>> Hey everyone. Welcome back to theCUBE's coverage day two of CloudNative Security CON 23. Lisa Martin here in studio in Palo Alto with John Furrier. John, we've had some great conversations. I've had a global event. This was a global event. We had Germany on yesterday. We had the Boston Studio. We had folks on the ground in Seattle. Lot of great conversations, a lot of great momentum at this event. What is your number one takeaway with this inaugural event? >> Well, first of all, our coverage with our CUBE alumni experts coming in remotely this remote event for us, I think this event as an inaugural event stood out because one, it was done very carefully and methodically from the CNCF. I think they didn't want to overplay their hand relative to breaking out from CUBE CON So Kubernetes success and CloudNative development has been such a success and that event and ecosystem is booming, right? So that's the big story is they have the breakout event and the question was, was it a good call? Was it successful? Was it going to, would the dog hunt as they say, in this case, I think the big takeaway is that it was successful by all measures. One, people enthusiastic and confident that this has the ability to stand on its own and still contribute without taking away from the benefits and growth of Kubernetes CUBE CON and CloudNative console. So that was the key. Hallway conversations, the sessions all curated and developed properly to be different and focused for that reason. So I think the big takeaway is that the CNCF did a good job on how they rolled this out. Again, it was very intimate event small reminds me of first CUBE CON in Seattle, kind of let's test it out. Let's see how it goes. Again, clearly it was people successful and they understood why they're doing it. And as we commented out in our earlier segments this is not something new. Amazon Web Services has re:Invent and re:Inforce So a lot of parallels there. I see there. So I think good call. CNCF did the right thing. I think this has legs. And then as Dave pointed out, Dave Vellante, on our last keynote analysis was the business model of the hackers is better than the business model of the industry. They're making more money, it costs less so, you know, they're playing offense and the industry playing defense. That has to change. And as Dave pointed out we have to make the cost of hacking and breaches and cybersecurity higher so that the business model crashes. And I think that's the strategic imperative. So I think the combination of the realities of the market globally and open source has to go faster. It's good to kind of decouple and be highly cohesive in the focus. So to me that's the big takeaway. And then the other one is, is that there's a lot more security problems still unresolved. The emphasis on developers productivity is at risk here, if not solved. You saw supply chain software, again, front and center and then down in the weeds outside of Kubernetes, things like BIND and DNS were brought up. You're seeing the Linux kernel. Really important things got to be paid attention to. So I think very good call, very good focus. >> I would love if for us to be able to, as the months go on talk to some of the practitioners that actually got to attend. There were 72 sessions, that's a lot of content for a small event. Obviously to your point, very well curated. We did hear from some folks yesterday who were just excited to get the community back together in person. To your point, having this dedicated focus on CloudNativesecurity is incredibly important. You talked about, you know, the offense defense, the fact that right now the industry needs to be able to pivot from being on defense to being on offense. This is a challenging thing because it is so lucrative for hackers. But this seems to be from what we've heard in the last couple days, the right community with the right focus to be able to make that pivot. >> Yeah, and I think if you look at the success of Kubernetes, 'cause again we were there at theCUBE first one CUBE CON, the end user stories really drove end user participation. Drove the birth of Kubernetes. Left some of these CloudNative early adopters early pioneers that were using cloud hyperscale really set the table for CloudNative CON. I think you're seeing that here with this CloudNative SecurityCON where I think we're see a lot more end user stories because of the security, the hairs on fire as we heard from Madrona Ventures, you know, as they as an investor you have a lot of use cases out there where customers are leaning in with getting the rolling up their sleeves, working with open source. This has to be the driver. So I'm expecting to see the next level of SecurityCON to be end user focused. Much more than vendor focused. Where CUBECON was very end user focused and then attracted all the vendors in that grew the industry. I expect the similar pattern here where end user action will be very high at the beginning and that will essentially be the rising tide for the vendors to be then participating. So I expect almost a similar trajectory to CUBECON. >> That's a good path that it needs to all be about all the end users. One of the things I'm curious if what you heard was what are some of the key factors that are going to move CloudNative Security forward? What did you hear the last two days? >> I heard that there's a lot of security problems and no one wants to kind of brag about this but there's a lot of under the hood stuff that needs to get taken care of. So if automation scales, and we heard that from one of the startups we've just interviewed. If automation and scale continues to happen and with the business model of the hackers still booming, security has to be refactored quickly and there's going to be an opportunity structurally to use the cloud for that. So I think it's a good opportunity now to get dedicated focus on fixing things like the DNS stuff old school under the hood, plumbing, networking protocols. You're going to start to see this super cloud-like environment emerge where data's involved, everything's happening and so security has to be re imagined. And I think there's a do over opportunity for the security industry with CloudNative driving that. And I think this is the big thing that I see as an opportunity to, from a story standpoint from a coverage standpoint is that it's a do-over for security. >> One of the things that we heard yesterday is that there's a lot of it, it's a pretty high percentage of organizations that either don't have a SOCK or have a very primitive SOCK. Which kind of surprised me that at this day and age the risks are there. We talked about that today's focus and the keynote was a lot about the software supply chain and what's going on there. What did you hear in terms of the appetite for organizations through the voice of the practitioner to say, you know what guys, we got to get going because there's going to be the hackers are they're here. >> I didn't hear much about that in the coverage 'cause we weren't in the hallways. But from reading the tea leaves and talking to the folks on the ground, I think there's an implied like there's an unlimited money from customers. So it's a very robust from the data infrastructure stack building we cover with the angel investor Kane you're seeing data infrastructure's going to be part of the solution here 'cause data and security go hand in hand. So everyone's got basically checkbook wide open everyone wants to have the answer. And we commented that the co-founder of Palo Alto you had on our coverage yesterday was saying that you know, there's no real platform, there's a lot of tools out there. People will buy anything. So there's still a huge appetite and spend in security but the answer's not going to more tool sprawling. It's going to more platform auto, something that enables automation, fix some of the underlying mechanisms involved and fix it fast. So to me I think it's going to be a robust monetary opportunity because of the demand on the business side. So I don't see that changing at all and I think it's going to accelerate. >> It's a great point in terms of the demand for the business side because as we know as we said yesterday, the next Log4j is out there. It's not a matter of if this happens again it's when, it's the extent, it's how frequent we know that. So organizations all the way up to the board have to be concerned about brand reputation. Nobody wants to be the next big headline in terms of breaches and customer data being given to hackers and hackers making all this money on that. That has to go all the way up to the board and there needs to be alignment between the board and the executives at the organization in terms of how they're going to deal with security, and now. This is not a conversation that can wait. Yeah, I mean I think the five C's we talked about yesterday the culture of companies, the cloud is an enabler, you've got clusters of servers and capabilities, Kubernetes clusters, you've got code and you've got all kinds of, you know, things going on there. Each one has elements that are at risk for hacking, right? So that to me is something that's super important. I think that's why the focus on security's different and important, but it's not going to fork the main event. So that's why I think the spin out was, spinout, or the new event is a good call by the CNCF. >> One of the things today that struck me they're talking a lot about software supply chain and that's been in the headlines for quite a while now. And a stat that was shared this morning during the keynote just blew my brains that there was a 742% increase in the software supply chain attacks occurring over the last three years. It's during Covid times, that is a massive increase. The threat landscape is just growing so amorphously but organizations need to help dial that down because their success and the health of the individuals and the end users is at risk. Well, Covid is an environment where everyone's kind of working at home. So there was some disruption to infrastructure. Also, when you have change like that, there's opportunities for hackers, they'll arbitrage that big time. But I think general the landscape is changing. There's no perimeter anymore. It's CloudNative, this is where it is and people who are moving from old IT to CloudNative, they're at risk. That's why there's tons of ransomware. That's why there's tons of risk. There's just hygiene, from hygiene to architecture and like Nick said from Palo Alto, the co-founder, there's not a lot of architecture in security. So yeah, people have bulked up their security teams but you're going to start to see much more holistic thinking around redoing security. I think that's the opportunity to propel CloudNative, and I think you'll see a lot more coming out of this. >> Did you hear any specific information on some of the CloudNative projects going on that really excite you in terms of these are the right people going after the right challenges to solve in the right direction? >> Well I saw the sessions and what jumped out to me at the sessions was it's a lot of extensions of what we heard at CUBECON and I think what they want to do is take out the big items and break 'em out in security. Kubescape was one we just covered. They want to get more sandbox type stuff into the security side that's very security focused but also plays well with CUBECON. So we'll hear more about how this plays out when we're in Amsterdam coming up in April for CUBECON to hear how that ecosystem, because I think it'll be kind of a relief to kind of decouple security 'cause that gives more focus to the stakeholders in CUBECON. There's a lot of issues going on there and you know service meshes and whatnot. So it's a lot of good stuff happening. >> A lot of good stuff happening. One of the things that'll be great about CUBECON is that we always get the voice of the customer. We get vendors coming on with the voice of the customer talking about and you know in that case how they're using Kubernetes to drive the business forward. But it'll be great to be able to pull in some of the security conversations that spin out of CloudNative Security CON to understand how those end users are embracing the technology. You brought up I think Nir Zuk from Palo Alto Networks, one of the themes there when Dave and I did their Ignite event in December was, of 22, was really consolidation. There are so many tools out there that organizations have to wrap their heads around and they need to be able to have the right enablement content which this event probably delivered to figure out how do we consolidate security tools effectively, efficiently in a way that helps dial down our risk profile because the risks just seem to keep growing. >> Yeah, and I love the technical nature of all that and I think this is going to be the continued focus. Chris Aniszczyk who's the CTO listed like E and BPF we covered with Liz Rice is one of the most three important points of the conference and it's just, it's very nerdy and that's what's needed. I mean it's technical. And again, there's no real standards bodies anymore. The old days developers I think are super important to be the arbiters here. And again, what I love about the CNCF is that they're developer focused and we heard developer first even in security. So you know, this is a sea change and I think, you know, developers' choice will be the standards bodies. >> Lisa: Yeah, yeah. >> They decide the future. >> Yeah. >> And I think having the sandboxing and bringing this out will hopefully accelerate more developer choice and self-service. >> You've been talking about kind of putting the developers in the driver's seat as really being the key decision makers for a while. Did you hear information over the last couple of days that validates that? >> Yeah, absolutely. It's clearly the fact that they did this was one. The other one is, is that engineering teams and dev teams and script teams, they're blending together. It's not just separate silos and the ones that are changing their team dynamics, again, back to the culture are winning. And I think this has to happen. Security has to be embedded everywhere in making it frictionless and to provide kind of the guardrail so developers don't slow down. And I think where security has become a drag or an anchor or a blocker has been just configuration of how the organization's handling it. So I think when people recognize that the developers are in charge and they're should be driving the application development you got to make sure that's secure. And so that's always going to be friction and I think whoever does it, whoever unlocks that for the developer to go faster will win. >> Right. Oh, that's what I'm sure magic to a developer's ear is the ability to go faster and be able to focus on co-development in a secure fashion. What are some of the things that you're excited about for CUBECON. Here we are in February, 2023 and CUBECON is just around the corner in April. What are some of the things that you're excited about based on the groundswell momentum that this first inaugural CloudNative Security CON is generating from a community, a culture perspective? >> I think this year's going to be very interesting 'cause we have an economic challenge globally. There's all kinds of geopolitical things happening. I think there's going to be very entrepreneurial activity this year more than ever. I think you're going to see a lot more innovative projects ideas hitting the table. I think it's going to be a lot more entrepreneurial just because the cycle we're in. And also I think the acceleration of mainstream deployments of out of the CNCF's main event CUBECON will happen. You'll see a lot more successes, scale, more clarity on where the security holes are or aren't. Where the benefits are. I think containers and microservices are continuing to surge. I think the Cloud scale hyperscale as Amazon, Azure, Google will be more aggressive. I think AI will be a big theme this year. I think you can see how data is going to infect some of the innovation thinking. I'm really excited about the data infrastructure because it powers a lot of things in the Cloud. So I think the Amazon Web Services, Azure next level gen clouds will impact what happens in the CloudNative foundation. >> Did you have any conversations yesterday or today with respect to AI and security? Was that a focus of anybody's? Talk to me about that. >> Well, I didn't hear any sessions on AI but we saw some demos on stage. But they're teasing out that this is an augmentation to their mission, right? So I think a lot of people are looking at AI as, again, like I always said there's the naysayers who think it's kind of a gimmick or nothing to see here, and then some are just going to blown away. I think the people who are alpha geeks and the industry connect the dots and understand that AI is going to be an accelerant to a lot of heavy lifting that was either manual, you know, hard to do things that was boring or muck as they say. I think that's going to be where you'll see the AI stories where it's going to accelerate either ways to make security better or make developers more confident and productive. >> Or both. >> Yeah. So definitely AI will be part of it. Yeah, definitely. One of the things too that I'm wondering if, you know, we talk about CloudNative and the goal of it, the importance of it. Do you think that this event, in terms of what we were able to see, obviously being remote the event going on in Seattle, us being here in Palo Alto and Boston and guests on from Seattle and Germany and all over, did you hear the really the validation for why CloudNative Security why CloudNative is important for organizations whether it's a bank or a hospital or a retailer? Is that validation clear and present? >> Yeah, absolutely. I think it was implied. I don't think there was like anyone's trying to debate that. I think this conference was more of it's assumed and they were really trying to push the ability to make security less defensive, more offensive and more accelerated into the solving the problems with the businesses that are out there. So clearly the CloudNative community understands where the security challenges are and where they're emerging. So having a dedicated event will help address that. And they've got great co-chairs too that put it together. So I think that's very positive. >> Yeah. Do you think, is it possible, I mean, like you said several times today so eloquently the industry's on the defense when it comes to security and the hackers are on the offense. Is it really possible to make that switch or obviously get some balances. As technology advances and industry gets to take advantage of that, so do the hackers, is that balance achievable? >> Absolutely. I mean, I think totally achievable. The question's going to be what's the environment going to be like? And I remember as context to understanding whether it's viable or not, is to look at, just go back 13 years ago, I remember in 2010 Amazon was viewed as an unsecure environment. Everyone's saying, "Oh, the cloud is not secure." And I remember interviewing Steve Schmidt at AWS and we discussed specifically how Amazon Cloud was being leveraged by hackers. They made it more complex for the hackers. And he said, "This is just the beginning." It's kind of like barbed wire on a fence. It's yeah, you're not going to climb it so people can get over it. And so since then what's happened is the Cloud has become more secure than on premises for a lot of either you know, personnel reasons, culture reasons, not updating, you know, from patches to just being insecure to be more insecure. So that to me means that the flip the script can be flipped. >> Yeah. And I think with CloudNative they can build in automation and code to solve some of these problems and make it more complex for the hacker. >> Lisa: Yes. >> And increase the cost. >> Yeah, exactly. Make it more complex. Increase the cost. That'll be in interesting journey to follow. So John, here we are early February, 2023 theCUBE starting out strong as always. What year are we in, 12? Year 12? >> 13th year >> 13! What's next for theCUBE? What's coming up that excites you? >> Well, we're going to do a lot more events. We got the theCUBE in studio that I call theCUBE Center as kind of internal code word, but like, this is more about getting the word out that we can cover events remotely as events are starting to change with hybrid, digital is going to be a big part of that. So I think you're going to see a lot more CUBE on location. We're going to do, still do theCUBE and have theCUBE cover events from the studio to get deeper perspective because we can then bring people in remote through our our studio team. We can bring our CUBE alumni in. We have a corpus of content and experts to bring to table. So I think the coverage will be increased. The expertise and data will be flowing through theCUBE and so Cube Center, CUBE CUBE Studio. >> Lisa: Love it. >> Will be a integral part of our coverage. >> I love that. And we have such great conversations with guests in person, but also virtually, digitally as well. We still get the voices of the practitioners and the customers and the vendors and the partner ecosystem really kind of lauded loud and clear through theCUBE megaphone as I would say. >> And of course getting the clips out there, getting the highlights. >> Yeah. >> Getting more stories. No stories too small for theCUBE. We can make it easy to get the best content. >> The best content. John, it's been fun covering CloudNative security CON with you with you. And Dave and our guests, thank you so much for the opportunity and looking forward to the next event. >> John: All right. We'll see you at Amsterdam. >> Yeah, I'll be there. We want to thank you so much for watching TheCUBES's two day coverage of CloudNative Security CON 23. We're live in Palo Alto. You are live wherever you are and we appreciate your time and your view of this event. For John Furrier, Dave Vellante, I'm Lisa Martin. Thanks for watching guys. We'll see you at the next show.

