>>Welcoming into the cubes presentation of AWS startup showcase open cloud innovations. This is season two episode one of the ongoing series covering exciting hot startups from the AWS ecosystem. Today's episode. One of season two theme is open source community and the open cloud innovations. I'm your host, John farrier of the cube. And today we're excited to be joined by Loris Dajani who is the C T O chief technology officer and founder of cystic found that in his backyard with some wine and beer. Great to see you. We're here to talk about Falco finding cloud threats in real time. Thank you for joining us, Laura. Thanks. Good to see you >>Love that your company was founded in your backyard. Classic startup story. You have been growing very, very fast. And the key point of the showcase is to talk about the startups that are making a difference and, and that are winning and doing well. You guys have done extremely well with your business. Congratulations, but thank you. The big theme is security and as organizations have moved their business critical applications to the cloud, the attackers have followed. This is Billy important in the industry. You guys are in the middle of this. What's your view on this? What's your take? What's your reaction? >>Yeah. As we, as a end ecosystem are moving to the cloud as more and more, we are developing cloud native applications. We relying on CACD. We are relying on orchestrations in containers. Security is becoming more and more important. And I would say more and more complex. I mean, we're reading every day in the news about attacks about data leaks and so on. There's rarely a day when there's nothing major happening and that we can see the press from this point of view. And definitely things are evolving. Things are changing in the cloud. In for example, Cisco just released a cloud native security and usage report a few days ago. And the mundane things that we found among our user base, for example, 60, 66% of containers are running as rude. So still many organizations adopting a relatively relaxed way to deploy their applications. Not because they like doing it, but because it tends to be, you know, easier and a little bit with a little bit less ration. >>We also found that that 27% of users unnecessary route access in the 73% of the cloud accounts, public has three buckets. This is all stuff that is all good, but can generate consequences when you make a mistake, like typically, you know, your data leaks, no, because of super sophisticated attacks, but because somebody in your organization forgets maybe some data on it on a public history bucket, or because some credentials that are not restrictive enough, maybe are leaked to another team member or, or, or a Gita, you know, repository or something like that. So is infrastructures and the software becomes a let's a more sophisticated and more automated. There's also at the same time, more risks and opportunities for misconfigurations that then tend to be, you know, very often the sewers of, of issues in the cloud. >>Yeah, those self-inflicted wounds definitely come up. We've seen people leaving S3 buckets open, you know, it's user error, but, you know, w w those are small little things that get taken care of pretty quickly. That's just hygiene. It's just discipline. You know, most of the sophisticated enterprises are moving way past that, but now they're adopting more cloud native, right. And as they get into the critical apps, securing them has been challenging. We've talked to many CEOs and CSOs, and they say that to us. Yeah. It's very challenging, but we're on it. I have to ask you, what should people worry about when secure in the cloud, because they know is challenging, then they'll have the opportunity on the other side, what are they worried about? What do you see people scared of or addressing, or what should I be worried about when securing the cloud? >>Yeah, definitely. Sometimes when I'm talking about the security, I like to compare, you know, the old data center in that the old monolithic applications to a castle, you know, in middle aged castle. So what, what did you do to protect your castle? You used to build very thick walls around it, and then a small entrance and be very careful about the entrance, you know, protect the entrance very well. So what we used to doing that, that data center was protect everything, you know, the, the whole perimeter in a very aggressive way with firewalls and making sure that there was only a very narrow entrance to our data center. And, you know, as much as possible, like active security there, like firewalls or this kind of stuff. Now we're in the cloud. Now, it's everything. Everything is much more diffused, right? Our users, our customers are coming from all over the planet, every country, every geography, every time, but also our internal team is coming from everywhere because they're all accessing a cloud environment. >>You know, they often from home for different offices, again, from every different geography, every different country. So in this configuration, the metaphor data that they like to use is an amusement park, right? You have a big area with many important things inside in the users and operators that are coming from different dangerous is that you cannot really block, you know, you need to let everything come in and in operate together in these kinds of environment, the traditional protection is not really effective. It's overwhelming. And it doesn't really serve the purpose that we need. We cannot build a giant water under our amusement park. We need people to come in. So what we're finding is that understanding, getting visibility and doing, if you Rheodyne is much more important. So it's more like we need to replace the big walls with a granular network of security cameras that allow us to see what's happening in the, in the different areas of our amusement park. And we need to be able to do that in a way that is real time and allows us to react in a smart way as things happen because in the modern world of cloud five minutes of delay in understanding that something is wrong, mean that you're ready being, you know, attacked and your data's already being >>Well. I also love the analogy of the amusement park. And of course, certain rides, you need to be a certain height to ride the rollercoaster that I guess, that's it credentials or security credentials, as we say, but in all seriousness, the perimeter is dead. We all know that also moats were relied upon as well in the old days, you know, you secure the firewall, nothing comes in, goes out, and then once you're in, you don't know what's going on. Now that's flipped. There's no walls, there's no moats everyone's in. And so you're saying this kind of security camera kind of model is key. So again, this topic here is securing real time. Yeah. How do you do that? Because it's happening so fast. It's moving. There's a lot of movement. It's not at rest there's data moving around fast. What's the secret sauce to making real identifying real-time threats in an enterprise. >>Yeah. And in, in our opinion, there are some key ingredients. One is a granularity, right? You cannot really understand the threats in your amusement park. If you're just watching these from, from a satellite picture. So you need to be there. You need to be granular. You need to be located in the, in the areas where stuff happens. This means, for example, in, in security for the clowning in runtime, security is important to whoever your sensors that are distributed, that are able to observe every single end point. Not only that, but you also need to look at the infrastructure, right? From this point of view, cloud providers like Amazon, for example, offer nice facilities. Like for example, there's CloudTrail in AWS that collects in a nice opinionated consistent way, the data that is coming from multiple cloud services. So it's important from one point of view, to go deep into, into the endpoint, into the processes, into what's executing, but also collect his information like the cultural information and being able to correlate it to there's no full security without covering all of the basics. >>So a security is a matter of both granularity and being able to go deep and understanding what every single item does, but also being able to go abroad and collect the right data, the right data sources and correlated. And then the real time is really critical. So decisions need to be taken as the data comes in. So the streaming nature of security engines is becoming more and more important. So the step one of course, security, especially cost security, posture management was very much let's ball. Once in a while, let's, let's involve the API and see what's happening. This is still important. Of course, you know, you need to have the basics covered, but more and more, the paradigm needs to change to, okay, the data is coming in second by second, instead of asking for the data manually, once in a while, second by second, there's the moment it arrives. You need to be able to detect, correlate, take decisions. And so, you know, machine learning is very important. Automation is very important. The rules that are coming from the community on a daily basis are, are very important. >>Let me ask you a question, cause I love this topic because it's a data problem at the same time. There's some network action going on. I love this idea of no perimeter. You're going to be monitoring anything, but there's been trade offs in the past, overhead involved, whether you're monitoring or putting probes in the network or the different, there's all kinds of different approaches. How does the new technology with cloud and machine learning change the dynamics of the kinds of approaches? Because it's kind of not old tech, but you the same similar concepts to network management, other things, what what's going on now that's different and what makes this possible today? >>Yeah, I think from the friction point of view, which is one very important topic here. So this needs to be deployed efficiently and easily in this transparency, transparent as possible, everywhere, everywhere to avoid blind spots and making sure that everything is scheduled in front. His point of view, it's very important to integrate with the orchestration is very important to make use of all of the facilities that Amazon provides in the it's very important to have a system that is deployed automatically and not manually. That is in particular, the only to avoid blind spots because it's manual deployment is employed. Somebody would forget, you know, to deploy where somewhere where it's important. And then from the performance point of view, very much, for example, with Falco, you know, our open source front-end security engine, we really took key design decisions at the beginning to make sure that the engine would be able to support in Paris, millions of events per second, with minimal overhead. >>You know, they're barely measure measurable overhead. When you want to design something like that, you know, that you need to accept some kind of trade-offs. You need to know that you need to maybe limit a little bit this expressiveness, you know, or what can be done, but ease of deployment and performance were more important goals here. And you know, it's not uncommon for us is Dave to have users of Farco or commercial customers that they have tens of thousands, hundreds of thousands of machines. You know, I said two machines and sometimes millions of containers. And in these environments, lightweight is key. You want death, but you want overhead to be really meaningful and >>Okay, so a amusement park, a lot of diverse applications. So integration, I get that orchestration brings back the Kubernetes angle a little bit and Falco and per overhead and performance cloud scale. So all these things are working in favor. If I get that right, is that, am I getting that right? You get the cloud scale, you get the integration and open. >>Yeah, exactly. Any like ingredients over SEP, you know, and that, and with these ingredients, it's possible to bake a, a recipe to, to have a plate better, can be more usable, more effective and more efficient. That may be the place that we're doing in the previous direction. >>Oh, so I've got to ask you about Falco because it's come up a lot. We talked about it on our cube conversations already on the internet. Check that out. And a great conversation there. You guys have close to 40 million plus million downloads of, of this. You have also 80 was far gate integration, so six, some significant traction. What does this mean? I mean, what is it telling us? Why is this successful? What are people doing with Falco? I see this as a leading indicator, and I know you guys were sponsoring the project, so congratulations and propelled your business, but there's something going on here. What does this as a leading indicator of? >>Yeah. And for, for the audience, Falco is the runtime security tool of the cloud native generation such. And so when we, the Falco, we were inspired by previous generation, for example, network intrusion detection, system tools, and a post protection tools and so on. But we created essentially a unique tool that would really be designed for the modern paradigm of containers, cloud CIC, and salt and Falco essentially is able to collect a bunch of brainer information from your applications that are running in the cloud and is a religion that is based on policies that are driven by the community, essentially that allow you to detect misconfigurations attacks and normals conditions in your cloud, in your cloud applications. Recently, we announced that the extension of Falco to support a cloud infrastructure and time security by parsing