(upbeat music) >> Welcome back to the program, and we're going to dig into the number one topic on the minds of every technology organization, that's cybersecurity. You know, survey data from ETR, our data partner, shows that among CIOs and IT decision makers, cybersecurity continues to rank as the number one technology priority to be addressed in the coming year. That's ahead of even cloud migration and analytics. And with me to discuss this critical topic area, are Jim Shook, who's the Global Director of Cybersecurity and Compliance Practice at Dell Technologies, and he's joined by Andrew Gonzalez, who focuses on cloud and infrastructure consulting at DXC Technology. Gents, welcome, good to have you. >> Thanks Dave, great to be here. >> Thank you. >> Jim, let's start with you. What are you seeing from the front lines in terms of the attack surface and how are customers responding these days? >> It's always up and down and back and forth. The bad actors are smart, they adapt to everything that we do. So we're seeing more and more, kind of living off the land. They're not necessarily deploying malware, makes it harder to find what they're doing. And I think though, Dave, we've adapted and this whole notion of cyber resilience really helps our customers figure this out. And the idea there goes beyond cybersecurity, it's, let's protect as much as possible so we keep the bad actors out as much as we can, but then let's have the ability to adapt to, and recover to the extent that the bad actors are successful. So we're recognizing that we can't be perfect a hundred percent of the time against a hundred percent of the bad actors. Let's keep out what we can, but then recognize and have that ability to recover when necessary. >> Yeah, thank you. So Andrew, you know, I like what Jim was saying, about living off the land, of course, meaning using your own tooling against you, kind of hiding in plain sight, if you will. But, and as Jim was saying, you can't be perfect. But, so given that, what's your perspective on what good cybersecurity hygiene looks like? >> Yeah, so you have to understand what your crown jewel data looks like, what a good copy of a recoverable asset looks like when you look at an attack if it were to occur, right? How you get that copy of data back into production, and not only that but what that golden image actually entails. So, whether it's networking, storage, some copy of a source code, intellectual property, maybe seem to be data or an active directory or DNS dump, right? Understanding what your data actually entails that you can protect it, and that you can build out your recovery plan for it. >> So, and, where's that live? Where's that gold copy? You put in a yellow sticky? No, it's got to be, you got to be somewhere safe, right? So you have to think about that chain as well, right? >> Absolutely, yeah. So, a lot of folks have not gone through the exercise of identifying what that golden copy looks like. Everyone has a DR scenario, everyone has a DR strategy but actually identifying what that golden crown jewel data, let's call it, actually entails as one aspect of it and then where to put it, how to protect it, how to make it immutable and isolated? That's the other portion of it. >> You know, if I go back to sort of earlier part of last decade, you know, cybersecurity was kind of a checkoff item. And then as you got toward the middle part of the decade and I'd say clearly by 2016 it, security became a boardroom issue. It was on the agenda, you know, every quarter at the board meetings. So, compliance is no longer the driver, is my point. The driver is business risk, real loss of reputation or data, you know, or money, et cetera. What are the business implications of not having your cyber house in order today? >> They're extreme, Dave. I mean the, you know, bad actors are good at what they do. These losses by organizations, tens, hundreds of millions into the billions sometimes, plus the reputational damage that's difficult to really measure. There haven't been a lot of organizations that have actually been put out of business by an attack, at least not directly, if they're larger organizations, but that's also on the table too. So you can't just rely on, oh, we need to do, you know, A, B, and C because our regulators require it. You need to look at what the actual risk is to the business and then come up with the strategy from there. >> You know, Jim, staying with you, one of the most common targets we hear of attackers is to go after the backup corpus. So how should customers think about protecting themselves from that tactic? >> Well, Dave, you hit on it before, right? Everybody's had the backup and DR strategies for a long time going back to requirements that we had in place for physical disaster or human error. And that's a great starting point for a resilience capability, but that's all it is, is a starting point. Because the bad actors will, they also understand that you have those capabilities and they've adapted to that. In every sophisticated attack that we see the backup is a target, the bad actors want to take it out or corrupt it or do something else to that backup so that it's not available to you. That's not to say they're always successful and it's still a good control to have in place because maybe it will survive. But you have to plan beyond that. So, the capabilities that we talk about with resilience, let's harden that backup infrastructure. You've already got it in place, let's use the capabilities that are there like immutability and other controls to make it more difficult for the bad actors to get to. But then, as Andrew said, that gold copy, that critical systems, you need to protect that in something that's more secure which commonly we might say a cyber vault, although there's a lot of different capabilities for cyber vaulting, some far better than others, and that's some of the things that we focus on. >> You know, it's interesting, but I've talked to a lot of CIOs about this is, prior to the pandemic, they, you know, had their, as you're pointing out, Jim, they had their DR strategy in place but they felt like they weren't business resilient and they realized that when we had the forced march to digital. So, Andrew, are there solutions out there to help with this problem? Do you guys have an answer to this? >> Yeah, absolutely. So, I'm glad you brought up resiliency. We take a position that to be cyber resilient it includes operational resiliency, it includes understanding at the C-level what the implication of an attack means, as we stated, and then how to recover back into production. When you look at protecting that data, not only do you want to put it into what we call a vault, which is a Dell technology that is an offline immutable copy of your crown jewel data but also how to recover it in real-time. So DXC offers a, I don't want to call it a turnkey solution, since we architect these specific each client needs, right? When we look at what client data entails, their recovery point objectives, recovery time objectives, what we call quality of the restoration. But when we architect these out we look at not only how to protect the data but how to alert and monitor for attacks in real-time. How to understand what we should do when a breaches in progress. Putting together with our security operations centers a forensic and recovery plan and a runbook for the client. And then being able to cleanse and remediate so that we can get that data back into production. These are all services that DXC offers in conjunction with the Dell solution to protect and recover, and keep bad actors out. And if we can't keep 'em out, to ensure that we are back into production in short order. >> You know, this discussion we've been having about DR kind of versus resilience, and you were just talking about RPO and RTO, I mean, it used to be that a lot of firms wouldn't even test their recovery 'cause it was too risky or, you know, maybe they tested it on, you know, July 4th or something like that. But I'm inferring that's changed. I wonder if we could, you know, double click on recovery, how hard is it to test that recovery and how quickly are you seeing organizations recover from attacks? >> So it depends, right, on the industry vertical, what kind of data, again. Financial services client compared to a manufacturing client are going to be two separate conversations. We've seen it as quickly as being able to recover in six hours, in 12 hours. In some instances we have the grace period of a day to a couple days. We do offer the ability to run scenarios once a quarter where we can stand up in our systems the production data that we are protecting to ensure that we have a good recoverable copy, but it depends on the client. >> I really like the emphasis here, Dave, that you're raising and that Andrew's talking about. It's not on the technology of how the data gets protected it's focused on the recovery, that's all that we want to do. And so the solution with DXC really focuses on generating that recovery for customers. I think where people get a little bit twisted up on their testing capability is you have to think about different scenarios. So, there are scenarios where the attack might be small, it might be limited to a database or an application. It might be really broadly-based, like the NotPetya attacks from a few years ago. The regulatory environment, we call those attacks severe but plausible. So you can't necessarily test everything with the infrastructure but you can test some things with the infrastructure. Others, you might sit around on a tabletop exercise or walk through what that looks like to really get that recovery kind of muscle memory so that people know what to do when those things occur. But the key to it, as Andrew said before, have to focus down what are those critical applications? What do we need? What's most important? What has to come back first? And that really will go a long way towards having the right recovery points and recovery times from a cyber disaster. >> Yeah, makes sense, understanding the value of that data is going to inform you how to respond and how to prioritize. Andrew, one of the things that we hear a lot on theCUBE, especially lately is around, you know, IOT, IIOT, Industry 4.0, the whole OT security piece of it. And the problem being that, you know, traditionally operations technologies have been air-gapped often by design. But as businesses, increasingly they're driving initiatives like Industry 4.0 and they're connecting these OT systems to IT systems. They're, you know, driving efficiency, preventative maintenance, et cetera. So, a lot of data flowing through the pipes, if you will. What are you seeing in terms of the threats to critical infrastructure and how should customers think about addressing these issues? >> Yeah, so bad actors can come in many forms. We've seen instances of social engineering, we've seen, USB stick dropped in a warehouse. That data that is flowing through the IOT devices is as sensitive now as your core mainframe infrastructure data. So, when you look at it from a protection standpoint, conceptually it's not dissimilar from what we've been talking about, where you want to understand, again, what the most critical data is. Looking at IOT data and applications is no different than your core systems now, right? Depending on what your business is, right? So when we're looking at protecting these, yes, we want firewalls, yes, we want air gap solutions, yes, we want front-end protection but we're looking at it from a resiliency perspective. Putting that data, understanding what data entails to put in the vault from an IOT perspective is just as critical as it is for your core systems. >> Jim, anything you can add to this topic? >> Yeah, I think you hit on the key points there, everything is interconnected. So even in the days where maybe people thought the OT systems weren't online, oftentimes the IT systems are talking to them or controlling theM, SCADA systems, or perhaps supporting them. Think back to the pipeline attack of last year. All the public testimony was that the OT systems didn't get attacked directly but there was uncertainty around that and the IT systems hadn't been secured so that caused the OT systems to have to shut down. It certainly is a different recovery when you're shutting them down on your own versus being attacked but the outcome was the same that the business couldn't operate. So, you really have to take all of those into account. And I think that does go back to exactly what Andrew's saying, understanding your critical business services and then the applications and data, and other components that support those and drive those and making sure those are protected, you understand them, you have the ability to recover them if necessary. >> So guys, I mean you made the point, I mean, you're right, the adversary is highly capable, they're motivated 'cause the ROI is so, it's so lucrative. It's like this never ending battle that cybersecurity pros, you know, go through. It really is kind of frontline, sort of technical heroes, if you will. And so, but sometimes it just feels daunting. Why are you optimistic about the future of cyber from the good guys' perspective? >> I think we're coming at the problem the right way, Dave, so that focus. I'm so pleased with the idea that we are planning that the systems aren't going to be a hundred percent capable every single time and let's figure that out, right? That's real world stuff. So, just as the bad actors continue to adapt and expand, so do we. And I think the differences there, the common criminals, it's getting harder and harder for them. The more sophisticated ones, they're tough to beat all the time. And of course, you've raised the question of some nation states and other activities but there's a lot more information sharing, there's a lot more focus from the business side of the house and not just the IT side of the house that we need to figure these things out. >> Yeah, to add to that, I think furthering education for the client base is important. You brought up a point earlier, it used to be a boardroom conversation due to compliance reasons. Now as we have been in the market for a while we continue to mature the offerings, it's further education for not only the business itself but for the IT systems and how they interconnect, and working together so that these systems can be protected and continue to be evolved and continue to be protected through multiple frameworks as opposed to seeing it as another check the box item that the board has to adhere to. >> All right guys, we got to go. Thank you so much. Great conversation on a really important topic. Keep up the good work, appreciate it. >> Thanks Dan. >> Thank you. >> All right, thank you for watching. Stay tuned for more excellent discussions around the partnership between Dell Technologies and DXC Technology. We're talking about solving real world problems, how this partnership has evolved over time. Really meeting the changing enterprise landscape challenges. Keep it right there. (upbeat music)

>> Welcome back to the program, and we're going to dig into the number one topic on the minds of every technology organization. That's cybersecurity. Survey data from ETR, our data partner, shows that among CIOs and IT decision makers, cybersecurity continues to rank as the number one technology priority to be addressed in the coming year. That's ahead of even cloud migration and analytics. And with me, to discuss this critical topic area, are Jim Shook, who's the global director of cybersecurity and compliance practice at Dell Technologies, and he's joined by Andrew Gonzalez, who focuses on cloud and infrastructure consulting at DXC Technology. Gents, welcome, good to have you. >> Thanks, Dave. Great to be here. >> Thank you. >> Jim, let's start with you. What are you seeing from the front lines in terms of the attack surface and how are customers responding these days? >> It's always up and down and back and forth. The bad actors are smart, they adapt to everything that we do, so, we're seeing more and more kind of living off the land, they're not necessarily deploying malware, makes it harder to find what they're doing. And I think, though, Dave, we've adapted and this whole notion of cyber resilience really helps our customers figure this out. And the idea there goes beyond cybersecurity, it's let's protect as much as possible, so we keep the bad actors out as much as we can, but then let's have the ability to adapt to and recover to the extent that the bad actors are successful. So, we're recognizing that we can't be perfect 100% of the time against 100% of the bad actors. Let's keep out what we can, but then recognize and have that ability to recover when necessary. >> Yeah, thank you. So, Andrew, I like what Jim was saying about living off the land, of course, meaning using your own tooling against you, kind of hiding in plain sight, if you will. And as Jim was saying, you can't be perfect, but so, given that, what's your perspective on what good cybersecurity hygiene looks like? >> Yeah, so you have to understand what your crown-jewel data looks like, what a good copy of a recoverable asset looks like when you look at an attack, if it were to occur, right? How you get that copy of data back into production. And not only that, but what that golden image actually entails. So, whether it's networking, storage, some copy of a source code, intellectual property, maybe SIM2B data, or an Active Directory, or DNS dump, right? Understanding what your data actually entails, so that you can protect it, and that you can build out your recovery plan for it. >> So, and where's that live? Where's that gold copy? You put in a yellow sticky? You know, it's got to be somewhere safe, right? So, you have to think about that chain as well, right? >> Absolutely. Yeah. So, a lot of folks have not gone through the exercise of identifying what that golden copy looks like. Everyone has a DR scenario, everyone has a DR strategy, but actually identifying what that golden crown-jewel data, let's call it, actually entails is one aspect of it, and then where to put it, how to protect it, how to make it immutable and isolated, that's the other portion of it. >> If I go back to sort of earlier part of last decade, cybersecurity was kind of a check-off item, and then as you got toward the middle part of the decade, and I'd say clearly by 2016, security became a boardroom issue, it was on the agenda every quarter at the board meetings. So, compliance is no longer the driver is my point. The driver is business risk, real loss of reputation, or data, or money, etc. What are the business implications of not having your cyber house in order today? >> They're extreme, Dave. I mean, the bad actors are good at what they do, these losses by organizations tens, hundreds of millions into the billions, sometimes, plus the reputational damage that's difficult to really measure. There haven't been a lot of organizations that have actually been put out of business by an attack, at least not directly, if they're larger organizations. But that's also on the table too. So, you can't just rely on, oh, we need to do A, B and C because our regulators require it. You need to look at what the actual risk is to the business, and then come up with the strategy from there. >> Jim, staying with you. One of the most common targets we hear of attackers is to go after the backup corpus. So, how should customers think about protecting themselves from that tactic? >> Well, Dave, you hit on it before, right? Everybody's had the backup and DR strategies for a long time going back to requirements that we had in place for physical disaster or human error. And that's a great starting point for a resilience capability. But that's all it is, is a starting point. Because the bad actors will, they also understand that you have those capabilities, and they've adapted to that. In every sophisticated attack that we see, the backup is a target, the bad actors want to take it out, or corrupt it, or do something else to that backup so that it's not available to you. That's not to say they're always successful, and it's still a good control to have in place because maybe it will survive. But you have to plan beyond that. So, the capabilities that we talk about with resilience, let's harden that backup infrastructure, you've already got it in place, let's use the capabilities that are there like immutability and other controls to make it more difficult for the bad actors to get to. But then, as Andrew said, that gold copy, that critical systems, you need to protect that in something that's more secure, which commonly we might say a cyber vault, or there's a lot of different capabilities for cyber vaulting, some far better than others. And that's some of the things that we focus on. >> You know, it's interesting, but I've talked to a lot of CIOs about this prior to the pandemic, they had their, as you're pointing out, Jim, they had their DR strategy in place, but they felt like they weren't business-resilient, and they realized that when we had the forced march to digital. So, Andrew, are there solutions out there to help with this problem? Do you guys have an answer to this? >> Yeah, absolutely. So, I'm glad you brought up resiliency. We take a position that to be cyber resilient, it includes operational resiliency, it includes understanding at the C level what the implication of an attack means, as we stated, and then how to recover back into production. When you look at protecting that data, not only do you want to put it into what we call a vault, which is a Dell technology that is an offline immutable copy of your crown-jewel data, but also how to recover it in real time. So, DXC offers a, I don't want to call it a turnkey solution, since we architect these specific to each client needs, right? When we look at what client data entails, their recovery point, objectives, recovery time objectives, what we call quality of the restoration, but, when we architect these out, we look at not only how to protect the data, but how to alert and monitor for attacks in realtime. How to understand what we should do when a breach is in progress. Putting together with our security operations centers a forensic and recovery plan and a runbook for the client. And then being able to cleanse and remediate, so that we can get that data back into production. These are all services that DXC offers in conjunction with the Dell solution to protect and recover and keep bad actors out. And if we can't keep 'em out, to ensure that we are back into production in short order. >> This discussion we've been having about DR kind of versus resilience, and you were just talking about RPO and RTO, I mean, it used to be that a lot of firms wouldn't even test their recovery, 'cause it was too risky, or maybe they tested it on July 4th or something like that, but I'm inferring that's changed. I wonder if we could double-click on recovery, how hard is it to test that recovery, and how quickly are you seeing organizations recover from attacks? >> So, it depends, right? On the industry vertical, what kind of data, again, financial services client compared to a manufacturing client are going to be two separate conversations. We've seen it as quickly as being able to recover in six hours, in 12 hours, in some instances we have the grace period of a day to a couple days, we do offer the ability to run scenarios once a quarter where we can stand up in our systems, the production data that we are protecting to ensure that we have a good recoverable copy. But it depends on the client. >> I really like the emphasis here, Dave, that you're raising and that Andrew's talking about, it's not on the technology of how the data gets protected, it's focused on the recovery. That's all that we want to do. And so, the solution with DXC really focuses on generating that recovery for customers. I think where people get a little bit twisted up on their testing capability is you have to think about different scenarios. So, there are scenarios where the attack might be small, it might be limited to a database or an application. It might be really broadly based, like the NotPetya attacks from a few years ago. In the regulatory environment we call those attacks severe but plausible. So, you can't necessarily test everything with the infrastructure, but you can test some things with the infrastructure, others, you might sit around on a tabletop exercise, or walk through what that looks like to really get that recovery kind of muscle memory, so that people know what to do when those things occur. But the key to it, as Andrew said before, have to focus down what are those critical applications. What do we need? What's most important? What has to come back first? And that really will go a long way towards having the right recovery points and recovery times from a cyber disaster. >> Yeah, makes sense. Understanding the value of that data is going to inform you how to respond and how to prioritize. Andrew, one of the things that we hear a lot on theCUBE, especially lately, is around IOT, IIOT, Industry 4.0, the whole OT security piece of it. And the problem being that, traditionally, operations technologies have been air gapped, often by design, but as businesses increasingly they're driving initiatives like Industry 4.0, and they're connecting these OT systems to IT systems. They're driving efficiency, preventative maintenance, etc. So, a lot of data flowing through the pipes, if you will. What are you seeing in terms of the threats to critical infrastructure, and how should customers think about addressing these issues? >> Yeah. So, bad actors can come in many forms, we've seen instances of social engineering, we've seen USB stick dropped in a warehouse. That data that is flowing through the IOT device is as sensitive now as your core mainframe infrastructure data. So, when you look at it from a protection standpoint, conceptually, it's not dissimilar from what we've been talking about, where you want to understand, again, what the most critical data is. Looking at IOT data and applications is no different than your core systems now, right? Depending on what your business is, right? So, when we're looking at protecting these, yes, we want firewalls, yes, we want air gap solutions, yes, we want front end protection, but we're looking at it from a resiliency perspective. Putting that data, understanding what data entails to put in the vault from an IOT perspective is just as critical as it is for your core systems. >> Jim, anything you can add to this topic? >> Yeah, I think you hit on the key points there. Everything is interconnected. So, even in the days where maybe people thought the OT systems weren't online, oftentimes the IT systems are talking to them, or controlling them SCADA systems, or perhaps supporting them. Think back to the pipeline attack of last year. All the public testimony was that the OT systems didn't get attacked directly, but there was uncertainty around that, and the IT systems hadn't been secured. So, that caused the OT systems to have to shut down. It certainly is a different recovery when you're shutting them down on your own versus being attacked, but the outcome was the same, that the business couldn't operate. So, you really have to take all of those into account, and I think that does go back to exactly what Andrew's saying, understanding your critical business services, and then the applications and data, and other components that support those and drive those, and making sure those are protected, you understand them, you have the ability to recover them if necessary. >> So guys, I mean, you made the point, I mean, you're right. The adversary is highly capable, they're motivated, 'cause the ROI is so lucrative. It's like this never-ending battle that cybersecurity pros go through, it really is kind of frontline sort of technical heroes, if you will. But sometimes it just feels daunting. Why are you optimistic about the future of cyber from the good guys' perspective? >> I think we're coming at the problem the right way, Dave, so that focus, I'm so pleased with the idea that we are planning that the systems aren't going to be 100% capable every single time and let's figure that out, right? That's real-world stuff. So, just as the bad actors continue to adapt and expand, so do we. And I think the differences there, the common criminals, it's getting harder and harder for them. The more sophisticated ones, they're tough to beat all the time, and, of course, you've raised the question of some nation states and other activities, but there's a lot more information sharing, there's a lot more focus from the business side of the house, and not just the IT side of the house that we need to figure these things out. >> Yeah. To add to that, I think furthering education for the client base is important. You brought up a point earlier, it used to be a boardroom conversation due to compliance reasons. Now, as we have been in the market for a while, we continue to mature the offerings, it's further education for not only the business itself, but for the IT systems and how they interconnect, and working together so that these systems can be protected, and continue to be evolved, and continue to be protected through multiple frameworks as opposed to seeing it as another check-the-box item that the board has to adhere to. >> All right, guys. We got to go. Thank you so much. Great conversation on a really important topic. Keep keep up the good work. Appreciate it. >> Thanks, Dave. >> Thank you. >> All right. And thank you for watching. Stay tuned for more excellent discussions around the partnership between Dell Technologies and DXC Technology. We're talking about solving real-world problems, how this partnership has evolved over time, really meeting the changing enterprise landscape challenges. Keep it right there.

>>We're here at AWS Reinvent. If it wasn't for the people, if it wasn't for the individuals that we have on this show, none of this would be possible, and we're very thankful for those, those individuals. We're very thankful for our hosts, and I'm very thankful for the rest of my production team that does such an incredible job here at aws. Reinvent. Thank you for joining us, and we'll see you next year.

