, C, and D, but data sets A and B are only on this cluster. I've got to go contact the data platforms team and have them copy it over and ensure that it's up-to-date and in sync so it's messy. >> It's a nightmare. >> Messy. So that's why the one customer said releasing the lock on data because now it's in a shared. Similar paradigm as AWS with EMR. The data's in a shared context, an S3. You spin up your analytics workloads on AC2. Same paradigm discussion as with OpenStack. Your spinning up your analytics workloads via OpenStack virtualization and their sourcing is shared data context inside of Ceph, S3 compatible Ceph so same architecture. I love his last bit, the one that sounds the most buzzword-y which was releasing lock on innovation. And this individual, English was not this person's first language so love the word. He said, our developers no longer fear experimentation because it's so easy. In minutes they can spin up an analytics cluster with a shared data context, they get the wrong mix of things they shut it down and spin it up again. >> In previous example you used HDFS clusters. There's so many trip wires, right. You can break something. >> It's fragile. >> It's like scripts. You don't want to tinker with that. Developers don't want to get their hand slapped. >> The other thing is also the recognition that innovation comes from data. That's what my takeaway is. The customer saying, okay, now we can innovate because we have access to the data, we can apply intelligence to that data whether it's machine intelligence or analytics, et cetera. >> This the trend in infrastructure. You mentioned the shared context. What other observations and learnings have you guys come to as Red Hat starts to get more customer interactions around analytical infrastructure. Is it an IT problem? You mentioned abstracting the way different infrastructures, and that means multi-cloud's probably setup for you guys in a big way. But what does that mean for a customer? If you had to explain infrastructure analytics, what needs to get done, what does the customer need to do? How do you describe that? >> I love the term that industry uses of multi-tenant workload isolation with shared data context. That's such a concise term to describe what we talk to our customers about. And most of them, that's what they're looking for. They've got their data scientist teams that don't want their workloads mixed in with the long running batch workloads. They say, listen, I'm on deadline here. I've got an hour to get these answers. They're working with Impala. They're working with Presto. They iterate, they don't know exactly the pattern they're looking for. So having to take a long time because their jobs are mixed in with these long MapReduce jobs. They need to be able to spin up infrastructure, workload isolation meaning they have their own space, shared context, they don't want to be placing calls over to the platform team saying, I need data sets C, D, and E. Could you please send them over? I'm on deadline here. That phrase, I think, captures so nicely what customers are really looking to do with their analytics infrastructure. Analytics tools, they'll still do their thing, but the infrastructure underneath analytics delivering this new type of agility is giving that multi-tenant workload isolation with shared data context. >> You know what's funny is we were talking at the kickoff. We were looking back nine years. We've been at this event for nine years now. We made prediction there will be no Red Hat of big data. John, years ago said, unless it's Red Hat. You guys got dragged into this by your customers really is how it came about. >> Customers and partners, of course with your recent guest from Hortonworks, the announcement that Red Hat, Hortonworks, and IBM had on Monday of this week. Dialing up even further taking the agility, okay, OpenStack is great for agility, private cloud, utility based computing and storage with OpenStack and Ceph, great. OpenShift dials up that agility another notch. Of course, we heard from the CEO of Hortonworks how much they love the agility that a Kubernetes based substrate provides their analytics customers. >> That's essentially how you're creating that sort of same-same experience between on-prem and multi-cloud, is that right? >> Yeah, OpenShift is deployed pervasively on AWS, on-premises, on Azure, on GCE. >> It's a multi-cloud world, we see that for sure. Again, the validation was at VMworld. AWS CEO, Andy Jassy announced RDS which is their product on VMware on-premises which they've never done. Amazon's never done any product on-premises. We were speculating it would be a hardware device. We missed that one, but it's a software. But this is the validation, seamless cloud operations on-premise in the cloud really is what people want. They want one standard operating model and they want to abstract away the infrastructure, as you were saying, as the big trend. The question that we have is, okay, go to the next level. From a developer standpoint, what is this modern developer using for tools in the infrastructure? How can they get that agility and spinning up isolated, multi-tenant infrastructure concept all the time? This is the demand we're seeing, that's an evolution. Question for Red Hat is, how does that change your partnership strategy because you mentioned Rob Bearden. They've been hardcore enterprise and you guys are hardcore enterprise. You kind of know the little things that customers want that might not be obvious to people: compliance, certification, a decade of support. How