Rich Gaston, Micro Focus | Virtual Vertica BDC 2020
(upbeat music)

>> Announcer: It's theCUBE covering the virtual Vertica Big Data Conference 2020 brought to you by Vertica.

>> Welcome back to the Vertica Virtual Big Data Conference, BDC 2020. You know, it was supposed to be a physical event in Boston at the Encore. Vertica pivoted to a digital event, and we're pleased that theCUBE could participate because we've participated in every BDC since the inception. Rich Gaston this year is the global solutions architect for security risk and governance at Micro Focus. Rich, thanks for coming on, good to see you.

>> Hey, thank you very much for having me.

>> So you got a chewy title, man. You got a lot of stuff, a lot of hairy things in there. But maybe you can talk about your role as an architect in those spaces.

>> Sure, absolutely. We handle a lot of different requests from the global 2000 type of organization that will try to move various business processes, various application systems, databases, into new realms. Whether they're looking at opening up new business opportunities, whether they're looking at sharing data with partners securely, they might be migrating it to cloud applications, and doing migration into a Hybrid IT architecture. So we will take those large organizations and their existing installed base of technical platforms and data, users, and try to chart a course to the future, using Micro Focus technologies, but also partnering with other third parties out there in the ecosystem. So we have large, solid relationships with the big cloud vendors, with also a lot of the big database vendors. Vertica's our in-house solution for big data and analytics, and we are one of the first integrated data security solutions with Vertica. We've had great success out in the customer base with Vertica as organizations have tried to add another layer of security around their data.
So what we will try to emphasize is an enterprise wide data security approach, where you're taking a look at data as it flows throughout the enterprise from its inception, where it's created, where it's ingested, all the way through the utilization of that data. And then to the other uses where we might be doing shared analytics with third parties. How do we do that in a secure way that maintains regulatory compliance, and that also keeps our company safe against data breach.

>> A lot has changed since the early days of big data, certainly since the inception of Vertica. You know, it used to be big data, everyone was rushing to figure it out. You had a lot of skunkworks going on, and it was just like, figure out data. And then as organizations began to figure it out, they realized, wow, who's governing this stuff? A lot of shadow IT was going on, and then the CIO was called to sort of rein that back in. As well, you know, with all kinds of whatever, fake news, the hacking of elections, and so forth, the sense of heightened security has gone up dramatically. So I wonder if you can talk about the changes that have occurred in the last several years, and how you guys are responding.

>> You know, it's a great question, and it's been an amazing journey because I was walking down the street here in my hometown of San Francisco at Christmastime years ago and I got a call from my bank, and they said, we want to inform you your card has been breached by Target, a hack at Target Corporation and they got your card, and they also got your PIN. And so you're going to need to get a new card, we're going to cancel this. Do you need some cash? I said, yeah, it's Christmastime so I need to do some shopping. And so they worked with me to make sure that I could get that cash, and then get the new card and the new PIN. And being a professional in the inside of the industry, I really questioned, how did they get the PIN? Tell me more about this.
And they said, well, we don't know the details, but you know, I'm sure you'll find out. And in fact, we did find out a lot about that breach and what it did to Target. The impact that $250 million immediate impact, CIO gone, CEO gone. This was a big one in the industry, and it really woke a lot of people up to the different types of threats on the data that we're facing with our largest organizations. Not just financial data; medical data, personal data of all kinds. Flash forward to the Cambridge Analytica scandal that occurred where Facebook is handing off data, they're making a partnership agreement --think they can trust, and then that is misused. And who's going to end up paying the cost of that? Well, it's going to be Facebook at a tune of about five billion on that, plus some other fines that'll come along, and other costs that they're facing. So what we've seen over the course of the past several years has been an evolution from data breach making the headlines, and how do my customers come to us and say, help us neutralize the threat of this breach. Help us mitigate this risk, and manage this risk. What do we need to be doing, what are the best practices in the industry? Clearly what we're doing on the perimeter security, the application security and the platform security is not enough. We continue to have breaches, and we are the experts at that answer. The follow on fascinating piece has been the regulators jumping in now. First in Europe, but now we see California enacting a law just this year. They came into a place that is very stringent, and has a lot of deep protections that are really far-reaching around personal data of consumers. Look at jurisdictions like Australia, where fiduciary responsibility now goes to the Board of Directors. That's getting attention. For a regulated entity in Australia, if you're on the Board of Directors, you better have a plan for data security.
And if there is a breach, you need to follow protocols, or you personally will be liable. And that is a sea change that we're seeing out in the industry. So we're getting a lot of attention on both, how do we neutralize the risk of breach, but also how can we use software tools to maintain and support our regulatory compliance efforts as we work with, say, the largest money center bank out of New York. I've watched their audit year after year, and it's gotten more and more stringent, more and more specific, tell me more about this aspect of data security, tell me more about encryption, tell me more about money management. The auditors are getting better. And we're supporting our customers in that journey to provide better security for the data, to provide a better operational environment for them to be able to roll new services out with confidence that they're not going to get breached. With that confidence, they're not going to have a regulatory compliance fine or a nightmare in the press. And these are the major drivers that help us with Vertica sell together into large organizations to say, let's add some defense in depth to your data. And that's really a key concept in the security field, this concept of defense in depth. We apply that to the data itself by changing the actual data element of Rich Gaston, I will change that name into ciphertext, and that then yields a whole bunch of benefits throughout the organization as we deal with the lifecycle of that data.