>>Welcome to this Q conversation. I'm Dave Nicholson. And today we are joined by Andrew ish and Chris Y Moran, both from Gentech. Andrew is the vice president of marketing. Chris John is the, uh, vice president of product engineering, gentlemen, welcome to the cube. >>Welcome David. Thanks for having us. Hey, >>David, thanks for having us on your show. >>Absolutely. Give us just, let's start out by, uh, giving us some background on, on Gentech. How would you describe to a relative coming over and asking you what you do for a living? What Genotech does? >>Well, I'll take a shot at that. I'm the marketing guy, David, but, uh, I think the best way to think of Genotech first and foremost is a software company. We, uh, we do a really good job of bringing together all of that physical security sensor network onto a platform. So people can make sense out of the data that comes from video surveillance, cameras, access control, reads, license plate recognition, cameras, and from a whole host of different sensors that can live out there in the world. Temperature, sensors, microwaves, all sorts of stuff. So we're a company that's really good at making sense of complex data from sensors. That's kind of, I think that's kind of what we >>Do and, and, and we focus specifically on like larger, complex, critical infrastructure type projects, whether they be airports, uh, large enterprise campuses and whatnot. So we're not necessarily your well known consumer type brand. >>So you mentioned physical, you mentioned physical security. Um, what about the intersection between physical security and, and cyber security who are, who are the folks that you work with directly as customers and where do they, where do they sit in that spectrum of cyber versus physical? >>So we predominantly work with physical security professionals and, uh, they typically are responsible for the security of a facility, a campus, a certain area. And we'll talk about security cameras. We'll talk about access control devices with card readers and, and, and locks, uh, intrusion detection, systems, fences, and whatnot. So anything that you would see that physically protects a facility. And, uh, what's actually quite interesting is that, you know, cybersecurity, we, we hear about cybersecurity and depressed all the time, right. And who's been hacked this week is typically like, uh, a headline that we're all like looking at, uh, we're looking for in the news. Um, so we actually do quite a lot of, I would say education work with the physical security professional as it pertains to the importance of cyber security in the physical security system, which in and of itself is an information system. Right. Um, so you don't wanna put a system in place to protect your facility that is full of cybersecurity holes because at that point, you know, your physical security systems becomes, uh, your weakest link in your security chain. Uh, the way I like to say it is, you know, there's no such thing as physical security versus cyber security, it's just security. Uh, really just the concept or a context of what threat vectors does this specific control or mechanism actually protects against >>Those seem to be words to live by, but are, are they aspirational? I mean, do you, do you see gaps today, uh, between the worlds of cyber and physical security? >>I mean, for sure, right? Like we, physical security evolved from a different part of the enterprise, uh, structure then did it or cyber security. So they, they come at things from a different angle. Um, so, you know, for a long time, the two worlds didn't really meet. Uh, but now what we're seeing, I would say in the last 10 years, Christian, about that, there's a huge convergence of cyber security with physical security. It, so information technology with operation technology really coming together quite tightly in the industry. And I think leading companies and sophisticated CISOs are really giving a big pitcher thought to what's going on across the organization, not just in cybersecurity. >>Yeah. I think we've come a long way from CCTV, which stands for closed circuit television, uh, which was typically like literally separated from the rest of the organization, often managed by the facilities, uh, part of any organization. Uh, and now we're seeing more and more organizations where this is converging together, but there's still ways to go, uh, to get this proper convergence in place. But, you know, we're getting there. >>How, how does Gentech approach its addressable market? Is this, is this a direct model? Uh, do you work with partners? What, what does that look like in your world? >>Well, we're a, we're a partner led company Gentech, you know, model on many friends is all about our partners. So we go to market through our integration channel. So we work with really great integrators all around the world. Um, and they bring together our software platform, which is usually forms the nucleus of sort of any O T security network. Uh, they bring that together with all sorts of other things, such as the sensor network, the cabling, all of that. It's a very complex multiplayer world. And also in that, you know, partnership ecosystem and Christian, this is more your world. We have to build deep integrations with all of these companies that build sensors, whether that's access, Bosch, Canon, uh, Hanoi, you know, we're, we're really working with them them. And of course with our storage and server partners >>Like Dell >>Mm-hmm <affirmative>. Yeah. So we have, we have like hundreds of, I would say ecosystem partners, right? Camera manufacturers, uh, access control reader, controller manufacturers, intrusion detection, manufacturers, late LIDAR radar, you know, the list goes on and on and on. And, and basically we bring this all together. The system integrator really is going to pick best of breed based on a specific end customer's I would say requirements and then roll out the system. According >>That's very interesting, you know, at, at Silicon angle on the cube, um, we've initiated coverage of this subject of the question, does hardware still matter? And, and you know, of course we're, we're approaching that primarily from kind of the traditional it, uh, perspective, but you said at the outset, you you're a software company mm-hmm <affirmative>, but clearly correct me if I'm wrong, your software depends upon all of these hardware components and as they improve, I imagine you can do things that maybe you couldn't do before those improvements. The first thing that comes to mind is just camera resolution. Um, you know, sort of default today is 4k, uh, go back five years, 10 years. I imagine that some of the sophisticated things that you can do today weren't possible because the hardware was lagging. Is that, is that a, is that a fair assessment? >>Oh, that's a fair assessment. Just going back 20 years ago. Uh, just VGA resolution on a security camera was like out of this world resolution, uh, even more so if it was like full motion, 30 images per second. So you typically have like, probably even like three 20 by 2 44 images per second, like really lousy resolution, just from a resolution perspective, the, the imagery sensors have, have really increased in terms of what they can provide, but even more so is the horsepower of these devices. Mm-hmm, <affirmative> now it's not uncommon to have, uh, pretty, pretty powerful Silicon in those devices now that can actually run machine learning models and you can actually do computer vision and analytics straight into the device. Uh, as you know, in some of the initial years, you would actually run this on kind of racks of servers in this data center. >>Now you can actually distribute those workloads across on the edge. And what we're seeing is, you know, the power that the edge provides is us as a software company, we have the opportunity to actually bring our workloads where it makes most sense. And in some cases we'll actually also have a ground station kind of in between the sensors and potentially the cloud, uh, because the use case just, uh, calls for it. Uh, just looking from a, from a, from a video security perspective, you know, when you have hundreds or thousands of cameras on an airport, it's just not economical or not even feasible in some cases to bring all that footage to the cloud even more so when 99% of that footage is never watched by anybody. So what's the point. Uh, so you just wanna provide the clips that, that actually do matter to the cloud and for longer term retention, you also want to be able to have sometimes more resilient systems, right? So what happens if the cloud disconnects, you can stop the operations of that airport or stop that operations of that, of that prison, right? It needs to continue to operate and therefore you need higher levels of resiliency. So you do need that hardware. So it's really a question of what it calls for and having the right size type of hardware so that you don't overly complexify the installation, uh, and, and actually get the job done. Are >>You comparing airports to prisons >>Christian? Well, nowadays they're pretty much prepared <laugh>, >>But I mean, this is exactly it, David, but I mean, this payload, especially from the video surveillance, like the, the workload that's going through to the, these ground stations really demands flexible deployment, right? So like we think about it as edge to cloud and, uh, you know, that's, what's really getting us excited because it, it gives so much more flexibility to the, you know, the C I S O and security professionals in places like prisons, airports, also large scale retail and banking, and, uh, other places, >>Universities, the list goes on and on and on, and >>On the flexibility of deployment just becomes so much easier because these are lightweight, you usually word deploying on a Linux box and it can connect seamlessly with like large scale head end storage or directly to, uh, cloud providers. It's, it's really a sophisticated new way of looking at how you architect out these networks. >>You've just given, you've just given a textbook example of why, uh, folks in the it world have been talking about hybrid cloud for, for, for such a long time, and some have scoffed at the idea, but you just, you just present a perfect use case for that combination of leveraging cloud with, uh, on-premises hardware and tracking with hardware advances, um, uh, on, on the subject of camera resolution. I don't know if you've seen this meme, but there's a great one with the, the first deep field image from the, from the, I was gonna say humble, the James web space telescope, uh, in contrast with a security camera F photo, which is really blurry of someone in your driveway <laugh>, uh, which is, which is, uh, sort of funny. The reality though, is I've seen some of these latest generation security cameras, uh, you know, beyond 4k resolution. And it's amazing just, you know, the kind of detail that you can get into, but talk about what what's, what's exciting in your world. What's, what's Gentech doing, you know, over the next, uh, several quarters that's, uh, particularly interesting what's on the leading edge of your, of your world. >>Well, I think right now what's on the leading edges is being driven by our end users. So the, so the, the companies, the governments, the organizations that are implementing our software into these complex IOT networks, they wanna do more with that data, right? It's not just about, you know, monitoring surveillance. It's not just about opening and closing doors or reading license plates, but more and more we're seeing organizations taking this bigger picture view of the data that is generated in their organizations and how they can take value out of existing investments that they've made in sensor networks, uh, and to take greater insight into operations, whether that can be asset utilization, customer service efficiency, it becomes about way more than just, you know, either physical security or cyber security. It becomes really an enterprise shaping O T network. And to us, that is like a massive, massive opportunity, uh, in the, in the industry today. >>Yeah. >>Now you're you're you're oh, go ahead. I'm sorry, Christian, go ahead. Yeah, >>No, it's, it's, it's good. But, you know, going back to a comment that I mentioned earlier about how it was initially siloed and now, you know, we're kind of discovering this diamond in the rough, in terms of all these sensors that are out there, which a lot of organizations didn't even know existed or didn't even know they had. And how can you bring that on kind of across the organizations for non-security related applications? So that's kind of one very interesting kind of, uh, direction that we're, that we've been undergoing for the last few years, and then, you know, security, uh, and physical security for that matter often is kind of the bastard step child. Doesn't get all the budget and, you know, there's lots of opportunities for, to help them increase and improve their operations, uh, as, as Andrew pointed out and really help bringing them into the 21st century. >>Yeah. >>And you're, you're headquartered in Montreal, correct? >>Yes. >>Yeah. So, so the reason, the reason why that's interesting is because, um, and, you know, correct me if I'm, if I'm off base here, but, but you're sort of the bridge between north America and Europe. Uh, and, and, uh, and so you sit at that nexus where, uh, you probably have more of an awareness of, uh, trends in security, which overlap with issues of privacy. Yeah. Where Europe has led in a lot of cases. Um, some of those European like rules are coming to north America. Um, is there anything in your world that is particularly relevant or that concerns you about north America catching up, um, or, or do those worlds of privacy and security not overlap as much as I might think they do? >>Ah, thank you. Any >>Thoughts? >>Absolutely not. No, no. <laugh> joking aside. This is, this is, this is, >>Leave me hanging >><laugh>, uh, this is actually core to our DNA. And, and, and we, we often say out loud how, like Europe has really paved the way for a different way, uh, of, of looking at privacy from a security setting, right. And they're not mutually exclusive. Right. You can have high security all while protecting people's privacy. And it's all of a question of ensuring that, you know, how you kind of, I would say, uh, ethically, uh, use said technology and we can actually put some safeguards in it. So to minimize the likelihood of there being abuse, right? There's, there's something that we do, which we call the privacy protector, which, you know, for all intents and purposes, it's not that complex of an idea. It's, it's really the concept of you have security cameras in a public space or a more sensitive location. And you have your security guards that can actually watch that footage when nothing really happens. >>You, you want to protect people's privacy in these situations. Uh, however, you still want to be able to provide a view to the security guard so they can still make out that, you know, there there's actually people walking around or there's a fight that broke out. And in the likelihood that something did happen, then you can actually view the overall footage. So, and with, with the details that the cameras that you had, you know, the super high mega pixel cameras that you have will provide. So we blur the images of the individuals. We still keep the background. And once you have the proper authorization, and this is based on the governance of the organization, so it can be a four I principle where it could be the chief security officer with the chief privacy officer need to authorize this footage to be kind of UN blurred. And at that point you can UN blur the footage and provide it to law enforcement for the investigation, for example. >>Excellent. I've got Andrew, if you wanted, then I, then I'm. Well, so I, I've a, I have a final question for you. And this comes out of a game that, uh, some friends and I, some friends of mine and I devised over the years, primarily this is played with strangers that you meet on airplanes as you're traveling. But the question you ask is in your career, what you're doing now and over the course of your careers, um, what's the most shocking thing <laugh> that people would learn from what, you know, what do you, what do you find? What's the craziest thing. When you go in to look at these environments that you see that people should maybe address, um, well, go ahead and start with you, Andrew. >>I, >>The most shocking thing you see every day in your world, >>It's very interesting. The most shocking thing I think we've seen in the industry is how willing, uh, some professionals are in our industry to install any kind of device on their networks without actually taking the time to do due diligence on what kind of security risks these devices can have on a network. Because I think a lot of people don't think about a security camera as first and foremost, a computer, and it's a computer with an IP address on a network, and it has a visual sensor, but we always get pulled in by that visual sensor. Right. And it's like, oh, it's a camera. No, it's a computer. And, you know, over the last, I would say eight years in the industry, we've spent a lot of time trying to sensitize the industry to the fact that, you know, you can't just put devices on your, your network without understanding the supply chain, without understanding the motives behind who's put these together and their track record of cybersecurity. So probably the weirdest thing that I've seen in my, um, you know, career in this industry is just the willingness of people not to take time to do due diligence before they hook something up on onto their corporate network where, you know, data can start leaking out, being exfiltrated by those devices and malevolent actors behind them. So gotta ask questions about what you put on your network. >>Christian, did he steal your, did he steal your thunder? Do you have any other, any other thoughts? >>Well, so first of all, there's things I just cannot say on TV. Okay. But you can't OK. >>You can't. Yeah, yeah, yeah. Saying that you're shocked that not everyone speaks French doesn't count. Okay. Let's just get, let's get past that, but, but go, but yeah, go ahead. Any thoughts? >>So, uh, you know, I, I would say something that I I've seen a lot and, and specifically with customers sometimes that were starting to shop for a new system is you'd be surprised by first of all, there's a camera, the likelihood of actually somebody watching it live while you're actually in the field of view of that camera is close to Neil first and foremost, second, there's also a good likelihood that that camera doesn't even record. It actually is not even functional. And, and I would say a lot of organizations often realize that, you know, that camera was not functioning when they actually knew do need to get the footage. And we've seen this with some large incidents, uh, very, uh, bad incidents that happened, uh, whether in the UK or in Boston or whatnot, uh, when they're, when law enforcement is trying to get footage and they realize that a lot of cameras actually weren't recording and, and, and goes back to Andrew's point in terms of the selection process of these devices. >>Yeah. Image resolution is important, like, because you need an, an image that it actually usable so that you can actually do something with it forensically, but you know, these cameras need to be recorded by a reliable system and, and should something happen with the device. And there's always going to be something, you know, power, uh, uh, a bird ate the lens. I don't know what it might be, or squirrel ate the wire. Um, and the camera doesn't work anymore. So you have to replace it. So having a system that provides, you know, you with like health insights in terms of, of, of if it's working or not is, is actually quite important. It needs to be managed like any it environment, right? Yeah. You have all these devices and if one of them goes down, you need to manage it. And most organizations it's fire and forget, I sign a purchase order. I bought my security system, I installed it. It's done. We move on to the next one and seven years later, something bad happens. And like, uhoh, >>It's not a CCTV system. It's a network. Yeah. Life cycle management counts. >>Well, uh, I have to say on that, uh, I'm gonna be doing some research on Canadian birds and squirrels. I, I had no idea, >>Very hungry. >>Andrew, Chris, John, thank you so much. Great conversation, uh, from all of us here at the cube. Thanks for tuning in. Stay tuned. The cube from Silicon angle media, we are your leader in tech coverage.

(upbeat music) >> Okay, we're here talking about how you can better understand and manage the risks associated with the digital supply chain. How in this day and age where software comes from so many different places and sources throughout the ecosystem, how can organizations manage the risks associated with our dependence on software? And with me now are two great guests, Andrea Hall, who is a specialist solution architect and project manager for security and compliance at Red Hat. She's going to focus on public sector. And Andrew Block who's a distinguished architect at Red Hat Consulting, folks welcome. >> Welcome >> Thank you. Thanks for having us. >> You're very welcome. Andrea, let's start with you. Let's talk about regulations. What exists today that we should be aware of that organizations should be paying attention to? >> Oh sure, so the thing that comes to mind first being in the US is the presidential executive order on cybersecurity that came out a few months ago. Organizations are really paying attention to that. And in the US, it's having a ripple effect with policy, but we're also seeing policy considerations pop up in other countries, Australia and England. The supply chain is a big focus right now, of course, but we see these changes coming down the road as more and more government organizations are trying to secure their critical infrastructure. >> Is there kind of a leadership, or probably in other words, is somebody saying seeing what the UK does and say, okay, we're going to follow that template? Or is it just a variety and a mish mash with no sort of consolidation? How is that sort of playing out? >> I see a lot of organizations kind of basing their requirements on (indistinct) However, each organization has its own nuances. Each agency has its own nuances to how it wants them implemented. >> Andrew, maybe you could chime in here. What are you seeing when you talk to customers that are tuned into this issue? >> You know, as Andrea had just mentioned having that north star in terms of regulations is so fundamentally great for them because many of them especially in regulate industries, look to these regulations on how they apply their own policies. So at least it has some guidance on how to move forward because as we all know the secure software supply chain is getting news every day and how they react to it is something that I know all their leaders are asking themselves, especially those IT leaders. >> Andrea, when I talk to practitioners, sometimes they're frustrated. They understand they have to comply. They know new regulations are coming out, but sometimes it's hard for them to keep up. It would be helpful if you're sitting across the table from somebody who's frustrated and they ask you, what are your expectations? What are the trends in regulations? How do you see the current regulations evolving to specifically accommodate the digital supply chain and the security exposures and corollary requirements there? >> We see a lot of organizations struggling in the sense of trying to understand what the policy actually wants. Definitions are still a little bit vague, but implementation is also difficult because sometimes organizations will add more tools to their toolkit, adding a layer of complexity there. Really automation has to be pulled in. That's key to implementing this instead of adding more workload and more burden to your folks. It's really important for these organizations to pull stakeholders in the organization together. So the IT leaders bring together the developers, the security operations sit at the same table, talk about whether or not what needs to be implemented or what's proposed to be implemented, will affect the mission or in any way or disrupt operations. It's important for everybody to be on the same page so it doesn't slow anything down as you're trying to roll it out. >> And one of the things here is that we're seeing a lot of change with these new regulations and with a lot of organizations, any type of change is scary. And that is one area that they're looking for guidance not only in the tooling, but also how they apply it in the organization. >> I'll add on. >> Please. >> I'll add onto that and say, organizations really need to take into account the people side of things too. People need to understand what the impact is to the organization, so that they don't try to find the loopholes, they're buying into what needs to be done. They understand the why behind it. You for example, if you walk into your house, you normally close the door behind you. Security needs to be seen as that, as well, that's the culture and it's the habit. And it's ingrained in the fabric of the organization to live this way, not just implement the tools to do it. >> Right, and the number of doors you have in your infrastructure are a lot more than just a couple. Andrew mentioned sort of guidance and governments are obviously taking a more active role. I mean, sometimes I'm a cynic. I mean, the president Biden signs an executive order, but swipe of a pen doesn't really give us enough to go on. Do you think Andrea, that we're going to see new guidance from governments in the very near future? What are you expecting? >> I expect to see more conversations happening. I know that agencies who developed the policies are pulling together stakeholders and getting input. But I do see in the not too distant future, that mandates will be rolling out, yes. >> Well, so Andrew of course, Andrea, if you have a thought on this as well, but how do you see organizations dealing with adopting these new policies. >> Slowly, don't boil the ocean is one thing I tell a lot to every one of them, because a lot of these tooling, a lot of these concepts are foreign to them, brand new. How they adopt those and how they implement them, needs to be done in a very agile fashion, very slow and prescriptive. Go ahead and try to find one area of improvement and go ahead and work upon it and build upon it. Because not only does that normally make your organization more successful and secure, but also helps your organization just from a more out standpoint. One thing that you need to emphasize is that don't blame anyone. 'Cause a lot of times when you're going through this, you're reassessing your own supply chain. You might find where you could see improvements that need to be done. Don't blame things that may have occurred in the past. See how you can benefit from these lessons learned in the future. >> It's interesting you say that the blame game, I mean it used to be that failure meant you get fired and that's obviously has changed. As many have said, you know you're going to have incidents. It's how you respond to those incidents. What you learn from them. Do you have Andrew, any insights from specifically working with customers on securing their software supply chain? What can you tell us about what leading practitioners are doing today? >> They're going in and not only assessing what their software components consist of. Using tools like an SBOM, a software bill of materials, understand where all the components of their ecosystem and their lineage comes from. We're hearing almost every single day, new vulnerabilities that are being introduced in various software packages. By having that understanding of what is in your ecosystem, you can then better understand how to mitigate those concerns moving forward. >> Andrea, Andrew was just saying, one of the things is you don't just dive in. You've got to be careful. There's going to be ripple effects is what I'm inferring, but at the same time, there's a mandate to move quickly. Are there things that could accelerate the adoption of regulation or even the creation of regulations and that guidance in your view? What could accelerate this? >> As far as accelerating it goes, I think it's having those conversations proactively with the stakeholders in your organization and understanding the environment like Andrew said. Go ahead and get that baseline. And just know that whatever changes you make are maybe going to be audited down the road, because as we were moving towards this kind of third-party verification, that you're actually implementing things in order to do business with another organization. The importance of that, if organizations see that gravity to this, I think they will try to speed things up. I think that if organizations and the people in those organizations understand that why, that I talked about earlier and they understand how things like solar winds or things like the oil disruption that happened earlier this year. The personal effect to cyber events will help your organization move forward. Again, everybody's bought into the concept, everybody's working towards the same goals and they understand that why behind it. >> In addition to that, having tooling available, that makes it easy for them. You have a lot of individuals who this is all foreign, providing that base level tooling that aligns to a lot of the regulations that might be applicable within their real realm and their domain, makes it easier for them to start to complying and taking less burden off of them to be able to be successful. >> So it's a hard problem because Andrew, how do you deal with sort of the comment more tools, okay. But I look at that the Optiv map, if you've seen that. It makes your eyes cross. You've got so many tools, so much fragmentation, you're introducing new tools. Can automation help that? Is there hope for consolidation of that tools portfolio? >> Right now, this space is very emerging. It's very emerging, it's very fluid to be honest, 'cause there is actually mandates only a year or two old. But as they come over the course of time, however, I do see these types of tooling starting to consolidate where right now it seems like every vendor has a tool that tries to address this. It's being able to have the people work together, have more regulations that will come out that will allow us to start to redefine and solidify on certain tools like ISO standards. There are certain ones that I mentioned on as balance previously, there's now a ISO standard on SBOM there wasn't previously. So as more and more of these regulations come out, it makes it easier to provide that recommended set of tooling that organizations can start leveraging instead of vendor A, vendor B. >> Andrea, I said this before I was a cynic, but will give you the last word, give us some hope. I mean, obviously public policy is very important. A partnership between governments and industry, both the practitioners, the organizations that are buying these tools, as well as the technology industry got to work together in an ecosystem. Give us some hope. >> The hope I think will come from realizing that as you're doing this, as you are implementing these changes, you're in a sense trying to prevent those future incidents from happening. There's some assurance that you're doing everything that you can do here. It's a situation, it can be daunting, I'll put it that way. It can be really daunting for organizations, but just know that organizations like Red Hat are doing what we can to help you down the road. >> And really it's just continuing this whole shifting left mentality. The top of supply chain is just one component, but the introducing dev sec ops security at the beginning, that really will make the organizations become successful because this is not just a technology problem, It's a people issue as well. And being able to kind of package them all up together will help organizations as a whole. >> Yeah, so that's a really important point. You hear that term shift left. For years, people say, hey, you can't just bolt security on, as an afterthought, that's problematic. And that's the answer to that problem, right? Is shifting left meaning designing it in at the point of code, infrastructure as code, dev sec ops. That's where it starts, right? >> Exactly, being able to have security at the forefront and then have everything afterwards. Propagate from your security mindset. >> Excellent, okay, Andrea, Andrew, thanks so much for coming to the program today. >> Thank you for having us. >> Very welcome, thanks for watching. This is Dave Vellante for The Cube. Your a global leader in enterprise tech coverage. (soft music)