>> John Furrier: Hello, welcome back to theCUBE's coverage of Cloud Native Security Con 2023 North America the inaugural event. I'm John Furrier, host of theCUBE, along with Dave Alonte and Lisa Martin covering from the studio. But we have on location Emmy Eide, who is with Red Hat, director of Supply Chain Security. Emmy, great to have you on from location. Thanks for joining us. >> Emmy Eide: Yeah, thank you. >> So everyone wants to know this event is new, it's an aural event, cloud native con, coup con. Very successful. Was this event successful? They all want to know what's going on there. What's the vibe? What's the tracks like? Is it different? Why this event? Was it successful? What's different? >> Yeah, I've really enjoyed being here. The food is wonderful. There's also quite a few vendors here that are just some really cool emerging technologies coming out and a lot from open source, which is really cool to see as well. The talks are very interesting. It's really, they're very diverse in subject but still all security related which is really cool to see. And there's also a lot of different perspectives of how to approach security problems and the people behind them, which I love to see. And it's very nice to hear the different innovative ideas that we can go about doing security. >> We heard from some startups as well that they're very happy with the, with the decision to have a dedicated event. Red Hat is no stranger to open source. Obviously coup con, you guys are very successful there in cloud native con, Now the security con. Why do you think they did this? What's the vibe? What's the rationale? What's your take on this? And what's different from a topic standpoint? >> For non-security specific like events? Is that what you mean? >> What's different from coup con, cloud native con, and here at the cloud native security con? Obviously security's the focus. Is it just deeper dives? Is it more under the hood? Is it root problems or is this beyond Kubernetes? What's the focus, I guess. People want to know, you know, why the new event? >> I mean, there's a lot of focus on supply chain security, right? Like that's the hot topic in security right now. So that's been a huge focus. I can't speak to the differences of those other conferences. I haven't been able to attend them. But I will say that having a security specific conference, it really focuses on the open community and how technology is evolving, and how do you apply security. It's not just talking about tools which I think other conferences tend to focus on just the tools and you can really, I think, get lost in that as someone trying to learn about security or trying to even implement security, but they talk about what it takes to implement those tools, What's behind the people behind implementing those tools? >> Let's get into some of the key topics that we've identified and get your reaction. One, supply chain security, which I know you'll give a lot of commentary on 'cause that's your focus. Also we heard, like, Liz Rice talking about the extended Berkeley packet filtering. Okay, that's big. You know, your root kernel management, that's big. Developer productivity was kind of implied around removing the blockers of security, making it, you know, more aligned with developer first mentality. So that seems to be our takeaway. What's your reaction to those things? You see the same thing? >> I don't have a specific reaction to those things. >> Do you see the same thing happening on the ground there? Are they covering supply? >> Oh, yeah. >> Those three things are they the big focus? >> Yeah. Yeah, I think it's all of those things kind of like wrapped into one, right? But yeah, there's... I'm not sure how to answer your question. >> Well, let's jump into supply chain for instance. 'Cause that has come up a lot. >> Sure. >> What's the focus there on the supply chain security? Is it SBOMs? Is it the container security? What's the key conversations and topics being discussed around supply chain security? >> Well, I think there's a lot of laughter around SBOM right now because no one can really define it, specifically, and everyone's talking about it. So there's, there's a lot more than just the SBOM conversation. We're talking about like full end-to-end development process and that whole software supply chain that goes with it. So there's everything from infrastructure, security, all the way through to like signing transparency logs. Really the full gambit of supply chain, which is is really neat to see because it is such a broad topic. I think a lot of folks now are involved in supply chain security in some way. And so just kind of bringing that to the surface of what are the different people that are involved in this space, thinking about, what's on the top of their mind when it comes to supply chain security. >> How would you scope the order of magnitude of the uptick in supply chain attacks? Is it pretty heavy right now or is it, you know, people with the hair on fire or is it... What's the, give us the taste of the temperature in the room on the supply chain attacks? >> I think most of the folks who are involved in the space understand just that it's increasing. I mean, like, what is it? A 742% increase average annual year, year over year in supply chain attacks. So the amount of attacks increasing is a little daunting, right, for most of us. But it is what it is. So I think most of us right now are just trying to come together to say, "What are you doing that works? This is what I'm doing that works." And in all the different facets of that. 'cause I think we try to throw, we try to throw tools at a lot of problems and this problem is so big and broad reaching that we really are needing to share best practices as a community and as a security community. So this has been, this conference has been really great for that. >> Yeah, I've heard that a lot. You know, too many tools, not enough platform thinking, not enough architecture, needs some structure. Are you seeing any best practice around frameworks and structure around how to start getting in and and building out more of a better approach or posture? I mean, what's that, what's the, what's the state of the union for supply chain, how to handle that? >> Well, I talked about that a little bit in my my keynote that I gave, actually, which was about... And I've heard other other leaders talk about it too. And obviously it keyed my ear just because I'm so passionate about it, about partnership. So you know, empathetic security where the security team that's enforcing the policies, creating the policies, guidelines is working with the teams that are actually doing the production and the development, hand-in-hand, right? Like I can sit there and tell you, "Hey, you have all these problems and here's your security checklist or framework you need to follow." But that's not going to do them any good and it's going to create a ton of holes, right? So actually partnering with them helping them to understand the risks that are associated with their very specific need and use case, because every product has a different kind of quirk to it, right? Like how it's being developed. It might use a different tool and if I sit there and say, "Hey, you need to log on to this, you need to like make your tool work this platform over here and it's not compatible." I'm going to have to completely reframe how I'm doing productization. I need to know that as a security practitioner because me disrupting productization is not something that I should be doing. And I've heard a couple a couple of folks kind of talking about that, the people aspect behind how we implement these tools, the frameworks and the platforms, and how do we draw out risk, right? Like how do we talk about risk with these teams and really make them understand so it's part of their core culture in their understanding. So when they go back to their, when they go back and having to make decisions without me in the room they know they can make those business decisions with the risk as part of that decision. >> I love that empathetic angle because that's really going to, what needs to happen. It's not just, "Hey, that's your department, see you later." Or not even having a knowledge of the information. This idea of team construction, team management is a huge cultural shift. I'm sure the reaction was very positive. How do you explain that to an organization that's out there? Like how do you... what's the first three steps you got to take? Is there anything that you can share for advice people watch you saying, "Yeah we need to we need to change how our teams operate and interact with each other." >> Yeah, I think the first step is to take a good hard look at yourself. And if you are standing there on an ivory tower with a clipboard, you're probably doing it wrong. Check the box security is never going to be any way that works long term. It's going to take you a long time to implement any changes. At Red Hat, we did not look ourselves. You know, we've been doing a lot of great things in supply chain security for a while, but really taking that look and saying, "How can we be more empathetic leaders in the security space?" So we looked at that, then you say, "Okay, what is my my rate of change going to happen?" So if I need to make so many security changes explaining to these organizations, you're actually going to go faster. We improved our efficiency by 2000% just by doing that, just by creating this more empathetic. So why it seems like it's more hands-on, so it's going to be harder, it's easy to send out an email and say, "Hey, meet the security standard, right?" That might seem like the easy way 'cause you don't have time to engage. It's so much faster if you actually engage and share that message and have a a common understanding between the teams that like, "I'm here to deliver a product, so is the security team. The security team's here to deliver that same product and I want to help you do it in a trusted way." Right? >> Yeah. Dave Alonte, my co-host, was just on a session. We were talking together about security teams jumping on every team and putting a C on their jersey to be like the captain of the intramural team, and being involved, and it goes beyond just like the checklist, like you said, "Oh, I got the SBOM list of materials and I got a code scanning thing." That's not enough, is what we're hearing. >> No. >> Is there a framework or a methodology to go beyond that? You got the empathetic, that's really kind of team issue. You got to go beyond some of the tactical things. What's next beyond, you got the empathy and what's that framework structure when you say where you say anything there? >> So what do you do after you have the empathy, right? >> Yeah. >> I would say Salsa is a good place to start, the software levels. Supply chain levels for software artifacts. It's a mouthful. That's a really good maturity framework to start with. No matter what size organization you have, they're just going to be coming out here soon with version one. They release 0.1 a few months back. That's a really good place to give yourself a gut check of where you are in maturity and where you can go, what are best practices. And then there's the SSDF, which is the Secure Software Development framework. I think NIST wrote that one. But that is also a really, a really good framework and they map really well to each other, actually, When you work through Salsa, you're actually working through the SSDF requirements. >> Awesome. Well, great to have you on and great to get that that knowledge. I have to ask you like coup con, I remember when it started in Seattle, their first coup con events, right? Kind of small, similar to this one, but there's a lot of end user activities. Certainly the CNCF kind of was coming together like right after that. What's the end user activity like there this week? That seems to always been the driver of these events. It's a little bit organic. You got some of the key experts coming together, focus. Have you observed any end user activity in terms of contributions, participation? What's the story on the end user piece there? Is it heavy? Is it light? What's the... >> Um, yeah... It seems moderate. I guess somewhere in the middle. I would say largely heavy, but there's definitely participation. There is a lot of communing and networking happening between different organizations to partner together, which is important. But I haven't really paid attention much to like the Twitter side of this. >> Yeah, you've been busy doing the keynotes. How's Red Hat doing all this? You guys have been great positioned with the cloud native movement. Been following the Red Hat's moves since OpenStack days. Really good, good line of product, good open source, Mojo, of course. Good product mix, right, and relevant. Where's the security focus here? Obviously, you guys are clearly focused on security. How's the Red Hat story going on over there? >> There was yesterday a really good talk that explains that super well. It was given by a Red Hatter, connecting all of the open source projects we've been a part of and kind of explaining them. And obviously again, I'm keying in 'cause it's a supply chain kind of conversation, but I'd recommend that anyone who's going to go back and watch these on YouTube to check that one out just to see kind of how we're approaching the security space as well as how we contribute back to the community in that way. >> Awesome. Great to have you on. Final word, I'll give you the final word. What's the big buzz on supply chain? How would you peg the progress there? Feeling good about where things are? What's the current progress on supply chain security? >> I think that it has opened up a lot of doors for communication between security organizations that have tended to be closed. I'm in product security. Product securities, information securities tend to not speak externally about what we're doing. So you don't want to, you know, look bad or you don't want to expose any risk that we have, right? But it is, I think, necessary to open those lines of communication, to be able to start tackling this. It's a big problem throughout all of our industries, and if one supply chain is attacked and those products are used in someone else's supply chain, that can continue, right? So I think it's good. We have a lot of work to do as an industry and the advancements in technology is going to make that a little bit more complicated. But I'm excited for it. >> You can just throw AI at it. That's the big, everyone's doing AI. Just throw AI at it, it'll solve it. Isn't that the new thing? >> I do secure AI though. >> Super important. I love what you're doing there. Supply chain, open source needs, supply chain security. Open source needs this big time. It has to be there. Thank you for the work that you do. Really appreciate you coming on. Thank you. >> Yeah, thanks for having me. >> Yeah, good stuff. Supply chain, critical to open source growth. Open source is going to be the key to success in the future with automation and AI right around the corner. And that's important. This theCUBE covers from cloud native con, security con in North America, 2023. I'm John Furrier. Thanks for watching.

(energetic music plays) >> Lisa: Hey everyone, we're so glad you're here with us. theCUBE is covering Cloud Native Security Con 23. Lisa Martin here with John Furrier. This is our second day of coverage of the event. We've had some great conversations with a lot of intellectual, exciting folks, as you know cuz you've been watching. John and I are very pleased to welcome back one of our alumni to theCUBE Taylor Dolezal joins us the head of ecosystem at CNCF. Taylor, welcome back to theCUBE. Great to see you. >> Taylor: Hey everybody, great to see you again. >> Lisa: So you are on the ground in Seattle. We're jealous. We've got fomo as John would say. Talk to us about, this is a inaugural event. We were watching Priyanka keynote yesterday. Seemed like a lot of folks there, 72 sessions a lot of content, a lot of discussions. What's the buzz, what's the reception of this inaugural event from your perspective? >> Taylor: So it's been really fantastic. I think the number one thing that has come out of this conference so far is that it's a wonderful chance to come together and for people to see one another. It's, it's been a long time that we've kind of had that opportunity to be able to interact with folks or you know, it's just a couple months since last Cube Con. But this is truly a different vibe and it's nice to have that focus on security. We're seeing a lot of folks within different organizations work through different problems and then finally have a vendor neutral space in which to talk about all of those contexts and really raise everybody up with all this new knowledge and new talking points, topics, and different facets of knowledge. >> John: Taylor, we were joking on our yesterday's summary of the keynotes, Dave Vellante and I, and the guests, Lisa and I, about the CNCF having an event operating system, you know, very decoupled highly cohesive events, strung together beautifully through the Linux Foundation, you know, kind of tongue in cheek but it was kind of fun to play on words because it's a very technical community. But the business model of, of hackers is booming. The reality of businesses booming and Cloud Native is the preferred developer environment for the future application. So the emphasis, it's very clear that this is a good move to do and targeting the community around security's a solid move. Amazon's done it with reinforce and reinvent. We see that Nice segmentation. What's the goal? Because this is really where it connects to Cube Con and Cloud Native Con as well because this shift left there too. But here it's very much about hardcore Cloud Native security. What's your positioning on this? Am I getting it right or is there is that how you guys see it? >> Taylor: Yeah, so, so that's what we've see that's what we were talking about as well as we were thinking on breaking this event out. So originally this event was a co-located event during the Cube Con windows in both Europe and North America. And then it just was so consistently popular clearly a topic that people wanted to talk, which is good that people want to talk of security. And so when we saw this massive continued kind of engagement, we wanted to break this off into its own conference. When we were going through that process internally, like you had mentioned the events team is just phenomenal to work with and they, I love how easy that they make it for us to be able to do these kinds of events too though we wanted to talk through how we differentiate this event from others and really what's changed for us and kind of how we see this space is that we didn't really see any developer-centric open source kinds of conferences. Ones that were really favoring of the developer and focus on APIs and ways in which to implement these things across all of your workloads within your organization. So that's truly what we're looking to go for here during these, all of these sessions. And that's how it's been playing out so far which has been really great to see. >> John: Taylor, I want to ask you on the ecosystem obviously the built-in ecosystem at CNCF.IO with Cube Cons Cloud Cons there, this is a new ecosystem opportunity to add more people that are security focused. Is their new entrance coming into the fold and what's been the reaction? >> Taylor: So short answer is yes we've seen a huge uptick across our vendor members and those are people that are creating Cloud offerings and selling those and working with others to implement them as well as our end users. So people consuming Cloud Native projects and using them to power core parts of their business. We have gotten a lot of data from groups like IBM and security, IBM security and put 'em on institute. They gave us a cost of data breach report that Priyanka mentioned and talked about 43% of those organizations haven't started or in the early stages of updating security practices of their cloud environments and then here on the ground, you know, talking through some best practices and really sharing those out as well. So it's, I've gotten to hear pieces and parts of different conversations and and I'm certain we'll hear more about those soon but it's just really been great to, to hear everybody with that main focus of, hey, there's more that we can do within the security space and you know, let's let's help one another out on that front just because it is such a vast landscape especially in the security space. >> Lisa: It's a huge landscape. And to your point earlier, Taylor it's everyone has the feeling that it's just so great to be back together again getting folks out of the silos that they've been operating in for such a long time. But I'd love to get some of your, whatever you can share in terms of some of the Cloud Native security projects that you've heard about over the last day or so. Anything exciting that you think is really demonstrating the value already and this inaugural event? >> Taylor: Yes, so I I've been really excited to hear a lot of, personally I've really liked the talks around EBPF. There are a whole bunch of projects utilizing that as far as runtime security goes and actually getting visibility into your workloads and being able to see things that you do expect and things that you don't expect and how to remediate those. And then I keep hearing a lot of talks about open policy agents and projects like Caverno around you know, how do we actually automate different policies or within regulated industries, how do we actually start to solve those problems? So I've heard even more around CNCF projects and other contexts that have come up but truly most of them have been around the telemetry space EBPF and, and quite a few others. So really great to, to see all those projects choosing something to bind to and making it that much more accessible for folks to implement or build on top of as well. >> John: I love the reference you guys had just the ChatGPT that was mentioned in the keynote yesterday and also the reference to Dan Kaminsky who was mentioned on the reference to DNS and Bind, lot of root level security going on. It seems like this is like a Tiger team event where all the top alpha security gurus come together, Priyanka said, experts bottoms up, developer first practitioners, that's the vibe. Is that kind of how you guys want it to be more practitioners hardcore? >> Taylor: Absolutely, absolutely. I think that when it comes to security, we really want to help. It's definitely a grassroots movement. It's great to have the people that have such a deep understanding of certain security, just bits of knowledge really when it comes to EBPF. You know, we have high surveillance here that we're talking things through. Falco is here with Sysdig and so it it's great to have all of these people here, though I have seen a good spread of folks that are, you know, most people have started their security journey but they're not where they want to be. And so people that are starting at a 2 0 1, 3 0 1, 4 0 1 level of understanding definitely seeing a good spread of knowledge on that front. But it's really, it's been great to have folks from all varying experiences, but then to have the expertise of the folks that are writing these specifications and pushing the boundaries of what's possible with security to to ensure that we're all okay and updated on that front too, I think was most notable yesterday. Like you had said >> Lisa: Sorry Taylor, when we think of security, again this is an issue that, that organizations in every industry face, nobody is immune to this. We can talk about the value in it for the hackers in terms of ransomware alone for example. But you mentioned a stat that there's a good amount of organizations that are really either early in their security journeys or haven't started yet which kind of sounds a bit scary given the landscape and how much has changed in the last couple of years. But it sounds like on the good news front it isn't too late for organizations. Talk a little bit about some of the recommendations and best practices for those organizations who are behind the curve knowing that the next attack is going to happen. >> Taylor: Absolutely. So fantastic question. I think that when it comes to understanding the fact that people need to implement security and abide by best practices, it's like I I'm sure that many of us can agree on that front, you know, hopefully all of us. But when it comes to actually implementing that, that's I agree with you completely. That's where it's really difficult to find where where do I start, where do I actually look at? And there are a couple of answers on that front. So within the CNTF ecosystem we have a technical action group security, so tag security and they have a whole bunch of working groups that cover different facets of the Cloud Native experience. So if you, for example, are concerned about runtime security or application delivery concerns within there, those are some really good places to find people knowledgeable about, that even when the conference isn't going on to get a sense of what's going on. And then TAG security has also published recently version two of their security report which is free accessible online. They can actually look through that, see what some of the recent topics are and points of focus and of interest are within our community. There are also other organizations like Open SSF which is taking a deeper dive into security. You know, initially kind of having a little bit more of an academic focus on that space and then now getting further into things around software bill materials or SBOMs supply chain security and other topics as well. >> John: Well we love you guys doing this. We think it's very big deal. We think it's important. We're starting to see events post COVID take a certain formation, you know joking aside about the event operating systems smaller events are happening, but they're tied together. And so this is key. And of course the critical need is our businesses are under siege with threats, ransomware, security challenges, that's IT moves to Cloud Native, not everyone's moved over yet. So that's in progress. So there's a huge business imperative and the hackers have a business model. So this isn't like pie in the sky, this is urgent. So, that being said, how do you see this developing from who should attend the next one or who are you looking for to be involved to get input from you guys are open arms and very diverse and great great culture there, but who are you looking for? What's the makeup persona that you hope to attract and nurture and grow? >> Taylor: Absolutely. I, think that when it comes to trying the folks that we're looking for the correct answer is it varies you know, from, you know, you're asking Priyanka or our executive director or Chris Aniszczyk our CTO, I work mostly with the end users, so for me personally I really want to see folks that are operating within our ecosystem and actually pulling these down, these projects down and using them and sharing those stories. Because there are people creating these projects and contributing to them might not always have an idea of how they're used or how they can be exploited too. A lot of these groups that I work with like Mercedes or Intuit for example, they're out there in the world using these, these projects and getting a sense for, you