>> Okay, so a couple things I want to mention there. So first of all, totally board level topic, every board of directors should really have cyber and security as part of its agenda, and it does for the reasons that you mentioned. The other is, GDPR got it all started. I guess it was May 2018 that the penalties went into effect, and that just created a whole domino effect. You mentioned California enacting its own laws, which, you know, in some cases are even more stringent.
And you're seeing this all over the world. So I think one of the questions I have is, how do you approach all this variability? It seems to me, you can't just take a narrow approach. You have to have an end to end perspective on governance and risk and security, and the like. So are you able to do that? And if so, how so?

>> Absolutely, I think one of the key areas in big data in particular, has been the concern that we have a schema, we have database tables, we have columns, and we have data, but we're not exactly sure what's in there. We have application developers that have been given sandbox space in our clusters, and what are they putting in there? So can we discover that data? We have those tools within Micro Focus to discover sensitive data within your data stores, but we can also protect that data, and then we'll track it. And what we really find is that when you protect, let's say, five billion rows of a customer database, we can now know what is being done with that data on a very fine grain and granular basis, to say that this business process has a justified need to see the data in the clear, we're going to give them that authorization, they can decrypt the data. SecureData, my product, knows about that and tracks that, and can report on that and say at this date and time, Rich Gaston did the following thing to be able to pull data in the clear. And that could be then used to support the regulatory compliance responses and then audit to say, who really has access to this, and what really is that data? Then in GDPR, we're getting down into much more fine grained decisions around who can get access to the data, and who cannot. And organizations are scrambling.
One of the funny conversations that I had a couple years ago as GDPR came into place was, it seemed a couple of customers were taking this sort of brute force approach of, we're going to move our analytics and all of our data to Europe, to European data centers because we believe that if we do this in the U.S., we're going to violate their law. But if we do it all in Europe, we'll be okay. And that simply was a short-term way of thinking about it. You really can't be moving your data around the globe to try to satisfy a particular jurisdiction. You have to apply the controls and the policies and put the software layers in place to make sure that anywhere that someone wants to get that data, that we have the ability to look at that transaction and say it is or is not authorized, and that we have a rock solid way of approaching that for audit and for compliance and risk management. And once you do that, then you really open up the organization to go back and use those tools the way they were meant to be used. We can use Vertica for AI, we can use Vertica for machine learning, and for all kinds of really cool use cases that are being done with IoT, with other kinds of cases that we're seeing that require data being managed at scale, but with security. And that's the challenge, I think, in the current era, is how do we do this in an elegant way? How do we do it in a way that's future proof when CCPA comes in? How can I lay this on as another layer of audit responsibility and control around my data so that I can satisfy those regulators as well as the folks over in Europe and Singapore and China and Turkey and Australia. It goes on and on. Each jurisdiction out there is now requiring audit. And like I mentioned, the audits are getting tougher. And if you read the news, the GDPR example I think is classic. They told us in 2016, it's coming. They told us in 2018, it's here.
They're telling us in 2020, we're serious about this, and here's the fines, and you better be aware that we're coming to audit you. And when we audit you, we're going to be asking some tough questions. If you can't answer those in a timely manner, then you're going to be facing some serious consequences, and I think that's what's getting attention.