(upbeat music) >> Welcome to the AWS start up showcase, theCUBE's premiere platform and show. This is our second season, episode one of this program. I'm Lisa Martin, your host here with two guests here to talk about open source. Please welcome Andrew Backes, the VP of engineering at Armory, and one of our alumni, Ian Delahorne, the staff site, reliability engineer at Patreon. Guys, it's great to have you on the program. >> Thank you. >> Good to be back. >> We're going to dig into a whole bunch of stuff here in the next fast paced, 15 minutes. But Andrew, let's go ahead and start with you. Give the audience an overview of Armory, who you guys are, what you do. >> I'd love to. So Armory was founded in 2016 with the vision to help companies unlock innovation through software. And what we're focusing on right now is, helping those companies and make software delivery, continuous, collaborative, scalable, and safe. >> Got it, those are all very important things. Ian help the audience, if anyone isn't familiar with Patreon, it's a very cool platform. Talk to us a little bit about that Ian. >> Absolutely, Patreon is a membership platform for creators to be able to connect with their fans and for fans to be able to subscribe to their favorite creators and help creators get paid and have them earn a living with, just by being connected straight to their audience. >> Very cool, creators like podcasters, even journalists video content writers. >> Absolutely. There's so many, there's everything from like you said, journalists, YouTubers, photographers, 3D modelers. We have a nightclub that's on there, there's several theater groups on there. There's a lot of different creators. I keep discovering new ones every day. >> I like that, I got to check that out, very cool. So Andrew, let's go to your, we talk about enterprise scale and I'm using air quotes here. 'Cause it's a phrase that we use in every conversation in the tech industry, right? Scalability is key. Talk to us about what enterprise scale actually means from Armory's perspective. Why is it so critical? And how do you help enterprises to actually achieve it? >> Yeah, so the, I think a lot of the times when companies think about enterprise scale, they think about the volume of infrastructure, or volume of software that's running at any given time. There's also a few more things that go into that just beyond how many EC2 instances you're running or containers you're running. Also velocity, count how much time does it take you to get features out to your customers and then stability and reliability. Then of course, in enterprises, it isn't as simple as everyone deploying to the same targets. It isn't always just EC2, a lot of the time it's going to be multiple targets, EC2, it's going to be ECS, Lambda. All of these workloads are out there running. And how does a central platform team or a tooling team at a site enable that for users, enable deployment capabilities to those targets? Then of course, on top of that, there's going to be site specific technologies. And how do, how does your deployment tooling integrate with those site specific technologies? >> Is, Andrew is enterprise scale now even more important given the very transformative events, we've seen the last two years? We've seen such acceleration, cloud adoption, digital transformation, really becoming a necessity for businesses to stay alive. Do you think that, that skill now is even more important? >> Definitely, definitely. The, what we see, we've went through a wave of the, the first set of digital transformations, where companies are moving to the cloud and we know that's accelerating quite a bit. So that scale is all moving to the cloud and the amount of multiple targets that are being deployed to at any given moment, they just keep increasing. So that is a concern that companies need to address. >> Let's talk about the value, but we're going to just Spinnaker here in the deployment. But also let's start Andrew with the value that, Armory delivers on top of Spinnaker. What makes this a best of breed solution? >> Yeah, so on top of open-source Spinnaker, there are a lot of other building blocks that you're going to need to deploy at scale. So you're going to need to be able to provide modules or some way of giving your users a reusable building block that is catered to your site. So that is one of the big areas that Armory focuses on, is how can we provide building blocks on top of open source Spinnaker that sites can use to tailor the solution to their needs. >> Got it, tailor it to their needs. Ian let's bring you back into the conversation. Now, talk to us about the business seeds, the compelling event that led Patreon to choose Spinnaker on top of Armory. >> Absolutely. Almost three years ago, we had an outage which resulted in our payment processing slowed down. And that's something we definitely don't want to have happen because this would hinder creator's ability to get paid on time for them to be able to pay their employees, pay their rent, hold that hole, like everything that, everyone that depends on them. And there were many factors that went into this outage and one of them we identified is that it was very hard for us to, with our custom belt deploy tooling, to be able to easily deploy fast and to roll back if things went wrong. So I had used Spinnaker before to previous employer early on, and I knew that, that would be a tool that we could use to solve our problem. The problem was that the SRE team at Patreon at that time was only two people. So Spinnaker is a very complex product. I didn't have the engineering bandwidth to be able to, set up, deploy, manage it on my own. And I had happened to heard of Armory just that week before and was like, "This is the company that could probably help me solve my problems." So I engaged early on with Andrew and the team. And we migrated our customers deployed to, into Spinnaker and help stabilize our deploys and speed them up. >> So you were saying that the deployments were taking way too long before. And of course, as you mentioned from a payment processing perspective, that's people's livelihoods. So that's a pretty serious issue there. You found Armory a week into searching this seems like stuff went pretty quickly. >> And the week before the incident, they had randomly, the, one of the co-founders randomly reached out to me and was like, "We're doing this thing with Armory. You might be interested in this, we're doing this thing with Spinnaker, it's called Armory." And I kind of filed it away. And then they came fortuitous that we were able to use them, like just reach out to them like a week later. >> That is fortuitous, my goodness, what a good outreach and good timing there on Armory's part. And sticking with you a little bit, talk to us about what it is that the business challenges that Armory helps you to resolve? What is it about it that, that just makes you know this is the exact right solution for us? Obviously you talked about not going direct with Spinnaker as a very lean IT team. But what are some of the key business needs that it's solving? >> Yeah, there's several business things that we've been able to leverage Armory for. One of them as I mentioned, they, having a deployment platform that we know will give us, able deploys has been very important. There's been, they have a policy engine module that we use for making sure that certain environments can only be deployed to by certain individuals for compliance issues. We definitely, we use their pipelines as code module for being able to use, build, to build reusable deploy pipelines so that software engineers can easily integrate Spinnaker into their builds. Without having to know a lot about Spinnaker. There's like here, take these, take this pipeline module and add your variables into it, and you'll be off to the races deploying. So those are some of the value adds that Armory has been able to add on top of Spinnaker. On top of that, we use their managed products. So they have a team that's managing our Spinnaker installation, helping us with upgrades, helping up the issues, all that stuff that unlocks us to be able to focus on building our creators. Instead of focusing on operating Spinnaker. >> Andrew, back to you. Talk to me a little bit about as the VP of engineering, the partnership, the relationship that Armory has with Patreon and how symbiotic is it? How much are they helping you to develop the product that Armory is delivering to its customers? >> Yeah, one of the main things we want to make sure we do is help Patreon be successful. So that's, there are going to be some site specific needs there that we want to make sure that we are in tune with and that we're helping with, but really we view it as a partnership. So, Patreon has worked with us. Well, I can't believe it's been three years or kind of a little bit more now. But it's, it, we have had a lot of inner, a lot of feedback sessions, a lot of going back and forth on how we can improve our product to meet the needs of Patreon better. And then of course the wider market. So one thing that is neat about seeing a smaller team, SRE team that Ian is on, is they can depend on us more. They have less bandwidth with themselves to invest into their tooling. So that's the opportunity for us to provide those more mature building blocks to them. So that they can combine those in a way that makes them, that meets their needs and their business needs. >> And Ian, back to you, talk to me about how has the partnership with Armory? You said it's been almost three years now. How has that helped you do your job better as an SRE? What are some of the advantages of that, to that role? >> Yeah, absolutely. Armory has been a great partner to work with. We've used their expertise in helping to bring new features into the open-source Spinnaker. Especially when we decided that we wanted to not only deploy to EC2 instances, but we wanted to play to elastic container service and Lambdas to shift from our normal instance based deploys into the containerization. There were several warrants around the existing elastic container service deploy, and Lambda deploys that we were able to work with Armory and have them champion some changes inside open-source as well as their custom modules to help us be able to shift our displays to those targets. >> Got it. Andrew back over to you, talk to me, I want to walk through, you talked about from an enterprise scale perspective, some of the absolute critical components there. But I want to talk about what Armory has done to help customers like Patreon to address things like speed to market, customer satisfaction as Ian was talking about, the compelling event was payment processing. A lot of content creators could have been in trouble there. Talk to, walk me through how you're actually solving those key challenges that not just Patreon is facing, but enterprises across industries. >> Yeah, of course, so the, talking to specifically to what brought Ian in was, a problem that they needed to fix inside of their system. So when you are rolling out a change like that, you want it to be fast. You want to get that chain, change out very quickly, but you also want to make sure that the deployment system itself is stable and reliable. So the last thing you're going to want is any sort of hiccup with the tool that you're using to fix your product, to roll out changes to your customers. So that is a key focus area for us in everything that we do is we make sure that whenever we're building features that are going to expand capabilities, deployment capabilities. That we're, we are focusing firstly on stability and reliability of the deployment system itself. So those are a few features, a few focus areas that we continually build into the product. And you can, I mean, I'm sure a lot of enterprises know that as soon as you start doing things at massive scale, sometimes the stability and reliability, can, you'll be jeopardized a little bit. Or you start hitting against those limits or what are the, what walls do you encounter? So one of the key things we're doing is building ahead of that, making sure that our features are enabling users to hit deployment scales they've never seen or imagined before. So that's a big part of what Armory is. >> Ian, can you add a number to that in terms of the before Armory and the after in terms of that velocity? >> Absolutely, before Armory our deploys would take some times, somewhere around 45 minutes. And we cut that in half, if not more to down to like the like 16 to 20 minute ranges where we are currently deploying to a few hundred hosts. So, and that is the previous deployment strategy would take longer. If we scaled up the number of instances for big events, like our payment processing we do the first of the month currently. So being able to have that and know that our deploys will take about the same amount of time each time, it will be faster. That helps us bring features to create some fans a lot faster. And the stability aspect has also been very important, knowing that we have a secure way to roll back if needed, which you didn't have previously in case something goes wrong, that's been extremely useful. >> And I can imagine, Ian that velocity is critical because I mean more and more and more these days, there are content creators everywhere in so many different categories that we've talked about. Even nightclubs, that to be able to deliver that velocity through a part, a technology like Armory is table-stakes for against business. >> Absolutely, yeah. >> Andrew, back over to you. I want to kind of finish out here with, in the last couple of years where things have been dynamic. Have you seen any leading indices? I know you guys work with enterprises across organizations and Fortune 500s. But have you seen any industries in particular that are really leaning on Armory to help them achieve that velocity that we've been talking about? >> We have a pretty good spread across the market, but since we are focused on cloud, to deploy to cloud technologies, that's one of the main value props for Armory. So that's going to be enabling deployments to AWS in similar clouds. So the companies that we work with are really ones that have either already gone through that transformation or are on their journey. Then of course, now Kubernetes is a force, it's kind of taken over. So we're getting pulled into even more companies that are embracing Kubernetes. So I wouldn't say that there's an overall trend, but we have customers all across the Fortune 500, all across mid-market to Fortune 500. So there's depending on the complexity of the corporation itself or the enterprise itself we're able to do. I think Ian mentioned our policy engine and a few other features that are really tailored to companies that have restricted environments and moving into the cloud. >> Got it, and that's absolutely critical these days to help organizations pivot multiple times and to get that speed to market. 'Cause that's, of course as consumers, whether we're on the business side or the commercial side, we have an expectation that we're going to be able to get whatever we want A-S-A-P. And especially if that's payments processing, that's pretty critical. Guys, thank you for joining me today, talking about Armory, built on Spinnaker, what it's doing for customers like Patreon. We appreciate your time and your insights. >> Thank you so much. >> Thank you. Thank you so much. >> For my guests, I'm Lisa Martin. You're watching theCUBE's, AWS startup showcase, season two, episode one. (upbeat music)

(upbeat music) >> Okay, we're here talking about how you can better understand and manage the risks associated with the digital supply chain. How in this day and age where software comes from so many different places and sources throughout the ecosystem, how can organizations manage the risks associated with our dependence on software? And with me now are two great guests, Andrea Hall, who is a specialist solution architect and project manager for security and compliance at Red Hat. She's going to focus on public sector. And Andrew Block who's a distinguished architect at Red Hat Consulting, folks welcome. >> Welcome >> Thank you. Thanks for having us. >> You're very welcome. Andrea, let's start with you. Let's talk about regulations. What exists today that we should be aware of that organizations should be paying attention to? >> Oh sure, so the thing that comes to mind first being in the US is the presidential executive order on cybersecurity that came out a few months ago. Organizations are really paying attention to that. And in the US, it's having a ripple effect with policy, but we're also seeing policy considerations pop up in other countries, Australia and England. The supply chain is a big focus right now, of course, but we see these changes coming down the road as more and more government organizations are trying to secure their critical infrastructure. >> Is there kind of a leadership, or probably in other words, is somebody saying seeing what the UK does and say, okay, we're going to follow that template? Or is it just a variety and a mish mash with no sort of consolidation? How is that sort of playing out? >> I see a lot of organizations kind of basing their requirements on (indistinct) However, each organization has its own nuances. Each agency has its own nuances to how it wants them implemented. >> Andrew, maybe you could chime in here. What are you seeing when you talk to customers that are tuned into this issue? >> No as Andrea had just mentioned having that north star in terms of regulations is so fundamentally great for them because many of them especially in regulate industries, look to these regulations on how they apply their own policies. So at least it has some guidance on how to move forward because as we all know the secure software supply chain is getting news every day and how they react to it is something that I know all their leaders are asking themselves, especially those IT leaders. >> Andrea, when I talk to practitioners, sometimes they're frustrated. They understand they have to comply. They know new regulations are coming out, but sometimes it's hard for them to keep up. It would be helpful if you're sitting across the table from somebody who's frustrated and they ask you, what are your expectations? What are the trends in regulations? How do you see the current regulations evolving to specifically accommodate the digital supply chain and the security exposures and corollary requirements there? >> We see a lot of organizations struggling in the sense of trying to understand what the policy actually wants. Definitions are still a little bit vague, but implementation is also difficult because sometimes organizations will add more tools to their toolkit, adding a layer of complexity there. Really automation has to be pulled in. That's key to implementing this instead of adding more workload and more burden to your folks. It's really important for these organizations to pull stakeholders in the organization together. So the IT leaders bring together the developers, the security operations sit at the same table, talk about whether or not what needs to be implemented or what's proposed to be implemented, will affect the mission or in any way or disrupt operations. It's important for everybody to be on the same page so it doesn't slow anything down as you're trying to roll it out. >> And one of the things here is that we're seeing a lot of change with these new regulations and with a lot of organizations, any type of change is scary. And that is one area that they're looking for guidance not only in the tooling, but also how they apply it in the organization. >> I'll add on. >> Please. >> I'll add onto that and say, organizations really need to take into account the people side of things too. People need to understand what the impact is to the organization, so that they don't try to find the loopholes, they're buying into what needs to be done. They understand the why behind it. You for example, if you walk into your house, you normally close the door behind you. Security needs to be seen as that, as well, that's the culture and it's the habit. And it's ingrained in the fabric of the organization to live this way, not just implement the tools to do it. >> Right, and the number of doors you have in your infrastructure are a lot more than just a couple. Andrew mentioned sort of guidance and governments are obviously taking a more active role. I mean, sometimes I'm a cynic. I mean, the president Biden signs an executive order, but swipe of a pen doesn't really give us enough to go on. Do you think Andrea, that we're going to see new guidance from governments in the very near future? What are you expecting? >> I expect to see more conversations happening. I know that agencies who developed the policies are pulling together stakeholders and getting input. But I do see in the not too distant future, that mandates will be rolling out, yes. >> Well, so Andrew of course, Andrea, if you have a thought on this as well, but how do you see organizations dealing with adopting these new policies. >> Slowly, don't boil the ocean is one thing I tell a lot to every one of them, because a lot of these tooling, a lot of these concepts are foreign to them, brand new. How they adopt those and how they implement them, needs to be done in a very agile fashion, very slow and prescriptive. Go ahead and try to find one area of improvement and go ahead and work upon it and build upon it. Because not only does that normally make your organization more successful and secure, but also helps your organization just from a more out standpoint. One thing that you need to emphasize is that don't blame anyone. 'Cause a lot of times when you're going through this, you're reassessing your own supply chain. You might find where you could see improvements that need to be done. Don't blame things that may have occurred in the past. See how you can benefit from these lessons learned in the future. >> It's interesting you say that the blame game, I mean it used to be that failure meant you get fired and that's obviously has changed. As many have said, you know you're going to have incidents. It's how you respond to those incidents. What you learn from them. Do you have Andrew, any insights from specifically working with customers on securing their software supply chain? What can you tell us about what leading practitioners are doing today? >> They're going in and not only assessing what their software components consist of. Using tools like an SBOM, a software bill of materials, understand where all the components of their ecosystem and their lineage comes from. We're hearing almost every single day, new vulnerabilities that are being introduced in various software packages. By having that understanding of what is in your ecosystem, you can then better understand how to mitigate those concerns moving forward. >> Andrea, Andrew was just saying, one of the things is you don't just dive in. You've got to be careful. There's going to be ripple effects is what I'm inferring, but at the same time, there's a mandate to move quickly. Are there things that could accelerate the adoption of regulation or even the creation of regulations and that guidance in your view? What could accelerate this? >> As far as accelerating it goes, I think it's having those conversations proactively with the stakeholders in your organization and understanding the environment like Andrew said. Go ahead and get that baseline. And just know that whatever changes you make are maybe going to be audited down the road, because as we were moving towards this kind of third-party verification, that you're actually implementing things in order to do business with another organization. The importance of that, if organizations see that gravity to this, I think they will try to speed things up. I think that if organizations and the people in those organizations understand that why, that I talked about earlier and they understand how things like solar winds or things like the oil disruption that happened earlier this year. The personal effect to cyber events will help your organization move forward. Again, everybody's bought into the concept, everybody's working towards the same goals and they understand that why behind it. >> In addition to that, having tooling available, that makes it easy for them. You have a lot of individuals who this is all foreign, providing that base level tooling that aligns to a lot of the regulations that might be applicable within their real realm and their domain, makes it easier for them to start to complying and taking less burden off of them to be able to be successful. >> So it's a hard problem because Andrew, how do you deal with sort of the comment more tools, okay. But I look at that the Optiv map, if you've seen that. It makes your eyes cross. You've got so many tools, so much fragmentation, you're introducing new tools. Can automation help that? Is there hope for consolidation of that tools portfolio? >> Right now, this space is very emerging. It's very emergent, it's very fluid to be honest, 'cause there is actually mandates only a year or two old. But as they come over the course of time, however, I do see these types of tooling starting to consolidate where right now it seems like every vendor has a tool that tries to address this. It's being able to have the people work together, have more regulations that will come out that will allow us to start to redefine and solidify on certain tools like ISO standards. There are certain ones that I mentioned on as balance previously, there's now a ISO standard on SBOM there wasn't previously. So as more and more of these regulations come out, it makes it easier to provide that recommended set of tooling that organization is leveraging instead of vendor A, vendor B. >> Andrea, I said this before I was a cynic, but will give you the last word, give us some hope. I mean, obviously public policy is very important. A partnership between governments and industry, both the practitioners, the organizations that are buying these tools, as well as the technology industry got to work together in an ecosystem. Give us some hope. >> The hope I think will come from realizing that as you're doing this, as you are implementing these changes, you're in a sense trying to prevent those future incidents from happening. There's some assurance that you're doing everything that you can do here. It's a situation, it can be daunting, I'll put it that way. It can be really daunting for organizations, but just know that organizations like Red Hat are doing what we can to help you down the road. >> And really it's just continuing this whole shifting left mentality. The top of supply chain is just one component, but the introducing dev sec ops security at the beginning, that really will make the organizations become successful because this is not just a technology problem, It's a people issue as well. And being able to kind of package them all up together will help organizations as a whole. >> Yeah, so that's a really important point. You hear that term shift left. For years, people say, hey, you can't just bolt security on, as an afterthought, that's problematic. And that's the answer to that problem, right? Is shifting left meaning designing it in at the point of code, infrastructure as code, dev sec ops. That's where it starts, right? >> Exactly, being able to have security at the forefront and then have everything afterwards. Propagate from your security mindset. >> Excellent, okay, Andrea, Andrew, thanks so much for coming to the program today. >> Thank you for having us. >> Very welcome, thanks for watching. This is Dave Vellante for The Cube. Your a global leader in enterprise tech coverage. (soft music)

(upbeat music) >> Okay, we're here talking about how you can better understand and manage the risks associated with the digital supply chain. How in this day and age where software comes from so many different places and sources throughout the ecosystem, how can organizations manage the risks associated with our dependence on software? And with me now are two great guests, Andrea Hall, who is a specialist solution architect and project manager for security and compliance at Red Hat. She's going to focus on public sector. And Andrew Block who's a distinguished architect at Red Hat Consulting, folks welcome. >> Welcome >> Thank you. Thanks for having us. >> You're very welcome. Andrea, let's start with you. Let's talk about regulations. What exists today that we should be aware of that organizations should be paying attention to? >> Oh sure, so the thing that comes to mind first being in the US is the presidential executive order on cybersecurity that came out a few months ago. Organizations are really paying attention to that. And in the US, it's having a ripple effect with policy, but we're also seeing policy considerations pop up in other countries, Australia and England. The supply chain is a big focus right now, of course, but we see these changes coming down the road as more and more government organizations are trying to secure their critical infrastructure. >> Is there kind of a leadership, or probably in other words, is somebody saying seeing what the UK does and say, okay, we're going to follow that template? Or is it just a variety and a mish mash with no sort of consolidation? How is that sort of playing out? >> I see a lot of organizations kind of basing their requirements on (indistinct) However, each organization has its own nuances. Each agency has its own nuances to how it wants them implemented. >> Andrew, maybe you could chime in here. What are you seeing when you talk to customers that are tuned into this issue? >> No as Andrea had just mentioned having that north star in terms of regulations is so fundamentally great for them because many of them especially in regulate industries, look to these regulations on how they apply their own policies. So at least it has some guidance on how to move forward because as we all know the secure software supply chain is getting news every day and how they react to it is something that I know all their leaders are asking themselves, especially those IT leaders. >> Andrea, when I talk to practitioners, sometimes they're frustrated. They understand they have to comply. They know new regulations are coming out, but sometimes it's hard for them to keep up. It would be helpful if you're sitting across the table from somebody who's frustrated and they ask you, what are your expectations? What are the trends in regulations? How do you see the current regulations evolving to specifically accommodate the digital supply chain and the security exposures and corollary requirements there? >> We see a lot of organizations struggling in the sense of trying to understand what the policy actually wants. Definitions are still a little bit vague, but implementation is also difficult because sometimes organizations will add more tools to their toolkit, adding a layer of complexity there. Really automation has to be pulled in. That's key to implementing this instead of adding more workload and more burden to your folks. It's really important for these organizations to pull stakeholders in the organization together. So the IT leaders bring together the developers, the security operations sit at the same table, talk about whether or not what needs to be implemented or what's proposed to be implemented, will affect the mission or in any way or disrupt operations. It's important for everybody to be on the same page so it doesn't slow anything down as you're trying to roll it out. >> And one of the things here is that we're seeing a lot of change with these new regulations and with a lot of organizations, any type of change is scary. And that is one area that they're looking for guidance not only in the tooling, but also how they apply it in the organization. >> I'll add on. >> Please. >> I'll add onto that and say, organizations really need to take into account the people side of things too. People need to understand what the impact is to the organization, so that they don't try to find the loopholes, they're buying into what needs to be done. They understand the why behind it. You for example, if you walk into your house, you normally close the door behind you. Security needs to be seen as that, as well, that's the culture and it's the habit. And it's ingrained in the fabric of the organization to live this way, not just implement the tools to do it. >> Right, and the number of doors you have in your infrastructure are a lot more than just a couple. Andrew mentioned sort of guidance and governments are obviously taking a more active role. I mean, sometimes I'm a cynic. I mean, the president Biden signs an executive order, but swipe of a pen doesn't really give us enough to go on. Do you think Andrea, that we're going to see new guidance from governments in the very near future? What are you expecting? >> I expect to see more conversations happening. I know that agencies who developed the policies are pulling together stakeholders and getting input. But I do see in the not too distant future, that mandates will be rolling out, yes. >> Well, so Andrew of course, Andrea, if you have a thought on this as well, but how do you see organizations dealing with adopting these new policies. >> Slowly, don't boil the ocean is one thing I tell a lot to every one of them, because a lot of these tooling, a lot of these concepts are foreign to them, brand new. How they adopt those and how they implement them, needs to be done in a very agile fashion, very slow and prescriptive. Go ahead and try to find one area of improvement and go ahead and work upon it and build upon it. Because not only does that normally make your organization more successful and secure, but also helps your organization just from a more out standpoint. One thing that you need to emphasize is that don't blame anyone. 'Cause a lot of times when you're going through this, you're reassessing your own supply chain. You might find where you could see improvements that need to be done. Don't blame things that may have occurred in the past. See how you can benefit from these lessons learned in the future. >> It's interesting you say that the blame game, I mean it used to be that failure meant you get fired and that's obviously has changed. As many have said, you know you're going to have incidents. It's how you respond to those incidents. What you learn from them. Do you have Andrew, any insights from specifically working with customers on securing their software supply chain? What can you tell us about what leading practitioners are doing today? >> They're going in and not only assessing what their software components consist of. Using tools like an SBOM, a software bill of materials, understand where all the components of their ecosystem and their lineage comes from. We're hearing almost every single day, new vulnerabilities that are being introduced in various software packages. By having that understanding of what is in your ecosystem, you can then better understand how to mitigate those concerns moving forward. >> Andrea, Andrew was just saying, one of the things is you don't just dive in. You've got to be careful. There's going to be ripple effects is what I'm inferring, but at the same time, there's a mandate to move quickly. Are there things that could accelerate the adoption of regulation or even the creation of regulations and that guidance in your view? What could accelerate this? >> As far as accelerating it goes, I think it's having those conversations proactively with the stakeholders in your organization and understanding the environment like Andrew said. Go ahead and get that baseline. And just know that whatever changes you make are maybe going to be audited down the road, because as we were moving towards this kind of third-party verification, that you're actually implementing things in order to do business with another organization. The importance of that, if organizations see that gravity to this, I think they will try to speed things up. I think that if organizations and the people in those organizations understand that why, that I talked about earlier and they understand how things like solar winds or things like the oil disruption that happened earlier this year. The personal effect to cyber events will help your organization move forward. Again, everybody's bought into the concept, everybody's working towards the same goals and they understand that why behind it. >> In addition to that, having tooling available, that makes it easy for them. You have a lot of individuals who this is all foreign, providing that base level tooling that aligns to a lot of the regulations that might be applicable within their real realm and their domain, makes it easier for them to start to complying and taking less burden off of them to be able to be successful. >> So it's a hard problem because Andrew, how do you deal with sort of the comment more tools, okay. But I look at that the Optiv map, if you've seen that. It makes your eyes cross. You've got so many tools, so much fragmentation, you're introducing new tools. Can automation help that? Is there hope for consolidation of that tools portfolio? >> Right now, this space is very emerging. It's very emergent, it's very fluid to be honest, 'cause there is actually mandates only a year or two old. But as they come over the course of time, however, I do see these types of tooling starting to consolidate where right now it seems like every vendor has a tool that tries to address this. It's being able to have the people work together, have more regulations that will come out that will allow us to start to redefine and solidify on certain tools like ISO standards. There are certain ones that I mentioned on as balance previously, there's now a ISO standard on SBOM there wasn't previously. So as more and more of these regulations come out, it makes it easier to provide that recommended set of tooling that organization is leveraging instead of vendor A, vendor B. >> Andrea, I said this before I was a cynic, but will give you the last word, give us some hope. I mean, obviously public policy is very important. A partnership between governments and industry, both the practitioners, the organizations that are buying these tools, as well as the technology industry got to work together in an ecosystem. Give us some hope. >> The hope I think will come from realizing that as you're doing this, as you are implementing these changes, you're in a sense trying to prevent those future incidents from happening. There's some assurance that you're doing everything that you can do here. It's a situation, it can be daunting, I'll put it that way. It can be really daunting for organizations, but just know that organizations like Red Hat are doing what we can to help you down the road. >> And really it's just continuing this whole shifting left mentality. The top of supply chain is just one component, but the introducing dev sec ops security at the beginning, that really will make the organizations become successful because this is not just a technology problem, It's a people issue as well. And being able to kind of package them all up together will help organizations as a whole. >> Yeah, so that's a really important point. You hear that term shift left. For years, people say, hey, you can't just bolt security on, as an afterthought, that's problematic. And that's the answer to that problem, right? Is shifting left meaning designing it in at the point of code, infrastructure as code, dev sec ops. That's where it starts, right? >> Exactly, being able to have security at the forefront and then have everything afterwards. Propagate from your security mindset. >> Excellent, okay, Andrea, Andrew, thanks so much for coming to the program today. >> Thank you for having us. >> Very welcome, thanks for watching. This is Dave Vellante for The Cube. Your a global leader in enterprise tech coverage. (soft music)