know, what can come up. And by sharing that knowledge I think that's what's most important across the board. So really looking for those stories to be told and novel ways in which people are trying to exploit security and attacking the supply chain, or building applications, or just things we haven't thought about. So truly that that developer archetype is really helpful to have the consumers, the end users, the folks that are actually using these. And then, yeah, and I'm truly anywhere knowledgeable about security or that wants to learn more >> John: Super important, we're here to help you scale those stories up whatever you need, send them our way. We're looking forward to getting those. This is a super important movement getting the end users who are on the front lines bringing it back into the open, building, more software, making it secure and verified, all super important. We really appreciate the mission you guys are on and again we're here to help. So send those stories our way. >> Taylor: Cool, cool. We couldn't do it without you. Yeah, just everyone contributing, everyone sharing the news. This is it's people, people is the is the true operating system of our ecosystem. So really great to, really great to share. >> Lisa: That's such a great point Taylor. It is all about people. You talked about this event having a different vibe. I wanted to learn a little bit more about that as we, as we wrap up because there's so much cultural change that's required for organizations to evolve their security practices. And so people of course are at the center of culture. Talk a little bit about why that vibe is different and do you think that yeah, it's finally time. Everyone's getting on the same page here we're understanding, we're learning from each other. >> Taylor: Yes. So, so to kind of answer that, I think it's really a focus on, there's this term shift left and shift right. And talking about where do we actually put security in the mix as it comes to people adopting this and and figuring out where things go. And if you keep shifting at left, that meaning that the developers should care more deeply about this and a deeper understanding of all of these, you know, even if it's, even if they don't understand how to put it together, maybe understand a little bit about it or how these topics and, and facets of knowledge work. But you know, like with anything, if you shift everything off to one side or the other that's also not going to be efficient. You know, you want a steady stream of knowledge flowing throughout your whole organization. So I think that that's been something that has been a really interesting topic and, and hearing people kind of navigate and try to get through, especially groups that have had, you know, deployed an app and it's going to be around for 40 years as well. So I think that those are some really interesting and unique areas of focus that I've come up on the floor and then in a couple of the sessions here >> Lisa: There's got to be that, that balance there. Last question as we wrap the last 30 seconds or so what are you excited about given the success and the momentum of day one? What excites you about what's ahead for us on day two? >> Taylor: So on day two, I'm really, it's, there's just so many sessions. I think that it was very difficult for me to, you know pick which one I was actually going to go see. There are a lot of favorites that I had kind of doubled up at each of the time so I'm honestly going to be in a lot of the sessions today. So really excited about that. Supply chain security is definitely one that's close to my heart as well but I'm really curious to see what new topics, concepts or novel ideas people have to kind of exploit things. Like one for example is a package is out there it's called Browser Test but somebody came up with one called Bowser Test. Just a very simple misname and then when you go and run that it does a fake kind of like, hey you've been exploited and just even these incorrect name attacks. That's something that is really close and dear to me as well. Kind of hearing about all these wild things people wouldn't think about in terms of exploitation. So really, really excited to hear more stories on that front and better protect myself both at home and within the Cloud Community as I stand these things up. >> Lisa: Absolutely you need to clone yourself so that you can, there's so many different sessions. There needs to be multiple versions of Taylor that you can attend and then you can all get together and talk about and learn. But that's actually a really good problem to have as we mentioned when we started 72 sessions yesterday and today. Lots of great content. Taylor, we thank you for your participation. We thank you for bringing the vibe and the buzz of the event to us and we look forward as well to hearing and seeing what day two brings us today. Thank you so much for your time Taylor. >> Taylor: Thank you for having me. >> John: All right >> Lisa: Right, for our guest and John Furrier, I'm Lisa Martin. You're watching theCube's Day two coverage of Cloud Native Security Con 23. (energetic music plays)

(lively music) >> Welcome back to our coverage of Cloud Native Security Con. I'm Dave Vellante, here in our Boston studio. We're connecting today, throughout the day, with Palo Alto on the ground in Seattle. And right now I'm here with Michael Foster with Red Hat. He's on the ground in Seattle. We're going to discuss the trends and containers and security and everything that's going on at the show in Seattle. Michael, good to see you, thanks for coming on. >> Good to see you, thanks for having me on. >> Lot of market momentum for Red Hat. The IBM earnings call the other day, announced OpenShift is a billion-dollar ARR. So it's quite a milestone, and it's not often, you know. It's hard enough to become a billion-dollar software company and then to have actually a billion-dollar product alongside. So congratulations on that. And let's start with the event. What's the buzz at the event? People talking about shift left, obviously supply chain security is a big topic. We've heard a little bit about or quite a bit about AI. What are you hearing on the ground? >> Yeah, so the last event I was at that I got to see you at was three months ago, with CubeCon and the talk was supply chain security. Nothing has really changed on that front, although I do think that the conversation, let's say with the tech companies versus what customers are actually looking at, is slightly different just based on the market. And, like you said, thank you for the shout-out to a billion-dollar OpenShift, and ACS is certainly excited to be part of that. We are seeing more of a consolidation, I think, especially in security. The money's still flowing into security, but people want to know what they're running. We've allowed, had some tremendous growth in the last couple years and now it's okay. Let's get a hold of the containers, the clusters that we're running, let's make sure everything's configured. They want to start implementing policies effectively and really get a feel for what's going on across all their workloads, especially with the bigger companies. I think bigger companies allow some flexibility in the security applications that they can deploy. They can have different groups that manage different ones, but in the mid to low market, you're seeing a lot of consolidation, a lot of companies that want basically one security tool to manage them all, so to speak. And I think that the features need to somewhat accommodate that. We talk supply chain, I think most people continue to care about network security, vulnerability management, shifting left and enabling developers. That's the general trend I see. Still really need to get some hands on demos and see some people that I haven't seen in a while. >> So a couple things on, 'cause, I mean, we talk about the macroeconomic climate all the time. We do a lot of survey data with our partners at ETR, and their recent data shows that in terms of cost savings, for those who are actually cutting their budgets, they're looking to consolidate redundant vendors. So, that's one form of consolidation. The other theme, of course, is there's so many tools out in the security market that consolidating tools is something that can help simplify, but then at the same time, you see opportunities open up, like IOT security. And so, you have companies that are starting up to just do that. So, there's like these countervailing trends. I often wonder, Michael, will this ever end? It's like the universe growing and tooling, what are your thoughts? >> I mean, I completely agree. It's hard to balance trying to grow the company in a time like this, at the same time while trying to secure it all, right? So you're seeing the consolidation but some of these applications and platforms need to make some promises to say, "Hey, we're going to move into this space." Right, so when you have like Red Hat who wants to come out with edge devices and help manage the IOT devices, well then, you have a security platform that can help you do that, that's built in. Then the messaging's easy. When you're trying to do that across different cloud providers and move into IOT, it becomes a little bit more challenging. And so I think that, and don't take my word for this, some of those IOT startups, you might see some purchasing in the next couple years in order to facilitate those cloud platforms to be able to expand into that area. To me it makes sense, but I don't want to hypothesize too much from the start. >> But I do, we just did our predictions post and as a security we put up the chart of candidates, and there's like dozens, and dozens, and dozens. Some that are very well funded, but I mean, you've seen some down, I mean, down rounds everywhere, but these many companies have raised over a billion dollars and it's like uh-oh, okay, so they're probably okay, maybe. But a lot of smaller firms, I mean there's just, there's too many tools in the marketplace, but it seems like there is misalignment there, you know, kind of a mismatch between, you know, what customers would like to have happen and what actually happens in the marketplace. And that just underscores, I think, the complexities in security. So I guess my question is, you know, how do you look at Cloud Native Security, and what's different from traditional security approaches? >> Okay, I mean, that's a great question, and it's something that we've been talking to customers for the last five years about. And, really, it's just a change in mindset. Containers are supposed to unleash developer speed, and if you don't have a security tool to help do that, then you're basically going to inhibit developers in some form or another. I think managing that, while also giving your security teams the ability to tell the message of we are being more secure. You know, we're limiting vulnerabilities in our cluster. We are seeing progress because containers, you know, have a shorter life cycle and there is security and speed. Having that conversation with the C-suites is a little different, especially when how they might be used to virtual machines and managing it through that. I mean, if it works, it works from a developer's standpoint. You're not taking advantage of those containers and the developer's speed, so that's the difference. Now doing that and then first challenge is making that pitch. The second challenge is making that pitch to then scale it, so you can get onboard your developers and get your containers up and running, but then as you bring in new groups, as you move over to Kubernetes or you get into more container workloads, how do you onboard your teams? How do you scale? And I tend to see a general trend of a big investment needed for about two years to make that container shift. And then the security tools come in and really blossom because once that core separation of responsibilities happens in the organization, then the security tools are able to accelerate the developer workflow and not inhibit it. >> You know, I'm glad you mentioned, you know, separation of responsibilities. We go to a lot of shows, as you know, with theCUBE, and many of them are cloud shows. And in the one hand, Cloud has, you know, obviously made the world, you know, more interesting and better in so many different ways and even security, but it's like new layers are forming. You got the cloud, you got the shared responsibility model, so the cloud is like the first line of defense. And then you got the CISO who is relying heavily on devs to, you know, the whole shift left thing. So we're asking developers to do a lot and then you're kind of behind them. I guess you have audit is like the last line of defense, but my question to you is how can software developers really ensure that cloud native tools that they're using are secure? What steps can they take to improve security and specifically what's Red Hat doing in that area? >> Yeah, well I think there's, I would actually move away from that being the developer responsibility. I think the job is the operators' and the security people. The tools to give them the ability to see. The vulnerabilities they're introducing. Let's say signing their images, actually verifying that the images that's thrown in the cloud, are the ones that they built, that can all be done and it can be done open source. So we have a DevSecOps validated pattern that Red Hat's pushed out, and it's all open source tools in the cloud native space. And you can sign your builds and verify them at runtime and make sure that you're doing that all for free as one option. But in general, I would say that the hope is that you give the developer the information to make responsible choices and that there's a dialogue between your security and operations and developer teams but security, we should not be pushing that on developer. And so I think with ACS and our tool, the goal is to get in and say, "Let's set some reasonable policies, have a conversation, let's get a security liaison." Let's say in the developer team so that we can make some changes over time. And the more we can automate that and the more we can build and have that conversation, the better that you'll, I don't say the more security clusters but I think that the more you're on your path of securing your environment. >> How much talk is there at the event about kind of recent high profile incidents? We heard, you know, Log4j, of course, was mentioned in the Keynote. Somebody, you know, I think yelled out from the audience, "We're still dealing with that." But when you think about these, you know, incidents when looking back, what lessons do you think we've learned from these events? >> Oh, I mean, I think that I would say, if you have an approach where you're managing your containers, managing the age and using containers to accelerate, so let's say no images that are older than 90 days, for example, you're going to avoid a lot of these issues. And so I think people that are still dealing with that aspect haven't set up the proper, let's say, disclosure between teams and update strategy and so on. So I don't want to, I think the Log4j, if it's still around, you know, something's missing there but in general you want to be able to respond quickly and to do that and need the tools and policies to be able to tell people how to fix that issue. I mean, the Log4j fix was seven days after, so your developers should have been well aware of that. Your security team should have been sending the messages out. And I remember even fielding all the calls, all the fires that we had to put out when that happened. But yeah. >> I thought Brian Behlendorf's, you know, talk this morning was interesting 'cause he was making an attempt to say, "Hey, here's some things that you might not be thinking about that are likely to occur." And I wonder if you could, you know, comment on them and give us your thoughts as to how the industry generally, maybe Red Hat specifically, are thinking about dealing with them. He mentioned ChatGPT or other GPT to automate Spear phishing. He said the identity problem is still not fixed. Then he talked about free riders sniffing repos essentially for known vulnerabilities that are slow to fix. He talked about regulations that might restrict shipping code. So these are things that, you know, essentially, we can, they're on the radar, but you know, we're kind of putting out, you know, yesterday's fire. What are your thoughts on those sort of potential issues that we're facing and how are you guys thinking about it? >> Yeah, that's a great question, and I think it's twofold. One, it's brought up in front of a lot of security leaders in the space for them to be aware of it because security, it's a constant battle, constant war that's being fought. ChatGPT lowers the barrier of entry for a lot of them, say, would-be hackers or people like that to understand systems and create, let's say, simple manifests to leverage Kubernetes or leverage a misconfiguration. So as the barrier drops, we as a security team in security, let's say group organization, need to be able to respond and have our own tools to be able to combat that, and we do. So a lot of it is just making sure that we shore up our barriers and that people are aware of these threats. The harder part I think is educating the public and that's why you tend to see maybe the supply chain trend be a little bit ahead of the implementation. I think they're still, for example, like S-bombs and signing an attestation. I think that's still, you know, a year, two years, away from becoming, let's say commonplace, especially in something like a production environment. Again, so, you know, stay bleeding edge, and then make sure that you're aware of these issues and we'll be constantly coming to these calls and filling you in on what we're doing and make sure that we're up to speed. >> Yeah, so I'm hearing from folks like yourself that the, you know, you think of the future of Cloud Native Security. We're going to see continued emphasis on, you know, better integration of security into the DevSecOps. You're pointing out it's really, you know, the ops piece, that runtime that we really need to shore up. You can't just put it on the shoulders of the devs. And, you know, using security focused tools and best practices. Of course you hear a lot about that and the continued drive toward automation. My question is, you know, automation, machine learning, how, where are we in that maturity cycle? How much of that is being adopted? Sometimes folks are, you know, they embrace automation but it brings, you know, unknown, unintended consequences. Are folks embracing that heavily? Are there risks associated around that, or are we kind of through that knothole in your view? >> Yeah, that's a great question. I would compare it to something like a smart home. You know, we sort of hit a wall. You can automate so much, but it has to actually be useful to your teams. So when we're going and deploying ACS and using a cloud service, like one, you know, you want something that's a service that you can easily set up. And then the other thing is you want to start in inform mode. So you can't just automate everything, even if you're doing runtime enforcement, you need to make sure that's very, very targeted to exactly what you want and then you have to be checking it because people start new workloads and people get onboarded every week or month. So it's finding that balance between policies where you can inform the developer and the operations teams and that they give them the information to act. And that worst case you can step in as a security team to stop it, you know, during the onboarding of our ACS cloud service. We have an early access program and I get on-calls, and it's not even security team, it's the operations team. It starts with the security product, you know, and sometimes it's just, "Hey, how do I, you know, set this policy so my developers will find this vulnerability like a Log4Shell and I just want to send 'em an email, right?" And these are, you know, they have the tools and they can do that. And so it's nice to see the operations take on some security. They can automate it because maybe you have a NetSec security team that doesn't know Kubernetes or containers as well. So that shared responsibility is really useful. And then just again, making that automation targeted, even though runtime enforcement is a constant thing that we talk about, the amount that we see it in the wild where people are properly setting up admission controllers and it's acting. It's, again, very targeted. Databases, cubits x, things that are basically we all know is a no-go in production. >> Thank you for that. My last question, I want to go to the, you know, the hardest part and 'cause you're talking to customers all the time and you guys are working on the hardest problems in the world. What is the hardest aspect of securing, I'm going to come back to the software supply chain, hardest aspect of securing the software supply chain from the perspective of a security pro, software engineer, developer, DevSecOps Pro, and then this part b of that is, is how are you attacking that specifically as Red Hat? >> Sure, so as a developer, it's managing vulnerabilities with updates. As an operations team, it's keeping all the cluster, because you have a bunch of different teams working in the same environment, let's say, from a security team. It's getting people to listen to you because there are a lot of things that need to be secured. And just communicating that and getting it actionable data to the people to make the decisions as hard from a C-suite. It's getting the buy-in because it's really hard to justify the dollars and cents of security when security is constantly having to have these conversations with developers. So for ACS, you know, we want to be able to give the developer those tools. We also want to build the dashboards and reporting so that people can see their vulnerabilities drop down over time. And also that they're able to respond to it quickly because really that's where the dollars and cents are made in the product. It's that a Log4Shell comes out. You get immediately notified when the feeds are updated and you have a policy in action that you can respond to it. So I can go to my CISOs and say, "Hey look, we're limiting vulnerabilities." And when this came out, the developers stopped it in production and we were able to update it with the next release. Right, like that's your bread and butter. That's the story that you want to tell. Again, it's a harder story to tell, but it's easy when you have the information to be able to justify the money that you're spending on your security tools. Hopefully that answered your question. >> It does. That was awesome. I mean, you got data, you got communication, you got the people, obviously there's skillsets, you have of course, tooling and technology is a big part of that. Michael, really appreciate you coming on the program, sharing what's happening on the ground in Seattle and can't wait to have you back. >> Yeah. Awesome. Thanks again for having me. >> Yeah, our pleasure. All right. Thanks for watching our coverage of the Cloud Native Security Con. I'm Dave Vellante. I'm in our Boston studio. We're connecting to Palo Alto. We're connecting on the ground in Seattle. Keep it right there for more coverage. Be right back. (lively music)