is Red Hat's partnership model changing with this changing landscape, if you will? You mentioned IBM and Hortonworks release this week, but what in general, how does the partnership strategy look for you? >> The more it changes, the more it looks the same. When you go back 20 years ago, what Red Hat has always stood for is any application on any infrastructure. But back in the day it was we had n-thousand of applications that were certified on Red Hat Linux and we ran on anybody's server. >> Box. >> Running on a box, exactly. It's a similar play, just in 2018 in the world of hybrid, multi-cloud architectures. >> Well, you guys have done some serious heavy lifting. Don't hate me for saying this, but you're kind of like the mules of the industry. You do a lot of stuff that nobody either wants to do or knows how to do and it's really paid off. You just look at the ascendancy of the company, it's been amazing. >> Well, multi-cloud is hard. Look at what it takes to do multi-cloud in DevOps. It's not easy and a lot of pretenders will fall out of the way, you guys have done well. What's next for you guys? What's on the horizon? What's happening for you guys this next couple months for Red Hat and technology? Any new announcements coming? What's the vision, what's happening? >> One of the announcements that you saw last week, was Red Hat, Cloudera, and Eurotech as analytics in the data center is great. Increasingly, the world's businesses run on data-driven decisions. That's great, but analytics at the edge for more realtime industrial automation, et cetera. Per the announcements we did with Cloudera and Eurotech about the use of, we haven't even talked about Red Hat's middleware platforms, such as AMQ Streams now based on Kafka, a Kafka distribution, Fuze, an integration master effectively bringing Red Hat technology to the edge of analytics so that you have the ability to do some processing in realtime before back calling all the way back to the data center. That's an area that you'll also see is pushing some analytics to the edge through our partnerships such as announced with Cloudera and Eurotech. >> You guys got the Red Hat Summit coming up next year. theCUBE will be there, as usual. It's great to cover Red Hat. Thanks for coming on theCUBE, Brent. Appreciate it, thanks for spending the time. We're here in New York City live. I'm John Furrier, Dave Vallante, stay with us. All day coverage today and tomorrow in New York City. We'll be right back. (upbeat music)

>> Announcer: Live from Las Vegas. It's theCUBE. Covering ServiceNow, Knowledge2018. Brought to you by ServiceNow. >> Welcome back, everybody. Jeff Frick here with theCUBE. We're at ServiceNow Knowledge18, 2018. Been here for six years. It's amazing. It's like 18,000 people all over the Sands Convention Center. Huge ecosystem and we're excited to be back, as usual. Our next guest, Greg Deitrich. He's a VP of operations in engineering at DXC. Joined by Tim Henderson, director of automation engineering at DXC. Gentlemen, welcome. >> Thank you. >> Thanks for having us. >> Yeah, absolutely. So, first off, just kind of impressions of the show. It's amazing. This thing grows like four or five thousand people, I think, every single year. >> Yeah, it's amazing to see 18,000 people here at a ServiceNow conference. I actually attended back in October of 2007 before they had Knowledge. I attended a first user group session in New York where there's about 70 people around... >> You and Fred and a couple other people, right? >> Fred, his brother who ran operations at the time, and a few more. >> That's right. And then, obviously, you guys... We interviewed traditional partners way back into the day. You got mopped by CSC and you guys have rebranded into DXC. So you guys have a long history in really making a bet on the ServiceNow value proposition. >> Yeah, that's right. CSC and now DXC has had a long history of partnership with ServiceNow and, as you said, as evidenced by some of these acquisitions that we did with Fruition and Logicalis, the guys with the green suits around here. >> Jeff: That's right. >> And that continues to be a very strong part of our business. >> Good bet. >> Yeah, absolutely. >> And what's interesting, and I'm sure back in the day, we used to talk to Fred. He had this great platform but nobody's got a line item budget for a new platform, right? So you have to build the application. Obviously, the story's well-known. He build the service-management application. But he still has that great platform underneath. And now we're seeing all these different kind of applications built on this platform beyond what the original application-- >> I think that what you see is the pivot to more focus on business and less about IT, right? And that's what we're doing with Bionics And Platform DXC. It's taking a completely different angle that we're trying to orchestrate business within an ecosystem which ServiceNow is a key construct of. And it resonates with clients. We've showed what we've done to several major clients and it's really trying to achieve, like John said, business outcomes and less about the IT. But how can you quickly bundle sequence workflows and capability to get efficiency and automation into the workplace. >> Right. So let's dig down a little deeper on that application. What problem did you approach? Why was this the right tool to go after this problem? >> Sure. So the big thing that Tim and I are driving across DXC is our DXC Bionics approach which is really centered on how can we digitally transform our delivery engine, right? So