(upbeat music) >> Welcome to this CUBE conversation. I'm Lisa Martin. Today, we're going to be talking about the cyber protection and recovery solutions for unstructured data. I have two guests joining me, Andrew Mackay is here, The President of Superna, and Parasar Kodati, Senior Consultant, ISG Product Marketing at Dell technologies. Guys, great to have you on the program talking about cybersecurity, cyber resiliency. Something that we've heard a lot in the news in the last 18 months or so. Parasar, let's go ahead and start with you. Talk to us about what you're seeing from a cybersecurity perspective, some of the challenges the last 18 months or so, and then tell us what Dell is doing specifically to really infuse its storage solutions to enable customers to have that cyber resiliency that they need. >> Sure, Lisa. So today, there's no question that cyberattacks have become a serious threat for business operations, for organizations of all sizes across all industries. And if you look at the consequences, there is a huge financial impact of course, through the, like 70% of the cyberattacks when they're financially motivated. Look at the ransom part, which is a big financial impact in itself, but look at the lost revenue from disrupted operations, legal expenses, and sometimes regulatory fines, and so on, add up to the financial impact. And if you look at the data after data loss that is involved, data being such a critical asset for organizations, think about losing customer data, losing access to customer data or critical applications that depend on customer data. Similarly, data related to your business operations data that is source of your competitive advantage data that could be very confidential information as well. And when it comes to government organization, institutions, there is also the issue of national security and the need to protect critical infrastructure that depend on these IT systems as well. So absolutely it is becoming an imperative for IT organizations to improve the cyber resiliency, to boost the cyber resiliency of their organization. At Dell technologies, for the storage products that we offer, we have integrated solutions to protect the data in terms of detecting patterns of data access, to detect the cyber attacks in advance, to kind of put IT a step ahead of these attackers and also have the tools and technologies to recover from a cyberattack rapidly so that the business can continue to run. >> That recovery is absolutely critical. It's one thing to have all this data, customer data, PII, competitive advantage data, but you have to be able to recover it because as you said, we've seen this now become a matter of national security, infrastructure being threatened. The ransomware rise we have seen in the last 18 months has been unprecedented. I want to talk now, Andrew, about Superna. Talk to us about what you guys do and how you're a partner with Dell technologies and helping customers recover and really be cyber resilient. >> Yeah, we've been working with Dell for years. In fact, our products are built in targeting the Isilon PowerScale platform. So we're at very closely tightly integrated solution that focuses on solving one problem, solving it really well. >> Talk to me a little bit about what you guys are doing specifically with the Dell technology storage solutions to help customers in any industry be able to recover. As we know now, ransomware is not, if it happens to us, it's a wand. Give us a little bit more of a dissection of those solutions. >> So when we looked at this problem, it's associated with files, right? But today, there's files and objects, objects and other types of unstructured data. So we've built a solution that addresses both file and object. But one of the areas that we think is important for customers to consider is the framework that they choose. They shouldn't just jump in and start looking for products. They should step back and take a look at what frameworks exist. For instance, the NIST framework, that guides them in how they build and tick off all the key boxes and how to build a cyber resilient solution. >> So for companies that are using traditional legacy tools, backup and restore it, how was what Superna enables, how is it different? >> So the buzzword these days is zero trust. So I'm going to use the buzzword. So we use a zero trust model, but really that comes down to being proactive. And I consider a backup/restore, a bit of a legacy approach. That's just restore the data after you've been attacked. So we think you should get in front of the problem and don't trust any of the access to the storage and try to take care of the problem at the source, which means detection patterns, locking usually out of the file system, reacting in real time to real-time IO that's being processed by a storage device. >> Got it. Parasar, let's talk now about unstructured data specifically and why does it need protection against the attacks? >> Traditionally, structured data or the enterprise databases have been the more critical data to protect, but more and more unstructured data is also becoming a source of competitive differentiation for customers. Think about artificial intelligence, machine learning, internet of things, a lot of edge computing. And a lot of this data is actually being stored on highly scalable NAS platforms like Dell EMC PowerScale. And this is where, given the volume of the data involved, we actually have a unique solution for unstructured data to protect it from cyberattacks and also having the recovery mechanisms in place. So most of the audience might have already heard about the PowerProtect Cyber Recovery solution, but for unstructured data, we have something unique in the industry in terms of rapid recovery of large amount of data within a few hours for a business to be up and running in the event of a cyberattack. So when it comes to the data protection technologies on the PowerScale platform, we have, starting from the operating system, the OneFS, already has a great foundation in terms of access control, separate access zones that can be protected. And these things work across multiple protocols, which is a really key thing about how this technology works in terms of access control. But thanks to the great technology that Andrew and his team is building, the Ransomware Defender, real-time access auditing. These products from the core, kind of cyber resiliency framework when it comes to unstructured data on power skill platforms. >> Got it. Andrew, let's talk about the NIST framework. As we've talked about in the last few minutes, cybersecurity has really become quite a business. Unfortunately, in the last 18 months, we've seen huge x-fold increases in ransomware attacks of any type of company. Talk to me about how, where are those conversations? Are you having conversations at the board level, at the C-level, in terms of the right cyber resiliency framework that organizations need to put in place? >> Yeah, we talk with customers almost daily. That's a daily conversation we have with customers about the requirements and the frameworks offer. And then this one, especially offers all of the key requirements from detection to prevention to recovery. And if you look at all of those requirements, you may end up with multiple products. And so we've built a solution that can address all of the key requirements in a single product. So for example, I mentioned detection and mitigation and recovery. Well, that's our protect the data at the source strategy, but the number one recommendation these days is to have an offline copy of your data. And that requires a cyber vault solution where you're going to take a copy of your data, place it in an offline storage device and you're going to manage that through some sort of automation. We've married those two requirements into a single product. So we actually look at the whole framework and can comply with all aspects of that, including the offline component. And that's one of the sort of secret sauce, part of our solution is that we can both protect at the source and maintain and monitor the offline copy of the data as well at the same time. >> So, the offline copy, interesting. Talk to me about how frequently is that updated so that if a business has to go back and restore and recover, they can. What's that timeframe of how frequently that's updated? >> So generally, we recommend about 24 hours. Because in reality, it's going to take time to uncover that there's something seriously wrong with your production data. In the case of our solution, the hope and intent is that really the problem is addressed right at the source, meaning we've detected ransomware on the source data and we can protect it and stop it before it actually ends up in your cyber vault. That's really the key to our solution. But if you have that day, recovery with the Isilon PowerScale snapshotting features, you can revert petabytes of data and bring it online in a worst-case scenario. And we tell customers, you need to work backwards from what is the worst case. And if you do that, you're going to realize that what you need is petabyte scale data recovery with your offline data. And that's a very hard problem to solve that we think we've solved really well with the PowerScale. >> And just sticking with you for a second. In the last year and a half, since things have been so turbulent, have you seen any industries in particular that have come to you saying, we really need to get ahead of this challenging situation as we've seen attacks across infrastructure? I mean, you name it, we've seen it. >> Yeah, the number one vertical for sure is healthcare. Healthcare has been the target. In fact, it was last October. I think the FBI made an announcement to all healthcare organizations to improve their cybersecurity. That's probably our largest vertical, but there really isn't a vertical that doesn't feel the need to do something more than they are today. Finance of course, manufacturing, retail. Basically, there's no target that isn't the target these days. But I would say for sure, it's going to be healthcare because they have a willingness and a need to have their data online all the time. >> Right, and it's absolutely a such critical information. Parasar, back to you. I'm curious to understand maybe any joint customers that you guys are working together with and how they have, what are some of the recovery time and the recovery point objectives that you're able to help them achieve? >> Sure, Lisa. So with Ransomware Defender, for example, there are more than thousand customers, almost thousand, we are very close, I think the exact number is around 970 or something, but have adopted this set of tools to boost their cyber resiliency in terms of being able to detect these attack patterns or any indications of a compromised through the way data is being accessed or the kinds of users that are accessing the data and so on. But also when it comes to isolation of the data, that has also been a lot of interest for customers to be able to have this cyber ward, which is air gap from your primary infrastructure. And of course, which is regulated with a lot of intelligence in terms of looking for any flags to close the connection and continue to replicate data or to terminate the connection and keep the cyber ward secure. So, absolutely. >> Andrew, how do you guys help? First of all, is it possible for companies to be able to stay ahead of the attackers? The attackers are also taking advantage of the emerging technologies that businesses are, but how do you, if the answer is yes, how do you help companies stay ahead of those attackers? >> I think a prime example of that is if you look at ransomware today and there's publicized versions or variants or names of it, they all attack files. But the bad actors are looking for the weak link. They're always looking for the weak link to go after the corporate data. And so the new frontier is object storage because these types of systems are compliance data. It's frequently used to store backup data, and that is a prime target for attackers. And so the security tools and the maturity of the technology to protect object data is nowhere near what's in place for file data. So we've announced and released the ability to protect object data in real-time, the same way we've already done it for years for file data, because we understand that that's just the next target. And so we were offering that type of solution in a unified single product. >> And the last question, Parasar for you. Where can folks go to learn more about this joint solution and how can they get started with it? >> Sure, Lisa. delltechnologies.com/powerscale, that's the unstructured data platform or the scale of NAS platform from Dell technologies. And we have great content there to educate customers about the nature of this cyberattacks and what kind of data is at risk and what is the kind of steps that can take to the point that Andrew mentioned, to build a cyber resiliency strategy as well as how to use these tools effectively to protect against attacks and also be very agile when it comes to recovery. >> Right, that agility with respect to recovery is critical because as we know, the trends are that we're only going to see cybersecurity and risks and attacks increase in some businesses and every industry are vulnerable and really need to put in place the right types of strategies and solutions to be able to recover when something happens. Guys, thank you so much for joining me. This is such an interesting topic. Great to hear about the partnership with Superna and Dell Technologies. And I'm sure your joint customers are very appreciative of the work that you're doing together. >> Thank you, Lisa. >> Great, thank you. >> From my guests, I'm Lisa Martin and you're watching a CUBE conversation. (upbeat music)

(upbeat music) >> Back the cube here. I'm John Furrier with the cube. Thanks Adam in the studio. We've got two entrepreneurs here. Co-founders of LastMileXchange, Andrew Hoskin and James Grant. Guys, thanks for coming on the cube, >> John. Good to be here. >> Love to get the entrepreneur, both co-founders making it happen. I mean, the pandemic was either a tailwind or a headwind for companies and certainly the internet didn't break. Everything worked out great. So, let's just jump in, why don't we get into some of the questions. What does LMX do? Who are you guys? Take a quick minute to explain what you guys do. >> Sure. So, we're a software provider. We have a cloud-based SAS platform, which effectively it's a bit like a Skyscanner or an Expedia for networks. Carriers need to buy and sell networks from each other and we help them do that. And we have been in the cloud since day one. And so, that's what we do while we're here and it's a good place for us to tell you about it. >> I got it. I got to ask you, because one of the things being entrepreneur, you've got to read the tea leaves. One of the secrets of being a co-founder and doing anything entrepreneurial these days is you got to see the future, but then you've got to come back to the present and convince everybody, what's going on. >> Entrepreneurs: Yeah. >> What is the core value proposition? What's the day in the life of a conversation? I mean you're talking to Martians now, like, huh? What's the public cloud it's like, is it like, isn't it just the internet? It's changing. What's the value proposition? What's the conversation like? >> So, the value position for us is that we, you know, we work with our customers to accelerate the sales cycle through cloud based services. So, a lot of our customers are global tier one carriers. So, we're looking to automate their connectivity pricing, and we do that via a cloud-based solution. So it is vital to us. And particularly with having customers all across the globe, being able to sort of deploy cloud-based services makes life much easier. >> I got to ask you, one of the things that we love about cloud is the agilities. >> Yeah. >> Can you talk about the impact of what you guys are offering for the agility side. What's the impact of the consumer, the application developer, what's the impact? >> Clouds have a big play for us, big impact for our customers. So we provide our solution effectively, almost a plug and play for them. So, we do quoting really, really well. You want to know where a network is, you want to know the connectivity, we'll sort that out for you, and we can give you a solution that they can plug into their systems really quickly. In terms of, for us, when we first started, we had servers in data centers and managing software on that, but we moved to Amazon pretty early. And what we now have is, we can spin up a new customer environment in a day, which you know, from previously two, three weeks. So, cloud has been transformational for us and hopefully for our customers as well. >> And you guys target mainly carriers? >> Very much so, yeah. We're very much in the big carrier Telco space. The people that provide the fabric upon which all of this sits. >> Yeah. And then by the way, it's magic and this, it's robust. It's what we need, utilities, it's important. Last mile, obviously, as we all, some people look at it and say, go back decades, rug ban, you know, last mile is always that last nut to crack. 5G's here, the mobile sector is looking at massive growth. You're starting to see the cloud providers recognize that the edge is just another network connection. >> Yeah, absolutely. >> How do you guys see that evolving? What's going on? How do you see that affecting your business, the customers on the market? >> Well, so network, I mean, access is all about getting onto the network, whether you're talking cloud or whatever. So, if you can't get into the network, cloud is nothing. If you can't sort of back haul your 5G, you're stuck. So, what we're seeing is, even with 5G, as it rolls out, as people look to densify their networks, they still need to get all that voice stuff, all that data traffic onto fiber. So, we're seeing a lot of interest there still in knowing where connectivity options are, knowing where the network is. With James also, I mean, that other aspect of access, 10 years ago was all about fiber. But you were just telling me before about how increasingly carriers are using 5G as effectively a router in a box, ship it in by a DPD or FedEx out to a customer. >> Yeah. So typically we'll think about mobile as connecting your mobile phone, but now we're looking at sort of, mobile connecting buildings. And one of the key challenges when you're connecting a building with mobile is what the actual connectivity within the building is. So, often we will see mobile maps that show you that sort of connectivity at sort of, the outside level. But of course, you're actually going to have your infrastructure in the building. So, you need to know what the straight signal strength is there. So, we're actually working with a partner at the moment so that we can identify within a building, what the quality of the signal is. >> I mean, that's class, if you think about like, most people think of, oh, it just drops to the end point and then you've got more network behind it, wireless. You got now to work at home dynamics, IOT devices. So, you guys have the buy-sell side of things going on, you got the carriers buying and selling there. >> Entrepreneurs: Yeah, absolutely. >> And then, SD WAN is a huge market, >> Andrew: Absolutely. >> That's growing and, as well. >> And all of that relies on access. Do you know what I mean? Like, you can talk 5G, you can talk IOT. And of course, those are the exciting, sexy things in the industry. But underpinning all of that is a network. And you mentioned the word before and it's right, utility, you know, maybe it's not the sexy side of things, but you've got to have it, otherwise, nothing else works. >> You know, one of the things we do a lot of cloud cover, we cover all of Amazon shows here coming into Telco, the Telco, digital revolution that's going on here, you can see it. And some people aren't ready for it. Almost like, reminds me of the mainframe days back when I was growing up in college, it's like, oh, I'm not, I don't want to do the mainframe. I'm the new guy, I'm the young kid. I love this, a PC and mini computers. Here, it's the same thing. It's kind of like, okay, I see the cloud, but when you have infrastructure as code, >> Yeah. >> Everything gets fuzzy. >> Yeah. >> I mean, now you're talking about programmability. So, that edge at the application level, some say it's going to be a massive innovation enabler, which is going to change that infrastructure's code, which means that guys like you guys got to be able to provide programmable routes, programmable and, >> Yeah. And APR is our, and the programmability of the network, the whole interplay from whether it's quoting, whether it's ordering, whether it's delivering services, whether it's kind of somebody going into somewhere and saying, "I'd like a, a hundred gig into this building", pressing a button and 15 minutes later, everything rolls together to turn it up, is where the whole industry is going. >> Let's take that for a second. >> Sure. >> Just a mind blowing scenario right there. Sounds simple. >> Yeah. >> Compared to where we were just 15 years ago. >> Yeah. >> That scenario didn't exist. >> No. >> And it's hard. It's not trivial. >> No. >> It's not non-trivial. All right. So what's this mean for customers? Are they like buying this level now, like, are they like, where are they on the spectrum of, you know, buying and the progression of operationalizing their business to be fully robust, network end to end, visibility on workloads to network? >> I would say it often depends where the customer is. So, obviously we deal with global customers and that's one of our big selling points is that, you know, a lot of people are focusing on the US, the Western European market, you know, and the connectivity challenges that they're trying to solve there. Our customers have global customers who are looking for connectivity all throughout world. And often there'll be things like mining companies who don't have fiber going into them. And so, we need to be able to work with our customers and their suppliers to be able to automate everything, because you can only fully quote a network when you've got all the locations back. And if you're waiting for information coming back from Africa or from the former CIS, then you know, you're going to have a problem. And we're working with companies in Africa and Russia, Kazakhstan, at the moment to help them automate everything. >> You know what's interesting, I just, my mind just goes nuts here when thinking about what you guys do, because as people start rolling their own with applications, they're going to need to have this programmability, like almost on demand, they're going to need to have, I want to do a digital TV network, I want to provision something or something's hybrid or at the edge. >> You've got a football game, or you've got something like this where you need capacity, you need it quickly. You need it for an event. >> Yeah, exactly. And 5G's perfect. I mean, how many times we've all been at a soccer game or a football game. It's like, I got bars but I have no back haul. Like we all been there. >> Yeah. >> Why, oh? >> Saturated the network and everyone's doing the same thing. >> The radios working, the back haul's choking. I mean, this is real. >> Absolutely. >> How does, does 5G solve that? I mean, where does that get, how does that get solved? I mean, is it going to be ubiquitous? Truly 5G going to make us all work better? I mean, certainly for the end use of 5G is it provides speed, it provides capacity. And also for the operators it provides being able to get more people onto it. And so, and 5G is not my core strength, but it absolutely will be transformative. What I can comment on is, like you say, for an event like this or the football or anything, the Euros, it ultimately goes into a pipe. So, you've got to make sure that you've got to have the right connectivity there and the right capacity there, from the user's phone, through the towers, all the way into the network, all the way to the data center and back again. So the edge, everything, has to play together to do that, and probably, rolling it out quickly and making sure it's agile and making sure it's fast and making sure it's quick and reliable. That's what needs to all work together. I liked how you said you know, the Expedia of the networks. >> Andrew: Yeah. >> That immediately in my mind says, okay, ease of use. >> Andrew: Yeah. >> From consumption standpoint, what's the next level of growth for you guys? I'm almost imagining is programmability or cloudifying or amplifying it, make it rain. >> Yeah, certainly we are going to continue to push into, yeah, effectively digital transformation in fact, across telecoms is happening. You would think there would be a lot further ahead than it is. It's not. There are a lot of people still quoting, ordering manually. So, we're very much part of that, but certainly the ordering and the provisioning, like we've mentioned, that's a big part, but for the industry, and we're going to hopefully be part of that, or we expect to be part of that. So that's, and making sure that connectivity is there when you need it. You know, I'm here, what's there? A bit like flights, I'd like to fly to New York. Who can do it, how much will it cost? I'll buy that one please. And that's what networks should be as well. >> James, what's your vision on how the customers are progressing in their mindset? Obviously, you've got the blocking and tackling to do, you're in the market. Where are they going with the use case and the application? >> The customers are getting to the stage where they're expecting to be able to go into a portal and turn up services. So, as with many things that we're seeing throughout life today, you can go into an app, you can press a couple of buttons and you can, you can order something. So, that's what they're expecting is to be able to just go and say, I need a hundred mg here, press a few buttons. And in 10 minutes time, the circuit's not only quoted, but it's provisioned. At the moment, there's this sort of a digital divide between those that have the digitization in place and those that don't. And that's the sort of the key that we're trying to sort of help the industry with is the sort of the, the outliers and, and also the main carriers to make sure that it's not a sort of, a digital haves and a digital have-nots. >> I was just going to say that. So, if you have the digital haves and have-nots, is that a function of them just not being operationalized in their digitization? Or is it they're not set up for it or they don't have you guys? What's that have-not side of it? How do they become the haves? >> One of the biggest challenges is actually around the sort of, identifying the connectivity at a particular location. So, in some countries it's very easy to do, like the US, UK, Netherlands. We have nice sort of standard address formatting, and you can identify a building at roof level. And when it comes to turning up connectivity straight away, you want to make sure that you turn up the connectivity to the right building. And that's one of the challenges that we're seeing throughout sort of, some of the Eastern European and the LatAm, the Asian and the African markets. >> I mean, we saw what happened with Amazon instances. You've got spot instances, you get reserved instances, you're starting to see that mindset. That's a SAS mindset. >> Yeah. >> That's kind of where things are going. Is that, you guys see the same thing here or is it different? >> Yeah. Well, certainly at the enterprise space, they tend to make decisions over a longer scale. So there, maybe not so much that you sign contracts in a year's term et cetera, but yeah, certainly as a provider, a SAS provider, using all those things, the ability to to tune your expenses, tune your costs, even your resource, you know, you're turning up servers by the hour, by the minute is a big thing. And it takes a mindset change for us and our customers. >> If you don't mind me asking, how long have you guys been doing business as co-founders, when did it start? What was the guiding principle? How do you guys look back now? >> James and I met working for Verizon many years ago. You might've heard of them. And, we sort of did what we do now, in as much as James ran the commercial side of things, I ran the software side of things and we saw that connectivity was a universal problem. And so we saw our opportunity. We went out, we started LastMileXchange. We pivoted once or twice, still in the same space, but we eventually realized that where we are now was what the industry needed. And that's where we've been pushing now for quite a few years. >> I want to give you guys a lot of credit and a lot of props, congratulations. I think, you know, the digital divide has been a broadband challenge for many, many years and decades. Now, you've got that urban divide where people don't have access. And I heard stories during the pandemic that people had access in the region, but couldn't get it to the home, affordability, access, devices. These are new issues, the digital divide, they have connectivity options. >> Andrew: Yeah. >> But it's not really clear yet. So, you're starting to see a lot more of that going on. Of course, the rural areas. >> Andrew: Yeah. >> I live out in the countryside on a farm. So, I'm quite used to their challenges of connectivity. You know, when I first moved into my house, I ended up having to get to way satellite broadband and things have improved now. But when we're talking about 5G, you have people in London, they have 5G. 5G is something that I'm not going to see for three, four years probably. >> Globally, it'll democratize access because like we were saying, we're sitting in an enterprise. You can send out a rooter or a router with a SIM card in it. I mean, you can give a kid a mobile phone in the middle of, you know, Kenya, and he can have access to the world through the internet. So, you know, that increased capacity, that increased densification of networks. Okay, they're not all going to be on 5G today. James hasn't got 5G and he only lives 30 minutes out of London. But 3G, 4G, I think the gentlemen on one of the keynotes was talking there about 3G Plus. You know, effectively, that's going to roll out. The 5G's are going to be in New Yorks and London, but, >> Like, it's going to be bring your own G to your house soon. And I think this space ops is going to be great. And I think overall, just overall, the challenges and the topologies, you're going to start to see diversity in the network topology, and actually it's going to explode. >> Andrew: Yeah, absolutely. Absolutely. >> Going to be super exciting. Well, again, I think you guys are under something big. I think this idea of sasifying, making things programmable, infrastructure as code is going to be pretty big. So, thanks for coming on. And what's your take, real quick, of Cloud City. >> It's been great. We've just walked in. We both said, as we came in, we came in yesterday to set up and we were really blown away and the rest of our team arrived today and they were very impressed as well. I was going to say Telco D on the team, have done a really impressive job. >> I think you have to come here and see it to believe it because when we walked in, it was just like, this place is stunning. >> Awesome. Well that's the cube coverage, we're rocking and rolling here. We're going back to the studio to see Adam and the team. Back to you.