cloud logs, like cloud trail and so on. So now Falba can be used at the same time to protect the workloads that are running in virtual machines or containers. >>And also the cloud infrastructure to give the audience a couple of examples, focused, able to detect if somebody is running a shelf in a radius container, or if somebody is downloading a sensitive by, from an S3 bucket, all of these in real time with Falco, we decided to go really with CR study. This is Degas was one of the team members that started it, but we decided to go to the community right away, because this is one other ingredient. We are talking about the ingredients before, and there's not a successful modern security tool without being able to leverage the community and empower the community to contribute to it, to use it, to validate and so on. And that's also why we contributed Falco to the cloud native computing foundation. So that Falco is a CNCF tool and is blessed by many organizations. We are also partnering with many companies, including Amazon. Last year, we released that far gate support for Falco. And that was done is a project that was done in cooperation with Amazon, so that we could have strong runtime security for the containers that are running in. >>Well, I've got to say, first of all, congratulations. And I think that's a bold move to donate or not donate contribute to the open source community because you're enabling a lot of people to do great things. And some people might be scared. They think they might be foreclosing and beneficial in the future, but in the reality, that is the new business model open source. So I think that's worth calling out and congratulations. This is the new commercial open source paradigm. And it kind of leads into my last question, which is why is security well-positioned to benefit from open source besides the fact that the new model of getting people enabled and getting scale and getting standards like you're doing, makes everybody win. And again, that's a community model. That's not a proprietary approach. So again, source again, big part of this. Why was security benefit from opensource? >>I am a strong believer. I mean, we are in a better, we could say we are in a war, right? The good guys versus the bad guys. The internet is full of bad guys. And these bad guys are coordinated, are motivated, are sometimes we'll find it. And we'll equip. We win only if we fight this war as a community. So the old paradigm of vendors building their own Eva towers, you know, their own self-contained ecosystems and that the us as users as, as, as customers, every many different, you know, environments that don't communicate with each other, just doesn't take advantage of our capabilities. Our strength is as a community. So we are much stronger against the big guys and we have a much better chance doing when this war, if we adopt a paradigm that allows us to work together. Think only about for example, I don't know, companies any to train, you know, the workforce on the security best practices on the security tools. >>It's much better to standardize on something, build the stack that is accepted by everybody and tell it can focus on learning the stack and becoming a master of the steak rounded rather than every single organization naming the different tool. And, and then B it's very hard to attract talent and to have the right, you know, people that can help you with, with your issues in, in, in, in, in, with your goals. So the future of security is going to be open source. I'm a strong believer in that, and we'll see more and more examples like Falco of initiatives that really start with, with the community and for the community. >>Like we always say an open, open winds, always turn the lights on, put the code out there. And I think, I think the community model is winning. Congratulations, Loris Dajani CTO and founder of SIS dig congratulatory success. And thank you for coming on the cube for the ADB startup showcase open cloud innovations. Thanks for coming on. Okay. Is the cube stay with us all day long every day with the cube, check us out the cube.net. I'm John furrier. Thanks for watching.

>>mhm Yes. >>Hello and welcome back to the cubes coverage of dr khan 2021 virtual. I'm john Kerry hosted the Q got a great cube segment here. Simon Maple Field C T Oh it's technique. Great company security shifting left great to have you on Simon. Thanks for thanks for stopping by >>absolute pleasure. Thank you very much for having me. >>So you guys were on last year the big partnership with DR Conn remember that interview vividly because it was really the beginning at the beginning but really come to me the mainstream of shifting left as devops. It's not been it's been around for a while. But as a matter of practice as containers have been going super mainstream. Super ballistic in the developer community then you're seeing what's happening. It's containers everywhere. Security Now dev sec apps is the standard. So devops great infrastructure as code. We all know that but now it's def sec ops is standard. This is the real deal. Give us the update on what's going on with sneak. >>Absolutely, yeah. And you know, we're still tireless in our approach of trying to get make sure developers don't just have the visibility of security but are very much empowered in terms of actually fixing issues and secure development is what we're really striving for. So yeah, the update, we're still very, very deep into a partnership with DACA. We have updates on DR desktop which allows developers to scan the containers on the command line, providing developers that really fast feedback as as early as possible. We also have uh, you know, new updates and support for running Docker scan on Lennox. Um, and yeah, you know, we're still there on the Docker hub and providing that security insights um, to, to users who are going to Docker hub to grab their images. >>Well, for the folks watching maybe for the first time, the sneak Docker partnership, we went in great detail last year was the big reveal why Docker and sneak partnership, what is the evolution of that partnership over the year? They speak highly of you guys as a developer partner. Why Doctor? What's the evolution looked like? >>It's a it's a really great question. And I think, you know, when you look at the combination of DACA and sneak well actually let's take let's take each as an individual. Both companies are very, very developer focused. First of all, right, so our goals and will be strife or what we what we tirelessly spend their time doing is creating features and creating, creating an environment in which a developer you can do what they need to do as easily as possible. And that, you know, everyone says they want to be developer friendly, They want to be developer focused. But very few companies can achieve. And you look at a company like doctor, you're a company like sneak it really, really provides that developer with the developer experience that they need to actually get things done. Um, and it's not just about being in a place that a developer exists. It's not enough to do that. You need to provide a developer with that experience. So what we wanted to do was when we saw doctor and extremely developer friendly environment and a developer friendly company, when we saw the opportunity there to partner with Yoko, we wanted to provide our security developer friendliness and developer experience into an already developed a friendly tool. So what the partnership provides is the ease of, you know, deploying code in a container combined with the ease of testing your code for security issues and fixing security issues in your code and your container and pulling it together in one place. Now, one of the things which we as a as a security company um pride ourselves on is actually not necessarily saying we provide security tools. One of what our favorite way of saying is we're a developer tooling company. So we provide tools that are four developers now in doing that. It's important you go to where the developers are and developers on DACA are obviously in places like the Docker hub or the Docker Cli. And so it's important for us to embed that behavior and that ease of use inside Dhaka for us to have that uh that that flow. So the developer doesn't need to leave the Docker Cli developer that doesn't need to leave Docker hub in order to see that data. If you want to go deeper, then there are probably easier ways to find that data perhaps with sneak or on the sneak site or something like that. But the core is to get that insight to get that visibility and to get that remediation, you can see that directly in in the in the Dhaka environment. And so that's what makes the relationship so so powerful. The fact that you combine everything together and you do it at source >>and doing it at the point of code. >>Writing >>code is one of the big things I've always liked about the value proposition is simple shift left. Um So let's just step back for a second. I got to ask you this question because this I wanted to make sure we get this on the table. What are the main challenges uh and needs to, developers have with container security? What are you seeing as the main top uh A few things that they need to have right now for the challenges uh with container security? >>Yeah, it's a it's a very good question. And I think to answer that, I think we need to um we need to think of it in a couple of ways. First of all, you've just got developers security uh in general, across containers. Um And the that in itself is there are different levels at which developers engage with containers. Um In some organizations, you have security teams that are very stringent in terms of what developers can and can't do in other organizations. It's very much the developer that that chooses their environment, chooses their parent image, et cetera. And so there when a developer has many, many choices in which they need to need to decide on, some of those choices will lead to more issues, more risk. And when we look at a cloud native environment, um uh Let's take let's take a node uh image as an example, the number of different uh images tags you can choose from as a developer. It's you know, there are hundreds, probably thousands. That you can actually you can actually choose. What is the developer gonna do? Well, are they going to just copy paste from another doctor file, for example, most likely. What if there are issues in that docker file? They're just gonna copy paste that across mis configurations that exist. Not because the developer is making the wrong decision, but because the developer very often doesn't necessarily know that they need to add a specific directive in. Uh So it's not necessarily what you add in a conflict file, but it's very often what you admit. So there are a couple of things I would say from a developer point of view that are important when we think about cloud security, the first one is just that knowledge that understanding what they need to do, why they need to do it. Secure development doesn't need to be, doesn't mean they need to be deep in security. It means they need to understand how they can develop securely and what what the best decisions that could come from guard rails, from the security team that they provide the development team to offer. But that's the that's an important error of secure development. The second thing and I think one of the most important things is understanding or not understanding necessarily, but having the information to get an act on those things early. So we know the length of time that developers are uh working on a branch or working on um some some code changes that is reducing more and more and more so that we can push to production very, very quickly. Um What we need to do is make sure that as a developer is making their changes, they can make the right decision at the right time and they have the right information at that time. And a lot of this could be getting information from tools, could be getting information from your team where it could be getting information from your production environments and having that information early is extremely important to make. That decision. May be in isolation with your team in an autonomous way or with advice from the security team. But I would say those are the two things having that information that will allow you to make that action, that positive change. Um uh and and yeah, understanding and having that knowledge about how you can develop security. >>All right. So I have a security thing. So I'm a development team and by the way, this whole team's thing is a huge deal. I think we'll get to that. I want to come back to that in a second but just throw this out there. Got containers, got some security, it's out there and you got kubernetes clusters where containers are coming and going. Sometimes containers could have malware in them. Um and and this is, I've heard this out and about how do how that happens off container or off process? How do you know about it? Is that infected by someone else? I mean is it gonna be protected? How does the development team once it's released into the wild, so to speak. Not to be like that, but you get the idea, it's like, okay, I'm concerned off process this containers flying around. What is it How do you track all >>and you know, there's a there's a few things here that are kind of like potential potential areas that, you know, we can trip up when we think about malware that's running um there are certain things that we need to that we need to consider and what we're really looking at here are kind of, what do we have in place in the runtime that can kind of detect these issues are happening? How do we block that? And how do you provide