(rousing music) >> Hello everyone. Welcome back to "theCUBE's" day one coverage of Cloud Native Security Con 23. This is going to be an exciting panel. I've got three great guests. I'm Lisa Martin, you know our esteemed analysts, John Furrier, and Dave Vellante well. And we're excited to welcome to "theCUBE" for the first time, Yves Sandfort, the CEO of Comdivision Group, who's coming to us from Germany. As you know, Cloud Native Security Con is a global event. Everyone welcome Yves, great to have you in particular. Welcome to "theCUBE." >> Great to be here. >> Thank you for inviting me. >> Yves, tell us a little bit, before we dig into really wanting to understand your perspectives on the event and get Dave and John's feedback as well, tell us a little bit about you. >> So yeah, talking about me, or talking about Comdivision real quick. We are in the business for over 27 years already. We started as a SaaS company, then became more like an architecture and, and Cloud Native company over the last few years. But what's interesting is, and I think that's, that's, that's really interesting when we look at our industry. It hasn't really, the requirements haven't really changed over the years. It's still security. We still have to figure out how we deal with security. We still have to figure out how we deal with compliance and everything else. And I think therefore, it's more and more important that we take these items more seriously. Also, based on the fact that when we look at it, how development and other things happen nowadays, it's, it's, everybody says it's like open source. It's great because everybody can look into the code. We, I think the last few years have shown us enough example that that's not necessarily solving all the issues, but it's also code and development has changed rapidly when we look at the Cloud Native approach, where it's far more about gluing the pieces together, versus the development pieces. When I was actually doing software development 25 years ago, and had to basically build my code because I didn't have that much internet access for it. So it has evolved, but even back then we had to deal with security and everything. >> Right. The focus on security is, is incredibly important, and the focus keeps growing as you mentioned. This is, guys, and I want to get your perspectives on this. We're going to start with John. This is the first time Cloud Native Security Con is its own event being extracted from, and amplified from KubeCon. John, I want to understand from your perspective, break down the event, what you see, what you've heard, and Cloud Native Security in general. What does this mean to companies? What does it mean to customers? Is this a reality? >> Well, I think that's the topic we want to discuss, and I think Yves background, you see the VMware certification, I love that. Because what VMware did with virtualization, was abstract that from server virtualization, kind of really changed the game on things, and you start to see Cloud Native kind of go that next level of how companies will be operating their business, not just digital transformation, as digital transformation goes to completion, it's total business transformation where IT is everywhere. And so you're starting to see the trends where, "Okay, that's happening." Now you're starting to see, that's Cloud Native Con, or KubeCon, AWS re:Invent, or whatever show, or whatever way you want to look at it. But in, in the past decade, past five years, security has always been front and center as almost a separate thing, and, in and of itself, but the same thing. So you're starting to see the breakout of security conversations around how to make things work. So a lot of operational conversations around what used to be DevOps makes infrastructure as code, and that was great, that fueled that. Then DevSecOps came. So the Cloud Native next level, is more application development at scale, developers driving the standards with developer first thinking, shifting left, I get all that. But down in the lower ends of the stack, you got real operational issues. DNS we've heard in the keynote, we heard about the Colonel, the Lennox Colonel. Things that need to be managed and taken care of at a security level. These are like, seem like in the weeds, but you're starting to see that happen. And the other thing that I think's real about Cloud Native Security Con that's going to be interesting to watch, is Amazon has pretty much canceled all their re:Invent like shows except for two; Re:Invent, which is their annual conference, and Re:Inforce, which is dedicated to securities. So Cloud Native, Linux, the Linux Foundation has now breaking out Cloud Native Con and KubeCon, and now Cloud Native Security Con. They can't call it KubeCon because it's not Kubernetes, but it's like security focus. I think this is the beginning of starting to see this new developer driving, developers driving the standards, and it has it implications, what used to be called IT ops, and that's like the VMwares of the world. You saw all the stuff that was not at developer focus, but more ops, becoming much more in the application. So I think, I think it's real. The question is where does it go? How fast does it develop? So to me, I think it's a real trend, and it's worthy of a breakout, but it's not yet clear of where the landing zone is for people to start doing it, how they get started, what are the best practices. Machine learning's going to be a big part of this. So to me it's totally cool, but I'm not yet seeing the beachhead. So that's kind of my take. >> Dave, our inventor and host of breaking analysis, what's your take? >> So when you, I think when you zoom out, there's some, there's a big macro change that's been going on. I think when you look back, let's say 10, 12 years ago, the, the need for speed far trumped the, the, the security aspect, the governance, the data privacy. It was like, "Yeah, the risks, they're not that great compared to our opportunity." That has completely changed because the risks are now so much higher. And so what's happening, I think there's a, there's a major effort amongst CIOs and CISOs to try to make security not a blocker because it use to be, it still is. "Okay, I got this great initiative." Eh, give it to the SecOps pros, and let them take it for a while before we can go to market. And so a huge challenge now is to simplify, automate, AI comes in, the whole supply chain security, so the, so the companies can not be facing so much friction. And that is non-trivial. I don't think we're anywhere close there, but I think the goal is by, within the next several years, we're going to be in a position, that security, we heard today, is, wasn't designed in to the initial internet protocols. It was bolted on. And so increasingly, the fundamental architecture of the internet, the Cloud, et cetera, is, is seeing designed in security, and, and that is an imperative, or else business is going to come to a grinding halt. >> Right. It's no longer, the bolt no longer works. Yves, what's your perspective on Cloud Native Security, where it stands today? What's in it for customers, whether we're talking about banks, or hospitals, or retailers, what do you think? >> I think when we, when we look at security in the, in the modern world, is we need to as, as Dave mentioned, we need to rethink how we apply it. Very often, security in the past has been always bolted on in the end. If we continue to do that, it'll become more and more difficult, because as companies evolve, and as companies want to bring products and software to market in a much faster and faster way, it's getting more and more difficult if we bolt on the security process at the end. It's like, developers build something and then someone checks security. That's not going to work any longer. Especially if we also consider now the changes in the industry. We had Stack Overflow over the last 10 years. If I would've had Stack Overflow 15, 20, what, 25 years ago when I was a developer, it would've changed a hell lot. Looking at it now, and looking at it what we had in the last few weeks, it's like where nearly all of my team members say is like finally I don't need any script kiddies anymore because I can't go to (indistinct) who writes the code for me. Which is on one end great, because it enables us to solve certain problems in a much higher pace. But the challenge with that is, if the people who just copy and past that code, don't understand the implications of that code, we have a much higher risk continuously. And what people thought was, is challenging with Stack Overflow. Imagine that something in one of these AI engines, is actually going ballistic, and it creates holes in nearly every one of these applications. And trust me, there will be enough developers who are going to use these tools to develop codes, the same as students in university are going to take this to write their essays and everything else. And so it's really important that every developer team basically has a security person within their team, and not a security at the end. So we build something, we check it, go through QA, and then it goes to security. Security needs to be at the forefront. And I think that's where we see Cloud Native Security Con, where we see AWS. I saw it during re:Invent already where they said is like, we have reinforced next year. I think this becomes more and more of a topic, and I think companies, as much as it is become a norm that you have a firewall and everything else, it needs to become a norm that when you are doing software development, and every development team needs to have a security person on that needs to be trained. >> I love that chat comment Dave, 'cause you and I were talking about this. And I think that is going to be the issue. Do we need security chat for the chat bot? And there's like a, like a recursive model there. The biases are built in. I think, and I think our interview with the Palo Alto Network's co-founder, Dave, when he talked about zero trust as a structured way to start things, but he was referencing that with Cloud, there's a chance to rethink or do a do-over in security. So, I think this is kind of to me, where this is all going. And I think you asked Pat Gelsinger what, year 2013, 2014, can, is security a do over? I think we're in that do over time. >> He said yes. >> He said yes. (laughing) He was right. But yeah, eight years later... But this is, how do you, zero trust gives you some structure, but how do you organize and redo security? Because to me, I think that's what's happening here. >> And John you heard, Zuk at Palo Alto Network said, "Yeah, the, the words security and architecture, they don't go together historically." And so it is a total, total retake. >> Well is that because there's too many tools out there and- >> Yeah. For sure. >> Yeah, well, first of all, a lot of hardware. And then yeah, a lot of tools. You even see IIOT and industry 40, you see IOT security coming up as another stove pipe, and that's not the right approach. And, and so- >> Well let me, let me ask you a question Dave, and Yves, if you don't mind. 'Cause I was just riffing on this yesterday about this. In the ML space, you're seeing the ML models, you're seeing proprietary models versus open source. Is security going to go down this proprietary security methods and open source? Because that's interesting, because the CNCF is run by the the Linux Foundation. So you can almost maybe see a model where there's more proprietary security methods than open source. Or is it, is that a non-issue? >> I would, I would, let me, if I, if I jump in here first, I think the last, especially last five or 10 years have clearly shown the, the whole and, and I invested early on in the, in the end 90s in several open source startups in the Bay area. So, I'm well behind the whole open source idea and, and mid (indistinct) and others back then several times. But the point is, I think what we have seen is open source is not in general, more secure or less secure, because code is too complex nowadays. You have millions of lines of code, and it's not that either one way or the other is going to solve it. The ways I think we are going to look at it is more is what's the role to market, because only because something is open source doesn't necessarily mean it's going to be available for everyone. And the same for proprietary source from that perspective, even though everybody mixes licensing and payments and all that all the time, but it doesn't necessarily have anything to do with it. But I think as we are going through it, and when we also look at the industry, security industry over the last 10 plus years has been primarily hardware focused. And a lot of these vendors have done a good business out of selling hardware boxes, putting software on top of it. Whereas in reality, those were still X86 standard boxes in the end. So it was not that we had specific security ethics or anything like that in there anymore. And so overall, the question of the market is going to change. And as we are looking into Cloud Native, think about someone like an AWS, do you really envision them to have a hardware box of every supplier in their data center, and that in every availability zone in every region? Same for Microsoft, same for Google, etc? So we need to have new ways on how we can apply security. And that applies both on the backend services, but also on the front end side. >> And if I, and if I could chime in, I think the, the good, I think the answer is, is, is no and yes. And what I mean by that is if you take, antivirus and known malware, I mean pretty much anybody today can, can solve that problem, it's the unknown malware. So I think the yes part of the answer is yes, it's, it's going to be proprietary, but in the sense we're going to use open source tooling, and then apply that in a proprietary way with, with specific algorithms and unique architectures that are going to solve problems. For example, XDR with, with unknown malware. So, and that's the, that's the hard part. As somebody said, I think this morning at the keynote, it's, it's all the stuff that, that the SecOps team couldn't find. That's the really hard part. >> (laughs) Well the question will be will, is the new IP, the ability to feed ChatGPT some magical spelled insertion query string that does the job, that's unique, that might be the new IP, the the question to ask. >> Well, that's what the hackers are going to do. And I, they're on offense. (John laughs) And the offense knows what play is coming. So, they're going to start. >> So guys, let's take this conversation up a level. I want to get your perspectives on what's in this for me as a customer? We know security is a board level conversation. We talk about this all the time. We also know that they're based on, I think David, was the conversations that you and I had, with Palo Alto Networks at Ignite in December. There's a, there's a lack of alignment between the executives and the board from a security perspective. When we talk about Cloud Native Security, we all talked about the value in that, what's in it for customers? I want to get your perspectives on should this be a board level conversation, and if so, how do you advise organizations, whether it is a hospital, or a bank, or an organization that is really affected by things like ransomware? How should they be thinking about this from an organizational perspective? >> Well, I'll start first, because we had this conversation during our Super Cloud event last month, and this comes up a lot. And this is, the CEO board level. Yes it is a board level conversation for security, as is application development as in terms of transforming their business to be competitive, not to be on the wrong side of history with this wave coming. So I think that's more of a management. But the issue is, they tell their people, "Go do it." And they're like, 'cause they get sold on the idea of, "Hey, won't you transform your business, and everything's going to be data driven, and machine learning's going to power your apps, get new customers, be profitable." "Oh, sign me up for that." When you have to implement this, it's really hard. And I think the core issue is, where are companies in their life cycle of the ability to execute and architect this thing properly as Dave said, Nick Zuk said, "You can't have architecture and security, you need platforms." So, I think the re-platforming, and the re-factoring of business is a big factor, and that's got to get down into the, the organizational shifts and the people to do it. So are there skills? Do I do a managed service? How do I architect it? Are there more services? Are there developers doing applications that are going to be more agile? So, this is not an easy thing. And to move a business from IT operations that is proven, to be positioned for this enablement, is just really difficult. And it's expensive. And if you screw it up, you could be, could be on the wrong side of things. So, to me, that's the big issue is, you sell the dream and then you got to implement it. And that's really difficult. >> Yves, give us your perspective on, based on John's comments, how do organizations shift so dramatically? There's a cultural element there as well, but there's also organizations that are, have competitive competitors in the rear view mirror, and there's time to waste. What are your thoughts on that? >> I think that's exactly the point. It's like, as an organization, you need to take the decision between the time, the risk, and all the other elements we have into this game. Because you can try to achieve 100% security, but that's exactly the same as trying to, to protect gold or anything else 100%. It's most likely not going to be from a risk perspective anyway sensible. And that's the same from a corporational perspective. When you look at building new internet services, or IOT services, or any kind of new shopping experience or whatever else, you need to balance out between the risks and the advantages out of it. And you also need to be accepting that you potentially on the way make mistakes, but then it's more important than ever that you are able to quickly fix any mistakes, and to adjust to anything what's happening in the market. Because as we are building all these new Cloud Native applications, and build up all these skill sets, one of the big scenarios is we are far more depending on individual building blocks. These building blocks come out of open source communities, which have a much different way. When we look back in software development, back then we had application servers from Oracle, Web Logic, whatsoever, they had a release cycles of every three to six months. As now we have to deal with open source, where sometimes release cycles are on a four week schedule, in between security patches. So you need to be much faster in adopting that, checking that, implementing that, getting things to work. So there is a security stretch from that perspective. There is a speech stretch on the other thing companies have to deal with, and on the other side it's always a measurement between the risk, and the security you can afford. Because reality is, you will not be 100% protected no matter what you do. So, you need to balance out what you as an organization can actually build on. But I think, coming back also to the point, it's on the bot level nowadays. It's like nearly every discussion we have with companies nowadays as they move into the Cloud, especially also here in Europe where for the last five years, it was always, it's like "It's data privacy." Data privacy is no longer, I mean, yes, for certain people, it's still the point, but for many more people it's like, "How protected is my data?" "What do we do in case of ransomware attack?" "What do we do in case of a denial of service?" All of these things become more vulnerable, where in the past you were discussing these things with a becking page, or, or like a stock exchange. They were, it's like, "What the hell is going to happen if we have a denial of service?" Now all of the sudden, this now affects nearly everyone in their storefronts and everything else, because everything is depending on it. >> Yeah, I think you're right on. You think about how cultural change occurs, it's bottom ups or, bottom up, top down or middle out. And what, what's happened with security is the people in the security team cared about it, they were the, everybody said, "Oh, it's their problem." And then it just did an end run to the board, kind of mid, early last decade. And then the board sort of pushed that down. And the line of business is realizing, "Holy cow. My business, my EBIT can be dramatically affected by this, so I care." Now it's this whole house, cultural team sport. I know it's sort of a, a cliche, but it, it's true. Everybody actually is beginning to care about security because the risks are now so high, and it's going to affect not only the bottom line of the company, the bottom line of the business, their job, it's, it's, it's virtually everywhere. It's a huge cultural shift that we're seeing. >> And that's a big challenge for organizations in any industry. And Yves, you talked about ransomware service. Every industry across the globe is vulnerable to this. But how can, maybe John, we'll start with you. How can Cloud Native Security help organizations if they're able to embrace it, operationally, culturally, dial down some of the vulnerabilities that just seem to keep growing? >> Well, I mean that's the big question. The breaches are, are critical. The governances also could be a way that anchors down growth. So I think the balance between the governance compliance piece of it is key, but making the developers faster and more productive is the key to me. And I think having the security paradigm where they're not blockers, as Dave said, is critical. So I love the whole shift left, but now that we have more data focused initiatives around how that, you can use data to understand the security issues, I think data and security are together, and I think there's a going to be a data operating system model emerging, where data and security will be almost one thing. And that will be set up by the security teams, and the data teams together. And that will feed guardrails into the developer environment. So the developer should feel no pain at all in doing this. So I think the best practice will end up being what we're seeing with supply chain, security, with making sure code's verified. And you're going to see the container, security side completely address has been, and KubeCon, we just, I asked Scott Johnson, the CEO of Docker, and I asked him directly, "Are you guys all tight on container security?" He said, yes, but other people are suggesting that's not true. There's a lot of issues with the container security. So, there's all kinds of areas where there's holes. So Cloud Native is cool on one hand, and very relevant, but if it's not shored up, it's going to be a problem. But I, so I think that's where the action will be, at the developer pipeline, in the containers, and the data. So, that will be very relevant, and if companies nail that, they'll be faster, they'll have better apps, and that'll be the differentiator. And again, if they don't on this next wave, they're going to be driftwood. >> Dave, how do they prevent becoming driftwood? >> Well, I think Cloud has had a huge impact. And a Cloud's by no means a panacea, but let's face it, it's dramatically improved a lot of companies security posture. Now there's still that shared responsibility. Even though an S3 bucket is encrypted, it's still your responsibility to make sure that it doesn't get decrypted by somebody who has access to it. So there are things like that, but to Yve's earlier point, that can be, that's done through software now, it's done through best practices. Those best practices can be shared. So the way you, you don't become driftwood, is you start to, you step back, rethink that security architecture as we were talking about earlier, take advantage of the Cloud, take advantage of Cloud Native, and all the, the rapid pace of innovation that's occurring there, and you don't use, it's called before, The audit is the last line of defense. That's no longer a check box item. "Oh yeah, we're in compliance." It's, this is a business imperative, and because we're going to reduce our expected loss and reduce our business risk. That's part of the business case today. >> Yeah. >> It's a huge, critically important part of the business case. Yves, question for you. If you're in an elevator with a CEO, a CFO, and a CISO, and they're talking about security and Cloud Native Security, what's your value proposition to them on a, on a say a 32nd elevator ride? >> Difficult story. I think at the moment, the most important part is, we need to get people to work together, and we need to train people to work more much better together. I think that's the overall most important part for all of these solutions, because in the end, security is always a person issue. If, we can have the best tools in the industry, as long as we don't get all of these teams to work together, then we have a problem. If the security team is always seen as the end of the solution to fix everything, that's not going to work because they always are the bad guys in the game. And so we need to bring the teams together. And once we have the teams work together, I think we have a far better track on, on maintaining security. >> John and Dave, I want to get your perspectives on what Yves just said. In all the experience that the two of you have as industry analysts here on "theCUBE," Wikibon, Siliconangle Media. How do you advise organizations to get those teams together? As Eve said, that alignment is critical, but John, we'll start with you, then Dave go to you. What's your advice for organizations that need to align those teams and really don't have a lot of time to wait to do it? >> (chuckling) That's a great question. I think, I think that's everyone pays hundreds of thousands of millions of dollars to get that advice from these consultants, organizations out there doing the transformations. But I think it comes down to personnel and commitment. I think if there's a C-level commitment to the effort, you'll see the institutional structure change. So you can see really getting behind it with their, with their wallet and their, and their support of either getting more personnel to support and assist, or manage services, or giving the power to the teams to execute and doing it in a way that, that's, that's well known and best practices. Start small, build out the pilots, build the platform, and then start getting it right. And I think that's the key. Not the magic wand, the old model of rolling out stuff in, in six month cycles. It's really, get the proof points, double down and change the culture, but also execute and have real metrics. And changing the architecture, like having more penetration tests as a service. Doing pen tests is like a joke now. So that doesn't make any sense. You got to have that built in almost every day, and every minute. So, these kinds of new techniques have to be implemented and have to be tried. So that's why these communities are growing. That's why I like what open source has been doing, and I like the open source as the place to have these conversations, because that's where the action will be for new stuff. And I think people will implement open source like they did before, but with different ways, better testing, better supply chain on the software side, verifying code. So, I see open source actually getting a tailwind from this, not a headwind. So, I'm bullish on the open source piece here on, on all levels, machine learning- >> Lisa, my answer is intramural sports. And it's 'cause I think it's cultural. And what I mean by that, is you take your your best and brightest security, and this is what frankly, a lot of CISOs do, an examples is Lena Smart, MongoDB. Take your best and brightest security pros, make them captains of the intramural teams, and pair them up with pods of individuals across the organization, which is most people who don't know anything about security, and put them together, so that they can, they, so that the folks that understand security can, can realize how little people know, what, what, what, how, what the worst practices that are out there in the reverse, how they can cross pollinate. And they do that on a regular basis, I know at Mongo and other companies. And that kind of cultural assimilation is a starting point for how you get security awareness up to your question around making it a team sport. >> Absolutely critical. Yves, I want to kind of wrap things with you. We've got a couple of minutes left. When you're really looking at the Cloud Native community, the growth of it, we talked about earlier in the program, Cloud Native Security Con being now extracted and elevated out of KubeCon, what are your thoughts on the groundswell that this community is generating around Cloud Native Security, the benefits that organizations will achieve from it? >> I think overall, when we have these securities conferences, or these security arms a bit spread out and separated out of the main conference, it helps to a certain degree, because especially in the security space, when you look at at other like black hat or white hat conferences and things like that in the past, although they were not focused on Cloud Native, a lot of these security folks didn't feel well taken care of in any of the other conferences because they were always these, it's like they are always blocking us, they're always making us problems, and all these kinds of things. Now that we really take the Cloud Native piece and the security piece together, or like AWS does it with re:Inforce, I think we will see more and more that people understand is that security is a permanent topic we need to cover, but we need to bring different people together, because security also has compliance and a lot of other components in there. So we will see at these conferences moving forward, also a different audience. It's not going to be only the Cloud Native developers. And if I see some of these security audiences, I can't really imagine them to really be at KubeCon because there is too much other things going on. And you couldn't really see much of that at re:Invent because re:Invent by itself has become a complete monster of a conference. It covers too many topics. And so having this very, very important security piece separated, also gives the opportunity, I think, that we can bring in the security people, but also have the type of board level discussions potentially, between the leaders of the industry, to also discuss on how we can evolve, how we can make things better, and how, how we can actually, yeah, evolve our industry for it. Because let's face it, that threat is not going to go away. It's, it's a business. And one of the last security conferences I was on, on the ransomware part, it was one of the topics someone said is like, "Look, currently on average, it takes a hacker group roughly around they said 15 to 20 K to break into a company, and they on average make 100K. It's a business, let's face it. And it's a business we don't like. And ethically, it's no discussion that this is not good, but that's something which is happening. People are making money with it. And as long as that's going to go on, and we have enough countries where these people can hide, it's going to stay and survive. And so, with that being said, it's important for us to really build an industry around this. But I also think it's good that we have separate conferences. In the past we had more the RSA conference, which tried to cover all of these areas. But that is not really fitting Cloud Native and everything else. So I think it's good that we have these new opportunities, the Cloud Native one, but also what AWS brings up for someone. >> Yves, you just nailed it. It just comes down to simple math. It's a fraction. Revenue over cost. And if you could increase the hacker's cost, increase the denominator, their ROI will go down. And that is the game. >> Great point, Dave. What I'm hearing guys, and we can talk about technology for days and days. I know all of you. But there's, there's a big component that, that the elevation of Cloud Native Security, on its own as standalone is critical, as is the people component. You guys all talked about that. We talked about the cultural change necessary for that. Hopefully what we're seeing with Cloud Native Security Con 23, this first event is going to give us more insight over the next couple of days, and the next months or so, as to how this elevation, and how the people can come together to really help organizations from a math perspective as, as Dave talked about, really dial down the risks there, understand more of the vulnerabilities so that ransomware as a service is not as lucrative as it is today. Guys, so much appreciate your time, really breaking down Cloud Native Security, the value in it from different perspectives, and what your thoughts are on where it's going. Thanks so much for your time. >> All right. Thanks. >> Thanks, Lisa. >> Thank you. >> Thanks, Yves. >> All right. For my guests, I'm Lisa Martin. You're watching theCUBE's day one coverage of Cloud Native Security Con 23. Thanks for watching. (rousing music)

