Massimo Ferrari, Red Hat | AnsibleFest 2019
>> Announcer: Live from Atlanta, Georgia, it's theCUBE, covering AnsibleFest 2019, brought to you by Red Hat. >> Okay, welcome back, everyone, it's CUBE's live coverage here in Atlanta, Georgia, for AnsibleFest 2019, and I'm John Furrier, with Stu Miniman, my co-host. Our next guest is Massimo Ferrari, product manager with Ansible Security. Welcome to theCUBE, thanks for coming on. >> Thanks very much. Thank you for having me. >> So, security, obviously, big part of the conversation in automation. >> Obviously. >> Making things more efficient, making security, driving a lot of automation, obviously, job performance, among other things. Red Hat's done a lot of automation in other areas outside of just configuration, network automation, now security looking kind of like the same thing, but security's certainly different and more critical. >> Massimo: It is, it's more time-sensitive-- >> Talk us through the security automation angle, what's going on? >> Well, basically, there are several things going on, right? I believe the main thing is that IT organizations are changing, well, honestly, IT organizations have been changing for the last, probably five years, 10 years, and as a consequence, the infrastructures to be protected are changing as well. And there are a couple of challenges that are kind of common to other areas. As you said, automation is all over the place, so clearly, there are some challenges that are common to IT operations, or network operations, something that is peculiar for the security space. What we are seeing, basically, is that if you think about, there's a major problem of scale, right? 
If you think about the adoption of technologies like containers, or private and public cloud, if you are a large organization, you are introducing those technologies side by side with, for example, your legacy applications on bare metal or your fantastic digital machines, but what they do actually is introducing a problem of size, a problem of scale, and a problem of complexity connected to that, and a problem of distribution which is just unmanageable without automation. And the other problem is just complexity, that I mentioned before, is, I wasn't specifically referring to the complexity of the infrastructure per se. If we think about adopting best practices or practices like microservices or adopting functions of service, we can easily imagine how an old-school three-tiers application can be re-engineered to become something like with made of 10 hundred components, and those are microcomponents, very focused on single things, but from a security perspective, those are ingress points. And what automation did, what automation proved to be able to do, is to manage complexity for other areas. So you can be successful in IT operations, in network, and clearly, it can be successful in security, but what is unique to security is that professionals are facing a problem of speed, which means different things, but to give you an example, what we are seeing is that more and more cyberattacks are using automation and artificial intelligence, and the result of that is that the velocity and impact of those attacks is so big that you can't cope with human operators, so we are in a classic situation of fighting fire with fire. >> So, this is a great example. We had the service guys on earlier talking about the Automation Platform, and one comment was, "You don't want to boil the ocean over. "Focus on some things you can break down "and show some wins." 
Security professionals have that same problem, they want to throw automation and AI at the problem, "It's going to solve everything." >> Of course. >> And so, it's certainly very valuable, managing configurations, open ports, S3 buckets, there's a variety of things that are entry points for hackers and adversaries to come in, take down networks. What's the best practice? How would you see customers applying automation? What's the playbook, if you will? What's the formula for a customer to look at security and say, "Okay, how do I direct Ansible "at my security problems, or opportunities, "to manage that?" >> Well, when you discuss security automation with customers, it really depends on the kind of audience that you have. As you know, security organizations tend to be fairly structured, right? And depending on the person you are talking to, they may have a slightly different meaning for security automation. It's a broader practice in general. What we are trying to do with Ansible Security Automation is we are targeting a very specific problem. There is a well-known issue in the security world, which is the lack of integration. What we know is that if you are any large organization, you buy tens, hundred sometime, of security solutions, and those are great, they protect whatever they have to protect, but there is little to no integration between them, and the result of that is that security teams have an incredible amount of manual work to do just to correlate data coming from different dashboards, or to perform an investigation across different perimeters, or at some point, they have to remediate something that is going on and they have to apply this remediation across groups of devices that are sparse. And what we are trying to do with Ansible Security Automation is to propose Ansible as an integrational layer, as a glue, between all those different technologies. On one hand it's a matter of become more efficient, streamline the process. 