that information back to the developer? The area that I think is, and that is very, very important in order to in order to be able to identify monitor that those environments and then feed that back. So that that that's the kind of thing that can be that can be fixed. Another aspect is, is the static issues and the static issues whether that's in your os in your OS packages, for example, that could be key binaries that exist in your in your in your docker container out the box as well or of course in your application, these are again, areas that are extremely important to detect and they can be detected very very early. So some things, you know, if it's malware in a package that has been identified as malware then absolutely. That can be that can be tracked very very early. Sometimes these things need to be detected a little bit later as well. But yeah, different tools for different for different environments and wear sneak is really focused. Is this static analysis as early as possible. >>Great, great insight there. Thanks for sharing that certainly. Certainly important. And you know, some companies classes are locked down and all of sudden incomes, you know, some some malware from a container, people worried about that. So I want to bring that up. Uh The other thing I want to ask you is this idea of end to end security um and this is a team formation thing we're seeing where modern teams have essentially visibility of their workload and to end. So this is a huge topic. And then by the way it might integrate their their app might integrate with other processes to that's great for containers as well and observe ability and microservices. So this is the trend. What's in it for the developer? If I work with sneak and docker, what benefits do I get if I want to go down that road of having these teams began to end, but I want the security built in. >>Mhm. Yeah, really, really important. And I think what's what's most important there is if we don't look end to end, there are component views and there are applications. If we don't look into end, we could have our development team fixing things that realistically aren't in production anyway or aren't the key risks that are potentially hurting us in our production environment. So it's important to have that end to end of you so that we have the right insights and can prioritize what we need to identify and look at early. Um, so I think, I think that visibility into end is extremely important. If we think about who, who is re fixing uh certain issues, again, this is gonna depend from dog to walk, but what we're seeing more and more is this becoming a developer lead initiative to not just find or be given that information, but ultimately fixed. They're getting more and more responsible for DR files for for I see for for their application code as well. So one of the areas which we've looked into as well is identifying and actually running in cuba Netease workloads to identify where the most important areas that a developer needs to look at and this is all about prioritization. So, you know, if the developer has just a component view and they have 100 different images, 100 different kubernetes conflicts, you know, et cetera. Where do they prioritize, where do they spend their time? They shouldn't consider everything equal. So this identification of where the workloads are running and what um is causing you the most risk as a business and as an organization, that is the data. That can be directly fed back into your, your your vulnerability data and then you can prioritize based on the kubernetes workloads that are in your production and that can be fed directly into the results in the dashboards. That's neat. Can provide you as well. So that end to end story really provides the context you need in order to not just develop securely, but act and action issues in a proper way. >>That's a great point. Context matters here because making it easy to do the right thing as early as possible, the right time is totally an efficiency productivity gain, you see in that that's clearly what people want. It's a great formula, success, reduce the time it takes to do something, reduced the steps and make it easy. Right, come on, that's a that's a formula. Okay, so I gotta bring that to the next level. When I ask you specifically around automation, this is one the hot topic and def sec ops, automation is part of it. You got scale, you got speed, you've got a I machine learning, you go out of all these new things. Microservices, how do you guys fit into the automation story? >>It's a great question. And you know, one of the recent reports that we that we did based on a survey data this year called the state of a state of cloud, native applications security. We we asked the question how automated our people in their in their deployment pipelines and we found some really strong correlations between value from a security point of view um in terms of in terms of having that automation in it, if I can take you through a couple of them and then I'll address that question about how we can be automated in that. So what we found is a really strong correlation as you would expect with security testing in ci in your source code repositories and all the way through the deployment ci and source code were the two of the most most well tested areas across the pipeline. However the most automated teams were twice as likely to test in I. D. S. And testing your CLS in local development. And now those are areas that are really hard to automate if at all because it's developers running running their cli developers running and testing in their I. D. So the having a full automation and full uh proper testing throughout the sclc actually encourages and and makes developers test more in their development environment. I'm not saying there's causation there but there's definite correlation. A couple of other things that this pushes is um Much much more likely to test daily or continuously being automated as you would expect because it's part of the bills as part of your monitoring. But crucially uh 73% of our respondents were able to fix a critical issue in less than a week as opposed to just over 30% of people that were not automated, so almost double people are More likely to fix within a week. 36% of people who are automated can fix a critical security issue in less than a day as opposed to 8% of people who aren't automated. So really strong data that correlates being automated with being able to react now. If you look at something like Sneak what if our um goals of obviously being developer friendly developer first and being able to integrate where developers are and throughout the pipeline we want to test everywhere and often. Okay, so we start as far left as we can um integrating into, you know, CLS integrating into Docker hub, integrating into into doctors can so at the command line you type in doctors can you get sneak embedded in DHAKA desktop to provide you those results so as early as possible, you get that data then all the way through to to uh get reposed providing that testing and automatically testing and importing results from there as well as as well as other repositories, container repositories, being at a poor from there and test then going into ci being able to run container tests in C I to make sure we're not regressing and to choose what we want to do their whether we break, whether we continue with with raising an issue or something like that, and then continuing beyond that into production. So we can monitor tests and automatically send pull requests, etcetera. As and when new issues or new fixes occur. So it's about integrating at every single stage, but providing some kind of action. So, for example, in our ui we provide the ability to say this is the base level you should be or could be at, it will reduce your number of vulnerabilities by X and as a result you're going to be that much more secure that action ability across the pipeline. >>That's a great, great data dump, that's a masterclass right there on automation. Thanks for sharing that sign. I appreciate it. I gotta ask you the next question that comes to my mind because I think this is kind of the dots connect for the customer is okay. I love this kind of hyper focus on containers and security. You guys are all over it, shift left as far as possible, be there all the time, test, test, test all through the life cycle of the code. Well, the one thing that is popping up as a huge growth areas, obviously hybrid cloud devops across both environments and the edge, whether it's five G industrial or intelligent edge, you're gonna have kubernetes clusters at the edge now. So you've got containers. The relationship to kubernetes and then ultimately cloud native work clothes at, say, the edge, which has data has containers. So there's a lot of stuff going on all over the place. What's your, what's your comment there for customer says, Hey, you know, I got, this is my architecture that's happening to me now. I'm building it out. We're comfortable with kubernetes put in containers everywhere, even on the edge how to sneak fit into that story. >>Yeah, really, really great question. And I think, you know, a lot of what we're doing right now is looking at a developer platform. So we care about, we care about everything that a developer can check in. Okay, so we care about get, we care about the repositories, we care about the artifact. So um, if you look at the expansion of our platform today, we've gone from code that people uh, third party libraries that people test. We added containers. We've also added infrastructure as code. So Cuban eighties conflicts, Terror form scripts and things like that. We're we're able to look at everything that the developer touches from their code with sneak code all the way through to your to your container. And I see, so I think, you know, as we see more and more of this pushing out into the edge, cuba Nitties conflict that that, you know, controls a lot of that. So much of this is now going to be or not going to be, but so much of the environment that we need to look at is in the configurations or the MIS configurations in that in those deployment scripts, um, these are some of the areas which which we care a lot about in terms of trying to identify those vulnerabilities, those miS configurations that exist within within those scripts. So I can see yeah more and more of this and there's a potential shift like that across to the edge. I think it's actually really exciting to be able to see, to be able to see those uh, those pushing across. I don't necessarily see any other, any, you know, different security threats or the threat landscape changing as a result of that. Um there could be differences in terms of configurations, in terms of miS configurations that that that could increase as a result, but, you know, a lot of this and it just needs to be dealt with in the appropriate way through tooling through, through education of of of of how that's done. >>Well, obviously threat vectors are all gonna look devops like there's no perimeter. So they're everywhere right? Looking at I think like a hacker to be being there. Great stuff. Quick question on the future relationship with DR. Obviously you're betting a lot here on that container relationship, a good place to start. A lot of benefits there. They have dependencies, they're going to have implications. People love them, they love to use them, helps old run with the new and helps the new run better. Certainly with kubernetes, everything gets better together. What's the future with the DACA relationship? Take us through how you see it. >>So yeah, I mean it's been an absolute blast the doctor and you know, even from looking at some of the internal internal chats, it's been it's been truly wonderful to see the, the way in which both the doctor and sneak from everything from an engineering point of view from a marketing, from a product team. It's been a pleasure to, it's been a pleasure to see that relationship grow and flourish. And, and I think there's two things, first of all, I think it's great that as companies, we, we both worked very, very well together. I think as as as users um seeing, you know, doctor and and and sneak work so so seamlessly and integrated a couple of things. I would love to see. Um, I think what we're gonna see more and more and this is one of the areas that I think, um you know, looking at the way sneak is going to be viewing security in general. We see a lot of components scanning a lot, a lot of people looking at a components can and seeing vulnerabilities in your components. Can I think what we need to, to to look more upon is consolidating a lot of the a lot of the data which we have in and around different scans. What I would love to see is perhaps, you know, if you're running something through doctors can how can you how can you view that data through through sneak perhaps how can we get that closer integration through the data that we that we see. So I would love to see a lot more of that occur, you know, within that relationship and these are kind of like, you know, we're getting to that at that stage where we see integration, it just various levels. So we have the integration where we have we are embedded but how can we make that better for say a sneak user who also comes to the sneak pages and wants to see that data through sneak. So I would love to see at that level uh more there where as I mentioned, we have we have some some additional support as well. So you can run doctors can from from Lenox as well. So I can see more and more of that support rolling out but but yeah, in terms of the future, that's where I would love to see us uh to grow more >>and I'll see in the landscape side on the