>> Announcer: From around the globe, it's theCUBE. With digital coverage of IBM Think 2021. Brought to you by IBM. >> John: Hello and welcome back to theCUBE's coverage of IBM Think 2021 Virtual. I'm John Furrier, your host of theCUBE. We're here with two great guests, Andrew Coward's the GM, Software Defined Networking at IBM and Caroline Chappel. Research Director, Cloud and Platform Services at Analysys Mason. Folks, thanks for coming on. Caroline, good to see you. Andrew, thanks for coming on theCUBE. >> You're welcome, it's nice to be here. >> Thank you. >> So software defined networking, love it. Software-defined data center, software defined cloud, all that has been pointing to what is now a reality which is hybrid cloud and the Edge, and soon to be multicloud. This kind of makes networking, again, at the centerpiece. This has been this way for now, at least for five hardcore years, at the center of the value proposition discussion. And certainly networking is super relevant. Why is networking now more important than ever for IBM? >> Well, to your point, I think networking is weaved into pretty much everything we touch. From Red Hat Linux for its analytics, machine learning tools, security, cloud services, and so on. And the networking business is changing very radically at the moment. We're going through kind of massive shift. Not just to the cloud, but the desegregation of networking products that, you know, you think of being very tight and integrated are actually being separated into their constituent parts. Distribution of applications and data across multiple clouds, ensuring that the products really have industry-leading capabilities, so that networking is weaved into what they do. The other thing is the scary numbers, right? But now, there's like 15 billion network-capable devices out there with general computing capabilities. And so I don't mean like really dumb things but things that are now we call smart, like a smart car. A medical center that's got applications that even your fridge now, has general compute capabilities. And all of those are expected to connect into the public or private cloud. And so how they connect, where data moves across that really on critical concern to everything that we at IBM do. >> So I have to ask you, I love the word radical change. It gets my attention for certain. What specifically are you referring to in radical change? Because, I mean, I would, I mean, I'm pretty radical that COVID has hit everybody and I think everyone woke up and never thought 100% of the workforce would be working remotely. So, you know, there is radical kind of macro conditions. What specifically though about networking would you say is radical and how does that impact the enterprise? >> Well, right. I think it's about how compute is shifting and how network has to follow. You know, we've been speaking a lot of enterprise accounts and customers. And, you know, it's through COVID and over the last year, we've seen that the ongoing migration into, not just one cloud but many clouds. But we need to think the enterprise you can stop and say, two clouds is enough to be here and to be able to do that. That's not happening. There is no limit to the number of clouds that each enterprise is going into and it's not a coordinated decision, so the radicalism is that the network guys, the cloud architects are being left to pick up the pieces and their job now is to kind of join together applications and data that might be spread in three or four different locations. And that's really, really challenging. And nobody's thinking about things like latency or connectivity, data accountability when these decisions are made. And it is kind of like the business units are allowed to make their own decisions to get it, but corporate itself then has to figure out how all this stuff works. And that's creating a lot of headaches. >> Caroline, If you could chime in on this, because this is kind of like what we're hearing. What's your thoughts? Because I mean, the platform shifting. I mean, five years ago. Oh, go move to the cloud, lift and shift. Now, the conversation is hyper-focused on cloud integration, at scale with kind of the features that enterprise really need. That's the confusion. What's your take on all this radical change? >> Well, I'd like to, to talk about another aspect of the radical change here, which I think is part of the story which is the radical change for the network itself. So the network itself is, as Andrew said, you know becoming desegregated into hardware and software and really becoming a software application if you think about it, that runs on the cloud itself. And that means you can distribute the network in a very different way, than you could in the past. And what that's really affecting is who can provide a network, how they can provide it, what services, what network services they can provide. And I think that is changing the decision points for operators, for enterprises. They're being faced with a very big choice about who do they, who will provide their connectivity services? Will it be an SD-WAN vendor? Who's not necessarily a traditional operator? Would it be a SaSS-y player that's basically just operating after the cloud. And if you look at the services themselves, there's the opportunity for enterprises to build really kind of rich, bespoke connectivity on demand and in a way that they've never had before. And I think that choice is obviously wonderful in one sense, but in another sense, it's pretty scary. And, and as Andrew said, it's not these decisions are not being taken particularly in a coordinated way. You know, you'll have your traditional network guys often very embedded with the lines of business and then you'll have the IT guys all going to the cloud. And these two parts of an enterprise don't necessarily even talk to each other in terms of how they're procuring their network services. So lot of choice, a lot of moving parts, a lot of change. And I think that's contributing to the situation we're finding ourselves in. >> So. First of all, great insight. I want to just double down on that one point around radical change, because what you just laid out is kind of the institutional lock-in or the way they've been operating things before You mentioned lines of business being embedded with the network guys. So you have radical change. So that's a disruption. So what's the disruption look like from your perspective because now you've got more choice, but it's hasn't been operationalized. What are the best practices? This is net new. Is it net new? How do I do security? This is all now new questions. So I got to ask you what's the disruption and what's it mean for the enterprise networks over the next couple of years going forward? >> Well, I think that there are a lot of disruptions but I think one of the ones that I haven't even mentioned. So I think, you know a lot of things are going to go, for example, I think that the idea of the network as being something fixed, persistent with fixed persistent connections is changing. So a lot of the enterprises I've talked to have said that their corporate networks, of course, they will need corporate networks with fixed VPNs between locations. Yeah, because they've got an awful lot of legacy they've got to support. But a lot of the new stuff that's coming along of the IOT driven stuff a lot of the changes around the edge and an operation, operational process automation and that kind of thing will actually be more on demand. We'll ask for on demand connectivity. A lot of it is will the applications themselves run on the cloud and not just on one cloud but as Andrew said on many, many distributed clouds. So you've got to think about zero trust security because you are basically spinning up these connections on demand. A lot of mobile will come in 5g. We know is going to be very important to operators in the future. So I think enterprises have got to deal with those data and security and all their best practices. We've got to shift to a much more dynamic, you know connectivity world, where they've got us to the playoffs. You know, what's the terministic on what's a network. That's just going to be on demand there when they need it and shut down when they don't. >> That's a great point. Andrew, I want you to weigh in on the IBM impact because what we just heard was application driven. That's dev ops. That's programmability. That's what we had hoped. Now you've got DevSecOps, all this is now the requirements. What's the bet on IBM side.? You got to make it happen. You got to bring the customers a solution and make it scale and be responsive to those you know, new, dynamically, flexible agile networks. >> Well, that's right. So the bet is that, you know that these applications that are being spent out there in containerize and they're being separated into these clouds and connecting those is what we as IBM have to have to do. And so kind of an example of that, kind of looking at the medical world, right? You think of an application that would today, monitor a patient. What's going on with that patient and all of the senses and so on. Well, the way we see it, the monitor itself, there might be monitoring temperature and heart rate etc. That what actually happens on that device might change moments depending on the patient's condition. That's one part of the application. Another part of that application may live in private data center. A third part of that application may live in the cloud. And depending on what's going on with that patient and what's going on with the ward and everything else. Those things may shift and move around. So, where does that data? Where's that data allowed to move to inform of what are the boundary points for that? How is the reliability, resiliency of our system guaranteed, but across many disparate parts of what's going on there. All of those things end up being a very vertically integrated solution. But fundamentally we've got a very different way, new ways of being able to react, dynamically. To both the network, the application and ultimately the unusual patient in this case and that's what kind of is the advantage of the outcome if you like for moving to this new world. >> So what are the implications then of the changes? These are massive changes for the better We're seeing that kind of innovation come from this transformational quick change. Hybrid cloud and edge is coming, you mentioned. Caroline talked about that too. What do you guys think about the implications and how enterprises specifically can prepare for these changes? >> Okay, well, I can pick that up. I think what enterprises are looking for at the moment is how do they get a holistic view of everything that's underneath them? I mean, I think the cloud providers individually are abstracting away as much of the network as they possibly can. They want it to appear to developers just as some kind of plumbing. And it's very easy now for enterprises to through API is you know, we've got a very API different world so it's very easy to say, okay I want this service and I'm just going to go through their API and connect to it. And that's why you get to the situation of multiple, multiple clouds. Now you've got this situation where you've got some companies are talking about needing 50 to 10,000 micro data centers, room closet data centers if you like ,to support some of the things that they want to do, like telemetry ,pick up telemetry from rental cars, for example. So what they really need is to look at all that connectivity, just as plumbing just as we don't worry about how electricity is being delivered to us. That's kind of how they want to do connectivity. So I think they want that view. They want that. Okay. I want to treat my network as one virtual thing. No matter how many different points of plumbing there are underneath. And it's getting to that point that I think they've really got to think about a plan for. You know, how do we get that to you? What's going to provide us with that holistic way that we can put a policy into our plumbing. And it proliferates across, you know all our applications and so on. I think that's a very difficult thing to achieve at the moment but it's certainly the way enterprises need to start thinking about things. >> Andrew, you know, when Caroline's talking, I can't help but kind of throw back to my days of the telephone closet. You know, back in the analog switches. But no, we're talking about a footprint. Radical footprint change too. You know, you need plumbing. Obviously that's a network. It's distributed. We just talked about that at the top of this interview. Now you have the plumbing, you got the footprint and data center could be in a closet, AKA, you know a couple of devices powering an edge. And the edge could be big, small, medium, extra large right? I mean, it's all now radically changed. This is reality now. what's your take on these implications and how do people prepare? >> Well, that's right. It's really the computer's generalized and it's everywhere and yes, it's in the closet. But as I say, it's also in your fridge, it's also in your medical censor and what loads and what runs on that is it's very intertwined with the network. And the lament, if you like, that network architects, the card architects have today is that they feel like they've lost control. They feel they've lost control of exactly what different business groups are doing, how these applications are playing out. And shout out to them, I guess for them is really that they need to be involved from a very early date on how these services are supposed to look. Just the latency of the patients, the data and where the data's supposed to live, where it's allowed to move to. All of those are deeply regulated and deeply controlled. And so making sure that that's aligned with how these applications will actually live and work. Even on a regular basis, sooner there has to be thought about now. An unplanned for so that we can get to the there and not trip up along the way. And then if it's bad enough now with all the different clouds, it's going to be much worse when everything can run a different workload on a minute by minute basis. Right. But that's cool. That's the world we have to find for. >> Okay. Andrew. Caroline. Thank you for your insight. Really appreciated coming on theCUBE. Thanks for coming. I really appreciate it. >> Thank you very much. >> Thank you >> Okay. This is the cube coverage of IBM Think 2021. I'm John Furrier, your host. Thanks for watching. (cheerful music playing)

>>Welcome to the cubes coverage of Dell Technologies world 2021. The digital experience. I'm lisa martin. I've got two guests here with me today. Adam Glick is here. Senior Director of portfolio marketing for Apex at Dell Technologies. Adam welcome to the cube >>lisa. It's great to be here with you >>likewise. And Andrew Glinka is here VP of Competitive intelligence at Dell Technologies as well. Andrew welcome to you as well. >>Thank you. Glad to be here. >>So the last Dell Technologies world was only about six months or so ago and sadly I was sitting in the same room doing that. We're not in Vegas at the convention center but hopefully one day we will be soon. But a lot of news there um Adam was about Apex and this big transformation about what Dell wants to do, give us a little bit of a history and what's transpired in the last six months. >>Well, a lot of things have happened in the past six months with what we were calling Project Apex before probably the first most obvious one is we've removed project from the name as we've made the offering generally available. We've also added a lot to it. There's a lot of new pieces of technology that are part of Project Apex now, we've talked about bringing in the cloud, bringing the custom solutions, hear a lot about that at Dell Technologies where all this time and really practicing that all up together in a single experience for customers, giving them something that's super simple agile and gives them all the control that they want to use their infrastructure where they want it all of that as a service. >>Big changes Andrew. Let's go over to you now. Talk to me about some of the players in the market. >>Well, he has a service market is growing incredibly fast and will continue to grow over the next number of years. And what we're seeing is a lot of players trying to enter that market because it is growing so fast. So you have some of the traditional infrastructure players that are entering like HP has their offer out in the market and pure storage and that happened many others. And you also have the public cloud providers like amazon web services, google Microsoft azure that are starting to develop um on prem tech capabilities to kind of validate this hybrid cloud as a service, all things everywhere model. So uh rapidly growing market a lot changing in a lot of players entering this space very quickly. >>So a lot of acceleration we've seen with respect to digital transformation Andrew in the last year. So talk to me about how Apex compares to those infrastructure players, you mentioned peer storage, Netapp HP. Talk to me about the comparison there. >>Yeah, so one of the things is we continue to develop, Apex is we're going to offer the broadest portfolio of as a service solutions for customers, all with different consumption models. So we'll be offering outcome based meter based as well as custom solutions, which is a little bit different than what others can provide all delivered using market leading technology and all Dell supported. So we're not using third party to deliver any of the asset service, it's all Dell supported, um some other very tactical things like single rate, so we don't charge for over usage or charge extra, which is different than some um and also it's all self service. So through the console you can place an order for a new system or upgraded system and you're avoiding the lengthy sale cycles and all the back and forth. So just a couple of questions you can get the outcome that you're looking for. >>Adam. Talk to me about how apex compares to the public cloud providers, customers obviously have that choice as well. AWS google cloud platform. What's the comparison contrast there? >>So when we think about what's going on with public cloud providers, we really look at them as partners and people that we work with. There's a Venn diagram if you think about it and the reality is that although there is some overlap between, there's also a lot of differentiated value that we look at, that we bring their and it's how do we work together on those pieces? So the most obvious of those is when you're thinking about things like a hybrid cloud and how people work together to make sure that they've got a cloud that meets their needs, both on prem in their Coehlo locations out of the edge as well as whatever they're doing with public >>cloud. >>And so we're looking at how do we bring all those pieces together? And there are certain things that work better in certain places, certain ones that work better than others. We do a lot of things around the simplicity of billing to make that easy for customers, giving them really high performance ways to to work well that really meet the needs of a lot of workloads that might need regulatory needs or might have specific performance mapping, high performance computing, things like that. But it works together. And that's really the point is that what customers tell us is that they have needs for on premises, They have needs for things in their private cloud and follows. They also have needs in the public cloud. And how do they bring that together? And so we're working to say, how do we bridge that gap to make the best possible outcome for customers? We work on partnerships with the partnership that we announced with Equinix to bring together co location facilities around the world and bring apex services customers easily when they want to say reduce the latency between what they're running and what they control within their own hardware stacks and what might be running in the public cloud. It's kind of a merger of both that really helps customers get the best of all that they need because at the end of the day that's the goal is helping our customers get the best I. T. Outcomes for their businesses as possible. >>Right? And you mentioned Hybrid cloud and we talk about that so often customers are in that hybrid world for many reasons. So basically what you're saying is there is partnerships that Dell Technologies has with Apex and the other hyper scholars so that when customers come in, if they're most likely already using some of those other platforms, they actually could come in and work with Apex too, develop a solution that works very synergistically. >>Yeah, we're helping them pull together what they need. And if you take a look, 72 of organizations say that they're taking a hybrid cloud approach, they want to be able to bring the best of both worlds to what they're doing and really choose what's right for them. Where do they need to be able to really control what's happening with their data? Where do they want to be able to maintain and control the costs that they have and also be able to access the other services that might be out there that they would need. So how do they bring those together? And those ways that we work together for the benefit of customers? And we bridge those two pieces is really what we're aiming to do here. >>Excellent. So Andrew, let's go back over you. I want to talk about workloads here because you know when we look at some of the numbers, the 8020 rule with the cloud, 80 of those workloads still on prem customers needing to determine which workloads should go to the cloud. How does apex work with customers to facilitate making those decisions? Um about the workloads that are best suited for apex versus club? >>Well, I think that's the beauties, it's very flexible. And so some of those traditional workloads that are still on prem can be run as a service without a whole lot of change. So you don't have to re platform, you don't have to reengineer them and you can move them into an as a service model, continue to run them easily. But then there's a whole lot of new development like high performance computing and Ai And machine learning, particularly at an edge where Gartner says by 2025 75 of all data will be processed at the edge. So as these new capabilities are being built out, uh customers have been asking us to start to run that infrastructure in these new workloads and and at as a service model and so high performance computing ai. Ml these edge workloads are fantastic use cases just get started with as a service and can certainly extend back into some of the more traditional workloads that they've been running >>adam. Can you talk to us a little bit about what's transpired in the last six months from the customers lens as we talked a little bit about, we talked a lot in the last year about the acceleration of digital transformation and so many businesses having to pivot multiple times in the last year. A lot of acceleration of those getting to cloud for, for to survive. Talk to me about the customer experience, what you see in the last six months. >>So what we've heard a lot from our customers is that they're really looking for the benefits of consumption as a service that especially as you see the financial impacts that happened over the past year, People looking at ways to preserve capital and what are the ways that they can go and maintain what they want to do or perhaps even grow and accelerate. Take advantage of those new opportunities in ways that don't require large capital purchases and the ability to go in and purchase as a service is something we've heard from multiple customers is something that is really attractive to them as they look at. Hey, there's no opportunities they've opened up and how do they be able to expand on those as well as how do they be able to preserve the capital? They have, be able to continue with the projects that they're looking at but be able to take a more agile approach for those things. And so the as a service offerings that we've been talking to our customers about have been really something they've been excited about and they come to us kind of, hey, what do you have? What's the roadmap? How can we have more of those kinds of things? And that's why we're so excited Dell Technologies world to be talking about how we're bringing even more apex services as a service available to our customers. >>And I'm just curious in the last year since we've seen so many industries, every industry really rocked by the very dynamic market, but some of the things like healthcare and government, I'm just curious if you've seen any industries in particular really take a leading edge here and working with you in apex. >>one of the most >>interesting things that I've seen from the customers that I've been talking to is that it really is broad ranging that I've talked to customers who are governmental customers who are interested in expanding what they're doing with it but very concerned about things like data, locality and data sovereignty. That's very interesting to them. I've talked to manufacturing organizations, they're looking at how do they expand their operations in asian manufacturing for instance. And they're going from, how do they operate within the United States to how do they expand their operations? Be able to do that in a more quick fashion? What they're doing? Talk to healthcare organizations, they're looking at, how do they be able to bring digital healthcare and as you to think about what's happening more virtually that people are doing, What does that mean in terms of health care? Both from people who are actually doing virtual visits with their doctors as well as even things like digital surgery. So there's so many things that are happening really. I could talk to you about dozens of industries. But the takeaway that I've had is that there's no real one industry, it's really something that has impacted just operations globally and different folks. Look at different things in different ways. I talked to a company that does train that actually train company. They do logistics and they're looking at edge scenarios and how do they do train inspections faster to be able to provide better turnaround times for their trains because there's a limited amount of track and so if they miss a maintenance window like that's time that they not only have to wait for the next window, they have to wait for all the other trains to pass too. So it's really breathtaking, just the scope of all that's changing in it and all the opportunities that are coming up as people think about what consuming it services as a service can mean for them. >>Yeah, amazing opportunities. And you talked about, you know, the virtual and there's so much of it that's going to persist in in a good way, silver linings, right? Um and you want to go back over to you talk to me when we, when we talked about apex at Dell technologies world 2026 months ago, this was kind of revolutionary and really looking at it as a really big change to Dell's future strategy. Talk to me about that. >>Well, it's a change for the entire company, so having to rethink how we deliver all these services and outcomes to customers. So it's it's not just about the product. The product is now the service and the service is the product, so it's very different in how we approach it. Thinking more about how we can help our customers achieve these outcomes um and help deliver these services that get them there, which is a little different than just developing the products themselves. And so that's been a big thing that we've been taking on and making sure that we deliver these outcomes for our customers. >>Yeah. And then adam last question for you talk to me about kind of same perspective of looking at this as as how Dell intends to compete in the future and what customers can expect. Also how can they engage? Is this something that is available with Channel Partners? Dell Direct? >>So this is the beginning of a huge journey and transformation as Andrew spoke about, like this is a transformation of not only what we're providing, but a transformation across all of Dell. We're looking at how do we expand the X portfolio to bring a portfolio of options to our customers? You know, we're starting with with storage and cloud and some are custom solutions, but we really have a vision of how do we bring all of Dell's business products and into services for our customers? You know, it's a huge transformation, it's something I'm incredibly excited about because it really aligns what we do with what our customers do. We've never had an opportunity to be so closely connected with our customers and create great outcomes for them. So the transformation, like we're just at the beginning of this and it's an incredible path that we're on that's providing amazing value for the people that we've already started working with. For people that want to find out more about it. You can certainly come to our website, Dell technologies dot com slash apex. People who have a relationship with Dell already contact their sales representative will be more than happy to talk to them about what their current needs are and what effects can do to help them continue their digital transformation and create better outcomes for their organization. >>Excellent, Adam Andrew, Thank you for joining me today to talk about what's going on. Project apex to apex the tremendous amount of opportunities that it's helping customers in any industry uncover. We look forward to seeing down the road some of those great customer outcomes that come from this. I thank you both for joining me today. >>Thank you very much. Thank you >>for Adam Glick and Andrew Glinka. I'm lisa martin. You're watching the cubes coverage of Dell Technologies World 2021 The Digital Experience.