On the other hand is an idea of having, truly, a way to plan, use the automation as your action plan, because security is obviously time-critical, and so, automation becomes, in this context, become even more important. >> Massimo, with the launch of the Ansible Automation Platform, we see a real enhancement of how the ecosystem's participating here. Where does security fit into the collections that are coming from the partner ecosystem of Ansible? >> Well, in one way, we have been building over the shoulders of our friends in Network Automation. They did an amazing job over four years. They did two major things. The first one is that they expanded for the first time the footprint of Ansible outside the traditional IT operations space. That was amazing. And we did kind of the same thing, and we started working with some vendors that were already working with us for slightly different use cases, and we helped them to identify the right use cases for security, and expand even more what they were capable of doing through Ansible. And what we are doing now is basically working with customers, we have lighthouse customers, we call them, that guide us to understand which is the next step that we are supposed to perform, and we are gathering together a security community around Ansible. Because surprisingly, we all know that the security community has always been there, always been super vocal, but open-sourcing security's a fairly new thing, right? And so we have this ability, the important thing is that we all know that Red Hat is not a security vendor, right? We don't want to be a security vendor. That's not the ambition that we have. We are automation experts, in the case of Ansible, and we are open-source experts across the board. So what we are doing with them, we are helping them to get there, to cooperate in the open-source world. 
And for security, proven to be very interesting the adoption of collection, because in some way allows them to deliver the content that they want to deliver in a very, I would say, focused way, and since security relies on, again, is a matter of time to market or time to solve the problem, through collection, they have more independence, they are capable to deliver whatever they want to deliver, when they want to deliver, according to their staff needs. >> You know, one of the things you mentioned, glue layer, integration layer, and open source, your expertise on automation. It's interesting, and I want to get your reaction to this, 'cause we did a survey of CISOs in our community prior to the Amazon Web Services re:Inforce conference this past summer. It was their first, inaugural, cloud security, so, yeah, cloud security was a big part of it. But with on-premise and hybrid and multi-cloud here, being discussed, this notion of what cloud and role of enterprise is interesting to the CISOs, chief information security officer. And the trend on the survey was is that CISOs are re-hiring internal development teams to build stacks onsite in their own organizations, investing in their stack, and they're picking a cloud, and then a secondary cloud. So as that development team picks up, that seems to be a trend, one, do you agree with that? And if people want to have their own developers in-house, for security purposes, how does Ansible fit into that glue layer? Because if it's configuring all the gear and all the pipes and plumbing, it makes sense to kind of think about that. So this might be a trend that's helping you? >> So, the trend, there is a general trend in the corporate enterprise world that more technical people are coming into traditionally, in areas that are traditionally under the purview of other people or domains, right? So, more technical people coming into business lines. We are seeing more developers coming into security, that's certainly a trend. 
It is a matter of managing scale and complexity. You need to have technical people there. So, in one hand, that help us to create a more efficient and more pervasive community around security. You have developers there, which means that you need to serve that corner case that you are not targeted at the moment, you have talented people that can cooperate with us and build those kinds of things. >> John: And use the open-source software. (laughs) >> Exactly, but that's the entire purpose, right? You want to drive people to contribute. They get the value back, we get the value back, they get the value back, that's the entire purpose. >> So you do see the trend of more developers being hired by enterprises in-house? >> It certainly is, and it's been going on for about, probably three to five years I've seen that, in other areas, mainly in the business area, because they want to gain that agility and want to be self-contained, in some way. Business want to be self-contained, and security, in some sense, is going the same direction. That fits clearly one angle of Ansible, so you have more contribution in the community. On the other hand, what we are trying to make sure is that we support the traditional security teams. Traditional security teams are not super developmental yet, so they want to consume the content. >> Well, DevOps is always, as infrastructure as code implies that the infrastructure has been coded, and if you look at all of the security breaches that have been big, a lot of them have been basic stuff. An exposed S3 bucket, is that Amazon's fault, or is that the operator's fault? Or patches that aren't deployed. You guys are winning with Ansible in these area. This seems to be a nice spot for you guys to come in. I mean, can you elaborate on those points, and is that true, you guys winning in those areas? 'Cause, I mean, I could see automation just solving a lot of those problems. 
>> Well, I will say something that's not super popular, but as a security community, we've always been horrible at the basics, right? Like any other technical people, we're chasing the latest and greatest, the fun stuff, the basics, we always been bad at that. Automation is a fairly new thing in security, and what we all know that automation does is providing you consistency and reduce human error. Most of this stuff is because somebody forgot to configure something, someone forgot to rotate a secret or something like that. >> They didn't bring their playbook to the game. (laughs) >> So, I'm not trying to guide the priorities here, but the point is that the same benefits that we get from automation-- >> There's just no excuse. If you have automation, you can basically-- >> Exactly. >> Load that patch, or configure that port properly, because a playbook exists. This only helps. >> Absolutely, but those are the basic values of automation. You're communicating a slightly different way to security, because they use different language, and for them, automation is still a new thing. But what you heard during the keynote, so, the entire purpose of the platform is to help different areas in the IT organization to cooperate with each other. As we know, security is not a problem of IT security anymore. It's a broader problem and needs to have a common tool to be solved. >> In the demo in the keynote this morning, I thought that they did a good job showing how the various stakeholders in the organization can all collaborate and work together. I want you to explain how security fits into that discussion, and also, they hadn't added the hardening piece in there, but I would expect for many companies that, I want to flag when I'm creating this image, that it's going to say, "Hey, "have you put the right security policies on top of it," not something that they just, "Oh, it's one of the steps that I do." 