>> Yeah, so the whole big data thing started with Hadoop, and Hadoop is open, it's distributed, and it just created a real governance challenge. I want to talk about your solutions in this space. Can you tell us more about Micro Focus Voltage? I want to understand what it is, and then get into sort of how it works, and then I really want to understand how it's applied to Vertica.

>> Yeah, absolutely, that's a great question. First of all, we were the originators of format preserving encryption, we developed some of the core basic research out of Stanford University that then became the company of Voltage; that build-a-brand name that we apply even though we're part of Micro Focus. So the lineage still goes back to Dr. Boneh down at Stanford, one of my buddies there, and he's still at it doing amazing work in cryptography and keeping moving the industry forward, and the science forward of cryptography. It's a very deep science, and we all want to have it peer-reviewed, we all want to be attacked, we all want it to be proved secure, that we're not selling something to a major money center bank that is potentially risky because it's obscure and we're private. So we have an open standard. For six years, we worked with the Department of Commerce to get our standard approved by NIST, the National Institute of Science and Technology. They initially said, well, AES256 is going to be fine. And we said, well, it's fine for certain use cases, but for your database, you don't want to change your schema, you don't want to have this increase in storage costs. What we want is format preserving encryption.
And what that does is turns my name, Rich, into a four-letter ciphertext. It can be reversed. The mathematics of that are fascinating, and really deep and amazing. But we really make that very simple for the end customer because we produce APIs. So these application programming interfaces can be accessed by applications in C or Java, C#, other languages. But they can also be accessed in microservice manner via REST and web service APIs. And that's the core of our technical platform. We have an appliance-based approach, so we take a SecureData appliance, we'll put it on-prem, we'll make 50 of them if you're a big company like Verizon and you need to have these co-located around the globe, no problem; we can scale to the largest enterprise needs. But our typical customer will install several appliances and get going with a couple of environments like QA and Prod to be able to start getting encryption going inside their organization. Once the appliances are set up and installed, it takes just a couple of days of work for a typical technical staff to get done. Then you're up and running to be able to plug in the clients. Now what are the clients? Vertica's a huge one. Vertica's one of our most powerful client endpoints because you're able to now take that API, put it inside Vertica, it's all open on the internet. We can go and look at Vertica.com/secure data. You get all of our documentation on it. You understand how to use it very quickly. The APIs are super simple; they require three parameter inputs. It's a really basic approach to being able to protect and access data. And then it gets very deep from there because you have data like credit card numbers. Very different from a street address and we want to take a different approach to that. We have data like birthdate, and we want to be able to do analytics on dates. We have deep approaches on managing analytics on protected data like date without having to put it in the clear.
So we've maintained a lead in the industry in terms of being an innovator of the FF1 standard, what we call FF1 is format preserving encryption. We license that to others in the industry, per our NIST agreement. So we're the owner, we're the operator of it, and others use our technology. And we're the original founders of that, and so we continue to sort of lead the industry by adding additional capabilities on top of FF1 that really differentiate us from our competitors. Then you look at our API presence. We can definitely run on Hadoop, but we also run in open systems. We run on mainframe, we run on mobile. So anywhere in the enterprise or one in the cloud, anywhere you want to be able to put secure data, and be able to access the protected data, we're going to be there and be able to support you there.

>> Okay so, let's say I've talked to a lot of customers this week, and let's say I'm running in Eon mode. And I got some workload running in AWS, I've got some on-prem. I'm going to take an appliance or multiple appliances, I'm going to put it on-prem, but that will also secure my cloud workloads as part of a sort of shared responsibility model, for example? Or how does that work?