(upbeat music) (upbeat music) >> Hi everybody, welcome back to our coverage of the Cloud Native Security Con. I'm Dave Vellante, here in our Boston studio. We're connecting today with Palo Alto, with John Furrier and Lisa Martin. We're also live from the show floor in Seattle. But right now, I'm here with Andy Thurai who's from Constellation Research, friend of theCUBE, and we're going to discuss the intersection of AI and security, the potential of AI, the risks and the future. Andy, welcome, good to see you again. >> Good to be here again. >> Hey, so let's get into it, can you talk a little bit about, I know this is a passion of yours, the ethical considerations surrounding AI. I mean, it's front and center in the news, and you've got accountability, privacy, security, biases. Should we be worried about AI from a security perspective? >> Absolutely, man, you should be worried. See the problem is, people don't realize this, right? I mean, the ChatGPT being a new shiny object, it's all the craze that's about. But the problem is, most of the content that's produced either by ChatGPT or even by others, it's an access, no warranties, no accountability, no whatsoever. Particularly, if it is content, it's okay. But if it is something like a code that you use for example, one of their site projects that GitHub's co-pilot, which is actually, open AI + Microsoft + GitHub's combo, they allow you to produce code, AI writes code basically, right? But when you write code, problem with that is, it's not exactly stolen, but the models are created by using the GitHub code. Actually, they're getting sued for that, saying that, "You can't use our code". Actually there's a guy, Tim Davidson, I think he's named the professor, he actually demonstrated how AI produces exact copy of the code that he has written. So right now, it's a lot of security, accountability, privacy issues. Use it either to train or to learn. But in my view, it's not ready for enterprise grade yet. >> So, Brian Behlendorf today in his keynotes said he's really worried about ChatGPT being used to automate spearfishing. So I'm like, okay, so let's unpack that a little bit. Is the concern there that it just, the ChatGPT writes such compelling phishing content, it's going to increase the probability of somebody clicking on it, or are there other dimensions? >> It could, it's not necessarily just ChatGPT for that matter, right? AI can, actually, the hackers are using it to an extent already, can use to individualize content. For example, one of the things that you are able to easily identify when you're looking at the emails that are coming in, the phishing attack is, you look at some of the key elements in it, whether it's a human or even if it's an automated AI based system. They look at certain things and they say, "Okay, this is phishing". But if you were to read an email that looks exact copy of what I would've sent to you saying that, "Hey Dave, are you on for tomorrow? Or click on this link to do whatever. It could individualize the message. That's where the volume at scale to individual to masses, that can be done using AI, which is what scares me. >> Is there a flip side to AI? How is it being utilized to help cybersecurity? And maybe you could talk about some of the more successful examples of AI in security. Like, are there use cases or are there companies out there, Andy, that you find, I know you're close to a lot of firms that are leading in this area. You and I have talked about CrowdStrike, I know Palo Alto Network, so is there a positive side to this story? >> Yeah, I mean, absolutely right. Those are some of the good companies you mentioned, CrowdStrike, Palo Alto, Darktrace is another one that I closely follow, which is a good company as well, that they're using AI for security purposes. So, here's the thing, right, when people say, when they're using malware detection systems, most of the malware detection systems that are in today's security and malware systems, use some sort of a signature and pattern scanning in the malware. You know how many identified malwares are there today in the repository, in the library? More than a billion, a billion. So, if you are to check for every malware in your repository, that's not going to work. The pattern based recognition is not going to work. So, you got to figure out a different way of identification of pattern of usage, not just a signature in a malware, right? Or there are other areas you could use, things like the usage patterns. For example, if Andy is coming in to work at a certain time, you could combine a facial recognition saying, that should he be in here at that time, and should he be doing things, what he is supposed to be doing. There are a lot of things you could do using that, right? And the AIOps use cases, which is one of my favorite areas that I work, do a lot of work, right? That it has use cases for detecting things that are anomaly, that are not supposed to be done in a way that's supposed to be, reducing the noise so it can escalate only the things what you're supposed to. So, AIOps is a great use case to use in security areas which they're not using it to an extent yet. Incident management is another area. >> So, in your malware example, you're saying, okay, known malware, pretty much anybody can deal with that now. That's sort of yesterday's problem. >> The unknown is the problem. >> It's the unknown malware really trying to understand the patterns, and the patterns are going to change. It's not like you're saying a common signature 'cause they're going to use AI to change things up at scale. >> So, here's the problem, right? The malware writers are also using AI now, right? So, they're not going to write the old malware, send it to you. They are actually creating malware on the fly. It is possible entirely in today's world that they can create a malware, drop in your systems and it'll it look for the, let me get that name right. It's called, what are we using here? It's called the TTPs, Tactics, Techniques and procedures. It'll look for that to figure out, okay, am I doing the right pattern? And then malware can sense it saying that, okay, that's the one they're detecting. I'm going to change it on the fly. So, AI can code itself on the fly, rather malware can code itself on the fly, which is going to be hard to detect. >> Well, and when you talk about TTP, when you talk to folks like Kevin Mandia of Mandiant, recently purchased by Google or other of those, the ones that have the big observation space, they'll talk about the most malicious hacks that they see, involve lateral movement. So, that's obviously something that people are looking for, AI's looking for that. And of course, the hackers are going to try to mask that lateral movement, living off the land and other things. How do you see AI impacting the future of cyber? We talked about the risks and the good. One of the things that Brian Behlendorf also mentioned is that, he pointed out that in the early days of the internet, the protocols had an inherent element of trust involved. So, things like SMTP, they didn't have security built in. So, they built up a lot of technical debt. Do you see AI being able to help with that? What steps do you see being taken to ensure that AI based systems are secure? >> So, the major difference between the older systems and the newer systems is the older systems, sadly even today, a lot of them are rules-based. If it's a rules-based systems, you are dead in the water and not able, right? So, the AI-based systems can somewhat learn from the patterns as I was talking about, for example... >> When you say rules-based systems, you mean here's the policy, here's the rule, if it's not followed but then you're saying, AI will blow that away, >> AI will blow that away, you don't have to necessarily codify things saying that, okay, if this, then do this. You don't have to necessarily do that. AI can somewhat to an extent self-learn saying that, okay, if that doesn't happen, if this is not a pattern that I know which is supposed to happen, who should I escalate this to? Who does this system belong to? And the other thing, the AIOps use case we talked about, right, the anomalies. When an anomaly happens, then the system can closely look at, saying that, okay, this is not normal behavior or usage. Is that because system's being overused or is it because somebody's trying to access something, could look at the anomaly detection, anomaly prevention or even prediction to an extent. And that's where AI could be very useful. >> So, how about the developer angle? 'Cause CNCF, the event in Seattle is all around developers, how can AI be integrated? We did a lot of talk at the conference about shift-left, we talked about shift-left and protect right. Meaning, protect the run time. So, both are important, so what steps should be taken to ensure that the AI systems are being developed in a secure and ethically sound way? What's the role of developers in that regard? >> How long do you got? (Both laughing) I think it could go for base on that. So, here's the problem, right? Lot of these companies are trying to see, I mean, you might have seen that in the news that Buzzfeed is trying to hire all of the writers to create the thing that ChatGPT is creating, a lot of enterprises... >> How, they're going to fire their writers? >> Yeah, they replace the writers. >> It's like automated automated vehicles and automated Uber drivers. >> So, the problem is a lot of enterprises still haven't done that, at least the ones I'm speaking to, are thinking about saying, "Hey, you know what, can I replace my developers because they are so expensive? Can I replace them with AI generated code?" There are a few issues with that. One, AI generated code is based on some sort of a snippet of a code that has been already available. So, you get into copyright issues, that's issue number one, right? Issue number two, if AI creates code and if something were to go wrong, who's responsible for that? There's no accountability right now. Or you as a company that's creating a system that's responsible, or is it ChatGPT, Microsoft is responsible. >> Or is the developer? >> Or the developer. >> The individual developer might be. So, they're going to be cautious about that liability. >> Well, so one of the areas where I'm seeing a lot of enterprises using this is they are using it to teach developers to learn things. You know what, if you're to code, this is a good way to code. That area, it's okay because you are just teaching them. But if you are to put an actual production code, this is what I advise companies, look, if somebody's using even to create a code, whether with or without your permission, make sure that once the code is committed, you validate that the 100%, whether it's a code or a model, or even make sure that the data what you're feeding in it is completely out of bias or no bias, right? Because at the end of the day, it doesn't matter who, what, when did that, if you put out a service or a system out there, it is involving your company liability and system, and code in place. You're going to be screwed regardless of what, if something were to go wrong, you are the first person who's liable for it. >> Andy, when you think about the dangers of AI, and what keeps you up at night if you're a security professional AI and security professional. We talked about ChatGPT doing things, we don't even, the hackers are going to get creative. But what worries you the most when you think about this topic? >> A lot, a lot, right? Let's start off with an example, actually, I don't know if you had a chance to see that or not. The hackers used a bank of Hong Kong, used a defect mechanism to fool Bank of Hong Kong to transfer $35 million to a fake account, the money is gone, right? And the problem that is, what they did was, they interacted with a manager and they learned this executive who can control a big account and cloned his voice, and clone his patterns on how he calls and what he talks and the whole name he has, after learning that, they call the branch manager or bank manager and say, "Hey, you know what, hey, move this much money to whatever." So, that's one way of kind of phishing, kind of deep fake that can come. So, that's just one example. Imagine whether business is conducted by just using voice or phone calls itself. That's an area of concern if you were to do that. And imagine this became an uproar a few years back when deepfakes put out the video of Tom Cruise and others we talked about in the past, right? And Tom Cruise looked at the video, he said that he couldn't distinguish that he didn't do it. It is so close, that close, right? And they are doing things like they're using gems... >> Awesome Instagram account by the way, the guy's hilarious, right? >> So, they they're using a lot of this fake videos and fake stuff. As long as it's only for entertainment purposes, good. But imagine doing... >> That's right there but... >> But during the election season when people were to put out saying that, okay, this current president or ex-president, he said what? And the masses believe right now whatever they're seeing in TV, that's unfortunate thing. I mean, there's no fact checking involved, and you could change governments and elections using that, which is scary shit, right? >> When you think about 2016, that was when we really first saw, the weaponization of social, the heavy use of social and then 2020 was like, wow. >> To the next level. >> It was crazy. The polarization, 2024, would deepfakes... >> Could be the next level, yeah. >> I mean, it's just going to escalate. What about public policy? I want to pick your brain on this because I I've seen situations where the EU, for example, is going to restrict the ability to ship certain code if it's involved with critical infrastructure. So, let's say, example, you're running a nuclear facility and you've got the code that protects that facility, and it can be useful against some other malware that's outside of that country, but you're restricted from sending that for whatever reason, data sovereignty. Is public policy, is it aligned with the objectives in this new world? Or, I mean, normally they have to catch up. Is that going to be a problem in your view? >> It is because, when it comes to laws it's always miles behind when a new innovation happens. It's not just for AI, right? I mean, the same thing happened with IOT. Same thing happened with whatever else new emerging tech you have. The laws have to understand if there's an issue and they have to see a continued pattern of misuse of the technology, then they'll come up with that. Use in ways they are ahead of things. So, they put a lot of restrictions in place and about what AI can or cannot do, US is way behind on that, right? But California has done some things, for example, if you are talking to a chat bot, then you have to basically disclose that to the customer, saying that you're talking to a chat bot, not to a human. And that's just a very basic rule that they have in place. I mean, there are times that when a decision is made by the, problem is, AI is a black box now. The decision making is also a black box now, and we don't tell people. And the problem is if you tell people, you'll get sued immediately because every single time, we talked about that last time, there are cases involving AI making decisions, it gets thrown out the window all the time. If you can't substantiate that. So, the bottom line is that, yes, AI can assist and help you in making decisions but just use that as a assistant mechanism. A human has to be always in all the loop, right? >> Will AI help with, in your view, with supply chain, the software supply chain security or is it, it's always a balance, right? I mean, I feel like the attackers are more advanced in some ways, it's like they're on offense, let's say, right? So, when you're calling the plays, you know where you're going, the defense has to respond to it. So in that sense, the hackers have an advantage. So, what's the balance with software supply chain? Are the hackers have the advantage because they can use AI to accelerate their penetration of the software supply chain? Or will AI in your view be a good defensive mechanism? >> It could be but the problem is, the velocity and veracity of things can be done using AI, whether it's fishing, or malware, or other security and the vulnerability scanning the whole nine yards. It's scary because the hackers have a full advantage right now. And actually, I think ChatGPT recently put out two things. One is, it's able to direct the code if it is generated by ChatGPT. So basically, if you're trying to fake because a lot of schools were complaining about it, that's why they came up with the mechanism. So, if you're trying to create a fake, there's a mechanism for them to identify. But that's a step behind still, right? And the hackers are using things to their advantage. Actually ChatGPT made a rule, if you go there and read the terms and conditions, it's basically honor rule suggesting, you can't use this for certain purposes, to create a model where it creates a security threat, as that people are going to listen. So, if there's a way or mechanism to restrict hackers from using these technologies, that would be great. But I don't see that happening. So, know that these guys have an advantage, know that they're using AI, and you have to do things to be prepared. One thing I was mentioning about is, if somebody writes a code, if somebody commits a code right now, the problem is with the agile methodologies. If somebody writes a code, if they commit a code, you assume that's right and legit, you immediately push it out into production because need for speed is there, right? But if you continue to do that with the AI produced code, you're screwed. >> So, bottom line is, AI's going to speed us up in a security context or is it going to slow us down? >> Well, in the current version, the AI systems are flawed because even the ChatGPT, if you look at the the large language models, you look at the core piece of data that's available in the world as of today and then train them using that model, using the data, right? But people are forgetting that's based on today's data. The data changes on a second basis or on a minute basis. So, if I want to do something based on tomorrow or a day after, you have to retrain the models. So, the data already have a stale. So, that in itself is stale and the cost for retraining is going to be a problem too. So overall, AI is a good first step. Use that with a caution, is what I want to say. The system is flawed now, if you use it as is, you'll be screwed, it's dangerous. >> Andy, you got to go, thanks so much for coming in, appreciate it. >> Thanks for having me. >> You're very welcome, so we're going wall to wall with our coverage of the Cloud Native Security Con. I'm Dave Vellante in the Boston Studio, John Furrier, Lisa Martin and Palo Alto. We're going to be live on the show floor as well, bringing in keynote speakers and others on the ground. Keep it right there for more coverage on theCUBE. (upbeat music) (upbeat music) (upbeat music) (upbeat music)

(bright music) >> Hello everyone and welcome back to AWS re:Invent, here in wonderful Las Vegas, Nevada. We're theCUBE. I am Savannah Peterson. Joined with my co-host, Dave Vellante. Day four, you look great. Your voice has come back somehow. >> Yeah, a little bit. I don't know how. I took last night off. You guys, I know, were out partying all night, but - >> I don't know what you're talking about. (Dave laughing) >> Well, you were celebrating John's birthday. John Furrier's birthday today. >> Yes, happy birthday John! >> He's on his way to England. >> Yeah. >> To attend his nephew's wedding. Awesome family. And so good luck, John. I hope you feel better, he's got a little cold. >> I know, good luck to the newlyweds. I love this. I know we're both really excited for our next guest, so I'm going to bring out, Lena Smart from MongoDB. Thank you so much for being here. >> Thank you for having me. >> How's the show going for you? >> Good. It's been a long week. And I just, not much voice left, so. >> We'll be gentle on you. >> I'll give you what's left of it. >> All right, we'll take that. >> Okay. >> You had a fireside chat, at the show? >> Lena: I did. >> Can you tell us a little bit about that? >> So we were talking about the Rise, The developer is a platform. In this massive theater. I thought it would be like an intimate, you know, fireside chat. I keep believing them when they say to me come and do these talks, it'll be intimate. And you turn up and there's a stage and a theater and it's like, oh my god. But it was really interesting. It was well attended. Got some really good questions at the end as well. Lots of follow up, which was interesting. And it was really just about, you know, how we've brought together this developer platform that's got our integrated services. It's just what developers want, it gives them time to innovate and disrupt, rather than worry about the minutia of management. >> Savannah: Do the cool stuff. >> Exactly. >> Yeah, so you know Lena, it's funny that you're saying that oh wow, the lights came on and it was this big thing. When when we were at re:Inforced, Lena was on stage and it was so funny, Lena, you were self deprecating like making jokes about the audience. >> Savannah: (indistinct) >> It was hilarious. And so, but it was really endearing to the audience and so we were like - >> Lena: It was terrifying. >> You got huge props for that, I'll tell you. >> Absolutely terrifying. Because they told me I wouldn't see anyone. Because we did the rehearsal the day before, and they were like, it's just going to be like - >> Sometimes it just looks like blackness out there. >> Yeah, yeah. It wasn't, they lied. I could see eyeballs. It was terrifying. >> Would you rather know that going in though? Or is it better to be, is ignorance bliss in that moment? >> Ignorance is bliss. >> Yeah, yeah yeah. >> Good call Savannah, right? Yeah, just go. >> The older I get, the more I'm just, I'm on the ignorance is bliss train. I just, I don't need to know anything that's going to hurt my soul. >> Exactly. >> One of the things that you mentioned, and this has actually been a really frequent theme here on the show this week, is you said that this has been a transformative year for developers. >> Lena: Yeah. >> What did you mean by that? >> So I think developers are starting to come to the fore, if you like, the fore. And I'm not in any way being deprecating about developers 'cause I love them. >> Savannah: I think everyone here does. >> I was married to one, I live with one now. It's like, they follow me everywhere. They don't. But, I think they, this is my opinion obviously but I think that we're seeing more and more the value that developers bring to the table. They're not just code geeks anymore. They're not just code monkeys, you know, churning out lines and lines of code. Some of the most interesting discussions I've had this week have been with developers. And that's why I'm so pleased that our developer data platform is going to give these folks back time, so that they can go and innovate. And do super interesting things and do the next big thing. It was interesting, I was talking to Mary, our comms person earlier and she had said that Dave I guess, my boss, was on your show - >> Dave: Yeah, he was over here last night. >> Yeah. And he was saying that two thirds of the companies that had been mentioned so far, within the whole gamut of this conference use MongoDB. And so take that, extrapolate that, of all the developers >> Wow. >> who are there. I know, isn't that awesome? >> That's awesome. Congrats on that, that's like - >> Did I hear that right now? >> I know, I just had that moment. >> I know she just told me, I'm like, really? That's - >> That's so cool. >> 'Cause the first thing I thought of was then, oh my god, how many developers are we reaching then? 'Cause they're the ones. I mean, it's kind of interesting. So my job has kind of grown from, over the years, being the security geek in the back room that nobody talks to, to avoiding me in the lift, to I've got a seat at the table now. We meet with the board. And I think that I can see that that's where the developer mindset is moving towards. It's like, give us the right tools and we'll change your world. >> And let the human capital go back to doing the fun stuff and not just the maintenance stuff. >> And, but then you say that, you can't have everything automated. I get that automation is also the buzzword of the week. And I get that, trust me. Someone has to write the code to do the automation. >> Savannah: Right. >> So, so yeah, definitely give these people back time, so that they can work on ML, AI, choose your buzzword. You know, by giving people things like queriable encryption for example, you're going to free up a whole bunch of head space. They don't have to worry about their data being, you know harvested from memory or harvested while at rest or in motion. And it's like, okay, I don't have to worry about that now, let me go do something fun. >> How about the role of the developer as it relates to SecOps, right? They're being asked to do a lot. You and I talked about this at re:Inforce. You seem to have a pretty good handle on it. Like a lot of companies I think are struggling with it. I mean, the other thing you said said to me is you don't have a lack of talent at Mongo, right? 