we're applying data and analytics and leaning out people on processes and applying technology automation tools to really drive intelligent automation across everything we do. To get better, faster, cheaper, more automated, scalable, repeatable. In doing that, it was really important that we took a platform approach and ServiceNow's been a cornerstone in that platform. And we call that platform Platform DXC. >> Why are you called Bionics? >> So, Bionics, for us, is that combination of data, people, and technology. It's not just automation as the silver bullet and just the technology. It has to be that combination of the data with the people and the technology and automation coming together to make people work smarter, work more intelligently. >> Jeff: Right. >> And I think some of that, too, is the muscle part of it, right? You think Bionics but, as Greg said, you've really got to understand the business problem or what's occurring. And a lot of people we've seen in the industry are applying just automation without really understanding the underlying problem. And a lot of companies have had IT implemented in a diversified portfolio for 20 years and these disparate systems are very siloed. And there's a lot of waste in the value stream of their company. If you really don't break that apart and look at that, you're really not helping them lead in their marketplace. >> Right. It's just fascinating how we continue to find these big giant buckets of inefficiency. All the way back to the original ERP days and you just keep finding so many giant buckets where things are just not working as smoothly as they could. >> You know, people will look at this somewhat and they'll say, "Well, automation is to get heads out." Well, actually, it's to free up heads, right, Greg? To where you can actually empower these people to go do other value-added things for that company and not sit here in this toil or managing technical data or inefficient waste. It's really liberating but it does take a good champion within a company to go pull that off. >> And clearly the people part's probably the hardest part, right? In the keynote yesterday, John touched on, kind of, best practices and one of them, I think number three, was a commitment to change process. And that's, obviously, a big part of you guys' business, helping people to get through that piece of it. I laugh. I have Alexa and I have a Google Home, and they send me emails on how I should interact with this thing to try to help me change my behavior to take advantage of this new technology. I'm like, "Oh, okay." So it's hard to change people's behavior. >> Yeah, see the people component comes down to a couple of things. One, it comes down to skills, right. And there's been a lot of discussion here this week around getting the right skills, the digital types of skill that are needed in this new economy. But the other piece that's more important, I think, around people is this cultural picot, right? So a big piece of our digital transformation has not been about technology, but is has been about a cultural change. Thinking differently, challenging the status quo. Working differently, right? That agile DevOps. Eliminating that fear of failure. Let's fail fast, let's learn from it in that continual incremental way of driving improvement. >> Right. And something we did when Greg and I experimented with this. We actually didn't know how it was going to work out. To put the platform itself together, we created this concept called a Buildathon. >> Jeff: A Buildathon? >> A Buildathon. >> Jeff: Not a hackathon. >> So we have our team. We have ServiceNow. We have AWS. Microsoft, Dell, other partners in there. And we write code together. It's no Powerpoint. You're doing scrum sessions. And we basically created the platform in 230 days which is phenomenal when you think about it. From inception to briefing Greg and the CTO of our company, Dan Hushon, to saying it's open for business. >> Right. >> And, as Greg said, empowering people, getting them to work. But one thing we're doing is getting our partners to build with us. We call it co-creation. I know it's a little dicey term if you take that the wrong way. But they're having fun with it because, instead of getting all caught up in contractuals and, "What am I going to make on this?", it's like, "Let's go try some things and build together "and then go, oh, well, I made that water glass "and I can go price this in here and everybody "understands what they're going to make in it "as a business." And it's huge. It transforms the workforce. Our partner network loves it. They're lined up to get into the framework. And, like Greg says, it's re-energized our workforce. It's been huge. >> It's interesting, the whole DevOps conversation. So all these terms, Moore's Law, et cetera, have a very specific application. But I think it's much more interesting in the more general application of that method. Whether it's Moore's Law and this presumption that we're just going to keep getting better, faster, cheaper, and driving forward. Or we really do have switches. No, we're not going to do a big old MRD, and we're not going to do a big giant PRD, and spread this thing out, and start our build, and someday down the road, hope to deliver something. It's like, "Let's start delivering now." >> Right. Gone are the days of those big requirements, and then go way, and then the big reveal. And, oh no, we missed all this. Right? It's got to be that more interactive, collaborative module way. >> Right. And the thing about the people... You know, we