industry side, um, security is going beyond the multiple control planes out there. Kubernetes surveillance service matches, etcetera, continues to be the horizontally scalable cloud world. I mean, and you got you mentioned the edge. So a lot more complexity to rein in and make easier. >>Yeah, I mean there's a lot more complexity, you know, from a security point of view, the technology is the ability to move quickly and react fast in production actually help security a lot because you know, being able to spin a container and make changes and and bring a container down. These things just weren't possible, you know, 10 years ago, 20 years ago. Pre that it's like it was it's insanely hard compared trying to trying to do that compared to just re spinning a container up. However, the issue I see from a security point of view, the concerns I see is more around a culture and an education point of view of we've got all this great tech and it's it's awesome but we need to do it correctly. So making sure that as you mentioned with making the right decision, what we want to make sure is that right decision is also the easy decision and the clear decision. So we just need to make sure that as we as we go down this journey and we're going down it fast and it's not gonna, I don't see it slowing down, we're going fast down that journey. How do we make, how do we prepare ourselves for that? We're already seeing, you know, miss configurations left, right and center in the news, I am roles as three buckets, etcetera. These are they're they're simpler fixes than we than we believe, right? We just need to identify them and and make those changes as needed. So we just need to make sure that that is in place as we go forward. But it's exciting times for sure. >>It's really exciting. And you got the scanning and right at the point of coding automation to help take that basic mis configuration, take that off the table. Not a lot of manual work, but ultimately get to that cloud scale cool stuff. >>Simon, thank you >>for coming on the cube dr khan coverage. Really appreciate your time. Drop some nice commentary there. Really appreciate it. Thank you. >>My pleasure. Thank you very much. >>Simon Maple Field C T. O. A sneak hot startup. Big partner with Docker Security, actually built in deVOPS, is now dead. Say cops. This is dr khan cube 2021 virtual coverage. I'm sean for your host. Thanks for watching. Mm.

>>from around the globe. It's the Cube with digital coverage of AWS reinvent 2020 sponsored by Intel and AWS. Yeah, hello, everyone, and welcome back to the Cubes Walter Wall coverage of AWS reinvent 2020. We've gone virtual along with reinvent and we heard in Andy Jassy is hours long. Keynote a number of new innovations in the area of storage. And with me to talk about that is Milan Thompson Bukovec. She's the vice president of Block and Object Storage and AWS. That's everything. Elastic block storage s three Glacier, the whole portfolio Milon. Thanks for coming on. >>Great to see you. >>Great to see you too. So you heard Andy. We all heard Andy talk a lot about reinventing different parts of the platform, reinventing industries and a really kind of exciting and visionary put talk that he put forth. Let's >>talk >>about storage, though. How is storage reinventing itself? >>Well, as you know, cloud storage was essentially invented by a W s a number of years ago. And whether that's in 2000 and six, when US three was launched, or 2000 and eight when CBS was launched and we first came up with this model of pay as you go for durable, attached storage. Too easy to instances. And so we haven't stopped and we haven't slowed down. If anything, we've picked up the rate of reinvention that we've done across the portfolio for storage. I think, as Andy called out, speed matters. And it matters for how customers air thinking about how do they pivot and move to the cloud as quickly as they can, particularly this year. And it matters a lot in storage as well, because the changing access patterns of what customers air doing with their new cloud applications, you know they're they're transforming their businesses and their applications, and they need a modern storage platform underneath it. And that's what you have with AWS Storage. And he talked about some of the key releases, particularly in block storage. It's actually kind of amazing. What's what's been done with CBS is here. We launched GP three GP two was the previous generation general purpose volume type. We launched that in 2000 and 14 again thief, first type of general purpose volume that had this great combination of simplicity and price, and just about everybody uses it for a boot or often a data volume. And with GP three, which was available yesterday with Andy's announcement, we added four times peak throughput on top of GP two, and it's a 20% lower storage price per gigabyte per month. And we took the feedback. The number one feedback we got on GP to which was how can I separate buying throughput and I ops from storage capacity? And that is really important. That goes back to the promise of the cloud. And it goes back to being able to pick what aspect do you want to scale your storage on? And so, with GP three, you could buy a certain amount of capacity. And if you're good with that capacity, but you need more throughput, more eye ops, you can buy those independently. And that is that fine grained customization for those changing data patterns that I just talked about. And it's available for GP three today. >>Yeah, that was I looked at that, like my life is a knob that you could turn Okay, juice my eye ops. And don't touch my capacity. I'm happy there. I don't wanna pay for more of it. >>And thio add to that it's a knob you could turn if you need it. We have more throughput, more eye ops as a baseline capacity for your storage capacity than we did for GP to. But then you can tune it based on whatever you need, not just now, but in the future. >>So so given the pandemic, I mean, how has that affected E? Everybody is talking about going to the cloud, because where else you gonna go? But But how has that affected what customers are doing this year, and does it change your roadmap at all? Does it change your thinking? >>Well, I have to say, there's two main things that we've seen. One is it's really accelerated customers thinking about getting off of on premises and into the club. It's done that because nobody really wants to manage the data center. And if there's ever a year you don't want to manage the data center, it's 2020 and it's because, particularly with storage appliances, it takes a long time to acquire. Let's just take storage area networks or sense super expensive. You get a fixed amount of capacity you have to acquire. It takes months to come in you gotta rack and stack. Then you gotta change all your networking and maintain it. Ah, lot of customers don't want to do that. And so what it's done for us is it's really, uh, you know, accelerated our thinking and you saw yesterday and Andy's keynote as well. Of how do we build the first san in the cloud? And we launched Io two. In August of this year, we introduced the first nines of durability, again reinventing how people think about durability and their block storage. But just this week we now have a Iot to block Express with 2 56 K ai ops, four K megabytes of throughput in 64 terabytes of capacity, that sand level performance. And it's available for preview because I 02 is going to be your son in the cloud. And that is a direct correlation to what we hear from customers, which is how can I get away from these expensive on premises purchases like Sands and combine the performance with the elasticity that I need? So that's the first thing. How can we accelerate getting off of these very rigid procurement cycles that we have and having to manage a data center. It's not just for EBS, its for S. Trias. Well, the second thing we're hearing from customers is how can I have the agility? So you talk to customers as well. He talked to CEOs and C. T. O s. It's been a crazy year in 2020. It was one thing that a company has to do its pivot. It's really figure out. How are you going to adjust and adjust quickly? And so we have customers like Ontario Telehealth Network up in Canada, where they went from 8000 to 30,000 users because they're doing virtual health for Ontario. And we have other customers who, you know, that's a pivot. That's an increase. And we have other customers, like APS Flyer, where their goal is to just save money without changing their application. And they also did a pivot. They used the intelligence hearing storage class, which is the most popular storage class, as three offers for data lakes, and they were able to make that change save 18% on their storage cost, no change of their application, just using the capabilities of AWS. And so his ability to pivot helped you know really make us think and accelerate what we're building as well. And so one of the things that we launched just recently for intelligent hearing is we added two new archival tears to intelligent hearing. And those are archival tears, you know, just like intelligence hearing automatically watches every object industry storage and your data lake and gives you dynamic pricing based on if it's frequently accessed in a month or inflict infrequently accessed, you can turn on archival tear. And if your object your pork a file, for example, isn't access or your backup isn't access for 90 days, intelligence hearing will automatically move it to glacier characteristics of archival or too deep archive and give you the same price. A dollar, a terabyte per month. If your data is an access to 180 days, it's done automatically, and it means you save up to 90% 95% and cost on that storage. And so, if you if you think about those two trends, how can I get away from getting locked into those on premises Hardware cycles? How can I get away from it faster for sands and other hardware appliances and then the other trend is how can I pivot and use the innovation and the reinvention in our storage services to just save money and be more agile in these changing conditions? >>So I gotta ask you follow up question on staying in the cloud, because when you think of sand, you think of switches. You think of complexity, but I get that you're connecting to the performance of a sand. But you guys are all about simplicity. So how did you What's behind there? Can you take us under the covers? Just you guys build your own little storage network because it's cloud. It's gotta be fast and simple. >>That's right. When we're thinking about performance and cost, we go down to the metal for this stuff. We think about Unicosta a very fine grained level, and when we're building new technology that we know is gonna be the foundation for everything we're doing for that high performance, we went down to the protocol level. We're using something called Us RD. It's all rolled up under the hood for Block Express, and it's the foundation of that super super high performance. As you know, there's a lot of engineering behind the scenes in the cloud and for for what we've done this year, as part of that reinvention we've reinvented all the way down to the protocol way. >>Let me ask you that the two things that come up in our survey when you talk to CEOs, they say two priorities. Security is actually second cloud migration actually popped up to the top. So where does storage fit in that whole notion about cloud migration, >>Storage eyes, usually where a lot of people start, you know, Luckily, with a W s, you don't have to choose between security or cloud of migration. Security is job one for every AWS service. And so when customers air thinking about how do I move an application, they gotta move the data first. And so they start from the from the data. What storage do I use? What is the best fit for the storage and how do I best secure that's storage? And so the innovation that we dio on storage always comes with that. That combination of, you know, migration, the set of tools that we provide for getting data from on premises into the cloud. We have tools like aws data sync which do a great job of this on. Then we also look at things like how do we continue to take the profile of security forward? And one example of that is something we launched just this week called Bucket keys s three bucket keys. And it drops the cost of using kms for service side encryption with us three by over 90%. And the way it does it is that we've integrated those two services super closely together so that you can minimize the amount of costs that you make for very, very frequent request. Because in data lakes you have millions and billions of objects and our goal is to make security so cost effective people don't even think about it. That also goes for other parts of the platform. We have guard duty for us three now, and what that does is security anomaly detection automatically to track your access patterns across as three and flag when something is not quite what it should be. And so this idea of like how do I not only get my data into the cloud? But then how do I take advantage of the breath of the storage portfolio, but also the breath of the AWS services to really maximize that security profile as well as the access patterns that I want from my application. >>Well, my way hit the major announcements and unfortunately, out of time. But I really would love to have you back and go deeper and have you share your vision of what the cloud storage piece looks like going forward. Thanks so much for coming in. The Cube is great to have you. >>Great to be here. Thanks, Dave. CIA. >>See you later and keep it right, everybody. You're watching the cubes. Coverage of aws reinvent 2020 right back.