'Cause you're Mongo. But a lot of companies do. But a lot of the developers, you know we were just talking about this earlier with Capgemini, the developer metrics or the application development team's metrics might not be aligned with the CSO's metrics. How, what are you seeing there? What, how do you deal with it within Mongo? What do you advise your customers? >> So in terms of internal, I work very closely with our development group. So I work with Tara Hernandez, who's our new VP of developer productivity. And she and her team are very much interested in making developers more productive. That's her job. And so we get together because sometimes security can definitely be seen as a blocker. You know, funnily enough, I actually had a Slack that I had to respond to three seconds before I come on here. And it was like, help, we need some help getting this application through procurement, because blah, blah, blah. And it's weird the kind of change, the shift in mindset. Whereas before they might have gone to procurement or HR or someone to ask for this. Now they're coming to the CSO. 'Cause they know if I say yes, it'll go through. >> Talk about social engineering. >> Exactly. >> You were talking about - >> But turn it around though. If I say no, you know, I don't like to say no. I prefer to be the CSO that says yes, but. And so that's what we've done. We've definitely got that culture of ask, we'll tell you the risks, and then you can go away and be innovative and do what you need to do. And we basically do the same with our customers. Here's what you can do. Our application is secure out of the box. Here's how we can help you make it even more, you know, streamlined or bespoke to what you need. >> So mobile was a big inflection point, you know, I dunno, it seems like forever ago. >> 2007. >> 2007. Yeah, iPhone came out in 2007. >> You remember your first iPhone? >> Dave: Yeah. >> Yeah? Same. >> Yeah. It was pretty awesome, actually. >> Yeah, I do too. >> Yeah, I was on the train to Boston going up to see some friends at MIT on the consortium that I worked with. And I had, it was the wee one, 'member? But you thought it was massive. >> Oh, it felt - >> It felt big. And I remember I was sitting on the train to Boston it was like the Estella and there was these people, these two women sitting beside me. And they were all like glam, like you and unlike me. >> Dave: That's awesome. >> And they, you could see them like nudging each other. And I'm being like, I'm just sitting like this. >> You're chilling. >> Like please look at my phone, come on just look at it. Ask me about it. And eventually I'm like - >> You're baiting them. >> nonchalantly laid it on the table. And you know, I'm like, and they're like, is that an iPhone? And I'm like, yeah, you want to see it? >> I thought you'd never ask. >> I know. And I really played with it. And I showed them all the cool stuff, and they're like, oh we're going to buy iPhones. And so I should have probably worked for Apple, but I didn't. >> I was going to say, where was your referral kickback on that? Especially - >> It was a little like Tesla, right? When you first, we first saw Tesla, it was Ray Wong, you know, Ray? From Pasadena? >> It really was a moment and going from the Blackberry keyboard to that - >> He's like want to see my car? And I'm like oh yeah sure, what's the big deal? >> Yeah, then you see it and you're like, ooh. >> Yeah, that really was such a pivotal moment. >> Anyway, so we lost a track, 2007. >> Yeah, what were we talking about? 2007 mobile. >> Mobile. >> Key inflection point, is where you got us here. Thank you. >> I gotchu Dave, I gotchu. >> Bring us back here. My mind needs help right now. Day four. Okay, so - >> We're all getting here on day four, we're - >> I'm socially engineering you to end this, so I can go to bed and die quietly. That's what me and Mary are, we're counting down the minutes. >> Holy. >> That's so sick. >> You're breaking my heart right now. I love it. I'm with you, sis, I'm with you. >> So I dunno where I was, really where I was going with this, but, okay, there's - >> 2007. Three things happened. >> Another inflection point. Okay yeah, tell us what happened. But no, tell us that, but then - >> AWS, clones, 2006. >> Well 2006, 2007. Right, okay. >> 2007, the iPhone, the world blew up. So you've already got this platform ready to take all this data. >> Dave: Right. >> You've got this little slab of gorgeousness called the iPhone, ready to give you all that data. And then MongoDB pops up, it's like, woo-hoo. But what we could offer was, I mean back then was awesome, but it was, we knew that we would have to iterate and grow and grow and grow. So that was kind of the three things that came together in 2007. >> Yeah, and then Cloud came in big time, and now you've got this platform. So what's the next inflection point do you think? >> Oh... >> Good question, Dave. >> Don't even ask me that. >> I mean, is it Edge? Is it IOT? Is there another disruptor out there? >> I think it's going to be artificial intelligence. >> Dave: Is it AI? >> I mean I don't know enough about it to talk about it, to any level, so don't ask me any questions about it. >> This is like one of those ignorance is bliss moments. It feels right. >> Yeah. >> Well, does it scare you, from a security perspective? Or? >> Great question, Dave. >> Yeah, it scares me more from a humanity standpoint. Like - >> More than social scared you? 'Cause social was so benign when it started. >> Oh it was - >> You're like, oh - I remember, >> It was like a yearbook. I was on the Estella and we were - >> Shout out to Amtrak there. >> I was with, we were starting basically a wikibond, it was an open source. >> Yeah, yeah. >> Kind of, you know, technology community. And we saw these and we were like enamored of Facebook. And there were these two young kids on the train, and we were at 'em, we were picking the brain. Do you like Facebook? "I love Facebook." They're like "oh, Facebook's unbelievable." Now, kids today, "I hate Facebook," right? So, but social at the beginning it was kind of, like I say, benign and now everybody's like - >> Savannah: We didn't know what we were getting into. >> Right. >> I know. >> Exactly. >> Can you imagine if you could have seen into the future 20 years ago? Well first of all, we'd have all bought Facebook and Apple stock. >> Savannah: Right. >> And Tesla stock. But apart from, but yeah apart from that. >> Okay, so what about Quantum? Does that scare you at all? >> I think the only thing that scares me about Quantum is we have all this security in place today. And I'm not an expert in Quantum, but we have all this security in place that's securing what we have today. And my worry is, in 10 years, is it still going to be secure? 'Cause we're still going to be using that data in some way, shape, or form. And my question is to the quantum geniuses out there, what do we do in 10 years like to retrofit the stuff? >> Dave: Like a Y2K moment? >> Kind of. Although I think Y2K is coming in 2038, isn't it? When the Linux date flips. I'll be off the grid by then, I'll be living in Scotland. >> Somebody else's problem. >> Somebody else's problem. I'll be with the sheep in Glasgow, in Scotland. >> Y2K was a boondoggle for tech, right? >> What a farce. I mean, that whole - >> I worked in the power industry in Y2K. That was a nightmare. >> Dave: Oh I bet. >> Savannah: Oh my God. >> Yeah, 'cause we just assumed that the world was going to stop and there been no power, and we had nuclear power plants. And it's like holy moly. Yeah. >> More than moly. >> I was going to say, you did a good job holding that other word in. >> I think I was going to, in case my mom hears this. >> I grew up near Diablo Canyon in, in California. So you were, I mean we were legitimately worried that that exactly was going to happen. And what about the waste? And yeah it was chaos. We've covered a lot. >> Well, what does worry you? Like, it is culture? Is it - >> Why are you trying to freak her out? >> No, no, because it's a CSO, trying to get inside the CSO's head. >> You don't think I have enough to worry about? You want to keep piling on? >> Well if it's not Quantum, you know? Maybe it's spiders or like - >> Oh but I like spiders, well spiders are okay. I don't like bridges, that's my biggest fear. Bridges. >> Seriously? >> And I had to drive over the Tappan Zee bridge, which is one of the longest, for 17 years, every day, twice. The last time I drove over it, I was crying my heart out, and happy as anything. >> Stay out of Oakland. >> I've never driven over it since. Stay out of where? >> Stay out of Oakland. >> I'm staying out of anywhere that's got lots of water. 'Cause it'll have bridges. >> Savannah: Well it's good we're here in the desert. >> Exactly. So what scares me? Bridges, there you go. >> Yeah, right. What? >> Well wait a minute. So if I'm bridging technology, is that the scary stuff? >> Oh God, that was not - >> Was it really bad? >> It was really bad. >> Wow. Wow, the puns. >> There's a lot of seems in those bridges. >> It is lit on theCUBE A floor, we are all struggling. I'm curious because I've seen, your team is all over the place here on the show, of course. Your booth has been packed the whole time. >> Lena: Yes. >> The fingerprint. Talk to me about your shirt. >> So, this was designed by my team in house. It is the most wanted swag in the company, because only my security people wear it. So, we make it like, yeah, you could maybe have one, if this turns out well. >> I feel like we're on the right track. >> Dave: If it turns out well. >> Yeah, I just love it. It's so, it's just brilliant. I mean, it's the leaf, it's a fingerprint. It's just brilliant. >> That's why I wanted to call it out. You know, you see a lot of shirts, a lot of swag shirts. Some are really unfortunately sad, or not funny, >> They are. >> or they're just trying too hard. Now there's like, with this one, I thought oh I bet that's clever. >> Lena: It is very cool. Yes, I love it. >> I saw a good one yesterday. >> Yeah? >> We fix shit, 'member? >> Oh yeah, yeah. >> That was pretty good. >> I like when they're >> That's a pretty good one. >> just straightforward, like that, yeah yeah. >> But the only thing with this is when you're say in front of a green screen, you look as though you've got no tummy. >> A portal through your body. >> And so, when we did our first - >> That's a really good point, actually. >> Yeah, it's like the black hole to nothingless. And I'm like wow, that's my soul. >> I was just going to say, I don't want to see my soul like that. I don't want to know. >> But we had to do like, it was just when the pandemic first started, so we had to do our big presentation live announcement from home. And so they shipped us all this camera equipment for home and thank God my partner knows how that works, so he set it all up. And then he had me test with a green screen, and he's like, you have no tummy. I'm like, what the hell are you talking about? He's like, come and see. It's like this, I dunno what it was. So I had to actually go upstairs and felt tip with a magic marker and make it black. >> Wow. >> So that was why I did for two hours on a Friday, yeah. >> Couldn't think of another alternative, huh? >> Well no, 'cause I'm myopic when it comes to marketing and I knew I had to keep the tshirt on, and I just did that. >> Yeah. >> In hindsight, yes I could have worn an "I Fix Shit" tshirt, but I don't think my husband would've been very happy. I secure shit? >> There you go, yeah. >> There you go. >> Over to you, Savannah. >> I was going to say, I got acquainted, I don't know if I can say this, but I'm going to say it 'cause we're here right now. I got acquainted with theCUBE, wearing a shirt that said "Unfuck Kubernetes," 'cause it was a marketing campaign that I was running for one of my clients at Kim Con last year. >> That's so good. >> Yeah, so - >> Oh my God. I'll give you one of these if you get me one of those. >> I can, we can do a swapskee. We can absolutely. >> We need a few edits on this film, on the file. >> Lena: Okay, this is nothing - >> We're fallin' off the wheel. Okay, on that note, I'm going to bring us to our challenge that we discussed, before we got started on this really diverse discussion that we have had in the last 15 minutes. We've covered everything from felt tip markers to nuclear power plants. >> To the darkness of my soul. >> To the darkness of all of our souls. >> All of our souls, yes. >> Which is perhaps a little too accurate, especially at this stage in the conference. You've obviously seen a lot Lena, and you've been rockin' it, I know John was in your suite up here, at at at the Venetian. What's your 30 second hot take? Most important story, coming out of the show or for you all at Mongo this year? >> Genuinely, it was when I learned that two-thirds of the customers that had been mentioned, here, are MongoDB customers. And that just exploded in my head. 'Cause now I'm thinking of all the numbers and the metrics and how we can use that. And I just think it's amazing, so. >> Yeah, congratulations on that. That's awesome. >> Yeah, I thought it was amazing. >> And it makes sense actually, 'cause Mongo so easy to use. We were talking about Tengen. >> We knew you when, I feel that's our like, we - >> Yeah, but it's true. And so, Mongo was just really easy to use. And people are like, ah, it doesn't scale. It's like, turns out it actually does scale. >> Lena: Turns out, it scales pretty well. >> Well Lena, without question, this is my favorite conversation of the show so far. >> Thank you. >> Thank you so much for joining us. >> Thank you very much for having me. >> Dave: Great to see you. >> It's always a pleasure. >> Dave: Thanks Lena. >> Thank you. >> And thank you all, tuning in live, for tolerating wherever we take these conversations. >> Dave: Whatever that was. >> I bet you weren't ready for this one, folks. We're at AWS re:Invent in Las Vegas, Nevada. With Dave Vellante, I'm Savannah Peterson. You're washing theCUBE, the leader for high tech coverage.

>>Welcome back to the Cube, as a continued coverage here from AWS Reinvent 22. It's day three of our coverage here at the Venetian in Las Vegas, and we're part of the AWS Global Startup Showcase. With me to talk about what Kong's to in that regard is Marco Palladino, who's the, the CTO and the co-founder of Con Marco. Good >>To see you. Well, thanks for having me >>Here. Yeah, I was gonna say, by the way, I, I, you've got a beautiful exhibit down on the show floor. How's the week been for you so far as an exhibitor here? >>It's been very busy. You know, to this year we made a big investment at the WS reinvent. You know, I think this is one of the best conferences in the industry. There is technology developers, but it's also business oriented. So you can learn about all the business outcomes that our, you know, customers or, you know, people are trying to make when, when adopting these new technologies. So it's very good so far. >>Good, good, good to hear. Alright, so in your world, the API world, you know, it used to be we had this, you know, giant elephant. Now we're cutting down the little pieces, right? That's right. We're all going micro now these days. That's right. Talk about that trend a little bit, what you're seeing, and we'll jump in a little deeper as to how you're addressing that. >>Well, I think the industry learned a long time ago that running large code bases is actually quite problematic when it comes to scaling the organization and capturing new opportunities. And so, you know, we're transitioning to microservices because we want to get more opportunities in our business. We want to be able to create new products, fasters, we want to be able to leverage existing services or data that we have built, like an assembly line of software, you know, picking up APIs that other developers are building, and then assemble them together to create new experiences or new products, enter new markets. And so microservices are fantastic for that, except microservices. They also introduce significant concerns on the networking layer, on the API layer. And so this is where Kong specializes by providing API infrastructure to our customers. >>Right. So more about the problems, more about the challenges there, because you're right, it, opportunities always create, you know, big upside and, and I, I don't wanna say downside, but they do introduce new complexities. >>That's right. And introducing new complexity. It's a little bit the biggest enemy of any large organization, right? We want to reduce complexity, we want to move faster, we want to be more agile, and, and we need an API vision to be able to do that. Our teams, you know, I'm speaking with customers here at Reinvent, they're telling me that in the next five years, the organization is going to be creating more APIs than all the APIs they've created up until now. Right? So how do you >>Support, that's a mind boggling number, right? >>It's mind boggling. Yeah, exactly. How do you support that type of growth? And things have been moving so fast. I feel like there is a big dilemma in, you know, with certain organizations where, you know, we have not taught a long term strategy for APIs, whereas we do have a long term strategy for our business, but APIs are running the business. We must have a long term strategy for our APIs, otherwise we're not gonna be able to execute. And that's a big dilemma right now. Yeah. >>So, so how do we get the horse back in front of the cart then? Because it's like you said, it's almost as if we've, we're, we're reprioritizing, you know, incorrectly or inaccurately, right? You're, you're getting a little bit ahead of ourselves. >>Well, so, you know, whenever we have a long-term strategy for pretty much anything in the organization, right? We know what we want to do. We know the outcome that we want to achieve. We work backwards to, you know, determine what are the steps that are gonna bring us there. And, and the responsibility for thinking long term in, in every organization, including for APIs at the end of the day, always falls on the leaders and the should on the shoulders of the leadership and, and to see executives of the organization, right? And so we're seeing, you know, look at aws by the way. Look at Amazon. This conference would not have been possible without a very strong API vision from Amazon. And the CEO himself, Jeff Bezos, everybody talks about wanting to become an API first organization. And Amazon did that with the famous Jeff Bezos mandate today, aws, it's a hundred billion revenue for Amazon. You see, Amazon was not the first organization with, with an e-commerce, but if it was the first one that married a very strong e-commerce business execution with a very strong API vision, and here we are. >>So yeah, here we are putting you squarely in, in, in a pretty good position, right? In terms of what you're offering to the marketplace who has this high demand, you see this trend starting to explode. The hockey sticks headed up a little bit, right? You know, how are you answering that call specifically at how, how are you looking at your client's needs and, and trying to address what they need and when they need it, and how they need it. Because everybody's in a kind of a different place right now. >>Right? That's exactly right. And so you have multiple teams at different stages of their journey, right? With technology, some of them are still working on legacy, some of them are moving to the cloud. Yep. Some of them are working in containers and in microservices and Kubernetes. And so how do you, how do we provide an API vision that can fulfill the needs of the entire organization in such a way that we reduce that type of fragmentation and we don't introduce too much complexity? Well, so at con, we do it by essentially splitting the API platform in three different components. Okay. One is API management. When, whenever we want to expose APIs internally or to an ecosystem of partners, right? Or to mobile, DRA is a service mesh. You know, as we're splitting these microservices into smaller parts, we have a lot of connectivity, all, you know, across all the services that the teams are building that we need to, to manage. >>You know, the network is unreliable. It's by default, not secure, not observable. There is nothing that that works in there. And so how do we make that network reliable without asking our teams to go and build these cross-cut concerns whenever they create a new service. And so we need a service match for that, right? And then finally, we could have the best AP infrastructure in the world, millions of APIs and millions of microservices. Everything is working great. And with no API consumption, all of that would be useless. The value of our APIs and the value of our infrastructure is being driven by the consumption that we're able to drive to all of these APIs. And so there is a whole area of API productivity and discovery and design and testing and mocking that enables the application teams to be successful with APIs, even when they do have a, the proper API infrastructure in place that's made of meshes and management products and so on and so forth. Right. >>Can you gimme some examples? I mean, at least with people that you've been working with in terms of addressing maybe unique needs. Cuz again, as you've addressed, journeys are in different stages now. Some people are on level one, some people are on level five. So maybe just a couple of examples Yeah. Of clients with whom you've been working. Yeah, >>So listen, I I was talking with many organizations here at AWS Reinvent that are of course trying to migrate to the cloud. That's a very common common transformation that pretty much everybody's doing in the world. And, and how do you transition to the cloud by de-risking the migration while at the same time being able to get all the benefits of, of running in the cloud? Well, we think that, you know, we can do that in two, two ways. One, by containerizing our workloads so that we can make them portable. But then we also need to lift and shift the API connectivity in such a way that we can determine how much traffic goes to the legacy and how much traffic goes to the new cloud infrastructure. And by doing that, we're able to deal with some of these transformations that can be quite complex. And then finally, API infrastructure must support every team in the organization. >>And so being able to run on a single cloud, multi-cloud, single cluster, multi cluster VMs containers, that's important and essential because we want the entire organization to be on board. Because whenever we do not do that, then the developers will make short term decisions that are not going to be fitting into the organizational outcomes that we want to achieve. And we look at any outcome that your organization wants to achieve the cloud transformation, improving customer retention, creating new products, being more agile. At the end of the day, there is an API that's powering that outcome. >>Right? Right. Well, and, and there's always a security component, right? That you have to be concerned about. So how are you raising that specter with your clients to make them aware? Because sometimes it, I wouldn't say it's an afterthought, but sometimes it's not the first thought. And, and obviously with APIs and with their integral place, you know, in, in the system now security's gotta be included in that, right? >>API security is perhaps the biggest, biggest request that we're hearing from customers. You know, 83% of the world's internet traffic at the end of the day runs on APIs, right? That's a lot of traffic. As a matter of fact, APIs are the first attack vector for any, you know, malicious store party. Whenever there is a breach, APIs must be secured. And we can secure APIs on different layers of our infrastructure. We can secure APIs at the L four mesh layer by implementing zero trust security, for example, encrypting all the traffic, assigning an identity to every service, removing the concept of trust from our systems because trust is exploitable, right? And so we need to remove the cut zero trust, remove the concept of trust, and then once we have that underlying networking that's being secure and encrypted, we want to secure access to our APIs. >>And so this is the typical authentication, authorization concerns. You know, we can use patterns like op, op or opa open policy agent to create a security layer that does not rely on the team's writing code every time they're creating a new service. But the infrastructure is enforcing the type of layer. So for example, last week I was in Sweden, as a matter of fact speaking with the largest bank in Sweden while our customers, and they were telling us that they are implementing GDPR validation in the service mesh on the OPPA layer across every service that anybody's building. Why? Well, because you can embed the GDPR settings of the consumer into a claim in a gel token, and then you can use OPPA to validate in a blanket way that Jo Token across every service in the mesh, developers don't have to do that. It just comes out of the box like that. And then finally, so networking, security, API security for access and, and management of those APIs. And then finally we have deep inspection of our API traffic. And here you will see more exotic solutions for API security, where we essentially take a subset of our API traffic and we try to inspect it to see if there is anybody doing anything that they shouldn't be doing and, and perhaps block them or, you know, raise, raise, raise the flag, so to speak. >>Well, the answer is probably yes, they are. Somebody's trying to, somebody's trying to, yeah, you're trying to block 'em out. Before I let you go, you've had some announcements leading up here to the show that's just to hit a few of those highlights, if you would. >>Well, you know, Kong is an organization that you know, is very proud of the technology that we create. Of course, we started with a, with the API gateway Con Gateway, which was our first product, the most adopted gateway in the world. But then we've expanded our platform with service mesh. We just announced D B P F support in the service mesh. For example, we made our con gateway, which was already one of the fastest gateway, if not the fastest gateway out there, 30% faster with Con Gateway 3.0. We have shipped an official con operator for Kubernetes, both community and enterprise. And then finally we're doubling down on insomnia, insomnia's, our API productivity application that essentially connects the developers with the APIs that are creating and allows them to create a discovery mechanism for testing, mocking the bagging, those APIs, all of this, we of course ship it OnPrem, but then also on the cloud. And you know, in a cloud conference right now, of course, cloud, right? Right. Is a very important part of our corporate strategy. And our customers are asking us that. Why? Because they don't wanna manage the software, they want the API platform, they don't, don't wanna manage it. >>Well, no, nobody does. And there are a few stragglers, >>A few, a few. And for them there is the on-prem >>Platform. Fine, let 'em go. Right? Exactly. But if you wanna make it a little quick and dirty, hand it off, right? Oh, >>That's exactly right. Yes. >>Let Con do the heavy lifting for you. Hey Marco, thanks for the time. Yeah, thank you so much. We appreciate, and again, congratulations on what appears to be a pretty good show for you guys. Yeah, thank you. Well done. All right, we continue our discussions here at aws. Reinvent 22. You're watching the Cube, the leader in high tech coverage. >>Okay.