go to a ton of shows, right? Everyone's automation's going to take. But I've never heard anyone say, "We're overstaffed." That we have more people qualified in these new areas than we need. I mean, there's still such a demand for people across the board. Whether it's truck-driving or it's... >> It's unlocking the power of those people. Just to kind of share an example, when we went through the pilot for this to go get the funding, we took basically a womb-to-tomb situation where we would go do infrastructure to service a platform and have it in a client's hand for business. In the past, that would take us 2100 hours and eight teams and 53 hand-offs. In seven weeks, we've proved we could orchestrate that all the way through the last mile, getting to the client's network in two hours and 14 minutes to where the client could log in. >> Wow, that's a game-changer. >> It is a game-changer. But you free up those resources then to help that customer understand how to leverage that application and change their business versus all this toil of trying to figure out, "Well, did I get the network connected? "Well, who knows how to do the firewalls?" Everything is code. >> Right. >> And that's really, I said it earlier, we're really going towards business code, right? Because that's what John's talking about, is getting business processes code, and then empowering people to have that situational awareness. >> And then, hopefully, opening up their minds to, "Oh, my goodness. "If I can do this that easily, "what else can I do? "What else can I do." So, Tim, you've got an interesting background. Not that ServiceNow is not exciting. But you were involved in a very exciting business for years and years at Cape Canaveral. So what did you do there and what lessons did you learn there that you can apply right now? >> That's a great question. So it was actually an honor to support our country in that way. I was the IT director at Cape Canaveral for 12 years and supported Atlas, Titan, and Delta rocket launches for commercial and military purposes. But what I learned there a lot was two key things: systems engineering... That's almost like DevOps for aerospace and defense. It is people really building a system together and understanding what they have to achieve. The other thing is command and control. And that sounds a little rigid in today's world of agile. But when Greg and I talked about Platform DXC, what we felt is, we need and control system for business. Right? That has a complete loop. And we're going to talk about this Thursday at 1:30? >> 1:30. >> Right. So we took a lot of those constructs and we didn't even select ServiceNow when we put the platform together. We'd been a good partner with them. But then we said, "You know what? "They have a market-leading solution. "They're going to fit into the orchestration "of business." And then, there's an intelligence pillar, and an automation pillar. But we're seeing huge gains. Every client we get in front of is like, "Wow, we didn't think about that." And we also have, our partners are actually wanting to put their IP into our platform so people can just consume it and we could wrap another service wrapper around it. So it kind of turns into an IT marketplace in a way. So we're pretty excited about it. >> I'd love to just kind of drill down on the command and controls. Interesting. I talked to a company a couple of weeks ago and they were in aviation. And the guy's like, "You know, in aviation, "if they want to innovate around ticketing "or AV systems in the planes, "they can innovate all day long. "It doesn't really matter if somebody "can't print their ticket if it doesn't come up "on their phone." But in terms of the safety, it's not to say, in terms of the regs, and the maintenance, of the aircraft. It's super-rigid. You can't take risks. I would imagine at Cape Canaveral, although, some missions have people, some don't, it's still big, expensive missions and you really aren't failing fast... >> We actually move pretty quick, believe it or not. You can build a rocket in six months. They'll fly it in and you can erect it and test it in thirty days and launch, which is pretty crazy when you think about it. And a rocket's a lot of hardware and software, right? What they have is that value stream, through systems engineering and situational awareness. So, for example, they know every time a torque wrench is used, who used it. So if it went out of calibration, they can immediately go back and say it was used on this guidance system, on that rocket. We need to go back and check it before it launches. And it's really a pedigree. You know, who was the tech? Were they assigned? Did they have the right skills? Did they capture the data for the test? And you really have a pedigree. And we've actually built some of that into the Platform DXC. We call it the Digital Thread, which is something we'd worked on with the Air Force. So if you take compliance, right, and you have this thread of everything that's occurred, whether it's the people, an asset, an application, you have a thread. So you look at compliance radically different. So we capture a lot of telemetry, whether it's technical, business, or security. And that's where the intelligence pillar has this whole AI engine and machine learning and things to just start pivoting radically. So it's really a closed-loop system which is what a rocket has. The airplane that probably everybody in this room flew here in, right? It's always sensing itself and adjusting. And if it has a failure potentially coming up, it notifies Boeing