>>from around the globe. It's the Cube with digital coverage of AWS reinvent 2020 sponsored by Intel, AWS and our community partners. >>Welcome to the cubes coverage of AWS reinvent 2020. The digital version I'm Lisa Martin and I have a couple of Cuba alumni joining me from Wien. We've got Danny Allen. It's C T O and S VP of product strategy And Dave Russell, VP of Enterprise Strategy, is here as well. Danny and a Welcome back to the Cube. >>Hi, Lisa. Great to be here. >>Hey, Lisa. Great to be here. Love talking with this audience >>It and thankfully, because of technologies like this in the zoom, were still able to engage with that audience, even though we would all be gearing up to be Go spending five days in Vegas with what 47,000 of our closest friends across, you know, and walking a lot. But I wanted Thio. Danny, start with you and you guys had them on virtually this summer. That's an event known for its energy. Talk to me about some of the things that you guys announced there. And how are your customers doing with this rapid change toe? work from home and this massive amount of uncertainty. >>Well, certainly no one would have predicted this the beginning of the year. There has been such transformation. There was a statement made earlier this year that we've gone through two years of transformation in just two months, and I would say that is definitely true. If you look both internally and bean our workforce, we have 4400 employees all of a sudden, 3000 of them that had been going into the office or working from home. And that is true of our customer base as well. There's a lot of remote, uh, remote employ, mental remote working, and so that has. You would think it would have impact on the digital systems. But what it's done is it's accelerated the transformation that organizations were going through, and that's been good in a number of different aspects. One certainly cloud adoption of clouds picked up things like Microsoft teams and collaboration software is certainly picked up, so it's certainly been a challenging year on many fronts. But on the on the other hand, it's also been very beneficial for us as well. >>Yeah, I've talked to so many folks in the last few months. There's silver linings everywhere. There's opportunity everywhere. But give our audience standing an overview of who them is, what you do and how you help customers secure their data. >>Sure, so VM has been in the backup businesses. What I'll say We started right around when virtualization was taking off a little before AWS and you see two left computing services on DWI would do back up a virtual environments. You know, over the last decade, we have grown into a $1 billion company doing backup solutions that enable cloud data management. What do you mean by that? Is we do backup of all kinds of different infrastructures, from virtual to cloud based Assad's based to physical systems, You name it. And then when we ingest that data, what we do is we begin to manage it. So an example of this is we have 400,000 customers, they're going back up on premises. And one of the things that we've seen this year is this massive push of that backup data into S three into the public cloud and s. So this is something that we help our customers with as they go through this transformation. >>And so you've got a team for a ws Cloud native solution. Talk to me a little bit about that. And how does that allow business is to get that centralized view of virtual physical SAS applications? >>Yeah, I think it all starts with architecture er and fundamentally beams, architectures. ER is based upon having a portable data format that self describing. So what >>does >>that mean? That means it reduces the friction from moving data that might have been born on premises to later being Stan Shih ated in, say, the AWS cloud. Or you can also imagine now new workloads being born in the cloud, especially towards the middle and end of this year. A lot of us we couldn't get into our data center. We had to do everything remotely. So we had to try to keep those lights on operationally. But we also had to begin to lift and shift and accelerate your point about silver linings. You know, if there is a silver lining, the very prepared really benefited. And I think those that were maybe a little more laggards they caught up pretty quickly. >>Well, that's good to hear stick big sticking with you. I'd love to get your perspectives on I t challenges in the last nine months in particular, what things have changed, what remains the same. And where is back up as a priority for the the I T folks and really the business folks, too? >>Yeah, I almost want to start with that last piece. Where? Where's backup? So back up? Obviously well understood as a concept, it's well funded. I mean, almost everybody in their right mind has a backup product, especially for critical data. But yet that all sounds very much the same. What's very, very different, though? Where are those workloads? Where do they need to be going forward? What are the service level agreements? Meaning that access times required for those workloads? And while we're arguably transitioning from certain types of applications to new applications, the vast majority of us are dead in the middle of that. So we've got to be able to embrace the new while also anchoring back to the past. >>Yeah, I'm not so easily sudden, done professionally or personally, Danny, I'd love to get your perspective on how your customer conversations have changed. You know, we're executives like you, both of you are so used to getting on planes and flying around and being able Thio, engage with your customers, especially events like Vermont, and reinvent What's the change been like? And from a business perspective, are you having more conversations at that business? Little as the end of the day. If you can't recover the data, that's the whole point, right? >>Yeah, it is. I would say the conversations really have four sentiments to them. The first is always starts with the pandemic and the impact of the pandemic on the business. The second from there is it talks about resource. We talked about resource management. That's resource management, both from a cost perspective. Customers trying to shift the costs from Capex models typically on premises into Op X cloud consumption models and also resource management as well. There's the shift from customers who are used to doing business one way, and they're trying to shift the resources to make it effective in a new and better way. I'd say the third conversation actually pivots from there to things like security and governance. One of the interesting things this year we've seen a lot of is ransomware and malware and attacks, especially because the attack surface has increased with people working from home. There is more opportunity for organizations to be challenged, and then, lastly, always pivots where it ends up his digital transformation. How do I get from where I used to be to where I want to be? >>Yeah, the ransomware increase has been quite substantial. I've seen a number of big. Of course you never want to be. The brand garment was head Carnival Cruise Line. I think canon cameras as well and you're talking about you know you're right, Danny. The attacks are toe surfaces, expanding. Um, you know, with unprotected cloud databases. I think that was the Facebook Tic Tac Instagram pack. And so it's and also is getting more personal, which we have more people from home, more distractions. And that's a big challenge that organizations need to be prepared for, because, really, it's not a matter of are we going to get a hit? But it's It's when, and we need to make sure that we have that resiliency. They've talked to us about how them enables customers toe have that resiliency. >>Yeah, you know, it's a multilayered approach like you know, any good defensive mechanism. It's not one thing it's trying to do all of the right things in advance, meaning passwords and perimeter security and, ideally, virtual private networks. But to your point, some of those things can fail, especially as we're all working remotely, and there's more dependence on now. Suddenly, perhaps not so. I t sophisticated people, too. Now do the right things on a daily basis and your point about how personal is getting. If we're all getting emails about, click on this for helpful information on the pandemic, you know there's the likelihood of this goes up. So in addition to try and do good things ahead of time, we've got some early warning detection capabilities. We can alert that something looks suspicious or a novelist, and bare bears out better investigation to confirm that. But ultimately, the couple of things that we do, they're very interesting and unique to beam are we can lock down copy of the backup data so that even internal employees, even somewhat at Amazon, can't go. If it's marked immutable and destroy it, remove it, alter it in any way before it's due to be modified or deleted, erased in any way. But one of the ones I'm most excited about is we can actually recover from an old backup and now introduce updated virus signatures to ensure we don't reintroduced Day zero threats into production environment. >>Is it across all workloads, physical virtual things like, you know, Microsoft or 65 slack talked about those collaboration tools that immune ability, >>so immune ability. We're expanding out into multiple platforms today. We've got it on on premises object storage through a variety of different partners. Actually, a couple dozen different partners now, and we have something very unique with AWS s three object lock that we you can really lock down that data and ensure that can't be compromised. >>That's excellent, Danny, over to you in terms of cloud adoption, you both talked about this acceleration of digital business transformation that we've all seen. I think everyone has whiplash from that and that this adoption of cloud has increased. We've seen a lot of that is being a facilitator like, are you working with clients who are sort of, you know, maybe Dave at that point you talked about in the beginning, like kind of on that on that. Bring in the beginning and we've got to transform. We've got to go to the cloud. How do you kind of help? Maybe facilitate their adoption of public health services like AWS with the technologies that the off first? >>Yeah, I'd say it's really two things everyone wants to say, Hey, we're disrupting the market. We're changing everything about the world around us. You should come with us. Being actually is a very different approach to this one is we provide stability through the disruption around you. So as your business is changing and evolving and you're going through digital transformation, we can give you the stability through that and not only the stability through that change, but we can help in that change. And what I mean by that is if you have a customer who's been on premises and running the workloads on premises for a long while, and maybe they've been sending their backups and deaths three and flagging that impute ability. But maybe now they want to actually migrate the workloads into E. C to weaken. Do that. It's a It's a three step three clicks and workflow to hit a button and say send it up into Easy to. And then once it's in AWS, we can protect the workload when it's there. So we don't just give the stability in this changing environment around us. But we actually help customers go through that transformation and help them move the workloads to the most appropriate business location for them. >>And how does that Danny