>> No, that's absolutely correct. We're really flexible that we can run on-prem or in the cloud as far as our crypto engine, the key management is really hard stuff. Cryptography is really hard stuff, and we take care of all that, so we've all baked that in, and we can run that for you as a service either in the cloud or on-prem on your small VMs. So really the lightweight footprint for me running my infrastructure. When I look at the organization like you just described, it's a classic example of where we fit because we will be able to protect that data. Let's say you're ingesting it from a third party, or from an operational system, you have a website that collects customer data. Someone has now registered as a new customer, and they're going to do e-commerce with you.
We'll take that data, and we'll protect it right at the point of capture. And we can now flow that through the organization and decrypt it at will on any platform that you have that you need us to be able to operate on. So let's say you wanted to pick that customer data from the operational transaction system, let's throw it into Eon, let's throw it into the cloud, let's do analytics there on that data, and we may need some decryption. We can place SecureData wherever you want to be able to service that use case. In most cases, what you're doing is a simple, tiny little atomic fetch across a protected tunnel, your typical TLS pipe tunnel. And once that key is then cached within our client, we maintain all that technology for you. You don't have to know about key management or caching. We're good at that; that's our job. And then you'll be able to make those API calls to access or protect the data, and apply the authorization, authentication controls that you need to be able to service your security requirements. So you might have third parties having access to your Vertica clusters. That is a special need, and we can have that ability to say employees can get X, and the third party can get Y, and that's a really interesting use case we're seeing for shared analytics in the internet now.

>> Yeah for sure, so you can set the policy how we want. You know, I have to ask you, in a perfect world, I would encrypt everything. But part of the reason why people don't is because of performance concerns. Can you talk about, and you touched upon it I think recently with your sort of atomic access, but can you talk about, and I know it's Vertica, it's Ferrari, etc, but anything that slows it down, I'm going to be a concern. Are customers concerned about that? What are the performance implications of running encryption on Vertica?

>> Great question there as well, and what we see is that we want to be able to apply scale where it's needed.
And so if you look at ingest platforms that we find, Vertica is commonly connected up to something like Kafka. Maybe StreamSets, maybe NiFi, there are a variety of different technologies that can route that data, pipe that data into Vertica at scale. SecureData is architected to go along with that architecture at the node or at the executor or at the lowest level operator level. And what I mean by that is that we don't have a bottleneck that everything has to go through one process or one box or one channel to be able to operate. We don't put an interceptor in between your data and coming and going. That's not our approach because those approaches are fragile and they're slow. So we typically want to focus on integrating our APIs natively within those pipeline processes that come into Vertica within the Vertica ingestion process itself, you can simply apply our protection when you do the copy command in Vertica. So really basic simple use case that everybody is typically familiar with in Vertica land; be able to copy the data and put it into Vertica, and you simply say protect as part of the data. So my first name is coming in as part of this ingestion. I'll simply put the protect keyword in the syntax right in SQL; it's nothing other than just an extension SQL. Very very simple, the developer, easy to read, easy to write. And then you're going to provide the parameters that you need to say, oh the name is protected with this kind of a format. To differentiate it between a credit card number and an alphanumeric stream, for example. So once you do that, you then have the ability to decrypt. Now, on decrypt, let's look at a couple different use cases. First within Vertica, we might be doing select statements within Vertica, we might be doing all kinds of jobs within Vertica that just operate at the SQL layer.
Again, just insert the word "access" into the Vertica select string and provide us with the data that you want to access, that's our word for decryption, that's our lingo. And we will then, at the Vertica level, harness the power of its CPU, its RAM, its horsepower at the node to be able to operate on that operator, the decryption request, if you will. So that gives us the speed and the ability to scale out. So if you start with two nodes of Vertica, we're going to operate at X number of hundreds of thousands of transactions a second, depending on what you're doing. Long strings are a little bit more intensive in terms of performance, but short strings like social security number are our sweet spot. So we operate very very high speed on that, and you won't notice the overhead with Vertica, per se, at the node level. When you scale Vertica up and you have 50 nodes, and you have large clusters of Vertica resources, then we scale with you. And we're not a bottleneck at any particular point. Everybody's operating independently, but they're all copies of each other, all doing the same operation. Fetch a key, do the work, go to sleep.