before that plane lands that they need something to go look at. That's what we're trying to do here for business. >> It's funny. Another interview, this gal came. She was a lawyer. She was a homicide detective. And we talked to her about chain of possession. What an important concept chain of possession is. And I'm just curious about how cumbersome was that before when you started versus with the tools that we have now in terms of sensors and networks, and basically unlimited networking and unlimited storage? What percentage of it really was chain of command versus actually doing things, and that kind of followed along? >> I think you asked a question, how cumbersome was it? I think it was so difficult that, in many cases, it was not there. Right? So you had these big gaps. And you didn't know what happened and you didn't have the integration of the data. And now, in today's world, with these more real-time cloud-based, integrated systems, you're able to get that at, more and more, a commoditized price. It's no longer as expensive and difficult to get that. It's being commoditized where, in the past, in some cases, you didn't have it because it was too hard or too expensive. >> Right. So you didn't have that closed-loop kind of feedback mechanism to make sure that things go well. >> Tim: You needed people and paper. >> Yeah. >> Alright, so I can't believe we're, like, May 9th. The year's halfway gone. So what's next up in the balance of 2018 on this journey? If we talk a year from now, what are we going to be talking about? >> Yeah, so our strategy for this year ahead of us is really to continue driving Bionics, or intelligent automation across our whole business unit. So DXC, the world's leading largest independent services company across infrastructure, apps, and BPS. So we're transforming how we deliver and deploying that at scale. So intelligent automation at scale across your business. The second key piece for us this year is to work across all of our offerings and our industry solutions to ensure that they're built for operations and built on Platform DXC so all that efficiency, effectiveness, automation is built into the offerings. So that what we have ahead of us for this year. Alright. Should be fun. And it has been so far. We'll watch Elon Musk's car keep going through space because that's very entertaining. >> Tim: It is pretty cool. >> Well, what's cool, too, is that everyone's excited to watch the launches. They're going to get up at six in the morning and count it down and it is very cool. Alright, Tim, Greg, thanks again for taking a few minutes and stopping by. >> Thank, Jeff. >> Alright, Tim and Greg. I'm Jeff. You're watching theCUBE from ServiceNow Knowledge2018 in Las Vegas, Nevada. We'll be right back after this short break. Thanks for watching.

>> Narrator: Live, from Las Vegas! It's the Cube, covering IBM Think 2018. Brought to you by IBM. >> We're back at IBM Think 2018. This is day three of our wall to wall coverage. My name is Dave Vellante and you're watching the Cube, the leader in live tech coverage. A lot of times in the Cube, we talk about how CIO's understood a while ago, they just can't take their business and put it up into the cloud. Rather, they have to bring the cloud operating model to their data. So that's a topic that we're going to talk about with Dave Linquist, who's here. He's an IBM fellow and Vice President of Private Cloud at IBM and Ajay Apte, who's a Distinguished Engineer of IBM Cloud Private. Gentleman, welcome to the Cube. Good to see you again! >> Good to see you Dave. >> Thank you. >> So, Dave, let's start with you. IBM Cloud Private, you heard my little narrative at the beginning. I think it's consistent with what your philosophy is, but what is IBM Cloud Private? What's it all about? >> Sure. Well why don't we just start with, there's public clouds, private clouds, hybrid clouds and the ability to match your workload requirements with the particular cloud, is very important. And having that consistency between private and public, so you have that flexibility, whether it's security, performance, cross aspects, regulatory, et cetera, is an important part of a multi-cloud strategy. With Private Cloud, in particular, we introduce Private Cloud, the offering is called IBM Cloud Private, last year. And the demand has been through the roof at the enterprises. What we're effectively doing, is bringing cloud-native technologies, right into the enterprise. It's really quite cool. We're bringing Kubernetes and containers into the enterprise, optimizing a lot of the core enterprise middleware, so it runs on this optimized Kubernetes environment and then integrating it with the security and operational systems of the enterprise. >> So as you said, you only recently, really, announced the IBM Cloud Private and you talked about private cloud for years, as did others. But others, maybe, had an offering, but the offering really didn't work. It really wasn't the cloud experience, so what did you guys have to go through... I mean, it's not trivial to get that cloud experience. So maybe Ajay, you can talk about, sort of, how you got there and what you had to do to get there. >> Right. We started with some use cases that we had in mind. So let me talk about three, very core use cases that we started with. The first one is, IBM has an anonymous enterprise grade, production ready, footprint of middleware in our customer's data center. We wanted to bring that footprint to a containerized wall, to a cloud-based operational model. When I say enterprise grade footprint