contending with you from a cost optimization perspective? Of course, we always talk about cost as a factor. Um, I'm going to the cloud. How does that a facilitator of, like, being able to move some of those workloads like attitude that you talked about? Is that a facilitator of cost optimization? Lower tco? I would imagine at some point Yes, >>Yes, it is. So I have this saying the cloud is not a charity right there later in margin, and often people don't understand necessarily what it's going to cost them. So one of the fundamental things that we've had in being back up for a W s since the very beginning since version one is we give cost forecasting and it's not just a rudimentary cost forecasting. We look at the storage we looked compute. We looked at the networking. We look at what all of the different factors that go into a policy, and we will tell them in advance what it's going to cost. That way you don't end up in a position where you're paying a lot more than you expected to pay. And so giving that transparency, giving the the visibility into what the costs of the cloud migration and adoption are going to be is a critical motivator for customers actually to use our software. >>Awesome. And Dave, I'm curious if we look at some of the things trends wise that have gone on, what are you seeing? I t folks in terms of work from home, the remote workers, but I am imagine they're getting their hands on this. But do you expect that a good amount of certain types of folks from industries won't go back into the office because I ts realizing, like more cost optimization? Zor Hey, we don't need to be on site because we can leverage cloud capabilities. >>Yeah, I think it works, actually, in both directions least, I think we'll see employees continue to work remotely, so the notion of skyscrapers being filled with tens of thousands of people, you know, knowledge workers, as they were once called back in the day. That may not come to pass at least any time soon. But conversely to your point everybody getting back into the data center, you know, from a business perspective, the vast majorities of CEO so they don't wanna be in the real estate business. They don't wanna be in the brick and mortar and the power cooling the facilities business. So >>that was >>a trend that was already directionally happening. And just as an accelerant, I think 2000 and 20 and probably 2021 at least the first half just continues that trend. >>Yeah, Silicon Valley is a bit lonely. The freeways there certainly emptier, which is one thing. But it is. It's one of those things that you think you could be now granted folks that worked from home regardless of the functions they were in before. It's not the same. I think we all know that it's not the same working from home during a pandemic when there's just so much more going on. But at the same time, I think businesses are realizing where they can actually get more cost optimization. Since you point not wanting to manage real estate, big data centers, things like that, that may be a ah, positive spin on what this situation has demonstrated. Daddy Last question to you. I always loved it to hear about successful customers. Talk to me about one of your favorite reference customers that really just articulates beams value, especially in this time of helping customers with so many pivots. >>Well, the whole concept of digital transformation is clearly coming to the forefront with the pandemic. And so one of my favorite customers, for example, ducks unlimited up in Canada. They have i ot sensors where they're collecting data about about climate information. They put it into a repository and they keep it for 60 years. Why 60 years? Because who knows? Over the next 60 years, when these sensors in the data they're collecting may be able to solve problems like climate change. But if you >>look at it >>a broader sense, take that same concept of collection of data. I think we're in a fantastic period right now where things like Callum medicine. Um, in the past, >>it was >>kind of in a slow roll remote education and training was on kind of a slow roll. Climate change. Slow roll. Um, but now the pandemics accelerating. Ah, lot of that. Another customer, Royal Dutch Shell, for example. Traditionally in the oil and petrochemical industry, their now taking the data that they have, they're going through this transformation faster than ever before and saying, How do I move to sustainable energy? And so a lot of people look at 2020 and say, I want how does this year? Or, you know, this is not the transformation I want. I actually take the reverse of that. The customers that we have right now are taking the data sets that they have, and they're actually optimizing for a more sustainable future, a better future for us and for our Children. And I think that's a fantastic thing, and being obviously helps in that transformation. >>That's excellent. And I agree with you, Danny, you know, the necessity is the mother of invention. And sometimes when all of these challenges air exposed, it's hard right away to see what are the what are the positives right? What are the opportunities? But from a business perspective is you guys were talking about the beginning of our segment, you know, in the beginning was keeping the lights on. Well, now we've got to get from keeping the lights on, too. Surviving to pivoting well to thriving. So that hopefully 2021 this is good as everybody hopes it's going to be. Right, Dave? >>Yeah, absolutely. It's all data driven and you're right. We have to move from keep the lights up on going the operational aspect to growing the business in new ways and ideally transforming the business in new ways. And you can see we hit on digital transformation a number of times. Why? Because its data driven, Why do we intercept that with being well? Because if it's important to you, it's probably backed up and held for long term safekeeping. So we want to be able to better leverage the data like Danny mentioned with Ducks Unlimited. >>And of course, as we know, data volumes are only growing. So next time you're on day, you have to play us out with one of your guitars. Deal >>definitely, definitely will. >>Excellent for Dave Russell and Danny Allen. I'm Lisa Martin. Guys, thank you so much for joining. You're watching the Cube

>>from around the globe. It's the Cube with coverage of Yukon and Cloud. Native Con North America. 2020. Virtual Brought to You by Red Hat, The Cloud, Native Computing Foundation and Ecosystem Partners Welcome back to the Cube. Virtual coverage of KUB Con Cloud native 2020. It's virtual this year. We're not face to face. Were normally in person where we have great interviews. Everyone's kind of jamming in the hallways, having a good time talking tech, identifying the new projects and knew where So we're not. There were remote. I'm John for your host. We've got two great gas, both Cuba alumni's Chris. And is it chief technology officer of the C and C F Chris, Welcome back. Great to see you. Thanks for coming on. Appreciate it. >>Awesome. Glad to be here. >>And, of course, another Cube alumni who is in studio. But we haven't had him at a Show Jr store meant executive director of the Fin Ops Foundation. And that's the purpose of this session. A interesting data point we're going to dig into how cloud has been enabling Mawr communities, more networks of practitioners who are still working together, and it's also a success point Chris on the C N C F vision, which has been playing out beautifully. So we're looking forward to digging. Jr. Thanks for coming on. Great to see you. >>Yeah, great to be here. Thanks, John. >>So, first of all, I want to get the facts out there. I think this is really important story that people should pay attention to the Finn Ops Foundation. That J. R. That you're running is really an interesting success point because it's it's not the c n c f. Okay. It's a practitioner that builds on cloud. Your experience in community you had is doing specific things that they're I won't say narrow but specific toe a certain fintech things. But it's really about the success of Cloud. Can you explain and and layout for take a minute to explain What is the fin Ops foundation and has it relate to see NCF? >>Yeah, definitely. So you know, if you think about this, the shift that we've had to companies deploying primarily in cloud, whether it be containers a ciencia focuses on or traditional infrastructure. The thing that typically people focus on right is the technology and innovation and speed to market in all those areas. But invariably companies hit this. We'd like to call the spend panic moment where they realize they're They're initially spending much more than they expected. But more importantly, they don't really have the processes in place or the people or the tools to do things like fully, you know, understand where their costs are going to look at how to optimize those to operate that in their organizations. And so the foundation pinups foundation eyes really focused on, uh, the people in practitioners who are in organizations doing cloud financial management, which is, you know, being those who drive this accountability of this variable spin model that's existed. So we were partnering very closely with, uh, see NCF. And we're now actually part of the Linux Foundation as of a few months ago, Uh, and you know, just to kind of put into context how that you kind of Iraq together, whereas, you know, CNC s very focused on open source coordinative projects, you know, For example, Spotify just launched their backstage cloud called Management Tool into CFCF Spotify folks, in our end, are working on the best practices around the cloud financial management that standards to go along with that. So we're there to help, you know, define this sort of cultural transformation, which is a shift to now. Engineers happen to think about costs as they never did before. On finance, people happen to partner with technology teams at the speed of cloud, and, you know executives happen to make trade off decisions and really change the way that they operate the business. With this variable page ago, engineers have all the access to spend the money in Cloud Model. >>Hey, blank check for engineers who doesn't like that rain that in its like shift left for security. And now you've got to deal with the financial Finn ops. It's really important. It's super point, Chris. In all seriousness. Putting kidding aside, this is exactly the kind of thing you see with open sores. You're seeing things like shift left, where you wanna have security baked in. You know what Jr is done in a fabulous job with his community now part of Linux Foundation scaling up, there's important things to nail down that is specific to that domain that are related to cloud. What's your thoughts on this? Because you're seeing it play out. >>Yeah, no, I mean, you know, I talked to a lot of our end user members and companies that have been adopting Cloud Native and I have lots of friends that run, you know, cloud infrastructure at companies. And Justus Jr said, You know, eventually there's been a lot of success and cognitive and want to start using a lot of things. Your bills are a little bit more higher than you expect. You actually have trouble figuring out, you know, kind of who's using what because, you know, let's be honest. A lot of the clouds have built amazing services. But let's say the financial management and cost management accounting tools charge back is not really built in well. And so I kind of noticed this this issue where it's like, great everyone's