How do we make sure that everybody follows those corporate edicts that we have? >> Well, it's mainly a matter, I don't want to play the usual card of cultural change, but the fact is that in security, especially, we are looking at two major shifts, and one of these shifts is that pretty much everyone, I would say private organization and government, kind of acknowledge that security, cybersecurity, is not an IT problem anymore, it's a business problem, right? Being a business problem, that means that the stakeholders involved are in all different parts of the organization, and that requires a different level of collaboration. Collaboration starts with training, and enablement of people to understand where the problems are, and understand that they are part of the same process. We used to have security as an highly specialized function of IT, right now, what happens is that, if you think about a data breach, a data breach could be caused by an IT problem, but most of the impact is on the business, right? So right now, a lot of security processes are shifting to give responsibility to the business owners, and if the government is involved, I live in London, and in Europe, for another month, I guess, we have this fantastic thing that you know, it's called GDPR. GDPR forces you to have what is called a data breach notification process, which means that now, if you're investigating a cyberthreat, you want to have legal there to make sure that everything is fine, and if this data breach could become a media thing, you want to have PR there, because you want to have a plan to mitigate whatever kind of impact you may have on your corporate image. You may also want to have there, I don't know, customer care, just to handle the calls from the customer worried for the data. So the point is that this is becoming a process that need to involve people. 
People needs to be aware that they are part of this process, and what we can do, as an automation provider, we are trying to enable, through the platform, the IT organizations to cooperate with each other. Having workflows, having the ability to contribute to the same process allows you to be responsible for your piece. >> Massimo, the new security track here at the show this year, for those that didn't get to come, or maybe that didn't get to see all of it, some of the highlights you want to share with the audience? >> So, this year, the general message this year is that it's the first time that we have this fantastic security track, and this is not a security conference, it is never going to be a security conference. So what we are trying to do is to enable security teams to talk with the automation experts to introduce automation in that space. So the general message that we have this year is, well, the desire is to create a bridge between the Ansible practitioners, the Ansible heroes, whatever you want to call them, to understand what the problem is, what the problem could be, and have a sort of a common language they can use to communicate. So the message that we have this year is, go back home, and sit down at the same table with your security folks, and make sure that they are aware that there's a new possibility, and you can help them, that you now have a common tool together. We had a couple of very interesting tracks. We have partners, a lot of partners are contributing to security space, we mentioned that before, and most of them have tracks here, and they are showing what they built with us, what are the possibilities of those tools. We have a couple of customer stories that are extremely interesting. I just came out from a session presenting one of our customer stories. And in general, we are trying to show also how you can integrate security in all the broader processes, like the mythical DevSecOps process. 
>> What's been the feedback from customers specifically around the talk, and the security conversations here at AnsibleFest? >> It wasn't unexpected, but it's going particularly well. We have very good feedbacks. And we have, we kind of-- >> John: What are they saying? >> Well, they are saying some, okay, the best quote that I can give you, the customer told me, "Oh, this year, I learned something new. "I learned that we can do something "in this space that we never thought about." Which is a good feedback to have at a conference. And a lot of people are attending these sessions. We have quite a lot of security professionals, that was kind of unexpected, so all the sessions are pretty full, but we also are seeing people that are just, they're just curious, they're coming in, and they are staying, they are paying attention. So there is the real opportunity, they see the same opportunity that we see, and hopefully, they will bring the message home. >> Massimo, thank you for coming on theCUBE and sharing your insights. Certainly, security is a main driver for automation, one of the key four bullet points that we outlined in our opening. Thanks for coming on, and sharing your insights. >> Thank you very much for having me. >> It's theCUBE coverage here at AnsibleFest 2019, where Red Hat's announced their Ansible Automation Platform. I'm John Furrier, with Stu Miniman. Stay with us for more after this short break. (upbeat music)