>> Yeah, you know, I think this is, a lot of the customers have said to us this week that one of the reasons why they like Vertica is it's very mature, it's been around, it's got a lot of functionality, and of course, you know, look, security, I understand is it's kind of table stakes, but it's also can be a differentiator. You know, big enterprises that you sell to, they're asking for security assessments, SOC 2 reports, penetration testing, and I think I'm hearing, with the partnership here, you're sort of passing those with flying colors. Are you able to make security a differentiator, or is it just sort of everybody's kind of got to have good security? What are your thoughts on that?

>> Well, there's good security, and then there's great security.
And what I found with one of my money center bank customers here in San Francisco was based here, was the concern around the insider access, when they had a large data store. And the concern that a DBA, a database administrator who has privilege to everything, could potentially exfil data out of the organization, and in one fell swoop, create havoc for them because of the amount of data that was present in that data store, and the sensitivity of that data in the data store. So when you put Voltage encryption on top of Vertica, what you're doing now is that you're putting a layer in place that would prevent that kind of a breach. So you're looking at insider threats, you're looking at external threats, you're looking at also being able to pass your audit with flying colors. The audits are getting tougher. And when they say, tell me about your encryption, tell me about your authentication scheme, show me the access control list that says that this person can or cannot get access to something. They're asking tougher questions. That's where SecureData can come in and give you that quick answer of it's encrypted at rest. It's encrypted and protected while it's in use, and we can show you exactly who's had access to that data because it's tracked via a different layer, a different appliance. And I would even draw the analogy, many of our customers use a device called a hardware security module, an HSM. Now, these are fairly expensive devices that are invented for military applications and adopted by banks. And now they're really spreading out, and people say, do I need an HSM? Well, with SecureData, we certainly protect your crypto very very well. We have very very solid engineering. I'll stand on that any day of the week, but your auditor is going to want to ask a checkbox question. Do you have HSM? Yes or no. Because the auditor understands, it's another layer of protection.
And it provides me another tamper evident layer of protection around your key management and your crypto. And we, as professionals in the industry, nod and say, that is worth it. That's an expensive option that you're going to add on, but your auditor's going to want it. If you're in financial services, you're dealing with PCI data, you're going to enjoy the checkbox that says, yes, I have HSMs and not get into some arcane conversation around, well no, but it's good enough. That's kind of the argument then conversation we get into when folks want to say, Vertica has great security, Vertica's fantastic on security. Why would I want SecureData as well? It's another layer of protection, and it's defense in depth for your data. When you believe in that, when you take security really seriously, and you're really paranoid, like a person like myself, then you're going to invest in those kinds of solutions that get you best-in-class results.

>> So I'm hearing a data-centric approach to security. Security experts will tell you, you got to layer it. I often say, we live in a new world. The green used to just build a moat around the queen, but the queen, she's leaving her castle in this world of distributed data. Rich, incredibly knowledgeable guest, and really appreciate you being on the front lines and sharing with us your knowledge about this important topic. So thanks for coming on theCUBE.

>> Hey, thank you very much.

>> You're welcome, and thanks for watching everybody. This is Dave Vellante for theCUBE, we're covering wall-to-wall coverage of the Virtual Vertica BDC, Big Data Conference. Remotely, digitally, thanks for watching. Keep it right there. We'll be right back right after this short break.

(intense music)
Denise Dumas, Red Hat | Red Hat Summit 2018
>> From San Francisco, it's theCUBE, covering Red Hat Summit 2018, brought to you by Red Hat.

>> Hey, welcome back everyone. Live here in San Francisco, California, Moscone West, is theCUBE's live coverage of Red Hat Summit 2018. I'm John Furrier, and my co-host John Troyer. Our next guest is Denise Dumas, vice president, software engineering, operating system group at Red Hat. Welcome back to theCUBE, good to see you.