>> 10, nine, eight, (clears throat) four, three. >> Good afternoon, fellow cloud nerds and welcome back to AWS Reinvent 2022. We are live here from fabulous Las Vegas, Nevada. My name is Savannah Peterson, joined by Lisa Martin. So excited to be here Lisa, it's my first reinvent. >> Is it really? >> Yeah. >> I think it's only like my fourth or fifth. >> Only your fourth or fifth. >> Only. >> You're such a pro here. >> There's some serious veterans here in attendance that have been to all 11. >> I love that. >> Yeah. Wow, go them. I know, maybe we'll be at that level sooner. >> One day we will. >> Are you enjoying the show so far? >> Absolutely, it is. I cannot believe how many people are here. We've had 70,000 and we're only seeing what's at the foundation Expo Hall, not at the other hotel. So, I can only imagine. >> I mean, there's a world outside of this. >> Yes, and there's sunlight. There's actual sunlight outside of this room. >> Nobel idea. Well, Lisa, I'm very excited to be sitting here next to you and to welcome our fabulous guests, from TEKsystems, we have Brandon and Srini. Thank you so much for being here. How is the show going for you gentlemen so far? >> It's great. Lot of new insights and the customers are going to love what AWS is releasing in this reinvent. >> There is such a community here, and I love that vibe. It's similar to what we had at Cloud Native con in Detroit. So much collaboration going on. I assume most folks know a lot about TEKsystems who are watching, but just in case they don't, Brandon, give us the pitch. >> You bet. So full stack IT solutions firm, been in business for over 40 years, 80,000 global employees, really specializing in digital transformation, enterprise modernization services. We have partners in One Strategy, which is an an acquisition we made, but a well known premier partner in the Amazon partner ecosystem, as well as One North Interactive, who is our boutique brand, creative and digital strategy firm. So together, we really feel like we can bring full end-to-end solutions for digital and modernization initiatives. >> So, I saw some notes where TEKsystems are saying organizations need experienced AWS partners that are not afraid doing the dirty work of digital transformation, who really can advise and execute. Brandon, talk to us about how TEKsystems and AWS are working together to help customers on that journey which is nebulous of digital transformation. >> So, our real hallmark is the ability to scale. We partner with AWS in a lot of different ways. In fact, we just signed our strategic collaboration agreement. So, we're in the one percenter group in the whole partner network. >> Savanna: That's a pretty casual flex there. >> Not bad. >> I love that, top 1%, that no wonder you're wearing that partner pin so proud today. (speaking indistinctly) >> But we're working all the way on the advisory and working with their pro serve organization and then transforming that into large scale mass migration services, a lot of data modernization that Srini is an absolute expert in. I'm sure he can add some context too, but it's been a great partnership for many years now. >> In the keynote, Adam spent almost 52 minutes on data, right? So, it emphasizes how organizations are ready to take data to cloud and actually make meaningful insights and help their own customers come out of it by making meaningful decisions. So, we are glad to be part of this entire ecosystem. >> I love that you quantified how many minutes. >> I know. >> Talked about it, that was impressive. There's a little bit of data driven thinking going on here. >> I think so. >> Yeah. >> Well, we can't be at an event like this without talking about data for copious amounts of time, 52 minutes, has just used this morning. >> Right, absolutely. >> But every company these days has to be a data company. There's no choice to be successful, to thrive, to survive. I mean, even to thrive and grow, if it's a grocery store or your local gas station or what? You name it, that company has to be a data company. But the challenge of the data volume, the explosion in data is huge for organizations to really try to figure out and sift through what they have, where is all of it? How do we make sense of it? How do we act on it and get insights? That's a big challenge. How is TEKsystems helping customers tackle that challenge? >> Yeah, that's a great question because that's the whole fun of handling data. You need to ensure its meaning is first understood. So, we are not just dumping data into a storage place, but rather assign a meaningful context. In today's announcement, again, the data zone was unveiled to give meaning to data. And I think those are key concrete steps that we take to our customers as well with some good blueprints, methodical ways of approaching data and ultimately gaining business insights. >> And maybe I'll add just something real quick to that. The theme we're seeing and hearing a lot about is data monetization. So, technology companies have figured it out and used techniques to personalize things and get you ads, probably that you don't want half the time. But now all industries are really looking to do that. Looking at ways to open new revenue channels, looking at ways to drive a better customer experience, a better employee experience. We've got a ton of examples of that, Big Oil and Gas leveraging like well and machine data, coming in to be more efficient when they're pumping and moving commodities around. We work a lot in the medium entertainment space and so obviously, getting targeted ads to consumers during the right periods of TV or movies or et cetera. Especially with the advert on Netflix and all your streaming videos. So, it's been really interesting but we really see the future in leveraging data as one of your biggest corporate assets. >> Brilliant. >> So, I'm just curious on the ad thing, just real quick and I'll let you go, Lisa. So, do you still fall victim to falling for the advertising even though you know it's been strategically put there for you to consume in that moment? >> Most of the time. >> I mean, I think we all do. We're all, (indistinct), you're behind the curtain so to speak. >> The Amazon Truck shows up every day at my house, which is great, right? >> Hello again >> Same. >> But I think the power of it is you are giving the customer what they're looking for. >> That's it. >> And you know... >> Exactly. We have that expectation, we want it. >> 100%. >> We know that. >> Agree. >> We don't need to buy it. But technology has made it so easy to transact. That's like when developers started going to the cloud years ago, it was just, it was a swipe. It was so simple. Brandon, talk about the changes in cloud and cloud migration that TEKsystems has seen, particularly in the last couple of years as every company was rushing to go digital because they had to. >> So several years ago, we kind of pushed away that cloud first mentality to the side and we use more of a cloud smart kind of fashion, right? Does everything need to go to the cloud? No. Do applications, data, need to go to the cloud in a way that's modern and takes advantages of what the cloud can provide and all the new services that are being released this week and ongoing. So, the other thing we're seeing is initiatives that have traditionally been in the CTO, CIO organization aren't necessarily all that successful because we're seeing a complete misalignment between business goals and IT achievements, outcomes, et cetera. You can automate things, you can move it to the cloud, but if you didn't solve a core business problem or challenge, what'd you really do? >> Yeah, just to add on that, it's all about putting data and people together. And then how we can actually ensure the workforce is equally brought up to speed on these new technologies. That has been something that we have seen tremendous improvement in the last 24 months where customers are ready to take up new challenges and the end users are ready to learn something new and not just stick onto that status quo mindset. >> Where do you guys factor in to bringing in AWS in the customer's cloud journeys? What is that partnership like? >> We always first look for where the customer is in their cloud journey path and make sure we advise them with the right next steps. And AWS having its services across the spectrum makes it even easier for us to look at what business problem they're solving and then align it according to the process and technology so that at the end of the day, we want end user adoption. We don't want to build a fancy new gadget that no one uses. >> Just because you built it doesn't mean they'll come. And I think that's the classic engineering marketing dilemma as well as balance to healthy tension. I would say between both. You mentioned Srini, you mentioned workforce just a second ago. What sort of trends are you seeing in workforce development? >> Generally speaking, there are a lot of services now that can quantify your code for errors and then make sure that the code that you're pushing into production is well tested. So what we are trying to make sure is a healthy mix of trying to solve a business problem and asking the right questions. Like today, even in the keynote, it was all about how QuickSight, for example, has additional features now that tells why something happened. And that's the kind of mindset we want our end users to adopt. Not just restricting themselves to a reactive analytics, but rather ask the question why, why did it happen? Why did my sales go down? And I think those technologies and mindset shift is happening across the workforce. >> From a workforce development standpoint, we're seeing there's not enough workforce and the core skills of data, DevOps, standard cloud type work. So, we're actually an ATP advanced training partner, one of the few within the AWS network. So, we've developed programs like our Rising Talent Program that are allowing us to bring the workforce up to the skills that are necessary in this new world. So, it's a more build versus buy strategy because we're on talents real, though it may start to wane a little bit as we change the macroeconomic outlook in 2023, but it's still there. And we still believe that building those workforce and investing in your people is the right thing to do. >> It is, and I think there's a strong alignment there with AWS and their focus on that as well. I wanted to ask you, Brandon. >> Brandon: Absolutely. >> One of the things, so our boss, John Furrier, the co CEO of theCUBE, talked with Adam Selipsky just a week or maybe 10 days ago. He always gets an exclusive interview with the CEO of AWS before reinvent, and one of the things that Adam shared with him is that customers, CEOs and CIOs are not coming to Adam, to this head of AWS to talk about technology, they want to talk about transformation. He's talking about... >> The topic this year. >> Moving away from amorphous topic of digital transformation to business transformation. Are you seeing the same thing in your customer? >> 100%, and if you're not starting at the business level, these initiatives are going to fail. We see it all the time. Again, it's about that misalignment and there's no good answer to that. But digital, I think is amorphous to some degree. We play a lot with the One North partnership that I mentioned earlier, really focusing on that strategy element because consumer dollars are shrinking via inflation, via what we're heading into, and we have to create the best experience possible. We have to create an omnichannel experience to get our products or services to market. And if we're not looking at those as our core goals and we're looking at them as IT or technology challenges, we're not looking in the right place. >> Well, and businesses aren't going to be successful if they're looking at it in those siloed organizations. Data has to be democratizing and we've spent same data democratization for so long, but really, we're seeing that it has to be moving out into the lines of business because another thing Adam shared with John Furrier is that he sees and I'm curious what your thoughts are on this, the title of data analysts going away because everybody in different functions and different lines of business within an organization are going to have to be data analysts to some degree, to use data whether it's marketing, ops, sales, finance, are you seeing the same? >> That is true. I mean, at this point, we are all in the connected world, right? Every data point is connected in some form or shape to another data point. >> Savanna: There are many data points, just sitting here, yeah. >> Absolutely, so I think if you are strategizing, data needs to be right in the center of it. And then your business problems need to be addressed with reliable data. >> No, I mean, advertising, supply chain, marketing, they're all interconnected now, and we're looking at ways to bring a lot of that siloed data into one place so we can make use to it. It goes back to that monetization element of our data. >> That's a lot about context and situational awareness. We want what we want, when we want it, even before we knew we needed it then. I think I said that right. But you know, it's always more faster, quicker and then scaling things up. You see a lot of different customers across verticals, you have an absolutely massive team. Give us a sneak peek into 2023. What does the future hold? >> 2023 is again, to today's keynote, I'm bringing it back because it was a keynote filled with vision and limitless possibilities. And that's what we see. Right now, our customers, they are no longer scared to go and take the plunge into the cloud. And as Brandon said, it's all about being smart about those decisions. So, we are very excited that together with the partnership that we recently acquired and the services and the depth, along with the horizontal domain expertise, we can actually help customers make meaningful message out of their data points. And that keeps us really excited for next year. >> Love that, Brandon, what about you? >> I think the obvious one is DevOps and a focus on optimization, financially, security, et cetera, just for the changing times. The other one is, I still think that digital is going to continue to be a big push in 2023, namely making sure that experience is at its best, whether that's employee and combating the war on talent, keeping your people or opening new revenue streams, enhancing existing revenue streams. You got to keep working on that. >> We got to keep the people happy with the machines and the systems that we are building as we all know. But it's very nice, it's been a lot of human-centric focus and a lot of customer obsession here at the show. We know it's a big thing for you all, for Amazon, for pretty much everyone who sat here. Hopefully it is in general. Hopefully there's nobody who doesn't care about their community, we're not talking to them, if that's the case, we have a new challenge on theCUBE for the show, this year as we kind of prepped you for and can call it a bumper sticker, you can call it a 30 second sizzle reel. But this is sort of your Instagram moment, your TikTok, your thought of leadership highlight. What's the most important story coming out of the show? Srini, you've been quoting the keynotes very well, so, I'm going to you first on this one. >> I think overall, it's all about owning the change. In our TEKsystems culture, it's all about striving for excellence through serving others and owning the change. And so it makes me very excited that when we get that kind of keynote resonating the same message that we invite culturally, that's a big win-win for all the companies. >> It's all about the shared vision. A lot of people with similar vision in this room right now, in this room, like it's a room, it's a massive expo center, just to be clear, I'm sure everyone can see in the background. Brandon >> I would say partnership, continuing to enhance our strategic partnership with AWS, continuing to be our customers' partners in transformation. And bringing those two things together here has been a predominance of my time this week. And we'll continue throughout the week, but we're in it together with our customers and with AWS and looking forward to the future. >> Yeah, that's a beautiful note to end on there. Brandon, Srini, thank you both so much for being here with us. Fantastic to learn from your insights and to continue to emphasize on this theme of collaboration. We look forward to the next conversation with you. Thank all of you for tuning in wherever you happen to be hanging out and watching this fabulous live stream or the replay. We are here at AWS Reinvent 2022 in wonderful sunny Las Vegas, Nevada with Lisa Martin. My name is Savannah Peterson, we are theCUBE, the leading source for high tech coverage.

>>Good afternoon everyone, and welcome back to the Cube. I am Savannah Peterson here, coming to you from Detroit, Michigan. We're at Cuban Day three. Such a series of exciting interviews. We've done over 30, but this conversation is gonna be extra special, don't you think, John? >>Yeah, this is gonna be a good one. Griffon Labs is here with us. We're getting the conversation of what's going on in the industry management, watching the Kubernetes clusters. This is large scale conversations this week. It's gonna be a good one. >>Yeah. Yeah. I'm very excited. He's also got a fantastic Twitter handle, twitchy. H Please welcome Richie Hartman, who is the director of community here at Griffon. Richie, thank you so much for joining us. Thanks >>For having me. >>How's the show been for you? >>Busy. I, I mean, I, I, >>In >>A word, I have a ton of talks at at like maintain a thing and like the covering board searches at the TLC panel. I run forme day. So it's, it's been busy. It, yeah. Monday, I didn't have to run anything. That was quite nice. But there >>You, you have your hands in a lot. I'm not even gonna cover it. Looking at your bio, there's, there's so many different things that you're working on. I know that Grafana specifically had some announcements this week. Yeah, >>Yeah, yeah. We had quite a few, like the, the two largest ones is a, we now have a field Kubernetes integration on Grafana Cloud. So our, our approach is generally extremely open source first. So we try to push stuff into the exporters, like into the open source exporters, into mixes into things which are out there as open source for anyone to use. But that's little bit like a tool set, not a ready made solution. So when we talk integrations, we actually talk about things where you get this like one click experience, You log into your Grafana cloud, you click, I have a Kubernetes, which probably most of us have, and things just work like you in just the data. You have to write dashboards, you have to write alerts, you have to write everything to just get started with extremely opinionated dashboards, SLOs, alerts, again, all those things made by experts, so anyone can use them. And you don't have to reinvent the view for every single user. So that's the one. The other is, >>It's a big deal. >>Oh yeah, it is. Yeah. It is. It, we, we has, its heavily in integrations course. While, I mean, I don't have to convince anyone that perme is a DD factor standard in everything. Cloudnative. But again, it's, it's, it's sometimes a little bit hard to handle or a little bit not easy to get into. So, so smoothing this, this, this path onto onboarding yourself onto this stack and onto those types of solutions. Yes. Is what a lot of people need. Course, if you, if you look at the statistics from coupon, and we just heard this in the governing board session yesterday. Yeah. Like 60% of the people here are first time attendees. So there's a lot of people who just come into this thing and who need, like, this is your path. This is where you should be going. Or at least if you want to go, go there. This is how to get there. >>Here's your runway for takeoff. Yes. Yeah. I think that's a really good point. And I love that you, you had those numbers. I was curious. I, I had seen on Twitter, speaking of Twitter, I had seen, I had seen that, that there were a lot of people here coming for the first time. You're a community guy. Are we at an inflection point where this community is about to continue to scale? >>That's a very good question. Which I can't really answer. So I mean, >>Obviously I bet you're gonna try. >>I covid changed a few things. Yeah. Probably most people, >>A couple things. I mean, you know, casually, it's like such a gentle way of putting that, that was >>Beautiful. I'm gonna say yes, just to explode. All these new ERs are gonna learn Prometheus. They're gonna roll in with a open, open metrics, open telemetry. I love it, >>You know, But, but at the same time, like Cuban is, is ramping back up. But if you look at the, if you look at the registration numbers between Valencia Andro, it was more or less the same. Interesting. Which, so it didn't go onto this, onto this flu trajectory, which it was on like, up to, up to 2019. I expect this to take up again. But also with the economic situation, everything, I, I don't think >>It's, I think the jury's still out on hybrid. I think there's a lot, lot more hybrid. Let's see how the projects are gonna go. That's what I think it's gonna be the tell sign. How many people are in participating? How are the project's advancing? Some of the momentum, >>I mean, from the project level, Most of this is online anyway. Of course. That's how open source, right. I've been working for >>Ages. That's >>Cause you don't have any trouble budget or, or any office or, It's >>Always been that way. >>Yeah, precisely. So the projects are arguably spearheading this, this development and the, the online numbers. I I, I have some numbers in my head, but I'm, I'm not a hundred percent certain to, but they're higher for this time in Detroit than in volunteer as far somewhere. Cool. So that is growing and it's grown in parallel, which also is great. Cause it's much more accessible, much more inclusive. You don't have to have a budget of at least, let's say, I don't know, two to five k to, to fly over the pond and, and attend this thing. You can just do it from your home. So that is, that's a lot more inclusive. And I expect this to, to basically be a second more or less orthogonal growth, growth path. But the best thing about coupon is the hallway track. I'm just meeting people, talking to people and that kind of thing is not really possible with, >>It's, it's great to see people >>In person. No, and it makes such a difference. I mean, yeah. Even and interviewing people in person too. I mean, it does a, it's, it's, and, and this, this whole, I mean cncf, this whole community, every company here is community first. It's how these projects come to be. I think it's awesome. I feel like you got something you're saying to say, Johnny. >>Yeah. And I love some of the advancements. Rich Richie, we talked last time about, you know, open telemetry, open metrics. You're involved in dashboards. Yeah. One of the themes here is ease of use, simplicity, developer productivity. Where do you see the ease of use going from a project standpoint? For me, as you mentions everywhere, it's pretty much, it is, it's almost all corners of the world. Yep. And new people coming in. How, how are you making it easier? What's going on? Give us the update on that. >>So we also, funnily enough at precisely this topic in the TC panel just a few hours ago, about ease of use and about how to, how to make things easier to, to handle how developers currently, like if they just want to get into the cloud native seen, they have like, like we, we did some neck and math, like maybe 10 tools at least, which you have to be somewhat proficient in to just get started, which is honestly horrendous. Yeah. Course. Like with a server, I just had my survey install my thing and it runs, maybe I need a database, but that's roughly it. And this needs to change again. Like it's, it's nice that everything is, is un unraveled. And you have, you, you, you, you don't have those service boundaries which you had before. You can do all the horizontal scaling, you can do all the automatic scaling, all those things that they're super nice. But at the same time, this complexity, which used to be nicely compartmentalized, was deliberately broken up. And so it's becoming a lot harder to, to, like, we, we need to find new ways to compartmentalize this complexity back to, to human understandable levels again, in particular, as we keep onboarding new and new and new, new people, of course it's just not good use of anyone's time to, to just like learn the basics again and again and again. This is something which should be just compartmentalized and automated away. We're >>The three, We were talking to Matt Klein earlier and he was talking about as projects become mature and all over the place and have reach and and usage, you gotta work on the boring stuff. Yes. And when it's boring, that means you have success. Yes. But then you gotta work on the plumbing. What are some of the things that you guys are working on? Because people are relying on the product. >>Oh yeah. So for with my premises head on, the highlight feature is exponential or native or spars. Histograms. There's like three different names for one single concept. If you know Prometheus, you ha you currently have hard bucket boundaries where I say my latency is lower equal two seconds, one second, a hundred milliseconds, what have you. And I can put stuff into those histogram buckets accordingly to those predefined levels, which is extremely efficient, but like on the, on the code level. But it's not very nice for the humans course you need to understand your system before you're able to, to, to choose good cutoff points. And if you, if you, if you add new ones, that's completely fine. But if you want to actually change them, course you, you figured out that you made a fundamental mistake, you're going to have a break in the continue continuity of your observability data. And you cannot undo this in, into the past. So this is just gone native histograms. On the other hand, allow me to, to, okay, I'm not going to get get into the math, but basically you define a single formula, which there comes a good default. If you have good reasons, then you can change it. But if you don't, just don't talk, >>The people are in the math, Hit him up on Twitter. Twitter, h you'll get you that math. >>So the, >>The thing is people want the math, believe me. >>Oh >>Yeah. I mean we don't have time, but hit him up. Yeah. >>There's ProCon in two weeks in Munich and there will be whole talk about like the, the dirty details of all of the stuff. But the, the high level answer is it just does what people would expect it to do. And with very little overhead, you become, you get highly, highly or high resolution histograms, which is really important for a lot of use cases. But this is not just Prometheus with my open metrics head on the 2.0 feature, like the breaking highlight feature of Open Metrics 2.0 will be you guested precisely the same with my open telemetry head on. Low and behold the same underlying technology is being put or has been put into open telemetry. And we've worked for month and month and month and even longer between all different projects to, to assert that we have one single standard which is actually compatible with each other course. One of the worst things which you can have in the cloud ecosystem is if you have soly different things and they break in subtly wrong ways, like it's much better to just not work than to break in a way, which is just a little bit wrong. Of course you won't figure this out until it's too late. So we spent, like with all three hats, we spent insane amounts of time on making this happen and, and making this nice. >>Savannah, one of the things we have so much going on at Cube Con. I mean just you're unpacking like probably another day of cube. We can't go four days, but open time. >>I know, I know. I'm the same >>Open telemetry >>Challenge acceptance open. >>Sorry, we're gonna stay here. All the, They >>Shut the lights off on us last night. >>They literally gonna pull the plug on us. Yeah, yeah, yeah, yeah. They've done that before. It's not the first time we go until they kick us out. We love, love doing this. But Open telemetry is got a lot of news too. So that's, We haven't really talked much about that. >>We haven't at >>All. So there's a lot of stuff going on that, I won't call it boring. That's like code word's. That's cube talk for, for it's