that customers have today, they measure the success of that footprint in terms of KPIs, in terms of resilience, in terms of reliability, in terms of security and compliance, these kind of things. We wanted to bring the same qualities of services to a private cloud model, in a container model That was probably one of the main use cases that we started targeting. On the other side of the spectrum, the cloud-native micro-services based department. This is where most of the developers are interested in today. This is where really high velocity, agility, can be achieved. So that was the second use case that we were targeting. In both those cases, the key also is that customers already have existing tools and practices, those kinds of things, the data center. The idea was to very seamlessly integrate into that set of tools and practices and even people within the data center, while providing the same cloud operational model. And then the third main use case was around integration. By integration, there are various dimensions to integration. There's integration between the footprint that's running on PrIM with the things that are not running in containers. They my be running in DMs or bare metal instances or maybe whole systems running on our main frame, like IBM Z systems, right? And then there will be other services, may be running SAS services in public cloud, so the integration scenario is basically expanded from our legacy footprint all the way into the public cloud SAS connector, so that integration was the third use case for us. So those three use cases, I would say, became the foundation of what we did over last one year. >> So Dave, in thinking about, you know, bringing the cloud-operating model to the data, what should clients expect, in terms of that experience? Is it substantially similar? Identical? Are there huge gaps? What do you tell people? >> Well, that's a good question. What they're going to experience is, when you're using public cloud environments, what you'll see is your developers get rapid access to the content they need to start developing applications. And it fits very well into their agile DevOps life cycles, high iterations. And what you'll see is, operations teams often refer to it as site reliability engineering in a cloud model. They have access to all the efficiencies of cloud for deployment, scale, recovery, maintenance, all those types of pieces. So what a customer will experience is we're bringing those capabilities into the data center, but as Ajay pointed out, we're then able to run a lot of the core transactional data, analytic, messaging workloads right on that environment, so the developers get rapid access to that type of content, what they need. And the operations, can leverage those capabilities on a cloud infrastructure. That's the experience they're going to get, matching up the enterprise requirements with the cloud-native. >> Is the impetus to take that proprietary data, that 80% of data Ginni Rometty talked about that isn't searchable on the public web. Is the impetus to get leverage out of that data, that they don't want to put into the public cloud, or is to modernize their applications and cut their costs? Probably both, but I wonder if you can talk to-- >> There are many higher level, type of scenarios and use cases, so one that Ajay went through is, really modernizing your applications, extending with innovation. But as Ginni talked about, and I think, you probably had sessions earlier on IBM Cloud Private for data, what we're seeing is how we can bring many of the critical data services together, from data science experience and data analytics and data governance and movement and management, into this cloud technology, so that it can be used against the data that's in the data center, within the enterprise to start getting insights into that data and furthering their business. >> Ajay, I wonder if you can take us inside the development process, even the thought process behind how you approach this. The secret sauce, how you approach this challenge, maybe, differently, than historically, you've approached system design? >> Right, so since the whole idea of IBM Cloud Private is around cloud operational model, high velocity, agility, those are the things we are preaching to our customers. The very key principle there is, using those in our development, as well. Our development itself, is built on the same, open source DevOps tool chains, the cloud operational principles, so that we can achieve the exact same velocity, agility, that our customers are expecting to achieve with the kind of offerings that we are trying to make over here. So that's, sort of, the first key principle for us. The second principle, is around production readiness. When we are expecting a customer to run production-ready workloads, we have security, compliance, reliability, these kinds of things, the same principles apply back to the platform that they're going to use for running those workloads, as well. So the first thing is, we are our own customers. We have to apply the same principles to our platform, so that customers can do the same thing. Our platform is, sort of, a layered model, where we have Kubernetes and Cloud Foundry as the containerization model, but we also have a plethora of IBM and non-IBM and open source middleware software, that's running on top of that. And then, we have customer applications running on top of that, so we have to make sure that as we build this platform, all these layers are taken care of, in terms of how we can deliver a production-grade