using all these services. Everything is great, But costs are a little bit confusing, hard to manage and, you know, you know, scientifically, you know, I ran into, you know, Jr and his community out there because my community was having a need of like, you know, there's just not good tools, standards, no practices out there. And, you know, the Finau Foundation was working on these kind of great things. So we started definitely found a way to kind of work together and be under the same umbrella foundation, you know, under the under Linux Foundation. In my personal opinion, I see more and more standards and tools to be created in this space. You know, there's, you know, very few specifications or standards and trying to get cost, you know, data out of different clouds and tools out there, I predict, Ah, lot more work is going to be done. Um, in this space, whether it's done and defendants foundation itself, CNC f, I think will probably be, uh, collaboration amongst communities. Can I truly figure this out? So, uh, engineers have any easier understanding of, you know, if I spent up the service or experiment? How much is this actually going to potentially impact the cost of things and and for a while, You know, uh, engineers just don't think about this. When I was at Twitter, we spot up services all time without really care about cost on, and that's happening a lot of small companies now, which don't necessarily have as a big bucket. So I'm excited about the space. I think you're gonna see a huge amount of focus on cloud financial management drops in the near future. >>Chris, thanks for that great insight. I think you've got a great perspective. You know, in some cases, it's a fast and loose environment. Like Twitter. You mentioned you've got kind of a blank check and the rocket ships going. But, Jr, this brings up to kind of points. This kind of like the whole code side of it. The software piece where people are building code, but also this the human error. I mean, we were playing with clubs, so we have a big media cloud and Amazon and we left there. One of the buckets open on the switches and elemental. We're getting charged. Massive amounts for us cash were like, Wait a minute, not even using this thing. We used it once, and it left it open. It was like the water was flowing through the pipes and charging us. So you know, this human error is throwing the wrong switch. I mean, it was simply one configuration error, in some cases, just more about planning and thinking about prototypes. >>Yeah. I mean, so take what your experience there. Waas and multiply by 1000 development teams in a big organization who all have access to cloud. And then, you know, it's it's and this isn't really about a set of new technologies. It's about a new set of processes and a cultural change, as Chris mentioned, you know, engineers now thinking about cost and this being a whole new efficiency metric for them to manage, right? You know, finance teams now see this world where it's like tomorrow. The cost could go three x the next day they could go down. You've got, you know, things spending up by the second. So there's a whole set of cross functional, and that's the majority of the work that are members do is really around. How do we get these cross functional teams working together? How do we get you know, each team up leveled on what they need, understand with cloud? Because not only is it, you know, highly variable, but it's highly decentralized now, and we're seeing, you know, cloud hit. These sort of material spend levels where you know, the big, big cloud spenders out there spending, you know, high nine figures in some cases you know, in cloud and it's this material for their for their businesses. >>And let's just let's be honest. Here is like Clouds, for the most part, don't really have a huge incentive in offering limits and so on. It's just, you know, like, hey, the more usage that the better And hopefully getting a group of practitioners in real figures. Well, holy put pressure to build better tools and services in this area. I think actually it is happening. I think Jared could correct me if wrong. I think AWS recently announced a feature where I think it's finally like quotas, you know, enabled, you know, you have introducing quotas now for and building limits at some level, which, you know, I think it's 2020 Thank you know, >>just to push back a little bit in support of our friends, you ask Google this company, you know, for a long time doing this work, we were worried that the cloud would be like, What are you doing? Are you trying to get our trying to minimize commitments and you know the dirty secret of this type of work? And I were just talking a bunch of practitioners today is that cloud spend never really goes down. When you do this work, you actually end up spending more because you know you're more comfortable with the efficiency that you're getting, and your CEO is like, let's move more workloads over. But let's accelerate. Let's let's do Maurin Cloud goes out more data centers. And so the cloud providers air actually largely incentivized to say, Yeah, we want people to be officially don't understand this And so it's been a great collaboration with those companies. As you said, you know, aws, Google, that you're certainly really focused in this area and ship more features and more data for you. It's >>really about getting smart. I mean, you know, they no, >>you could >>do it. I mean, remember the old browser days you could switch the default search engine through 10 menus. You could certainly find the way if you really wanted to dig in and make policy a simple abstraction layer feature, which is really a no brainer thing. So I think getting smarter is the right message. I want to get into the synergy Chris, between this this trend, because I think this points to, um kind of what actually happened here if you look at it at least from my perspective and correct me if I'm wrong. But you had jr had a community of practitioners who was sharing information. Sounds like open source. They're talking and sharing, you know? Hey, don't throw that switch. Do This is the best practice. Um, that's what open communities do. But now you're getting into software. You have to embed cost management into everything, just like security I mentioned earlier. So this trend, I think if you kind of connect the dots is gonna happen in other areas on this is really the synergy. Um, I getting that right with CNC >>f eso The way I see it is, and I dream of a future where developers, as they develop software, will be able to have some insight almost immediately off how much potential, you know, cost or impact. They'll have, you know, on maybe a new service or spinning up or potentially earlier in the development cycle saying, Hey, maybe you're not doing this in a way that is efficient. Maybe you something else. Just having that feedback loop. Ah lot. You know, closer to Deb time than you know a couple weeks out. Something crazy happens all of a sudden you notice, You know, based on you know, your phase or financial folks reaching out to you saying, Hey, what's going on here? This is a little bit insane. So I think what we'll see is, as you know, practitioners and you know, Jr spinoffs, foundation community, you know, get together share practices. A lot of them, you know, just as we saw on sense. Yeah, kind of build their own tools, models, abstractions. And, you know, they're starting to share these things. And once you start sharing these things, you end up with a you know, a dozen tools. Eventually, you know, sharing, you know, knowledge sharing, code sharing, you know, specifications. Sharing happens Eventually, things kind of, you know, become de facto tools and standards. And I think we'll see that, you know, transition in the thin ops community over the next 12 to 4 months. You know, very soon in my thing. I think that's kind of where I see things going, >>Jr. This really kind of also puts a riel, you know, spotlight and illustrates the whole developer. First cliche. I mean, it's really not a cliche. It's It's happening. Developers first, when you start getting into the calculations of our oi, which is the number one C level question is Hey, what's the are aware of this problem Project or I won't say cover your ass. But I mean, if someone kind of does a project that it breaks the bank or causes a, you know, financial problem, you know, someone gets pulled out to the back would shed. So, you know, here you're you're balancing both ends of the spectrum, you know, risk management on one side, and you've got return on investment on the other. Is that coming out from the conversation where you guys just in the early stages, I could almost imagine that this is a beautiful tailwind for you? These thes trends, >>Yeah. I mean, if you think about the work that we're doing in our practice you're doing, it's not about saving money. It's about making money because you actually want empower those engineers to be the innovation engines in the organization to deliver faster to ship faster. At the same time, they now can have, you know, tangible financial roo impacts on the business. So it's a new up leveling skill for them. But then it's also, I think, to Christmas point of, you know, people seeing this stuff more quickly. You know what the model looks like when it's really great is that engineers get near real time visibility into the impact of their change is on the business, and they can start to have conversations with the business or with their finance partners about Okay, you know, if you want me to move fast, I could move fast, But it's gonna cost this if you want me to optimize the cost. I could do that or I can optimize performance. And there's actually, you know, deeper are like conversation the candidate up. >>Now I know a lot of people who watch the Cube always share with me privately and Chris, you got great vision on this. We talked many times about it. We're learning a lot, and the developers are on the front lines and, you know, a lot of them don't have MBAs and, you know they're not in the business, but they can learn quick. If you can code, you can learn business. So, you know, I want you to take a minute Jr and share some, um, educational knowledge to developers were out there who have to sit in these meetings and have to say, Hey, I got to justify this project. Buy versus build. I need to learn all that in business school when I had to see s degree and got my MBA, so I kind of blended it together. But could you share what the community is doing and saying, How does that engineer sit in the meeting and defend or justify, or you some of the best practices what's coming out of the foundation? >>Yeah, I mean, and we're looking at first what a core principles that the whole organization used to line around. And then for each persona, like engineers, what they need to know. So I mean, first and foremost, it's It's about collaboration, you know, with their partners andan starting to get to that world where you're thinking about your use of cloud from a business value driver, right? Like, what is the impact of this? The critical part of that? Those early decentralization where you know, now you've got everybody basically taking ownership for their cloud usage. So for engineers, it's yes, we get that information in front of us quickly. But now we have a new efficiency metric. And engineers don't like inefficiency, right? They want to write fishing code. They wanna have efficient outcomes. Um, at the same time, those engineers need to now, you know, have ah, we