>>from >>around the globe. It's the cube with >>Digital coverage of IBM think 2021 brought to you by IBM. Hello and welcome back to the cubes coverage of IBM think 2021 virtual. I'm john for your host of the cube. We're here with two great guests. Andrew cowards. GM Software defined networking at IBM and Caroline chappelle Research director, cloud and platform services at analysis mason folks. Thanks for coming on Caroline. Good to see you Andrew. Thanks for coming on. Uh, thank you. >>Welcome. Nice to >>begin. So >>software defined networking love it suffered to find data center suffered to find cloud. All that has been pointing to what is now a reality which is hybrid cloud and the edge and soon to be multi cloud. This kind of makes networking again at the center pieces has been this way for now at least for five hardcore years at the center of the value proposition and discussion and certainly networking is super relevant. Why is networking now more important than ever for IBM? >>Well, to your point, I think networking is weaved into pretty much everything we touch from red hot limits to analytics, machine learning tools, security card services and so on. And the networking business is changing very radically. At the moment we're going through a massive shit um, not just the cloud, but the desegregation of networking products that you know, you think of being very tight and integrated are actually being separated into their constituent parts, distribution of applications and data across multiple clouds, ensuring that the products really have industry leading capabilities so that networking is weaved into into what they do. Um, the other thing is, you know, this is kind of scary numbers, right? But there's now over 15 billion um, network capable devices out there with general compute capabilities. So I don't mean like really dumb things but things that are now we call smart, like a smart car, a medical center that's that's got application, even your fridge now has general compute capabilities and all of those are expected to connect into public or private cloud and so how they connect where data moves across that really on critical concern to to everything that we had IBM do. >>So I have to ask you love the word radical change, gets my attention for certain for certain um what specifically are you referring to in radical change? Because I mean I would mean I've pretty radical. The COVID has hit everybody and I think everyone woke up and never thought 100 of the workforce would be working remotely. So you know, there is radical kind of macro conditions. What specifically though about networking, would you say is radical? How is that impact enterprise >>Well, right. I think it's about how computers is shifting and how network has to follow. Um We've been speaking with lots of enterprise accounts customers and um you know, through covid and over the last year we've seen that the ongoing migration into not just one cloud, but many clouds. Um and you think that enterprises can stop saying to clouds is enough going to be here on the other there, That's not happening. There is no limit to the number of clouds that um each enterprises going into and it's not a coordinated decisions. So the radical list of this is that the network guys, the cloud architects are being left to pick up the pieces um and their job now is to kind of join together applications and data that might be spread in three or four different locations. Um and and that's really, really challenging and nobody's thinking about things like latency connectivity, um data portability when when these decisions are made. Um It's kind of like the business units are allowed to make their own decisions here. But the corporate itself then has to figure out how all this stuff works and that's creating a lot of headaches >>Carolina. If you can chime in on this because this is kind of like what we're hearing, what's your thoughts? Because I mean the platform shifting five years ago, so go move to the cloud lift and shift now. The conversation is hyper focused on cloud integration at scale with kind of the features that enterprise really need. That's that's the confusion. What's your take on all this radical change? >>Well, I'd like to talk about another aspect of the sort of radical change here, which I think is part of the story, which is the radical change for the network itself. So the network itself is, as Andrew said, becoming desegregated into hardware and software and really becoming a software application, if you think about it that runs on the cloud itself, and that means you can distribute the network in a very different way than you could in the past. And what that's really affecting is who can provide a network, how they can provide it and what services, what network services they can provide. And I think that is changing the decision points for operate for enterprises. They're being, they're being faced with a very big choice about who do they, who do they, who will provide their connectivity services, will it be an SD one and then who's not necessarily a traditional operator? Will it be a will it be a sassy player that's basically just operating out of the cloud? And if you look at the services themselves, I mean there's there's the opportunity for enterprises to build really kind of rich bespoke connectivity on demand and in in a in a way that they've never had before. Uh and I think that choice is obviously wonderful in one sense, but in another sense it's pretty scary and as and you said it's not these decisions are not being taken particularly in a coordinated way. You know, you'll have your traditional network guys often very embedded with the lines of business and then you'll have the I. T. Guys all going to the cloud and these two parts of an enterprise don't necessarily even talk to each other in terms of how they're procuring their network services. So a lot of choice, a lot of moving parts, a lot of change and I think that's that's contributing to the situation we're finding ourselves in. >>So you first great insight, I want to just double down on that one point around radical change because what you just laid out is kind of the institutional lock in or the way they've been operating things before, you mentioned lines of business being embedded with the network guys. So you have radical change, So that's a disruption. So what's the disruption look like from your perspective, because now you've got more choice, but this has been operationalized, one of the best practices. This is news that net new. How do I do security? This is all now new questions. So I gotta ask you what's the disruption and what's it mean for the enterprise networks over the next couple of years going forward? >>Well, I think that there are a lot of disruptions, but I think one of the uh and ones that I haven't even mentioned, so I think a lot of things are going to go, for example, I think that the idea of the network is being something fixed, persistent with fixed persistent connections um is changing. So a lot of enterprises I've talked to have said that uh corporate networks of course they will need corporate networks with fixed VPNS between locations because they've got an awful lot of legacy they've got to support, but a lot of the new stuff that's coming along, a lot of the IOT driven stuff, a lot of the changes around the edge and an operation operational process automation and that kind of thing will actually be be more on demand. We'll ask for on demand connectivity. A lot of it is uh it will the applications themselves run on the cloud and not just on one cloud, but as Andrew said on many, many distributed clouds. So you've got to think about zero trust security because you are basically spinning up these connections on demand, a lot of mobile will come in five G, we know is going to be very important to operators in in the future. So I think enterprises have got to deal with those data, that data and security and all their best practices have got to shift to a much more dynamic uh, connectivity world where they've got a playoff, what's deterministic and what's, what's a network that's just going to be on demand there when they need it and shut down when they don't. >>That's a great point. Andrew. I want you to weigh in on the IBM impact because what we just heard was application driven, that's devops, that's program ability, that's what we had hoped. Now you got Deb sec. Ops, all this is now the requirements. What's the bet on IBM side? You gotta gotta make it happen. You gotta bring the customers a solution and make it, make it scale and be responsive to those, you know, new dynamically flexible agile networks. >>Well, that's right. So, so the better is that these applications that are being split up there in containerized and they're being separated into these clouds and connecting those is what we as IBM has has to do. And so kind of an example of that kind of looking in the medical world, right? You think of an application that would today monitor a patient, uh what's going on with our patients in all of the senses and so on. Well, the way we see it, the monitor itself, uh that might be monitoring temperature and heart rate etcetera. That what actually happens on that device might change moment to moment depending on the patient's condition. That's one part of the application, another part of the application. They live in private data center, a third part of that application. They live in the cloud. And depending on what's going on with that patient and what's going on with the war and everything else, those things may shift and move around. So where does that data? Where's that data allowed to move to and from? And what are the boundary points for that? How is the the, the reliability resiliency of that system guaranteed across many disparate parts of what's going on there, All of those things end up being a very vertically integrated solution. But fundamentally, we've got a very different way. A new ways of being able to react dynamically to both the network, the application and ultimately, the unusual patient in this case is uh use case and that and that's what is the vanishing of the outcome, if you like, from moving to this new world. >>So, what are the implications, then, of the changes? These are massive changes for the better? Um We're seeing that kind of innovation come from this transformational change. Um Hybrid, Cloud and Edge is coming. You mentioned Caroline talked about that too. What do you guys think about the implications and how enterprises specifically can prepare for these changes? >>Okay, well, I I can pick that up. I think uh what enterprises uh looking for at the moment is how do they get a holistic view of everything that's underneath them? I mean, I think the cloud providers individually are abstracting away as much of the network as they possibly can. They want it to appear to developers just as some kind of plumbing. Um and it's very easy now for enterprises to through a P. I. S. You know, we've got a very api driven world so it's very easy to say okay I want this service and I'm just going to go through the A. P. I. And connect to it. And that's why you get to the situation of multiple multiple clouds. Now you've got, you've got this situation where you've got some, some companies are talking about needing 50-10,000 uh micro data centers, broom closet data centers if you like to support some of the things that they want to do, like telemetry to pick up telemetry from rental cars, for example. So what they really need is to look at all that connectivity just as plumbing, just as we don't worry about how electricity is being delivered to us, that's kind of how they want to do connectivity. So I think they want that view, they want that, okay, I want to treat my network as one virtual thing no matter how many different points of plumbing there are underneath. And it's getting to that point that I think they've really got to think about and plan for how do we get that view, what's going to provide us with that holistic way and we can put a policy into the into our plumbing and it it proliferates across all our applications and so on. I think that's a very difficult thing to achieve at the moment but it's certainly the way enterprises need to start thinking about things >>and you know when Caroline's talking I can't help but kind of throwback to my days of the telephone closet, you know back in the analog switches but we're talking about a footprint radical footprint change to you. You need plumbing. I'll see that's a network, it's distributed. We just talked about that the top of this interview now you have the plumbing, you've got the footprint of data center could be in a closet A. K. A. You know a couple devices powering an edge and the edge could be big small medium extra large. Right? I mean it's all now radically changed. This is reality now. What's your take on these implications and how do people prepare? >>Well that's right. It's really the computers generalist and it's everywhere and yes it's in the closet but it's also in your fridge is also a new medical sensor and what loads and what runs on that is it's very intertwined with the network and the lament if you like. That. The network architects the architects have today is that they feel like they've lost control um They feel like lost control of exactly what different business groups are doing. How these applications are playing out and shout out to them I guess for them is really that they need to be involved in the very early um date of how these services is supposed to look just the latest implications. The data where the data is supposed to live, where it's allowed to move to. All of those are deeply regulated and deeply control and so making sure that that's aligned with how these applications will actually live and work uh on the basis of something that has to be thought about now um and planned for so that we can we can get to the there and then not trip up along the way. And if it's bad enough now with all the different clouds it's going to be much worse when when everything can run a different workload on a minute by minute basis. Right? That's what that's that's the the world we have to find. >>Okay. Andrew Caroline. Thank you for your insight. Really appreciate it coming on the cube. Thanks for coming. I really appreciate it. >>Thanks very much. Okay. >>Okay. This is the Cube coverage of IBM think 2021 um, John for your host. Thanks for watching. >>Mm.

>> Announcer: From around the globe, it's theCUBE. With digital coverage of IBM Think 2021. Brought to you by IBM. >> John: Hello and welcome back to theCUBE's coverage of IBM Think 2021 Virtual. I'm John Furrier, your host of theCUBE. We're here with two great guests, Andrew Coward's the GM, Software Defined Networking at IBM and Caroline Chappel. Research Director, Cloud and Platform Services at Analysys Mason. Folks, thanks for coming on. Caroline, good to see you. Andrew, thanks for coming on theCUBE. >> You're welcome, it's nice to be here. >> Thank you. >> So software defined networking, love it. Software-defined data center, software defined cloud, all that has been pointing to what is now a reality which is hybrid cloud and the Edge, and soon to be multicloud. This kind of makes networking, again, at the centerpiece. This has been this way for now, at least for five hardcore years, at the center of the value proposition discussion. And certainly networking is super relevant. Why is networking now more important than ever for IBM? >> Well, to your point, I think networking is weaved into pretty much everything we touch. From Red Hat Linux for its analytics, machine learning tools, security, cloud services, and so on. And the networking business is changing very radically at the moment. We're going through kind of massive shift. Not just to the cloud, but the desegregation of networking products that, you know, you think of being very tight and integrated are actually being separated into their constituent parts. Distribution of applications and data across multiple clouds, ensuring that the products really have industry-leading capabilities, so that networking is weaved into what they do. The other thing is the scary numbers, right? But now, there's like 15 billion network-capable devices out there with general computing capabilities. And so I don't mean like really dumb things but things that are now we call smart, like a smart car. A medical center that's got applications that even your fridge now, has general compute capabilities. And all of those are expected to connect into the public or private cloud. And so how they connect, where data moves across that really on critical concern to everything that we at IBM do. >> So I have to ask you, I love the word radical change. It gets my attention for certain. What specifically are you referring to in radical change? Because, I mean, I would, I mean, I'm pretty radical that COVID has hit everybody and I think everyone woke up and never thought 100% of the workforce would be working remotely. So, you know, there is radical kind of macro conditions. What specifically though about networking would you say is radical and how does that impact the enterprise? >> Well, right. I think it's about how compute is shifting and how network has to follow. You know, we've been speaking a lot of enterprise accounts and customers. And, you know, it's through COVID and over the last year, we've seen that the ongoing migration into, not just one cloud but many clouds. But we need to think the enterprise you can stop and say, two clouds is enough to be here and to be able to do that. That's not happening. There is no limit to the number of clouds that each enterprise is going into and it's not a coordinated decision, so the radicalism is that the network guys, the cloud architects are being left to pick up the pieces and their job now is to kind of join together applications and data that might be spread in three or four different locations. And that's really, really challenging. And nobody's thinking about things like latency or connectivity, data accountability when these decisions are made. And it is kind of like the business units are allowed to make their own decisions to get it, but corporate itself then has to figure out how all this stuff works. And that's creating a lot of headaches. >> Caroline, If you could chime in on this, because this is kind of like what we're hearing. What's your thoughts? Because I mean, the platform shifting. I mean, five years ago. Oh, go move to the cloud, lift and shift. Now, the conversation is hyper-focused on cloud integration, at scale with kind of the features that enterprise really need. That's the confusion. What's your take on all this radical change? >> Well, I'd like to, to talk about another aspect of the radical change here, which I think is part of the story which is the radical change for the network itself. So the network itself is, as Andrew said, you know becoming desegregated into hardware and software and really becoming a software application if you think about it, that runs on the cloud itself. And that means you can distribute the network in a very different way, than you could in the past. And what that's really affecting is who can provide a network, how they can provide it, what services, what network services they can provide. And I think that is changing the decision points for operators, for enterprises. They're being faced with a very big choice about who do they, who will provide their connectivity services? Will it be an SD-WAN vendor? Who's not necessarily a traditional operator? Would it be a SaSS-y player that's basically just operating after the cloud. And if you look at the services themselves, there's the opportunity for enterprises to build really kind of rich, bespoke connectivity on demand and in a way that they've never had before. And I think that choice is obviously wonderful in one sense, but in another sense, it's pretty scary. And, and as Andrew said, it's not these decisions are not being taken particularly in a coordinated way. You know, you'll have your traditional network guys often very embedded with the lines of business and then you'll have the IT guys all going to the cloud. And these two parts of an enterprise don't necessarily even talk to each other in terms of how they're procuring their network services. So lot of choice, a lot of moving parts, a lot of change. And I think that's contributing to the situation we're finding ourselves in. >> So. First of all, great insight. I want to just double down on that one point around radical change, because what you just laid out is kind of the institutional lock-in or the way they've been operating things before You mentioned lines of business being embedded with the network guys. So you have radical change. So that's a disruption. So what's the disruption look like from your perspective because now you've got more choice, but it's hasn't been operationalized. What are the best practices? This is net new. Is it net new? How do I do security? This is all now new questions. So I got to ask you what's the disruption and what's it mean for the enterprise networks over the next couple of years going forward? >> Well, I think that there are a lot of disruptions but I think one of the ones that I haven't even mentioned. So I think, you know a lot of things are going to go, for example, I think that the idea of the network as being something fixed, persistent with fixed persistent connections is changing. So a lot of the enterprises I've talked to have said that their corporate networks, of course, they will need corporate networks with fixed VPNs between locations. Yeah, because they've got an awful lot of legacy they've got to support. But a lot of the new stuff that's coming along of the IOT driven stuff a lot of the changes around the edge and an operation, operational process automation and that kind of thing will actually be more on demand. We'll ask for on demand connectivity. A lot of it is will the applications themselves run on the cloud and not just on one cloud but as Andrew said on many, many distributed clouds. So you've got to think about zero trust security because you are basically spinning up these connections on demand. A lot of mobile will come in 5g. We know is going to be very important to operators in the future. So I think enterprises have got to deal with those data and security and all their best practices. We've got to shift to a much more dynamic, you know connectivity world, where they've got us to the playoffs. You know, what's the terministic on what's a network. That's just going to be on demand there when they need it and shut down when they don't. >> That's a great point. Andrew, I want you to weigh in on the IBM impact because what we just heard was application driven. That's dev ops. That's programmability. That's what we had hoped. Now you've got DevSecOps, all this is now the requirements. What's the bet on IBM side.? You got to make it happen. You got to bring the customers a solution and make it scale and be responsive to those you know, new, dynamically, flexible agile networks. >> Well, that's right. So the bet is that, you know that these applications that are being spent out there in containerize and they're being separated into these clouds and connecting those is what we as IBM have to have to do. And so kind of an example of that, kind of looking at the medical world, right? You think of an application that would today, monitor a patient. What's going on with that patient and all of the senses and so on. Well, the way we see it, the monitor itself, there might be monitoring temperature and heart rate etc. That what actually happens on that device might change moments depending on the patient's condition. That's one part of the application. Another part of that application may live in private data center. A third part of that application may live in the cloud. And depending on what's going on with that patient and what's going on with the ward and everything else. Those things may shift and move around. So, where does that data? Where's that data allowed to move to inform of what are the boundary points for that? How is the reliability, resiliency of our system guaranteed, but across many disparate parts of what's going on there. All of those things end up being a very vertically integrated solution. But fundamentally we've got a very different way, new ways of being able to react, dynamically. To both the network, the application and ultimately the unusual patient in this case and that's what kind of is the advantage of the outcome if you like for moving to this new world. >> So what are the implications then of the changes? These are massive changes for the better We're seeing that kind of innovation come from this transformational quick change. Hybrid cloud and edge is coming, you mentioned. Caroline talked about that too. What do you guys think about the implications and how enterprises specifically can prepare for these changes? >> Okay, well, I can pick that up. I think what enterprises are looking for at the moment is how do they get a holistic view of everything that's underneath them? I mean, I think the cloud providers individually are abstracting away as much of the network as they possibly can. They want it to appear to developers just as some kind of plumbing. And it's very easy now for enterprises to through API is you know, we've got a very API different world so it's very easy to say, okay I want this service and I'm just going to go through their API and connect to it. And that's why you get to the situation of multiple, multiple clouds. Now you've got this situation where you've got some companies are talking about needing 50 to 10,000 micro data centers, room closet data centers if you like ,to support some of the things that they want to do, like telemetry ,pick up telemetry from rental cars, for example. So what they really need is to look at all that connectivity, just as plumbing just as we don't worry about how electricity is being delivered to us. That's kind of how they want to do connectivity. So I think they want that view. They want that. Okay. I want to treat my network as one virtual thing. No matter how many different points of plumbing there are underneath. And it's getting to that point that I think they've really got to think about a plan for. You know, how do we get that to you? What's going to provide us with that holistic way that we can put a policy into our plumbing. And it proliferates across, you know all our applications and so on. I think that's a very difficult thing to achieve at the moment but it's certainly the way enterprises need to start thinking about things. >> Andrew, you know, when Caroline's talking, I can't help but kind of throw back to my days of the telephone closet. You know, back in the analog switches. But no, we're talking about a footprint. Radical footprint change too. You know, you need plumbing. Obviously that's a network. It's distributed. We just talked about that at the top of this interview. Now you have the plumbing, you got the footprint and data center could be in a closet, AKA, you know a couple of devices powering an edge. And the edge could be big, small, medium, extra large right? I mean, it's all now radically changed. This is reality now. what's your take on these implications and how do people prepare? >> Well, that's right. It's really the computer's generalized and it's everywhere and yes, it's in the closet. But as I say, it's also in your fridge, it's also in your medical censor and what loads and what runs on that is it's very intertwined with the network. And the lament, if you like, that network architects, the card architects have today is that they feel like they've lost control. They feel they've lost control of exactly what different business groups are doing, how these applications are playing out. And shout out to them, I guess for them is really that they need to be involved from a very early date on how these services are supposed to look. Just the latency of the patients, the data and where the data's supposed to live, where it's allowed to move to. All of those are deeply regulated and deeply controlled. And so making sure that that's aligned with how these applications will actually live and work. Even on a regular basis, sooner there has to be thought about now. An unplanned for so that we can get to the there and not trip up along the way. And then if it's bad enough now with all the different clouds, it's going to be much worse when everything can run a different workload on a minute by minute basis. Right. But that's cool. That's the world we have to find for. >> Okay. Andrew. Caroline. Thank you for your insight. Really appreciated coming on theCUBE. Thanks for coming. I really appreciate it. >> Thank you very much. >> Thank you >> Okay. This is the cube coverage of IBM Think 2021. I'm John Furrier, your host. Thanks for watching. (cheerful music playing)

>> Announcer: From around the globe, it's theCUBE, with digital coverage of AWS re:Invent 2020, sponsored by Intel, AWS and our community partners. >> Hey is Keith Townsend a CTO Advisor on the Twitter and we have yet another CUBE alum for this, AWS re:Invent 2020 virtual coverage. AWS re:Invent 2020 unlike any other, I think it's safe to say unlike any other virtual event, AWS, nearly 60, 70,000 people in person, every conference, there's hundreds of thousands of people tuning in to watch the coverage, and we're talking to builders. No exception to that is our friends at Densify, co founder and CTO of Densify Andrew Hillier, welcome back to the show. >> Thanks, Keith, it's great to be with you again. >> So we're recording this right before it gets cold in Toronto. I hope you're enjoying some of this, breaking the cold weather? >> Yeah, no, we're getting the same whether you are right now it's fantastic. We're ready for the worst, I think in the shorter days, but we'll get through it. >> So for those of you that haven't watched any of the past episodes of theCUBE in which Andrew has appeared. Andrew can you recap, Densify, what do you guys do? >> Well, we're analytics where you can think of us as very advanced cost analytics for cloud and containers. And when I say advanced, what I mean is, there's a number of different aspects of cost, there's understanding your bill, there's how to purchase. And we do those, but we also focus heavily on the resources that you're buying, and try to change that behavior. So it's basically, boils down to a business value of saving a ton of money, but by actually changing what you're using in the cloud, as well as providing visibility. So it's, again, a form of cost optimization, but combined with resource optimization. >> So cost of resource optimization, we understand this stuff on-premises, we understand network, compute, storage, heating, cooling, etc. All of that is abstracted from us in the public cloud, what are the drivers for cost in the public cloud? >> Well, I think you directly or indirectly pay for all of those things. The funny thing about it is that it happens in a very different way. And I think everybody's aware, of course, on-demand, and be able to get resources when you need them. But the flip side of on-demand, the not so good size, is it causes what we call micro-purchasing. So when you're buying stuff, if you go and turn on a, like an Amazon Cloud instance, you're paying for that instance, you're paying Rogers and storage as well. And, implicitly for some networking, a few dollars at a time. And that really kind of creates a new situation and scale because all of a sudden now what was a control purchase on-prem, becomes a bunch of possibly junior people buying things in a very granular way, that adds up to a huge amount of money. So the very thing that makes cloud powerful, the on-demand aspects, the elasticity, also causes a very different form of purchasing behavior, which I think is one of the causes of the cost problem. >> So we're about 10, 12 years into this cloud movement, where public cloud has really become mainstream inside of traditional enterprises. What are some of the common themes you've seen when it comes to good cloud management, the cost management, hygiene across organizations? >> Yeah, and hygiene is a great word for that. I think it's evolved, you're right it's been around this is nothing new. I mean, we've probably been going to cloud expos for over a decade now. But it's kind of coming waves as far as the business problem, I think the initial problem was more around, I don't understand this bill. 'Cause to your point, all those things that you purchase on-prem, you're still purchasing in some way, and a bunch of other services. And it all shows up in this really complicated bill. And so you're trying to figure out, well, who in my organization owes what. And so that was a very early driver years ago, we saw a lot of focus on slicing and dicing the bill, as we like to call it. And then that led to well, now I know where my costs are going, can I purchase a little more intelligently. And so that was the next step. And that was an interesting step because what the problem is, the people that care about cost can't always change what's being used, but they can buy discounts and coupons, and RIs and Savings Plans. So we saw that there was a, then start to be focused on, I'm going to come up with ways of buying it, where I can get a bit of a discount. And it's like having a phone bill where I can't stop people making long distance calls, but I can get on a better phone plan. And that, kind of the second wave, and what we're seeing is the next big wave now is that, okay, I've done that, now I actually should just change what I'm actually using because, there's a lot of inefficiency in there. I've got a handle on those other problems, I need to actually, hopefully make people not buy giant instances all the time, for example. >> So let's talk about that feedback loop, understand what's driving the cost, the people that's consuming that, those services and need to understand those costs. How does Densify breach that gap? >> Well, again, we have aspects of our product that lineup with basically all three of those business problems I mentioned. So there's a there's a cloud cost intelligence module that basically lets you look at the bill any different ways by different tags. Look for anomalies, we find that very important, you say, well, this something unusual happened in my bill. So there's aspect that just focuses on kind of accountability of what's happening in the cost world. And then now, one of the strengths of our product is that when we do our analytics, we look at a whole lot of things at once. So we look at, the instances and their utilization, and what the catalog is, and the RIs and Savings Plans, and everything all together. So if you want to purchase more intelligently, that can be very complicated. So we see a lot of customers that say, well, I do want to buy savings plans, but man, it's difficult to figure out exactly what to do. So we like to think of ourselves as kind of a, it's almost like a, an analytics engine that's got an equation with a lot of terms in. It's got a lot of detail of what we're taking into account when we tell you what you should be doing. And that helps you by more intelligently, it also helps you consume more intelligently, 'cause they're all interrelated. I don't want to change an instance I'm using if there's no RI on it, that would take you backwards. I don't want to buy RIs for instances that I shouldn't be using, that takes you backwards. So it's all interconnected. And we feel that looking at everything at once is the path to getting the right answer. And having the right answer is the path to having people actually make a change. >> So when I interviewed you a few years ago, we talked about very high level containers, and how containers is changing the way that we can consume Cloud Services, containers introduced this concept of oversubscription, and the public cloud. We couldn't really oversubscribe and for large instance, back then. But we can now with containers, how are containers in general complicating cloud costing? >> So it's interesting because they do allow overcommit but not in the same way that a virtual environment does. So in a virtual environment, if I say I need two CPUs for job X, I need two CPUs for job Y, I can put them both on a machine that has two CPUs, and there will be over committed. So over committed in a virtual environment, it is a very well established operation. It lets you get past people asking for too much effectively. Containers don't quite do that in the same way, when they refer to overcommit, they refer to the fact that you can ask for one CPU, but you can use up to four, and that difference is if you overcommit. But the fact that I'm asking for one CPU is actually a pretty big problem. So let me give an example. If I look into my laptop here, and I've got Outlook and Word and all these things on it, and I had to tell you how many millicores I had to give each one, or with Zoom, let's see I'm running Zoom. Now, well, I want Zoom to work well, I want to give it $4,000 millicores, I want to give it four CPUs, because it uses that when it needs it. But my PowerPoint, I also want to give 4000 or $2,000 millicores. So I add all these things up of what I need based on the actual more granular requirements. And it might add up to four laptops. But containers don't overcommit the same way, if I asked for those requests by using containers, I actually will use for laptops. So it's those request values that are the trick, if I say I need a CPU, I get a CPU, it's not the same as a virtual CPU would be in a virtual environment. So we see that as the cause of a lot of the problem and that people quite rationally say I need these resources for these containers. But because containers are much more granular, I'm asking for a lot of individual resource, that when you add them up, it's a ton of resources. So almost every container running, we see that they're very low utilization, because everybody, rightfully so asked for individual resources for each container, but they are the wrong resources, or in aggregate, it's not creating the behavior you wanted. So we find containers are a bit, people think they're going to magically cause problems to go away. But in fact, what happens is, when you start running a lot of them, you end up just with a ton of cost. And people are just starting to get to that point now. >> Yeah, I can see how that could easily be the case inside of a virtual environment. I can easily save my VM needs four CPUs, four VCPUs. And I can do that across 100 applications. And that really doesn't cost me a lot in the private data center, tools like VMware, DRS, and all of that kind of fix that for me on the back-end is magical. In the public cloud, if I ask for four CPUs, I get four CPUs, and I'm going to pay for four CPUs, even if I don't utilize it, there's no auto-balancing. So how does Densify help actually solve that problem? >> Well, so they, there's multiple aspects for that problem, ones of the thing was that people don't necessarily ask for the right thing in the first place, that's one of the biggest ones. So, I give the example of, I need to give Zoom 4,000 millicores, that's probably not true at all, if I analyze what it's doing, maybe for a second it uses that, but for the most of the time, it's not using nearly those resources. So the first step is to analyze the container behavior patterns, and say, well, those numbers should be different. And so for example, the one thing we do with that is, we say, well if a developer is using terraform templates to stand up containers, we can say, instead of putting the number 1000, in that, a thousand millercores, or 400 millicores in your template, just put a variable and that references our analytics, just let the analytics figure what that number should be. And so it's a very elegant solution to say, the machine learning will actually figure out what resources that container needs, 'cause humans are not very good at it, especially when there's 10s of thousands of containers. So that's kind of the, one of the big things is to optimize the container of requests. And then once you've done that the nodes that you're running on can be optimized, because now they start to look different. Maybe you don't have, you don't need as much memory or as much CPU. So it's all again, it's all interrelated, but it's a methodical step that's based on analytics. And, people, they're too busy to figure this out, that they can't figure it out for thousands of things. Again, if I asked you don't get your laptop, on your laptop, how many miillicores do you need to get PowerPoint? You don't know. But in containers, you have to know. So we're saying let the machine figure out. >> Yes kind of like when you're asked how many miillicores do you need to give Zoom answer's yes. >> Yeah exactly. >> (laughs) So at the end of the day, you need some way to quantify that. So you guys are doing the two things. One, you're quantifying, you're measuring how much this application typically take. And then when I go to provision it, we're using a tool like terraform. Though then instead of me answering the question, the answer is go ask Densify, and Densify will tell you, and then I'll optimize my environment. So I get both ends of that equation, if I'm kind of summarizing it correctly. >> Absolutely. And that last part is extremely important because, in a legacy environment, like in a virtual environment, I can call an API and change the size of VM, and it will stay that way. And so that's a viable automation strategy for those types of environments. In the cloud, or when you're using terraform, or in containers, they will go right back to what's in the terraform template, that's one of the powerful things about terraform is that it always matches what's in the code. So I can't go and change the cloud, it'll just go back to whatever is in the terraform template next time, it's provision. So we have to go upstream, you have to actually do it at the source, when you're provisioning applications, the actual resource specifications should be coming through at that point, you can't, you don't want to change them after the fact, you can update the terraform and redeploy with a new value, that that's the way to do automation in a container environment, it doesn't, you can't do it, like you did in a VMware environment, because it won't stick, it just gets undone the next time the DevOps pipeline triggers. So it's both a, it's a big opportunity for a kind of a whole new generation of automation, doing it, we call it CICDCO. It's, Continuous Integration, Continuous Delivery, Continuous Optimization. It's just part of the, of the fabric of the way you deploy Ops, and it's a much more elegant way to do it. >> So you hit two trigger words, or a few trigger terms, one, DevOps, two, I'm saying DevOps, CICD, and Continuous Operations. What is the typical profile of a Densify customer? >> Well, usually, they're a mix of a bunch of different technologies. So I don't want to make it sound like you have to be a DevOps shop to benefit from this, most of our customers have some DevOps teams, they also have a lot of legacy workloads, they have virtual environments, they have cloud environments. So don't necessarily have 100%, of all of these things. But usually, it's a mix of things where, there might be some newer born in the cloud as being deployed, and this whole CICDCO concept really makes sense for them, they might just have another few thousand cloud instances that they stood up, not as a part of a DevOps pipeline, but just to run apps or maybe even migrated from on-prem. So it's a pretty big mix, we see almost every company has a mix, unless you just started a company yesterday, you're going to have a mix of some EC2 services that are kind of standalone and static, maybe some skill groups running, or containers running skill groups. And there's a generally a mix of these things. So the things I'm describing do not require DevOps, the notion of optimizing the cloud instances, by changing the marching orders when they're provisioned not after the fact, that that applies to any anybody using the cloud. And our customers tend to be a mix, some again very new, new school processes and born in the cloud. And some more legacy applications that are running that look a little more like on-prem environment would, where they're not turning on and off dynamically, they're just running transactional workloads. >> So let's talk about the kind of industries, because you you hit on a key point, we kind of associate a certain type of company with born in the cloud, et cetera. What type of organizations or industries are we seeing Densify deployed in. >> So we don't really have a specific market vertical that we focus on, we have a wide variety. So we find we have a lot of customers in financial services, banks, insurance companies. And I think that's because those are very large, complicated environments, where analytics really pay dividends, if you have a lot of business services, that are doing different things, and different criticality levels. The things I'm describing are very important. But we also have logistics companies, software companies. So again, complexity plays a part, I think elasticity plays a part in the organization that wants to be able to make use of the cloud in a smart way where they're more elastic, and obviously drive costs down. So again, we have customers across all different types of industries, manufacturing, pharmaceutical. So it's a broad range, we have partners as well that use our like IBM, that use our product, and their customers. So there's no one type of company that we focus on, certainly. But we do see, again, environments that are complicated or mission critical, or that they really want to run in a more of elastic way, those tend to be very good customers for us. >> Well, CUBE alum Andrew Hillier, thank you for joining us on theCUBE coverage of AWS re:Invent 2020 virtual. Say goodbye to a couple hundred thousand of your closest friends. >> Okay, and thanks for having me. >> That concludes our interview with Densify. We really appreciate the folks that Densify, having us again to have this conversation around workload analytics and management. To find out more of, well or find out just more great CUBE coverage, visit us on the web SiliconANGLE TV. Talk to you next episode of theCUBE. (upbeat music)