offering end to end. Like, when we talk about Watson Studio, what Ginni mentioned yesterday, running as part of ICP for data, for example, The idea of running that, where it's not just about ICP running a database, it's about what happens to the life cycle of the data and how ICP gets designed to make sure the life cycle of that data can be managed in a containerized model. Those are the kinds of things that became very important for our philosophy. >> Having a little fun, our development team rocks! They are incredible. What our organization has done, it's fully embraced all the agile DevOps capabilities, it's all developed on a cloud environment, we actually use ICP in our development of our IBM Cloud Private. It's weekly iterations, two week sprints, and every quarter, we have a major release. We've done that the last four quarters, we've had a major release come out. It's really been exciting. >> So one of the great things about shows like this, is that you can't walk around without bumping into a customer. So, my question, Dave, is what are they telling you? What's resonating with the customers, in terms of the services that they're consuming? What are they like? What do they want? What are they asking you for? >> So we did what we consider a soft launch in June, where wanted to get some experience and feedback from users and operations. And what we actually did, is opened a open-select channel with our users. So we had tens of thousands of downloads that came with that very first release and we got feedback continually on what they liked from content, how they liked the environment, the whole experience. In the beginning of the fourth quarter, we did a major launch with all the middleware capabilities, that content on the platform, it just took off. Since that time, we have upwards of 150 global accounts picked up IBM Cloud Private and started and going through the deployment, some are even going into production. The thing that resonates with them so quickly, is they have so many existing workloads that they've been trying, to really, bring into this dev transformation, trying to bring into cloud technologies and this creates a journey, a path for them through application modernization and then adding all kinds of innovation with micro-services for refactoring or even adding Watson Artificial Intelligence Services into the environment. >> Ajay, I started off asking you, sort of, where you got the motivation, a good starting point, your answer was outside in. You started with the customers, looked at use cases. Having said that, you're trying to replicate, mimic, to the greatest degree possible, the public cloud experience, so there's a reference model there. So when you think about what's next, do you, sort of, pop over to your public cloud colleagues in the IBM Cloud and have a little bake off and see? Where do you get your motivation going forward, your, sort of, road map ideas. Obviously, the customers, but do you benchmark yourself against public cloud to try to close that gap? How do you approach that? >> Sure, there are multiple dimension. Customers, of course, is one of the important ones. Having a consistent story between IBM Public Cloud and IBM Cloud Private, is an absolute key principle for us. It's not just a requirement, but it's not just about keeping them functionally consistent, keeping them expedience-wise consistent, but making sure that when customers embark on the journey of hybrid deployment, be it, in terms of doing my dev test in public and then moving to IBM Cloud Private for production, or be a bursting scenario, these kind of things. Customers, not only want to run their application seamlessly, they want performance, they want network connectivity, they want secure connectivity, these kind of things. So that becomes another angle, in terms of how we are growing this, we have public, we have private, we can build a seamless hybrid storage today, but how do we evolve that hybrid storage to make sure that we can give them the same qualities of service? Just because you move your application from private to public, if the data stays on private, the performance is going to really impact, it'll suffer. How do you make sure that those kinds of things are taken care of when customers truly build that? So that's the second dimension of how do we really take the customers on the hybrid journey? And the third important one, is that customers, of course, are going to deploy on our cloud, on other clouds, right? They will always have multiple clusters, geographically distributed. How do we manage their entire footprint and give them the right views for deployment, management, accountability, these kinds of things, across that entire real estate, right? What we generally call hybrid cloud management, multi-cloud management. >> And that's a really, fundamental technical challenge, presumably. To create that similar capability, that consistency, maintaining performance. You've got a got of challenges there. Good thing these guys are rock stars! Alright, Dave. We'll give you the last word. If you had to summarize Think 2018 in less than 10 words, what would you say? >> Accelerate your transformation with cloud. That's what I would say. Leverage the technologies across IOT, public, private cloud, AI, block chain, and accelerate the transformation. >> Ajay, Dave, thanks very much for coming to the Cube. Good to see you again. >> Thank you. >> Alright, keep it right there, buddy. We'll be right back with our next guest. You're watching the Cube, we're live from Think 2018. (techno music)