>> Thank you so much, great to be here with you.

>> So operating systems, Linux, the base, base with everything. Yeah, now you got all those other goodness going on, you have some acquisitions, Permabit we were just talking about before he came on. A lot of action going on, yeah. What's new?

>> Well, you know, you think that the world of operating systems would be boring, but honest to god, it is so not. Especially now, right? Because there is a whole generation of change going on in the hardware, and when the hardware changes, the operating system has got to change to keep up, right? You look at the stuff that's going on with GPUs, with FPGA, right? I mean, and that's just like tip of the iceberg.

>> Yeah, and everything has to be programmable, so you need software to keep track of it. So it's not just the patches you gotta keep on top of, the DevOps automation's a big part of it, and security models are changing with the cloud. There's no perimeter, so you have to have maybe chip level encryption, OS the way up. This is challenging. So what is it, what's the impact to Red Hat as these new things come on? Because you know, you got, you know, phishing out there, spear phishing is a big problem. You got to handle it all. How do you guys handle all the security challenges?

>> Well, you know, it's, it's actually interesting, because RHEL is the base, the core of Red Hat's product line, which means that we provide the firm underpinning for everything else in the portfolio. So we have the FIPS certification, we're doing the Common Criteria certification, we provide the reliable crypto that everybody else can just expect to have in their world, and we
have to be the really firm basis for everything that layers on top. And it's really great to have the additional products in the portfolio working very closely with us to make sure that we can be end-to-end secure, end-to-end compliant, and that we're looking at the bigger problems, because it's not about the operating system, it's about the infrastructure and what you're going to run on top of it, right?

>> A lot of people have been saying, security, oh, it's hard to do security, open source is actually a problem for security. And then the world shifts back and says, wait a minute, open source is better to attack security problem, because it's out, more people working on it, versus the human problem of having proprietary. So obviously open source is a good thing - security. What's the modern approach that you see now that, that you guys are watching and building around that? Because that's the number one question that, KubeCon, at Kubernetes con, we saw a great thing, do some Kubernetes, we saw Istio service meshes, but security's got to be thought of on the front end of all the application developers. That means it's on you, put it into the OS.

>> And it's a different world, right? Because the application developers are not accustomed to having to deal with that, because that was always the job of the IT guys, right? That was a problem for the infrastructure to deal with. And so clearly we have to provide better security, better, better tooling available to them. But the operations guys, right, they still, they need help in this new world as well, because suddenly there's this explosion of containers in their environment, and who knows what's in those containers, right? We've got to have the ability to scan the containers and make sure that they get patched regularly, right? So it's just, it's a whole different set of problems, but it all starts with making sure it's secure underneath all the rest of it.