call it, call it a common lexicon. Or for Hitchhiker's Guide to the Galaxy, folks. Ah, Babel fish that needs to be developed between these teams. So a lot of the conversations with engineers right now is in the foundation is okay. What What financial terms do I need to understand? To have meaningful conversations about Op X and Capex? And what I'm going to make a commitment to a cloud provider like a committed use discount, Google or reserved instance or savings Planet AWS. You know, Is it okay for me to make that? What? How does that impact our, you know, cost of capital. And then and then once I make that, how do I ensure that I could work with those teams to get that allocated and accounted? The right area is not just for charge back purposes, but also so that my teams can see my portion of the estate, right? And they were having the flip side of that conversation with all the finance folks of like, You need to understand how the variable cloud, you know, model works. And you need to understand what these things mean and how they impact the business. And then all that's coming together. And to the point of like, how we're working with C and C f you know, into best practices White papers, you know, training Siri's etcetera, sets of KP eyes and capabilities. Onda. All these problems have been around for years, and I wouldn't say they're solved. But the knowledge is out there were pulling it together. The new level that we're trying to talk with the NCF is okay. In the old world of Cloud, you had 1 to 1 use of a resource. You're running a thing on an instance in the new world, you're running in containers and that, you know, cluster may have lots of pods and name spaces, things inside of it that may be doing lots of different workloads, and you can no longer allocate. I've got this easy to instance and this storage to this thing it's now split up and very ephemeral. And it is a whole new layer of virtualization on top of virtual ization that we didn't have to deal with before. >>And you've got multiple cloud. I'll throw that in there, just make another dimension on it. Chris, tie this together cause this is nice energy to scale up what he's built with the community now, part of the Linux Foundation. This fits nicely into your vision, you know, perfectly. >>Yeah, no, 100% like, you know, so little foundation. You know, as you're well, well aware, is just a federation of open source foundations of groups working together to share knowledge. So it definitely fits in kind of the little foundation mission of, you know, building the largest share technology investment for, you know, humankind. So definitely good there with my kind of C and C f c T o hat, you know, on is, you know, I want to make sure that you know, you know my community and and, you know, the community of cloud native has access and, you know, knowledge about modern. You know, cloud financial management practices out there. If you look at some of the new and upcoming projects in ciencia things like, you know, you know, backstage, which came out of Spotify. They're starting to add functionality that, you know, you know, originally backstage kind of started out as this, you know, everyone builds their own service catalog to go catalog, and you know who owns what and, you know and all that goodness and developers used it. And eventually what happened is they started to add cost, you know, metrics to each of these services and so on. So it surfaces things a little bit closer, you know, a depth time. So my whole goal is to, you know, take some of these great, you know, practices and potential tools that were being built by this wonderful spinoffs community and trying to bring it into the project. You know, front inside of CNC F. So having more projects either exposed, you know, useful. You know, Finn, ops related metrics or, you know, be able to, you know, uh, you know, tool themselves to quickly be able to get useful metrics that could be used by thin ox practitioners out there. That's my kind of goal. And, you know, I just love seeing two communities, uh, come together to improve, improve the state of the world. >>It's just a great vision, and it's needed so and again. It's not about saving money. Certainly does that if you play it right, but it's about growth and people. You need better instrumentation. You need better data. You've got cloud scale. Why not do something there, right? >>Absolutely. It's just maturity after the day because, you know, a lot of engineers, you know, they just love this whole like, you know, rental model just uses many Resource is they want, you know, without even thinking about just basic, you know, metrics in terms of, you know, how many idle instances do I have out there and so, like, people just don't think about that. They think about getting the work done, getting the job done. And if they anything we do to kind of make them think a little bit earlier about costs and impact efficiency, charge back, you know, I think the better the world isn't Honestly, you know, I do see this to me. It's It's almost like, you know, with my hippie hat on. It's like Stephen Green or for the more efficient we are. You know, the better the world off cloud is coming. Can you grow? But we need to be more efficient and careful about the resource is that we use in sentencing >>and certainly with the pandemic, people are virtually you wanted mental health, too. I mean, if people gonna be pulling their hair out, worrying about dollars and cents at scale, I mean, people are gonna be freaking out and you're in meetings justifying why you did things. I mean, that's a time waster, right? I mean, you know, talking about wasting time. >>I have a lot of friends who, you know, run infrastructure at companies. And there's a lot of you know, some companies have been, you know, blessed during this, you know, crazy time with usage. But there is a kind of laser focused on understanding costs and so on and you not be. Do not believe how difficult it is sometimes even just to get, you know, reporting out of these systems, especially if you're using, you know, multiple clouds and multiple services across them. It's not. It's non trivial. And, you know, Jared could speak to this, But, you know, a lot of this world runs in like terrible spreadsheets, right and in versus kind of, you know, nice automated tools with potential, a p I. So there's a lot of this stuff. It's just done sadly in spreadsheets. >>Yeah, salute the flag toe. One standard to rally around us. We see this all the time Jr and emerging inflection points. No de facto kind of things develop. Kubernetes took that track. That was great. What's your take on what he just said? I mean, this is a critical path item for people from all around. >>Yeah, and it's It's really like becoming this bigger and bigger data problem is well, because if you look at the way the clouds are building, they're building per seconds and and down to the very fine grain detail, you know, or functions and and service. And that's amazing for being able to have accountability. But also you get people with at the end of the month of 300 gigabyte billing files, with hundreds of millions of rows and columns attached. So, you know, that's where we do see you companies come together. So yeah, it is a spreadsheet problem, but you can now no longer open your bill in a spreadsheet because it's too big. Eso you know, there's the native tools are doing a lot of work, you know, as you mentioned, you know, AWS and Azure Google shipping a lot. There's there's great, you know, management platforms out there. They're doing work in this area, you know, there's there's people trying to build their own open source the things like Chris was talking about as well. But really, at the end of the day like this, this is This is not a technology. Changes is sort of a cultural shift internally, and it's It's a lot like the like, you know, move from data center to cloud or like waterfall to Dev ops. It's It's a shift in how we're managing, you know, the finances of the money in the business and bringing these groups together. So it it takes time and it takes involvement. I'm also amazed I look like the job titles of the people who are plugged into the Phenoms Foundation and they range from like principal engineers to tech procurement. Thio you know, product leaders to C. T. O. S. And these people are now coming together in the classic to get a seat at the table right toe, Have these conversations and talk about not How do we reduce, you know, cost in the old eighties world. But how do we work together to be more quickly to innovate, to take advantage of these cognitive technologies so that we could be more competitive? Especially now >>it's automation. I mean, all these things are at play. It's about software. I mean, software defined operations is clearly the trend we've been covering. You guys been riding the wave cloud Native actually is so important in all these modern APS, and it applies to almost every aspect of stacks, so makes total sense. Great vision. Um, Chris props to you for that, Jr. Congratulations on a great community, Jerry. I'll give you the final word. Put a plug in for the folks watching on the fin ops Foundation where you're at. What are you looking to do? You adding people, What's your objectives? Take a minute to give the plug? >>Yeah, definitely. We were in open source community, which means we thrive on people contributing inputs. You know, we've got now almost 3000 practitioner members, which is up from 1500 just this this summer on You know, we're looking for those who have either an interesting need to plug into are checked advisory council to help define standards as part of this event, The cognitive gone we're launching Ah, white paper on kubernetes. Uh, and how to do confidential management for it, which was a collaborative effort of a few dozen of our practitioners, as well as our vendor members from VM Ware and Google and APP Thio and a bunch of others who have come together to basically defined how to do this. Well, and, you know, we're looking for folks to plug into that, you know, because at the end of the day, this is about everybody sort of up leveling their skills and knowledge and, you know, the knowledge is out there, nobody's head, and we're focused on how toe drive. Ah, you know, a central collection of that be the central community for it. You enable the people doing this work to get better their jobs and, you know, contribute more of their companies. So I invite you to join us. You know, if your practitioner ITT's Frito, get in there and plug into all the bits and there's great slack interaction channels where people are talking about kubernetes or pinups kubernetes or I need to be asked Google or where we want to go. So I hope you consider joining in the community and join the conversation. >>Thanks for doing that, Chris. Good vision. Thanks for being part of the segment. And, as always, C N C F. This is an enablement model. You throw out the soil, but the 1000 flowers bloom. You don't know what's going to come out of it. You know, new standards, new communities, new vendors, new companies, some entrepreneur Mike jump in this thing and say, Hey, I'm gonna build a better tool. >>Love it. >>You never know. Right? So thanks so much for you guys for coming in. Thanks for the insight. Appreciate. >>Thanks so much, John. >>Thank you for having us. >>Okay. I'm John Furry, the host of the Cube covering Coop Con Cloud, Native Con 2020 with virtual This year, we wish we could be there face to face, but it's cute. Virtual. Thanks for watching