>>from around the globe. It's the Cube with digital coverage of AWS reinvent 2020 sponsored by Intel, AWS and our community partners. >>Hey, welcome back already, Jeffrey here with the Cube coming to you from Palo Alto studios today for our ongoing coverage of aws reinvent 2020. It's a digital event like everything else in 2020. We're excited for our next segment, so let's jump into it. We're joined in our next segment by Andrew Rafa. He is the principal and zero trust offering lead at the Light and Touche LLP. Andrew, great to see you. >>Thanks for having me. >>Absolutely. And joining him is Robbie Deval. He is the AWS cyber risk lead for Deloitte and Touche LLP. Robbie, Good to see you as well. >>Hey, Jeff, good to see you as well. >>Absolutely. So let's jump into it. You guys are all about zero trust and I know a little bit about zero trust I've been going to are safe for a number of years and I think one of the people that you like to quote analysts chase Cunningham from Forrester, who's been doing a lot of work around zero trust. But for folks that aren't really familiar with it. Andrew, why don't you give us kind of the 101? About zero trust. What is it? What's it all about? And why is it important? >>Sure thing. So is your trust is, um, it's a conceptual framework that helps organizations deal with kind of the ubiquitous nature of modern enterprise environments. Um, and then its course. Your trust commits to a risk based approach to enforcing the concept of least privileged across five key pillars those being users, workloads, data networks and devices. And the reason we're seeing is your trust really come to the forefront is because modern enterprise environments have shifted dramatically right. There is no longer a defined, clearly defined perimeter where everything on the outside is inherently considered, considered untrusted, and everything on the inside could be considered inherently trusted. There's a couple what I call macro level drivers that are, you know, changing the need for organizations to think about securing their enterprises in a more modern way. Um, the first macro level driver is really the evolving business models. So as organizations are pushing to the cloud, um, maybe expanding into into what they were considered high risk geography is dealing with M and A transactions and and further relying on 3rd and 4th parties to maintain some of their critical business operations. Um, the data and the assets by which the organization, um transact are no longer within the walls of the data center. Right? So, again, the perimeter is very much dissolved. The second, you know, macro level driver is really the shifting and evolving workforce. Um, especially given the pandemic and the need for organizations to support almost an entirely remote workforce nowadays, um, organizations, they're trying to think about how they revamp their traditional VPN technologies in order to provide connectivity to their employees into other third parties that need to get access to, uh, the enterprise. So how do we do so in a secure, scalable and reliable way and then the last kind of macro level driver is really the complexity of the I t landscape. So, you know, in legacy environment organizations on Lee had to support managed devices, and today you're seeing the proliferation of unmanaged devices, whether it be you know, B y o d devices, um, Internet of things, devices or other smart connected devices. So organizations are now, you know, have the need to provide connectivity to some of these other types of devices. But how do you do so in a way that, you know limits the risk of the expanding threat surface that you might be exposing your organization to by supporting from these connected devices? So those are some three kind of macro level drivers that are really, you know, constituting the need to think about security in a different >>way. Right? Well, I love I downloaded. You guys have, ah zero trust point of view document that that I downloaded. And I like the way that you you put real specificity around those five pillars again users, workloads, data networks and devices. And as you said, you have to take this kind of approach that it's kind of on a need to know basis. The less, you know, at kind of the minimum they need to know. But then, to do that across all of those five pillars, how hard is that to put in place? I mean, there's a There's a lot of pieces of this puzzle. Um, and I'm sure you know, we talk all the time about baking security and throughout the entire stack. How hard is it to go into a large enterprise and get them started or get them down the road on this zero trust journey? >>Yeah. So you mentioned the five pillars. And one thing that we do in our framework because we put data at the center of our framework and we do that on purpose because at the end of the day, you know, data is the center of all things. It's important for an organization to understand. You know what data it has, what the criticality of that data is, how that data should be classified and the governance around who and what should access it from a no users workloads, uh, networks and devices perspective. Um, I think one misconception is that if an organization wants to go down the path of zero trust, there's a misconception that they have to rip out and replace everything that they have today. Um, it's likely that most organizations are already doing something that fundamentally aligned to the concept of these privilege as it relates to zero trust. So it's important to kind of step back, you know, set a vision and strategy as faras What it is you're trying to protect, why you're trying to protect it. And what capability do you have in place today and take more of an incremental and iterative approach towards adoption, starting with some of your kind of lower risk use cases or lower risk parts of your environment and then implementing lessons learned along the way along the journey? Um, before enforcing, you know more of those robust controls around your critical assets or your crown jewels, if you >>will. Right? So, Robbie, I want to follow up with you, you know? And you just talked about a lot of the kind of macro trends that are driving this and clearly covert and work from anywhere is a big one. But one of the ones that you didn't mention that's coming right around the pike is five g and I o t. Right, so five g and and I o. T. We're going to see, you know, the scale and the volume and the mass of machine generated data, which is really what five g is all about, grow again exponentially. We've seen enough curves up into the right on the data growth, but we've barely scratched the surface and what's coming on? Five G and I o t. How does that work into your plans? And how should people be thinking about security around this kind of new paradigm? >>Yeah, I think that's a great question, Jeff. And as you said, you know, I UT continues to accelerate, especially with the recent investments and five G that you know pushing, pushing more and more industries and companies to adopt a coyote. Deloitte has been and, you know, helping our customers leverage a combination of these technologies cloud, Iot, TML and AI to solve their problems in the industry. For instance, uh, we've been helping restaurants automate their operations. Uh, we've helped automate some of the food safety audit processes they have, especially given the code situation that's been helping them a lot. We are currently working with companies to connect smart, wearable devices that that send the patient vital information back to the cloud. And once it's in the cloud, it goes through further processing upstream through applications and data. Let's etcetera. The way we've been implementing these solutions is largely leveraging a lot of the native services that AWS provides, like device manager that helps you onboard hundreds of devices and group them into different categories. Uh, we leveraged device Defender. That's a monitoring service for making sure that the devices are adhering to a particular security baseline. We also have implemented AWS green grass on the edge, where the device actually resides. Eso that it acts as a central gateway and a secure gateway so that all the devices are able to connect to this gateway and then ultimately connect to the cloud. One common problem we run into is ah, lot of the legacy i o t devices. They tend to communicate using insecure protocols and in clear text eso we actually had to leverage AWS lambda Function on the edge to convert these legacy protocols. Think of very secure and Q t t protocol that ultimately, you know, sense data encrypted to the cloud eso the key thing to recognize. And then the transformational shift here is, um, Cloud has the ability today to impact security off the device and the edge from the cloud using cloud native services, and that continues to grow. And that's one of the key reasons we're seeing accelerated growth and adoption of Iot devices on did you brought up a point about five G and and that's really interesting. And a recent set of investments that eight of us, for example, has been making. And they launched their AWS Waveland zones that allows you to deploy compute and storage infrastructure at the five G edge. So millions of devices they can connect securely to the computer infrastructure without ever having to leave the five g network Our go over the Internet insecurely talking to the cloud infrastructure. Uh, that allows us to actually enable our customers to process large volumes of data in a short, near real time. And also it increases the security of the architectures. Andi, I think truly, uh, this this five g combination with I o t and cloudy, I m l the are the technologies of the future that are collectively pushing us towards a a future where we're gonna Seymour smart cities that come into play driverless connected cars, etcetera. >>That's great. Now I wanna impact that a little bit more because we are here in aws re invent and I was just looking up. We had Glenn Goran 2015, introducing a W S s I O T Cloud. And it was a funny little demo. They had a little greenhouse, and you could turn on the water and open up the windows. But it's but it's a huge suite of services that you guys have at your disposal. Leveraging aws. I wonder, I guess, Andrew, if you could speak a little bit more suite of tools that you can now bring to bear when you're helping your customers go to the zero trust journey. >>Yeah, sure thing. So, um, obviously there's a significant partnership in place, and, uh, we work together, uh, pretty tremendously in the market, one of the service are one of solution offering that we've built out which we dub Delight Fortress, um is a is a concept that plays very nicely into our zero trust framework. More along the kind of horizontal components of our framework, which is really the fabric that ties it all together. Um s o the two horizontal than our framework around telemetry and analytics. A swell the automation orchestration. If I peel back the automation orchestration capability just a little bit, um, we we built this avoid fortress capability in order for organizations to kind of streamline um, some of the vulnerability management aspect of the enterprise. And so we're able through integration through AWS, Lambda and other functions, um, quickly identify cloud configuration issues and drift eso that, um, organizations cannot only, uh, quickly identify some of those issues that open up risk to the enterprise, but also in real time. Um, take some action to close down those vulnerabilities and ultimately re mediate them. Right? So it's way for, um, to have, um or kind of proactive approach to security rather than a reactive approach. Everyone knows that cloud configuration issues are likely the number one kind of threat factor for Attackers. And so we're able to not only help organizations identify those, but then closed them down in real time. >>Yeah, it's interesting because we hear that all the time. If there's a breach and if if they w s involved often it's a it's a configuration. You know, somebody left the door open basically, and and it really drives something you were talking about. Ravi is the increasing important of automation, um, and and using big data. And you talked about this kind of horizontal tele metrics and analytics because without automation, these systems are just getting too big and and crazy for people Thio manage by themselves. But more importantly, it's kind of a signal to noise issue when you just have so much traffic, right? You really need help surfacing. That signals you said so that your pro actively going after the things that matter and not being just drowned in the things that don't matter. Ravi, you're shaking your head up and down. I think you probably agree with this point. >>Yeah, yeah, Jeff and definitely agree with you. And what you're saying is truly automation is a way off dealing with problems at scale. When when you have hundreds of accounts and that spans across, you know, multiple cloud service providers, it truly becomes a challenge to establish a particular security baseline and continue to adhere to it. And you wanna have some automation capabilities in place to be able to react, you know, and respond to it in real time versus it goes down to a ticketing system and some person is having to do you know, some triaging and then somebody else is bringing in this, you know, solution that they implement. And eventually, by the time you're systems could be compromised. So ah, good way of doing this and is leveraging automation and orchestration is just a capability that enhances your operational efficiency by streamlining summed Emmanuel in repetitive tasks, there's numerous examples off what automation and orchestration could do, but from a security context. Some of the key examples are automated security operations, automated identity provisioning, automated incident response, etcetera. One particular use case that Deloitte identified and built a solution around is the identification and also the automated remediation of Cloud security. Miss Consideration. This is a common occurrence and use case we see across all our customers. So the way in the context of a double as the way we did this is we built a event driven architectures that's leveraging eight of us contribute config service that monitors the baselines of these different services. Azzan. When it detects address from the baseline, it fires often alert. That's picked up by the Cloudwatch event service that's ultimately feeding it upstream into our workflow that leverages event bridge service. From there, the workflow goes into our policy engine, which is a database that has a collection off hundreds of rules that we put together uh, compliance activities. It also matched maps back to, ah, large set of controls frameworks so that this is applicable to any industry and customer, and then, based on the violation that has occurred, are based on the mis configuration and the service. The appropriate lambda function is deployed and that Lambda is actually, uh, performing the corrective actions or the remediation actions while, you know, it might seem like a lot. But all this is happening in near real time because it is leveraging native services. And some of the key benefits that our customers see is truly the ease of implementation because it's all native services on either worse and then it can scale and, uh, cover any additional eight of those accounts as the organization continues to scale on. One key benefit is we also provide a dashboard that provides visibility into one of the top violations that are occurring in your ecosystem. How many times a particular lambda function was set off to go correct that situation. Ultimately, that that kind of view is informing. Thea Outfront processes off developing secure infrastructure as code and then also, you know, correcting the security guard rails that that might have drifted over time. Eso That's how we've been helping our customers and this particular solution that we developed. It's called the Lloyd Fortress, and it provides coverage across all the major cloud service providers. >>Yeah, that's a great summary. And I'm sure you have huge demand for that because he's mis configuration things. We hear about him all the time and I want to give you the last word for we sign off. You know, it's easy to sit on the side of the desk and say, Yeah, we got a big security and everything and you got to be thinking about security from from the time you're in, in development all the way through, obviously deployment and production and all the minutes I wonder if you could share. You know, you're on that side of the glass and you're out there doing this every day. Just a couple of you know, kind of high level thoughts about how people need to make sure they're thinking about security not only in 2020 but but really looking down the like another road. >>Yeah, yeah, sure thing. So, you know, first and foremost, it's important to align. Uh, any transformation initiative, including your trust to business objectives. Right? Don't Don't let this come off as another I t. Security project, right? Make sure that, um, you're aligning to business priorities, whether it be, you know, pushing to the cloud, uh, for scalability and efficiency, whether it's digital transformation initiative, whether it be a new consumer identity, Uh uh, an authorization, um, capability of china built. Make sure that you're aligning to those business objectives and baking in and aligning to those guiding principles of zero trust from the start. Right, Because that will ultimately help drive consensus across the various stakeholder groups within the organization. Uh, and build trust, if you will, in the zero trust journey. Um, one other thing I would say is focus on the fundamentals. Very often, organizations struggle with some. You know what we call general cyber hygiene capabilities. That being, you know, I t asset management and data classifications, data governance. Um, to really fully appreciate the benefits of zero trust. It's important to kind of get some of those table six, right? Right. So you have to understand, you know what assets you have, what the criticality of those assets are? What business processes air driven by those assets. Um, what your data criticality is how it should be classified intact throughout the ecosystem so that you could really enforce, you know, tag based policy, uh, decisions within, within the control stack. Right. And then finally, in order to really push the needle on automation orchestration, make sure that you're using technology that integrate with each other, right? So taken a p I driven approach so that you have the ability to integrate some of these heterogeneous, um, security controls and drive some level of automation and orchestration in order to enhance your your efficiency along the journey. Right. So those were just some kind of lessons learned about some of the things that we would, uh, you know, tell our clients to keep in mind as they go down the adoption journey. >>That's a great That's a great summary s So we're gonna have to leave it there. But Andrew Robbie, thank you very much for sharing your insight and and again, you know, supporting this This move to zero trust because that's really the way it's got to be as we continue to go forward. So thanks again and enjoy the rest of your reinvent. >>Yeah, absolutely. Thanks for your time. >>All right. He's Andrew. He's Robbie. I'm Jeff. You're watching the Cube from AWS reinvent 2020. Thanks for watching. See you next time.