>> Well, so that's, that brings up the console of this concept of layers, right? There's all the operational things,
there's the apps and the containers and then you know rail is running underneath that that's the hardware and the micro code and all the rest of the stuff so this year we the whole entire IT industry - the kind of a gasp with with the meltdown inspector problems that that surfaced or you know I guess it was in January I think yeah when they were Republican what that was that was how the colonel team spent their Christmas vacation oh my goodness yeah I the colonel team the performance team the security team the virtualization team all those guys so Red Hat shuts down for a week at Christmastime if they didn't yeah that was exciting I mean we've been trained security is one of these things but there's another one coming because cyber attacks are there what's that what's the viewpoint how do you keep on how do you how do you keep on top of it yeah well you know we have a fabulous security team so if you happen to get up to the second floor go talk with chrome Chris Robinson his guys they monitor what's going on in the upstreams they work with mitre they work with the organization's right and when they discover that something is in the wind they come to us and disclose people as needed and then we get to go and figure out how we're gonna get fixes in usually a lot of this stuff happens as you know under embargo so we really we can't talk about it that's a real problem if a lot of the upstream hasn't been read in right so like for instance with meltdown inspector a lot of that was going on not so much in the upstream so there were kind of divergent patches that we got to bring back together that was really we knew that well we had a really strong suspicion that the embargo was gonna break early there that's why my guys were over Christmas right they had to have something ready secure for when it broke and then we could worry about the performance afterwards yeah right and then you had to roll that out into the entire customer base there's some fairly standard mechanisms 
was there anything special with that because it was fairly high priority I suppose yeah well I mean anything like that we make available a synchronously cuz we want to have it available that the day that that embargo goes public right because that's when we're gonna be getting the phone calls that's when people say oh my god now what do I do but if but the hard part with this one was that you had to have the microcode as well right but we had to do a lot of Education because this was this the side channel attacks it's just a different way of thinking right it's not so much a flaw in the code as in the overall hardware architecture that we get to deal with that stuff what did you learn what's the learnings that were magnifying we have to be as transparent as we can possibly be because security researchers are going to keep on looking for this kind of flaw and we you know we just have to be able to work as much in the open as we can but we also have to have an education function right this is not an area of core expertise for a lot of people who are working in databases right or who are who are designing Java apps and yet we have to be able to explain to them why there's a performance impact on some of the stuff that they're doing and how we can work together to try to get back some of that performance over time no meltdown inspector that's kind of off my radar now but I don't think we're completely out of it right you people have had to patch and reboot and and update but it sounds like we're not I don't think we're at 100% for sure of all systems yeah well you know IT infrastructure right there's your window in which you can actually afford to reboot your systems and I think a lot of those are very tightly scheduled I mean we have customers who get you know ten minutes a year yeah up times of years and years I mean old rebooting is kind of old fashioned at this point yeah really right as it should be as it should be but but when it's the minor code you're kind of 
stuck yeah I mean that's a hardware thing getting back to the hardware still hardware's even though cloud is extracting away the complexities Hardware still is out there so you never gonna go away for you and as you said it's changing look at the GPU side and you got all kinds of new things coming on the horizon like blockchain and decentralized infrastructure that's encrypted amen right so you know this is you know systems level code mm-hmm with software guys who don't know micro code mm-hmm so you guys got to be on top of it so so I guess the big question is is that operating system that you guys have is very reliable and the support is phenomenal use of industries how do you take the support and the engineering in rel and operating systems and bring that operate system mindset to the next level up as you move up the stack kubernetes new OpenStack as well openshift yeah and apps they all want the same reliability you all want the same kind of robustness nature of an ecosystem at the same time more people are being certified yeah so you have a balance of growth and reliability how do you how do you guys see that and it's also speed and time to market right which is the other factor because there's so much pressure on any emerging technology to get the features out there that you end up carrying the technical debt right or you end up not being able to be as hardened as you might like to be the instant that you go out the door and so it's always gonna be a balancing act and a trade-off so you I know you guys were just talking with Mark Oh bill Peter and he was probably talking about how we're trying to focus on use cases right we need to understand the use cases that our customers have and now those are clearly across the entire product portfolio right but those are the test scenarios that I need to get in flight and those are also the the paths that I need to make sure we've optimized for right and so it's a partnership with the rest of the products in the 
portfolio and we really do a lot to work together as tightly as we can which is one of the benefits of being at the core right I'm working with everybody yeah and you got the instrumentation too so the other theme yeah the automation big time theme here is breaking down the two of real granular level sets of services which actually is a good thing because if you can instrument it then it's just easy to manage because then he can isolate things so I mean this is a good thing in the OS people love this because you can see couple and make things work well but the instrumentation if you have the API API and you need the instrumentation and looking in so how is that created a challenge because it's all those great for Red Hat's business and then you see in the the forecast and the analysts are seeing the growth you guys are seeing the successes but it makes your job harder a bit that one's a harder but I mean it's you know you get it right more code and make glue layers of abstraction layers yeah but I wouldn't want it to be boring well I do want it to I want it to be boring for our customers I want our customers to just be able to pick up and no drum and exciting homes not ringing with no spectra again it's working like a charm no problem yeah drama llama does not live here yeah yeah that's an interesting point though just a lot of talk about the whole Red Hat stack here right and you got as we've said you the base of it where does where does Linux where is this Linux and especially rail go from here what are you looking at that over the next few years some different technologies you're looking to pull it etc mm-hmm there's always I mean we have to keep up with the hardware advances clearly right but then there's let's oh look at our permaban what a great ad right so perma bit for people who don't know they do a video virtual data optimizer so they do D dupe and compression on the fly on the path to the disk and with rail 75 as part of your subscription you get so we 
buy we buy companies and we open-source their soft code side their software and we make it available to you as part of your subscription right how good is that so is when you deploy 75 in your environment now suddenly you're gonna need a whole lot less storage right depending on of course it depends upon your data footprint right but but you might find that you're able to shrink the amount of all that expensive storage and expensive cloud storage particularly that you need significantly and you get the compression right was avenge compression was very popular we know we followed in fallen permit bit question on permit bit for you was that open source was that they build their front open stores because now and are you guys open sourcing that that's okay so you have to go gain and and then open it up and do a review and clean it up and yeah yeah and we have to help them get it into an upstream right so they actually they were fabulous the perma because they have been so fabulous to work with best acquisition ever seems to be pretty good at acquiring companies and incorporating their tacit that seems to be part of the culture here yeah that's cuz we're not you know people think we're like big and scary right I'll tell you I have worked for companies that are big and scary Red Hat is not it we're really open and it's really in many ways in engineering culture which is wonderful it's a great fit if you happen to be from a startup culture because we don't overwhelm you with process right I mean we a lot of smart people again I can attest to my interactions over the years smart people very humble a lot of systems people to which is cooperating system hello the world's turning into an operating system good for that but humble and plays the long game you guys I've been you deserve credit for that and that's that's attracting and reason why you successful but you know the thing is we really believe in our core values right we really truly honest-to-god believe in open source 
and the power that it has to change the world that you know you say oh yeah sure right she's part of the management change she's gonna see him anyway yeah but you guys are growing so I mean over the years again since we started the cube nine years ago we've watched red add just in that time span grow significantly I'll see it's well documented an alternative to the other proprietary os's second-tier citizen now running the world the first tier great job so the youth success business model of open source is now mainstream but you got to onboard more people more ecosystem partners in a really dynamic big wave of innovation coming yeah how do you maintain the recruiting how do you get the great people how do you preserve the culture I'm sure these are questions how do you the more inclusion and diversity questions this is all happening right they're gonna have to catch him at nine years old and grown I mean although honest to god we do a lot of university outreach right if you look in the Czech Republic for instance we have a huge operation in Brno which is the second largest city there and we are so tied in to the university system we bring in lots and lots and lots of interns and it's wonderful right because we want to teach people about open-source we find people who have passion projects and we bring them in this is this is our world right we don't we want non-traditional people as well as traditional computer science majors open-source is a great leveler your CV is online I mean imagine right you're you want to change careers you want a new life you love to code you've been working on writing games in your in your spare time you are our people that's the code your code is who you are your code is it's your CV well this is what Oh doing your things on the open means and also it's been great for your business and we had gym writers on earlier there's no a/b testing they just go into the community and find out what's they want and they just that's the a B C's e 
testing it's just right there you guys do the due diligence sometimes make big time real fun decisions on features based upon what is in demand practically speaking not just focusing on the new tech that's a good business model we hope so cuz you know I mean as as one of our former CFO I said there are a lot of people a lot of Associates at Red Hat who are dependent on Red Hat for a paycheck and it's very important to us that we remain profitable stable and and really good for our people right we've got a lot of people that we need to take care of in the time it's a good place to be in the timing spray with kubernetes and containers we're taking it up a notch and bringing that extensibility you know just beyond stand-alone Linux so congratulations Denise thanks for coming on and sharing your perspective as always we love these conversations in the cube talk and everything from operating systems to core OS and kubernetes and culture as the cue here out in the open on the floor at Moscone West John Troy yer stay with us we'll be back with more day two of three days of live coverage on the cube net we'll be right back