>> Narrator: From theCUBE studios in Palo Alto in Boston, connecting with all leaders all around the world, this is theCUBE conversation. >> Hi, everybody, this is Dave Vellante, and welcome to this episode of Startup Insights. Andrew Lau is here with me, he's the co founder and CEO of a relatively new company called Jellyfish. They focus on engineering management, which is kind of a new space that we want to present to you, Andrew, great to see you, thanks for coming on. >> Hey, Dave, thanks for having me on. >> So when I see co founder and a title I always ask why did you start a company? What's your Why? >> So the three co founders myself, Dave Gourley, and Phil Braden,we actually met geez more than 20 years ago, at a company called Endeca. We had the chance to kind of bring the proverbial band back together, just 'cause rare is the chance to work with great people. And for us, Jellyfish really was coming out of our own experiences. All three of us grew our careers running big engineering teams big product teams. We realized how hard it was to really lead those teams and connect them to the business at scale. And that's the problem we just got together to solve. >> Yeah, so interesting right, and Endeca, another East Coast company, great exit, brought by Oracle. And of course, when you say in Endeca, I always think okay, Jellyfish, you guys in the search business, but you're not in engineering management. What is engineering management? And, you know, how does it relate to some of your past experiences? >> Great question, well, so engineering management engineering management sector or management platform, as we talked about, really comes down to how we can facilitate the tools to make leading big teams easier, right, we've realized that as you get to larger teams, teams bigger than 50, bigger than 100 engineers, it's really hard to understand what the team is doing really hard to make sure that they're working their best in making sure they're pointed in the right direction. And even Furthermore, how to connect that to the business and how to make sure the business successful after the team dies. And as for us, is really around making tools and processes available that they really help accelerate the act of leading big teams. >> So when you think about it, I mean, it's really the problem you're solving is visibility, kind of what's going on in engineering and providing metrics is that a sort of a fair, high level? >> I think it's a perfect high level statement. When we actually got together and talked about the problem space we all saw as we lead these big teams. We quickly drew an analogy to you know, when I started my career in the late 90s, there was a time before Salesforce and CRM were pervasive, right And so really quickly, we drew a quick and easy analogy that said, like, hey, why isn't there a Salesforce for engineering? That is, why isn't it that same leadership and executive visibility into how a team is progressing and to make sure it's aligned with the business? >> Well, when you think about it, right, Salesforce, what 1999 we had the first Salesforce clouding before the real cloud hit, you know, we certainly have marketing clouds now capital Management clouds, customer service management clouds, why not an engineering cloud right? >> I think it's probably you follow that map there, I think we've seen the last 20 years, that clouds actually kind of progressed from sales to marketing to success to HR, as you pointed out, I think the last bastion in organizations is the engineering team right? It just so happens right now that engineering teams probably are the most strategic, if not the most expensive team in most companies roster. And so really, providing visibility is really necessary at this time. >> So I don't run engineering it's Silicon Angle by my co-CEO and partner John furrier does. But I'm always like asking him like, hey, what are you guys working on? What are the deliverables? What am I going to get it and when? how we do it on quality, and so forth and so I think just scanning your website, reading some of your blogs, these are some of the things that you really focus on. You wrote a five part series, I think, I don't know if I'm dying to see part five but four parts are out. I want to dig into some of those, I think they're in, I think you called it, you know, five things that you should present to the board. >> Yeah, yeah Like, you know, a great question around like, there's a series were four or five in two, I'm talking about what are five slides that heads of engineering should be showing to their boards or even their executive management teams? You know, early on in the process, I'm aware, before we actually started the company, we did a ton of research, talking with leaders at scale, trying to ask them, like, how do you manage your team? How do you connect into the business? And out of those conversations fell, you know, asking folks like, well, what slides do you show your board meeting? And and the answer was, there wasn't ubiquitous answer. People were looking for answers and so we really synthesized a number of different leaders that we thought were really successful in this world, and really put together this series to talk about like, what are the metrics that people should be measuring? >> Well, let's talk more about some of those metrics so you know, I mentioned so what am I going to get? When what are some of the other key things that people are focused on? I mean, obviously, quality, where I'm spending my money. But what are some of the ones that you're seeing, aligning with business and really driving business outcomes? >> So okay, so part one I think you talked about right which is, you know, what are you getting? What got shipped out the door? what's coming down the pipe? I think job one for a leader of engineering and Product is to talk about what's coming out, right in the same way that sales job is actually hit a revenue number and talk about the pipeline coming down the way it's an engineers job to actually ship new product that you can sell your users can engage with so that's definitely slide one. Slide two, you already alluded to here two is about quality, right? I think if you're shipping product that actually can't hold quality in the eyes of your customers, it won't last very long. So I think it's really important to show command of quality and actually show metrics that actually measure quality over time in the lens of your customer. Slide three, I think we're really talking about alignment. Making sure that your team is spending your dollars, time and effort in the right way that actually aligns with what the business wants to right? So examples might be, if you're a company that splits time between enterprise and SMB efforts, well, making sure that the features the team is working on actually aligned to the strategy of the company, right? And you can't do that if you don't measure that. And then slide four is really around capturing broad level productivity. But is the team healthy moving forward? And then the last of which is really the preview coming up for the next segment here is going to be about really around the team in hiring right. How is the team holding up? How's the morale? And how's the actual hiring pipeline looking and ramp? All right in terms of new employees right, it's really the people side of the engineering leadership. >> Cool, thanks for teasing that a little bit. I'm glad to hear it's not just about productivity, 'cause there are tools out there that can measure developer productivity, but seems like you're taking a broader approach and building a platform to really take a more end to end sort of lifecycle view. >> Yeah, I think we really look about, think about it as look productive is really important. I think it's necessary but not sufficient. You can talk about a boat, you can roll faster. But if you're rolling the boat in the wrong direction, who cares? So it's as important to make sure that alignments in place and actually making sure that the rest of communication and context is really in place to make sure that team succeeds and the lens of the business. >> Andrew I'm interested in the market, I mean, my sense is engineering management is sort of new, very new, actually, although we talked about productivity being sort of one of the metrics and there are tools out there, but how do you look at this market? Is there a big whale that you're targeting? Or is this more of a Greenfield up? >> I think really, it's a Greenfield opportunity. I think if you were to you know, people don't wake up right now with a quadrant they look at or a wave that they're actually measuring on at the moment. It doesn't say isn't coming. I mean, if you look at this as a baseball game, we're probably getting one and defining market right now. And you can tell because if you look across the vendor space, I think there's a lot of variety of different solutions in these places. And so, from my view, you know, there's room right now just to innovate and describe what this platform really is going to be right and that's what the next few years are going to look like and defining this market. >> Did the unknown nature of the market? Was that was that a challenge in terms of your race? >> I actually think that's actually the opportunity. I think both as founders and and our investors, I think really, whenever you have these Greenfield opportunities, it helps you create big opportunities, I either grow you know, this better than anyone, I think, define the markets are very clear in the box you're trying to fill in, it's a race to do that. You know, this space here is a space ripe for innovation. It needs innovation, both in product and process and how you going to market and the story will be told five years from now. >> So I want to talk about your go to market but before we do, so one of the things you got to do when you're doing your investor pitches, you got to figure out the total available market your served market. I mean, how did you do that? What can you share with us about the TAM? >> I mean, okay, there's the quantitative answer, right, you could pick apart all the companies in the world count all the software engineers and I can tell you, it's going to be a big number, right You can also map it to other large software engineering companies like Atlassian, or even Microsoft and talk about the markets there. But I think, you know, look, the world has moved far for long with that like, what's the word every company is a software company now? I think it's not a necessary part of the pitch anymore. I think everyone intuits the TAM is large, because even air conditioning companies now have hundreds of software engineers, It's no longer this niche thing like it was 20 years ago. I think literally, you know, every company in the planet could be a potential customer of Jellyfish in the future. >> You know I feel like some sometimes if you can actually size the TAM, it's maybe a negative in your race because if the TAM is just so obviously large then investors say hey, okay, check the markets huge, and that's what they want to see. >> And I think part of it too, is like we've seen the last five years, not just has you know, every company become a software company. This also means the engineering departments and how they recruit have been really scrutinized. Everybody needs more wants more engineers, they're hard to get and expensive. I think everyone's realizing like, because of both of those things, everyone cares a lot more, It's no longer this, you know, small number of people have low cost. It's actually just an expensive investment, a strategic one. And I want to make sure everyone wants to make sure it's pointing in the right direction now. >> So there's a lot of people in our community, young people get, you know, either just graduated from college or been out for, you know, 567 years working at a company and feel like they want to do their own thing. And they're always interested in how you did it, how you got started, how you ascended the company where you know how you seated it, I think, I think you guys started in 2017, I think you've raised $12 million. But take us back to the beginning, how did you and your co founders get launched, you know, how did you see the company and bootstrap it? So I mean, I, I think for us, like we're lucky to have actually been through all three of us through a number of different startups. So I think this is for us coming with a lot of awareness of actually how to build the company, we had the chance, you know, in at the talent 2016 to actually get the proverbial band back together. We hadn't worked together in probably shy of 15 years. But I think we really respected the chance to do so. And so we got together and said, like, hey, let's see if there's an opportunity for us to do something together. And so that was a real journey, you know, we pushed through a number of different concepts, we largely fell into this one simply because of our backgrounds, right, it is an area that we actually bring some personal expertise to and our networks bring it that way, but also some passion around wanting to actually solve it. So I think it's probably at the end of 16 that we actually said, like, hey, this is a space we might be interested in. We actually spent I think the the first couple months of 17 just interviewing every VPE CTO CEO, exactly we could find I think we probably talked to north of 65 technology leaders in that time period. Largely just actually asked him like, hey, what do you think about this space, this idea? What do you do instead? In fact, tell me not to start the startup, I don't want to invest x years of my life to find out that there's a better solution out there. The part that was I think amazing was that everyone was interviews, everybody kind of stopped at the end of it and leaned in and said, "hey, can you do me a favor? Can you write up the, whatever your notes on this and just send me the actual answer? So at that moment, we knew that, you know, we didn't have the solution yet. But we knew there's pain out there an opportunity to actually solve something, we weren't the only ones that actually identified that. And so that became the mission, which is how do we make people in this seat? How do we make their lives better, right? And, you know, sliding forward that you know, concurrent with actually, the early checks coming in, we actually call those same folks back and said, hey, can we work with you to build the product? So from a philosophical standpoint, we really believe in actually building with our customers, right, and so, from the first moment, you know, pre product, you know, pre code, we sat down with those same people and said, hey, let's work with you. let's do things by hand, let's do with your data, just to make sure that we understand what we're building a use case that you care about. >> Okay, so you co-created really with the customers as you actually started generating revenue, kind of a sell design build model, is that right, or? >> Yeah, I want to think of a much more of a, as an alpha product development, right, I think, you know, our philosophy on that early on, let's say June of 17. It was, look, we'll do your manual, we'll do your board decks for you, we'll do your management team slides, we'll do your metrics will do your capitalization, right. We'll do whatever you need on a manual basis, as long as we can work with you and your data. And you know, because we always had an eye on building the platform there. And so behind the scenes, of course, we're automating all of this. But that helps make sure that the use cases that we're building for were things they actually needed, we're going to use. >> Did you find you had to leave a lot on the cutting room floor? In other words, a lot of times when you take that approach, and you kind of try to generate maybe early revenue from customers, you sometimes get sick, especially in the enterprise, you get sucked into specials and some of your custom work that might not scale across the the other organizations. You guys obviously experienced, was that something you guys put a lot of thought into and how did you manage that? >> Look, I don't think it's magic, I think we were aware. To your point we've done this a few times, so at least we knew the pitfalls, like yeah, so some stuff has been left on the cutting for in the sense that we probably, you know, pushed harder on areas that we push less on today. I don't think anything was abandoned. I think part of it is that, you know, there's two sides of it, right, which is, if you're able to think about where you want to go, which is building a platform, you can always take any engagement and trade it off and say like, hey, is this something we want to build? Does this make sense for actually leading us towards the long platform story? you don't have to do every opportunity that comes along. So I think you need to thread the needle and I should take advantage of working with customers, but also making sure you have an eye for where you're going the North star so you can pick and choose which project you want to work on or which customers you know you want to work with because end of the day products are really the byproduct of who you work for who you serve as who you actually build for. And so we're very conscious along the way to choose the right individuals, the right partners that helps shape the product over time. >> And you guys had some some engineering chops and your own Andy Jassy says there's no compression algorithm, the algorithm for experience and then maybe that's an Amazon thing, but I hear him all the time. So you know, they had that to your advantage. And so, okay, so i got your website I see you've got customers so you know, you're well into your journey here. You've got product market fit, I presume you've got you know, your SaaS model your pricing down, but where are you in your sort of journey and you're phasing? >> I mean, geez, those words all change quite a bit these days, I would actually say product market fit is never a binary thing, that the constant journey, right so I would say that we're always working on that because the markets are always moving. And we have a market that is changing month on month and a quarter on quarter, right, so I never want to declare victory on that. Because that's going to get left behind. I think in terms of our journey, like we have on the team right now is 27 people normally based in downtown Boston, We're all working from home at the moment. You know, we have, you know, a sales team in place now of I think six, seven folks now. So we're in market actually pushing this forward. But, you know, I think for us, we're out there really kind of scaling the story right now. I think we've had some tremendous customers we had the chance to work with, we have a product that we're really proud of. I think we just need to put more units out there and more customers to actually make them more successful. So I think anything we're really in the act of repeating every function of the organization right now. It's really kind of build it up. So okay, so I mean, normally when you do a startup, you go to your friends, first the people in your core circles, you get them to that's I'm sure you did something similar. You're obviously beyond that phase of six to seven salespeople, you're starting to scale up, you've probably got a good sense as to that types of salespeople that you're looking for. And then now you're trying to figure out okay, it sounds like how much do I spend on marketing? How does that affect sales productivity? And then how do we scale that whole thing up and then go hyper scale and build a moat and all that other good stuff. >> Yeah, I think you're exactly right, I mean, I think we're at the point now where we can actually start making trade offs, right, like, you know, like, you know, do we actually add a additional salesperson? Do we actually invest in marketing programs? Do we actually build out more strategic product? I think you know, we are still the point we have to make trade offs, right, but the business is mature enough that we can make trade offs right, that makes sense. >> So let's talk about customers, I mean, maybe you could give us some examples, some of your, your favorite examples how you've impacted their business. >> Well, I think if you look at actually our website, I think there's a few case studies up there, I think there's building them up there, there's like salsify books at toast. I think all three of those actually really talk about different kinds of use cases around how we actually affect them. So One of which will we're really helping them actually on alignment, right and making sure that their team is working on the most important things, And, and in those situations, when you're working on the most important thing, you're really kind of essentially getting opportunity cost of engineers and making sure that they're driving towards things that you really will help the business, right so if you're, if you're looking at it that way, you're finding engineers that can help you progress faster, but you're building more product faster, because you can focus the energy where the team is going. And so that's case one, I think another case is really is around, making sure around quantitative management visibility, right, making sure that the team is visible in the metrics and in their output to make sure that they're performing their best, right, and that might mean everything from automated performance management to just making sure that people aren't left behind and making sure that they're the team is actually healthy in their function. And then the last of which is really around capitalization, which is a financial process and really automating that, that's out of the house which is, you know, capitalization requires a traditionally, engineering leaders have to manually fill out spreadsheets for finance, and for the accounting team to make sure that they're actually able to account for where the team effort is going, and then it can actually capitalize it correctly when we treat it from a financial perspective. And so we automate that process that just makes everyone's lives easier. So you're no longer manually data on a week by week basis. >> So I may have obviously seen some of your product and some of the outputs but your your SaaS based model, you know, cloud pricing, all that sort of modern, you know, approaches and business practices. And but what else can you tell us about sort of your, pricing model and how you're going to market? >> Yeah, so I think, you know, we are a SaaS hosted application. We also have, you know, open source agents that have been deployed on premise to actually, you know, whether to work with complex network architectures or deal specific redaction concerns, so we got to operate an on premise environments in that way. You mentioned our pricing is SaaS base we broadly price annually, you know, from broad strokes perspective, it's relative to the the size of the engineering team. Very simply like a, an engineering team of 300 people is a lot more complicated than engineering team of 30 people, right, put it that way. And the pricing reflects that. And then to your question around, like, what else I can talk about? Well, you know, I made the analogy earlier around like they were trying differentiating what Salesforce did for sales. What I mean by that really is providing that executive and leadership visibility to that department, right, if you're looking at the innovation that Salesforce brought in the early aughts, it was really getting stuff out of notebooks into the cloud through manual data entry, and in contemporary sales, I think there's less of that these days, it's all through plugins and voice recognition and stuff. And in the same way, in the engineering side, we're not in the business of actually asking for new data entry. In fact, we connect with systems engineers already using You know, the JIRA is the GitHub to get labs, all they know that their testing tools and their CI tools and then all of those things really we emit what we call engineering signals. So the engineers don't do anything differently. We collect that data, we connect to those systems, we clean that data, normalize and contextualize it with respect to business data. And that's actually where the insight actually comes from. Because if you just look at the raw engineering data by itself, there's not a lot you can do with it, right you know, I joked with you in our kind of earlier conversation, which is, you might look at, you know, your 300 get or request your engineers are produced thing. Like, it doesn't really help you figure out if you're going to do great this quarter, right? And so for us, we really bring that in contextualize it and make sure that you understand it in a business context, to talk about like, hey, is the team accelerating and being successful in the ways that we need the business needs them to do. >> Yeah, you're so right I get a stream of those every day every week and I open them up and I go, okay, I don't know. There's people that work in sort of last sort of topic areas is I want to understand where you want to take this thing. I think I'm writing that you've raised about $12 million, you obviously got a big market seems like you've got a great product. I mean, if I'm you, I'm throwing gasoline on the fire, I want to run the table, you got to create the market . So that's sometimes kind of expensive. Where do you want to take this thing? >> I mean, look, this may sound hubris bowl, but our ambitions are to build a large multi billion dollar standalone software company. And and I think, you know, part of the reason why I say it that way is that I think it's important to have a North star, right. It's important to have a North star to make sure that we're all headed in the right direction. We get the right team members, actually, as we grow the team, and then we actually capitalize it accordingly. I think if you look at the analogy, we started out earlier around sales and marketing. Every time someone's actually cracked that leadership visibility, for each function, there has been a multi billion dollar opportunity there, if not, a multi, you know multi multi billion dollar opportunity out there. So I don't think it's a overly anim facies that where we're going. But I think there's a lot of work to get from here to there. >> Yeah, I mean, I didn't ask you directly about the competition, I did ask you if there's a big whale, is there a big entity, you know, like a database, guys, is they want to target oracle, for example. And I looked around and I, I really didn't see it. It really does look like a Greenfield opportunity, which is absolutely enormous. I mean, I think I'm getting that right. >> Yeah, I think you're right on, and look at I think there are going to be more small players actually entering the market. Like I think whenever we look at new markets, and as they actually kind of build momentum, that always happens. And so of course, I you know, in that sense, I want competition to be here. But right now, I really don't focus on that. I think as for us, It's really about our product in the hands of our customers, how we make them successful. And then let's rinse and rinse and repeat that over and over again to more and more companies. >> Yeah, you don't have to compete you guys have to create. Andrew, great to have you on thanks so much for sharing your insights on your company, good luck with Jellyfish and come back anytime you know, in the future would love to track your progress and see how you're doing. >> Right Dave, thank you so much for having me here and I hope you, your family or team are staying healthy and all this and I look forward to next time. okay, and thank you for watching everybody this is Dave Vellante for theCUBE and startup insights. We'll see you next time. (upbeat music)

>> Announcer: Live from Denver, Colorado, it's theCUBE. Covering Commvault GO, 2019. Brought to you Commvault. (upbeat music) >> Hey, welcome back to theCUBE's coverage of Commvault GO '19 from Colorado. Lisa Martin here, with Stu Miniman. Stu and I are pleased to welcome, somebody who knows a lot about Commvault from a couple of different angles, we have Andrew Cochrane, Solutions Architect at Softcat. Andrew, welcome to the program. >> Hi Lisa and Stu, thanks for having me. It's great to be here. >> So you have familiarity, more than familiarity, with Commvault for a long time. You are at Softcat now, you've been there since the beginning part of this year. But you've been working with Commvault on the customer's side for a long time. Let's start there which just giving us your history of what your guys do, what you were doing with Commvault on the customer's side, before we get into the partnership with SoftCat. >> Yes, I started working with Commvault about five years ago. I was working for a large global company, headquarters in the UK, around research and development. We had a lot of different siloed backup technologies. We had big problems with data growth. So I ran a project there, to find a solution that will help us with that in the day that we were doing it, but then also as we grew. As we had big plans to grow, our data we were growing about six or seven average year on year. So we had a major challenge with that data boom. So I started working with Commvault, we selected that as a tool set. And we implemented it and so, were able to reduce our backup down to a much more controlled environment, much more automated, and increase our backup success, and our restore success dramatically from sort of, our SLA was, we didn't have one actually, but it was probably more around 50% up to sort of then 99% success rate. And then, we started that journey and it was definitely a partnership with Commvault then from a customer angle. Because we saw backup as day one, and then it was really how can we progress that, and move from data redaction to data management. So we started looking at what we now refer to as Orchestrate and Activate. So Orchestrate really looking at how can we move workloads, initially it was between sites or it might be for recovery scenarios, and then obviously now the cloud. And then, we started looking at Activate, because we realize we had a challenge of our data's growing more and more. We can protect, which is great. We can move it, but we didn't really know what it was. We knew we had stuff, we know we had a lot of it. But, when you start drilling down beyond the file types, or the sizes of, is it sensitive, is it person identifiable, is there a risk with this data, do we need it, can we delete it, we didn't know. So that's where we started looking at Activate. So that's kind of where my journey start to end as a customer, when we started to get involved with Activate. I sort of left that when we were sort of end of the POC phase, so we knew it could do what we wanted it to do. It's then a matter of scaling that. And then yeah, I joined Softcat beginning of this year to take on a new challenge as a partner. >> All right, so it's great learning you had as the user now you can relate with your customers even more. Just give us a thumbnail sketch of Softcat, and how the Commvault partnership you have, fits into the overall business. >> Yeah, so Softcat, our UK partner, we were around infrastructure services. We're one of the leading UK partners. We cover a broad ranges across hybrid cloud, network, security, digital working space, so we cover a wide gander of different technologies. And Commvault are one of our key vendors that we work with and really one that we work a lot with around the data management piece, and discuss with customers the challenge I had as a customer. And we share that with them and discuss Commvault and how that can help them in their challenges. >> The role that you now have with Softcat what part of your experience with Commvault on the customer side attracted you to shift over to Softcat and partner, and be a partner with Commvault? >> Yeah, yes, I mean my whole career up to this point about 20 years has always been from a customer side, in different organizations, different sectors. And I kind of, I got to the point where I've done a lot different roles, I'd been different infrastructure roles, different end-user compute roles, and I've been on service desks, into the architecture world, and I've kind of had a good round of experience, but I thought I've never experienced the channel of a vendor. So I wanted a new challenge, and Softcat has this Solution Architect role, which is ideal, and I thought actually sitting in the channel, I suppose, still being close to the customer, and being able to understand their challenges and what they're trying to do, because that's been my whole career to that point. But then also, sign to form, relationships with the vendors that were different. So having that closer relationship, that being able to, I suppose amplify almost my voice, 'cause I can having one voice as single customer, but now I see even in 10 months, I think, I'm into triple digits of customers, so I can start to amplify that voice of saying it's not just one, it's all of the customers that I represent and almost starting to be that go-between between the customer and the vendor. And I thought that was really interesting challenges, it's something that I'd be good at hopefully. And it really attracts me to start to sort of sit in that space and start to meet more customers, see their environments, their challenges to see was my experience unique or is everybody having the same sort of challenges and aspirations and start to work together to try and help solution design around those. >> Great so Andrew, I'd love you to bring us inside some of those conversations you're having. >> Yeah. >> We've been having conversations this whole week about the new Commvault, they've got some new products, like Metallic, very much partner driven activity. Which of the product in the Commvault portfolio are resonating most with your customers and what you have heard this week that you want to make sure that you're bringing back to your users? >> Yeah, as far as before this week, the two that really resonated were Complete and Activate. Complete obviously for that almost the stuff that we have to do. We need to protect that data, we need to recover it. So it's always going to been, I think a conversation in any organization. The Activate one is a really interesting discussion point actually, and something which, from my experience before as a customer, I bring into a lot of the conversations I have with my customers. And it's really trying to understand, yes, you might protect it, but do you understand the, like I said the challenge I had as a customer, and quite a lot organizations don't, they don't have the understanding or that ability to automate things, or they might be early on that journey, so it's really, I try and take a slightly difference attack of trying to understand the business. Work with not only, our infrastructure contacts, but also trying to say actually, can we speak to Legal, to Compliance, to Governance, to HR, because data securing are considering things like GDPR and other regulatory bodies. It's not an IT problem, this is the whole organization. Actually we find that Activate is a good way to start to have that discussion with customers. I suppose that was up to this point, and then obviously, now, last couple of days, I think, the one that I'm looking forward to will be Metallic. It's not yet, outside of the US, but I'm waiting for that time because we definitely see a space with SMBs where they want the power of something like Commvault but they also want the simplicity to deploy it and to operate it. And I think Metallic has a really great play there. I've seen it over the last couple of days a few times and I think it's looking real powerful. >> Andrew, I'm curious, you've talked about the products that are resonating with your customers. How many of them are really on the defensive when it comes to data? You know, I'm worry about protecting, I'm worry about government, versus those that are saying okay, I want to be data driven, I'm going through digital transformation, and therefore, understanding and leveraging my data is a key part of that? >> Yeah, I think it's a mix. I've seen so far and it really sort of comes down to the sector they're in. I've find out the sectors that are more governed tend to be more around that security and that protection side. Also like, sort of government, healthcare, any things sort of federal anything like that they seemed to be much more protection oriented. Anything more in the private sector is definitely that transformation, and that's where we have a lot of discussions whether it be digital transmission, a hybrid cloud, it's definitely more data driven. It's interesting seeing those two different perspectives. But I think, at some point, they all start to merge so I think it's just where those sectors are at the moment. >> Where would you say, customers, you said you were working with triple digits. >> Yeah. >> So 30 plus or no, hundred of customers. >> Yeah, hundreds yeah. >> Actually wait. >> It's been a busy time 10 months. (laughs) >> Lisa: That's a lot, that's a lot businesses. Where would you guesstimate they are with respect to readiness for GDPR? I heard some stats recently 70% of organizations are still, aren't ready ready or really fully able to address that. Your take from the UK's stand point. >> Yeah, I think, I'm not sure of the stats from what I've seen, you're right, it's probably high percentage on complying or ready for it. I think the main thing is to address that, and I suppose be aware that you're not ready, and to start on that journey. Because a lot of the regulatory things is about being on that journey, and starting it, and knowing that you got a roadmap to get to, to be, there is no real Nirvana of being compliant it's a constant rolling. And it's a matter of start that journey, identifying the processes, building a virtual team, of like I said, all those different people within the organization, finding out what data you have, but almost that comes after you've almost identified the problem. And the technology will come afterwards to try and help you to go through that. And yeah, I found a lot of the organizations that I've met so far, they're not really ready for that. I think there's still a little bit of a way to go. With all the difference, cause you got GDPR, you've got CCPA, that's going to come-- >> Yeah, yes, yup. >> any day now. >> Which, yeah I don't think a lot of organizations are ready for it. But it's a matter of starting that journey. >> Is that part of the advisory services that Softcat delivers, is to help them understand, there's no recipe for how to get ready, but obviously, you mentioned CCPA, that's probably the tip of the iceberg of more privacy. Laws that are >> Yeah. >> going to be enacted. So looking at the fines that are there, how do you advise customers, I'm sure depends right on how ready or not they are, but what's Softcat's sort of prescription for helping customers, like hey you've got to get, here's the place to start, because GDPR has been around for a while, other things are coming and if you're not compliant and a complying event happens, there's a tremendous risks to the business. >> There is yeah. I mean there's a financial risk, but it's also that impact actually of if you get audited and not compliant, that can have a really detrimental effect especially on a brand. So I mean yeah really we go in and try and first of all identify where an organization is, and that's across the board, we try and identify the problem, where are you, what do we need to do, what are, are there any sort of business challenges that it might have, any objectives, anything that we're trying to do as well as just getting compliant. And then, really it's trying to help formulate a plan. The first place that we start is building a team, of different people, of identifying, even if we do not where it is, by identifying the types of data you'll have, where it might be stored, what we think are the risky points. And starting to work from there really we're trying to formulate a plan of where you need to start actioning things, because some organizations, even if they can't put their finger on it they'll have an idea where it might be. So it's starting to help formulate that plan, formulate the teams that can bring different perspectives, because IT can bring in the technology side, but they might not be, as okay with the legal aspects. So therefore, you need legal, you might need HR, because they'll understand the employee side, you might have customers, so you might need customer relations, to understand who are the customers, what data do keep with them, so you need all these different aspects trying to get them round the table to start to understand almost, what the problem is, within each organization. There's somethings which are common, but organization has this like unique part, they might be more sort of experience in one area, less in others so it's about balancing out that risk of where they need to then focus on. >> So Andrew, I heard at the partner keynote on Monday, they talked about some new initiatives, some new incentives, especially going after new logos, you've only been on the partner side a relatively short time, but curious you're reaction, in your organization, thinking about some of the changes that are happening in the go-to-market from the Commvault standpoint. >> Yeah, yeah, the partner exchange day was a great day. I think a lot of good announcements for the partner world. I mean really there's ways to engage with Commvault better, I think the marketing that's been talked about, is a really a big thing. I think making Commvault stand out from everything else on the market. Showing those brands that we can go talk to other customers about. Sanjay's mentioned it, I think, a couple of times as well is about debunking some myths, about Commvault being complex. That's one that I have to address many times when I go into organizations. So it's great from a partner aspect to see that Commvault gained those things head on really. Because that will help Commvault, but also the partners and also it's customers, because more costumers can enjoy their great technology. So yeah, I think they're doing a lot of great work for the partner on the channel. >> I'm sure your perspective as a long time Commvault customer and now partner are going to be invaluable to the relationship. So we thank you Andrew for coming by theCUBE, and talking with Stu and me about Commvault and Softcat. Lots of exiting things are on the horizon I'm sure. >> Yeah, thank you for having me, it's been great to be at GO, it's been a great event. >> Lisa: It's a great event, isn't it? >> Yeah. >> Excellent, thank you so much. >> Thank you. >> For Stu Miniman, I'm Lisa Martin. You're watching theCUBE Commvault GO '19.