working. Yeah. So it's not bad, but there's a lot of stuff going on. Like open telemetry, open metrics, This is the stuff that matters cuz when you go in large scale, that's key. It's just what, missing all the, all the stuff. >>No, >>What are we missing? What are people missing? What's going on in the show that you think that's not actually being reported on? I mean it's a lot of high web assembly for instance got a lot >>Of high. Oh yeah, I was gonna say, I'm glad you're asking this because you, you've already mentioned about seven different hats that you wear. I can only imagine how many hats are actually in your hat cabinet. But you, you are someone with your, with your fingers in a lot of different things. So you can kind of give us a state of the union. Yeah. So go ahead. Let's talk about >>It. So I think you already hit a few good points. Ease of use is definitely one of them. And, and improving the developer experience and not having this like a value of pain. Yeah. That is one of the really big ones. It's going to be interesting cause it is boring. It is janitorial and it needs a different type of persona. A lot of, or maybe not most, but a large fraction of developers like the shiny stuff. And we could see this in Prometheus where like initially the people who contributed this the most where like those restless people who need to fix that one thing, this is impossible, are going to do it. Which changed over the years where the people who now contribute the most are off the janitorial. Like keep things boring, keep things running, still have substantial changes. But but not like more on the maintenance level. >>Yeah. The maintainers. I was just gonna bring that >>Up. Yeah. On the, on the keep things boring while still pushing 'em forward. Yeah. And the thing about ease of use is a lot of this is boring. A lot of this is strategy. A lot of this is toil. A lot of this takes lots of research also in areas where developers are not really good at, like UX for example, and ui like most software developers are really bad at those cause they just think differently from normal humans, I guess. >>So that's an interesting observation that you just made. I we could unpack that on a whole nother show as well. >>So the, the thing is this is going to be interesting for the open source scene course. This needs deliberate investment by companies who assign people to those projects and say, okay, fix that one thing or make it easier to use what have you. That is a lot easier with, with first party products and projects from companies cuz they can invest directly into the thing and they see much more of a value prop. It's, it's kind of normal by now to, to allow developers or even assigned developers onto open source projects. That's not so much the case for the tpms, for the architects, for the UX and your I people like for the documentation people that there's not as much awareness of that this is also driving value for everyone. Yes. And also there's not much as much. >>Yeah, that's a great point. This whole workflow production system of open source, which has grown and keeps growing and we'll keep growing. These be funded. And one of the things we were talking earlier in another session about is about the recession potentially we're hitting and the global issues, macroeconomics that might force some of these projects or companies not to get VC >>Funding. It's such a theme at the show. So, >>So to me, I said it's just not about VC funding. There's other funding mechanisms that's community oriented. There's companies participating, there's other meccas. Richie, if you could have your wishlist of how things could progress an open source, what would you want to see happen in terms of how it's, how things are funded, how things are executed. Cuz developers are going to run businesses. Cuz ultimately if you follow digital transformation to completion, it and developers aren't a department serving the business. They are the business. And that's coming fast. You know, what has to happen in your opinion, if you had the wish magic wand, what would you, what would you snap your fingers to make happen? >>If I had a magic wand that's very different from, from what is achievable. But let, let's >>Go with, Okay, go with the magic wand first. Cause we'll, we'll, we'll we'll riff on that. So >>I'm here for dreams. Yeah, yeah, >>Yeah. I mean I, I've been in open source for more than two, two decades, but now, and most of the open source is being driven forward by people who are not being paid for those. So for example, Gana is the first time I'm actually paid by a company to do my com community work. It's always been on the side. Of course I believe in it and I like doing it. I'm also not bad at it. And so I just kept doing it. But it was like at night on the weekends and everything. And to be honest, it's still at night and in the weekends, but the majority of it is during paid company time, which is awesome. Yeah. Most of the people who have driven this space forward are not in this position. They're doing it at night, they're doing it on the weekends. They're doing it out of dedication to a cause. Yeah. >>The commitment is insane. >>Yeah. At the same time you have companies mostly hyperscalers and either they have really big cloud offerings or they have really big advertisement business or both. And they're extracting a huge amount of value, which has been created in large part elsewhere. Like yes, they employ a ton of developers, but a lot of the technologies they built on and the shoulders of the giants they stand upon it are really poorly paid. And there are some efforts to like, I think the core foundation like which redistribute a little bit of money and such. But if I had my magic wand, everyone who is an open source and actually drives things forwards, get, I don't know, 20% of the value which they create just magically somehow. Yeah. >>Or, or other companies don't extract as much value and, and redistribute more like put more full-time engineers onto projects or whichever, like that would be the ideal state where the people who actually make the thing out of dedication are not more or less left on the sideline. Of course they're too dedicated to just say, Okay, I'm, I'm not doing this anymore. You figure this stuff out and let things tremble and falter. So I mean, it's like with nurses and such who, who just like, they, they know they have something which is important and they keep doing it. Of course they believe in it. >>I think this, I think this is an opportunity to start messaging this narrative because yeah, absolutely. Now we're at an inflection point where there's a big community, there is a shared responsibility in my opinion, to not spread the wealth, but make sure that it's equally balanced and, and the, and I think there's a way to do that. I don't know how yet, but I see that more than ever, it's not just come in, raid the kingdom, steal all the jewels, monetize it, and throw some token token money around. >>Well, in the burnout. Yeah, I mean I, the other thing that I'm thinking about too is it's, you know, it's, it's the, it's the financial aspect of this. It's the cognitive load. And I'm curious actually, when I ask you this question, how do you avoid burnout? You do a million different things and we're, you know, I'm sure the open source community that passion the >>Coach. Yeah. So it's just write code, >>It's, oh, my, my, my software engineering days are firmly over. I'm, I'm, I'm like, I'm the cat herer and the janitor and like this type of thing. I, I don't really write code anymore. >>It's how do you avoid burnout? >>So a i I didn't curse ahead burnout a few years ago. I was not nice, but that was still when I had like a full day job and that day job was super intense and on top I did all the things. Part of being honest, a lot of the people who do this are really dedicated and are really bad at setting boundaries between work >>And process. That's why I bring it up. Yeah. Literally why I bring it up. Yeah. >>I I I'm firmly in that area and I'm, I'm, I don't claim I have this fully figured out yet. It's also even more risky to some extent per like, it's, it's good if you're paid for this and you can do it during your work time. But on the other hand, if it's so nice and like if your hobby and your job are almost completely intersectional, it >>Becomes really, the lines are blurry. >>Yeah. And then yeah, like have work from home. You, you don't even commute anything or anymore. You just sit down at your computer and you just have fun doing your stuff and all of a sudden it's deep at night and you're still like, I want to keep going. >>Sounds like God, something cute. I >>Know. I was gonna say, I was like, passion is something we all have in common here on this. >>That's the key. That is the key point There is a, the, the passion project becomes the job. But now the contribution is interesting because now yeah, this ecosystem is, is has a commercial aspect. Again, this is the, this is the balance between commercialization and keeping that organic production system that's called open source. I mean, it's so fascinating and this is amazing. I want to continue that conversation. It's >>Awesome. Yeah. Yeah. This is, this is great. Richard, this entire conversation has been excellent. Thank you so much for joining us. How can people find you? I mean, I give em your Twitter handle, but if they wanna find out more about Grafana Prometheus and the 1700 things you do >>For grafana grafana.com, for Prometheus, promeus.io for my own stuff, GitHub slash richie age slash talks. Of course I track all my talks in there and like, I don't, I currently don't have a personal website cause I stop bothering, but my, like that repository is, is very, you find what I do over, like for example, the recording link will be uploaded to this GitHub. >>Yeah. Great. Follow. You also run a lot of events and a lot of community activity. Congratulations for you. Also, I talked about this last time, the largest IRC network on earth. You ran, built a data center from scratch. What happened? You done >>That? >>Haven't done a, he even built a cloud hyperscale compete with Amazon. That's the next one. Why don't you put that on the >>Plate? We'll be sure to feature whatever Richie does next year on the cube. >>I'm game. Yeah. >>Fantastic. On that note, Richie, again, thank you so much for being here, John, always a pleasure. Thank you. And thank you for tuning in to us here live from Detroit, Michigan on the cube. My name is Savannah Peterson and here's to hoping that you find balance in your life this weekend.

>>Good afternoon and welcome back to Detroit, Lisa Martin here with John Furrier. We are live day two of our coverage of Coan Cloud Native Con North America. John, we've had great conversations. Yeah. All day yesterday. Half a day today. So far we're talking all things, Well, not all things Kubernetes so much more than that. We also have to talk about storage and data management solutions for Kubernetes projects, cuz that's obviously critical. >>Yeah, I mean the big trend here is Kubernetes going mainstream has been for a while. The adopt is crossing over, it's crossing the CADs and with that you're seeing security concerns. You're seeing things being gaps being filled. But enterprise grade is really the, the, the story. It's going enterprise, that's managed services, that's professional service, that's basically making things work at scale. This next segment hits that part and we are gonna talk about it in grade length >>With one of our alumni. Moral morale to Molly is back DP and GM of Port Work's Peer Storage. Great to have you back really? >>Yeah, absolutely. Delightful >>To be here. So I was looking on the website, number one in Kubernetes storage. Three years in a row. Yep. Awesome. What's Coworks doing here at KU Con? >>Well, I'll tell you, we, our engineering crew has been so productive and hard at work that I almost can't decide what to kind of tell you. But I thought what, what, what I thought I would do is kind of tell you that we are in forefront of two major trends in the world of Kubernetes. Right? And the, the two trends that I see are one is as a service, so is trend number one. So it's not software eating the world anymore. That's, that's old, old, old news. It's as a service unifying the world. The world wants easy, We all are, you know, subscribers to things like Netflix. We've been using Salesforce or other HR functions. Everything is as a service. And in the world of Kubernetes, it's a sign of that maturity that John was talking about as a platform that now as a service is the big trend. >>And so headline number one, if you will, is that Port Works is leading in the data management world for Kubernetes by providing, we're going all in on easy on as a service. So everything we do, we are satisfying it, right? So if you think, if you think about, if you think about this, that, that there are really, most of the people who are consuming Kubernetes are people who are building platforms for their dev users. And dev users want self service. That's one of the advantages of, of, of Kubernetes. And the more it is service size and made as a service, the more ready to consume it is. And so we are announcing at the show that we have, you know, the basic Kubernetes data management as a service, ha d r as a service. We have backup as a service and we have database as a service. So these are the three major components of data. And all of those are being made available as a service. And in fact, we're offering and announcing at the show our backup as a service freemium version where you can get free forever a terabyte of, of, you know, stuff to do for Kubernetes for forever. >>Congratulations on the announcement. Totally. In line with what the market wants. Developers want Selfer, they wanna also want simplicity by the way they'll leave if they don't like the service. Correct. So that you, you know that before we get into some more specifics, I want Yeah. Ask you on the industry and some of the point solutions you have, what, it's been two years since the acquisition with Pure Storage. Can you just give an update on how it's gone? Obviously as a service, you guys are hitting all your Marks, developers love it. Storage are big part of the game right now as well as these environments. Yeah. What's the update post acquisition two years. You had a great offering Stay right In >>Point Works. Yeah. So look, John, you're, you're, you're a veteran of the industry and have seen lots of acquisitions, right? And I've been acquired twice before myself. So, you know, there's, there's always best practices and poor practices in terms of acquisitions and I'm, you know, really delighted to say I think this, this acquisition has had some of the best practices. Let me just name a couple of them, right? One of them is just cultural fit, right? Cultural fit is great. Entrepreneurs, anybody, it's not just entrepreneurs. Everybody loves to work in a place they enjoy working with, with people that they, you know, thrive when they, when they interact with. And so the cultural fit with, with Pure is fantastic. The other one is the strategic intent that Pure had when they acquired us is still true. And so that goes a long way, you know, in terms of an investment profile, in terms of the ability to kind of leverage assets within the company. So Pure had kind of disrupted the world of storage using Flash and they wanted to disrupt higher up the stack using Kubernetes. And that's kind of been our role inside their strategy. And it's, it's still true. >>So culture, strategic intent. Yeah. Product market fit as well. You were, you weren't just an asset for customers or acquisition and then let the founders go through their next thing. You are part of their growth play. >>Absolutely. Right. The, the beauty of, of the kind of product market fit is, let's talk about the market is we have been always focused on the global two k and that is at the heart of, you know, purest 10,000 strong customer base, right? They have very strong presence in the, in the global two k. And we, we allow them to kind of go to those same folks with, with the offering. >>So satisfying everything that you do. What's for me as a business, whether I'm a financial services organization, I'm a hospital, I'm a retailer, what's in it for me >>As a customer? Yeah. So the, the what's in it for, for me is two things. It's speed and ease of use, which in a way are related. But, but, but you know, one is when something is provided as a service, it's much more consumable. It's instantly ready. It's like instant oatmeal, right? You just get it just ad hot water and it's there. Yep. So the world of of it has moved from owning large data centers, right? That used to be like 25 years ago and running those data centers better than everybody else to move to let me just consume a data center in the form of a cloud, right? So satisfying the cloud part of the data center. Now people are saying, well I expect that for software and services and I don't want it just from the public cloud, I want it from my own IT department. >>This is old news. And so the, the, the big news here is how fast Kubernetes has kind of moved everything. You know, you take a lot of these changes, Kubernetes is a poster child for things happening faster than the last wave. And in the last couple of years I would say that as a service model has really kind of thrived in the world of Kubernetes. And developers want to be able to get it fast. And the second thing is they want to be able to operate it fast. Self-service is the other benefit. Yeah. So speed and self-service are both benefits of, of >>This. Yeah. And, and the thing that's come up clearly in the cube, this is gonna be part of the headlines we'll probably end up getting a lot of highlights from telling my team to make a note of this, is that developers are gonna be be the, the business if you, if you take digital transformation to its conclusion, they're not a department that serves the business, they are the business that means Exactly. They have to be more productive. So developer productivity has been the top story. Yes. Security as a serves all these things. These are, these are examples to make developers more productive. But one of the things that came up and I wanna get your reaction to is, is that when you have disruption and, and the storage vision, you know what disruption it means. Cuz there's been a whole discussion around disruptive operations. When storage goes down, you have back m dr and failover. If there's a disruption that changes the nature of invisible infrastructure, developers want invisible infrastructure. That's the future steady state. So if there's a disruption in storage >>Yeah. It >>Can't affect the productivity and the tool chains and the workflows of developers. Yep. Right? So how do you guys look at that? Cuz you're a critical component. Storage is a service is a huge thing. Yeah. Storage has to, has to work seamlessly. And let's keep the developers out of the weeds. >>John. I think what, what what you put your finger on is another huge trend in the world of Kubernetes where at Cube Con, after all, which is really where, where all the leading practitioners both come and the leading vendors are. So here's the second trend that we are leading and, and actually I think it's happening not just with us, but with other, for folks in the industry. And that is, you know, the world of DevOps. Like DevOps has been such a catchphrase for all, all of us in the industry last five years. And it's been both a combination of cultural change as well as technology change. Here's what the latest is on the, in the world of DevOps. DevOps is now crystallized. It's not some kind of mysterious art form that you read about how people are practicing. DevOps is, it's broken into two, two things now. >>There is the platform part. So DevOps is now a bunch of platforms. And the other part of DevOps is a bunch of practices. So a little bit on both these, the platforms in the world of es there's only three platforms, right? There's the orchestration platforms, the, you know, eks, the open ships of the world and so on. There are the data management platforms, pro people like Port Works. And the third is security platforms, right? You know, Palo Alto Networks, others Aqua or all in this. So these are the three platforms and there are platform engineering teams now that many of our largest customers, some of the largest banks, the largest service providers, they're all operating as a ES platform engineering team. And then now developers, to your point, developers are in the practice of being able to use these platforms to launch new services. So the, the actual IT ops, the ops are run by developers now and they can do it on these platforms. And the platform engineering team provide that as an ease of use and they're there to troubleshoot when problems happen. So the idea of DevOps as a ops practice and a platform is the newest thing. E and, and ports and pure storage leading in the world of data management platforms >>There. Talk about a customer example that you think really articulates the value that Port Works and Pure Storage delivers from a data management perspective. >>Yeah, so there's so many examples. One of the, one of the longest running examples we have is a very, very large service provider that, you know, you all know and probably use, and they have been using us in the cable kinda set box or cable box business. They get streams of data from, from cable boxes all over the world. They collected all in a centralized large kind of thing and run elastic search and analytics on it. Now what they have done is they couldn't keep up with this at the scale and the depth, right? The speed of, of activity and the distributed nature of the activity. The only way to solve this was to use something like Kubernetes manage with Spark coming, bringing all the data in to deep, deep, deep silos of storage, which are all running not even on a sand, but on kind of, you know, very deep terabytes and terabytes of, of storage. So all of this is orchestrated with the Heco coworks and there's a platform engineering team. We are building that platform for them with some of these other components that allows them to kind of do analytics and, and make some changes in real time. Huge kind of setup for, for >>That. Yeah. Well, you guys have the right architecture. I love the vision. I love what you guys are doing. I think this is right in line with Pures. They've always been disruptors. I remember when we first interviewed the CEO when they started Yep. They, they stayed on path. They didn't waiver. EMC was the big player. They ended up taking their lunch and dinner as well and they beat 'em in the marketplace. But now you got this traction here. So I have to ask you, how's the business, what's the results look like? Either GM cloud native business unit of a storage company that's transformed and transforming? >>Yeah, you know, it's interesting, we just hit the two year anniversary, right John? And so what we did was just kind of like step back and hey, you know, we're running so hard, you just take a step back. And we've tripled the business in the two years since the acquisition, the two years before and, and we were growing through proven. So, you know, that that's quite a fe and we've tripled the number of people, the amount of engineering investments we have, the number of go to market investments have, have been, have been awesome. So business is going really well though, I will say. But I think, you know, we have, we can't be, we we're watching the market closely. You know, as a former ceo, I, you have to kind of learn to read the tea leaves when you invest. And I think, you know, what I would say is we're proceeding with caution in the next two quarters. I view business transformation as not a cancelable activity. So that's the, that's the good news, right? Our customers are large, it's, >>It's >>Right. All they're gonna do is say, Hey, they're gonna put their hand, their hand was always going right on the dial. Now they're kind of putting their hand on the dial going, hey, where, what is happening? But my, my own sense of this is that people will continue to invest through it. The question is at what level? And I also think that this is a six month kind of watch, the watch where, where we put the dial. So Q4 and q1 I think are kind of, you know, we have our, our watch kind of watch the market sign. But I have the highest confidence. What >>Does your gut tell you? You're an entrepreneur, >>Which my, my gut says that we'll go through a little bit of a cautious investment period in the next six months. And after that I think we're gonna be back in, back full, full in the crazy growth that we've always been. We're gonna grow by the way, in the next think >>It's core style. I think I'm, I'm more bullish. I think there's gonna be some, you know, weeding out of some overinvestment pre C or pre bubble. But I think tech's gonna continue to grow. I don't see >>It's stopping. Yeah. And, and the investment is gonna be on these core platforms. See, back to the platform story, it's gonna be in these core platforms and on unifying everything, let's consume it better rather than let's go kind of experiment with a whole bunch of things all over the map, right? So you'll see less experimentation and more kind of, let's harvest some of the investments we've made in the last couple >>Of years and actually be able to, to enable companies in any industry to truly be data companies. Because absolutely. We talked about as a service, we all have these expectations that any service we want, we can get it. Yes. There's no delay because patients has gone Yeah. From the pandemic. >>So it is kind of, you know, tightening up the screws on what they've built. They, you know, adding some polish to it, adding some more capability, like I said, a a a, a combination of harvesting and new investing. It's a combination I think is what we're gonna see. >>Yeah. What are some of the things that you're looking forward to? You talked about some of the, the growth things in the investment, but as we round out Q4 and head into a new year, what are you excited about? >>Yeah, so you know, I mentioned our, as a service kind of platform, the global two K for us has been a set of customers who we co-create stuff with. And so one of the other set of things that we are very excited about and announcing is because we're deployed at scale, we're, we're, we have upgraded our backend. So we have now the ability to go to million IOPS and more and, and for, for the right backends. And so Kubernetes is a add-on which will not slow down your, your core base infrastructure. Second thing that that we, we have is added a bunch of capability in the disaster recovery business continuity front, you know, we always had like metro kind of distance dr. We had long distance dr. We've added a near sync Dr. So now we can provide disaster recovery and business continuity for metro distances across continents and across the planet. Right? That's kind of a major change that we've done. The third thing is we've added the capability for file block and Object. So now by adding object, we're really a complete solution. So it is really that maturity of the business Yeah. That you start seeing as enterprises move to embracing a platform approach, deploying it much more widely. You talked about the early majority. Yeah. Right. And so what they require is more enterprise class capability and those are all the things that we've been adding and we're really looking forward >>To it. Well it sounds like tremendous evolution and maturation of Port Works in the two years since it's been with Pure Storage. You talked about the cultural alignment, great stuff that you're achieving. Congratulations on that. Yeah. Great stuff >>Ahead and having fun. Let's not forget that, that's too life's too short to do. It is right. >>You're right. Thank you. We will definitely, as always on the cube, keep our eyes on this space. Mur. Meley, it's been great to have you back on the program. Thank you for joining, John. >>Thank you so much. It's pleasure. Our, >>For our guests and John Furrier, Lisa Martin here live in Detroit with the cube about Coan Cloud Native Con at 22. We'll be back after a short break.

>>Hey guys and girls, welcome back to Motor City, Lisa Martin here with John Furrier on the Cube's third day of coverage of Coon Cloud Native Con North America. John, we've had some great conversations over the last two and a half days. We've been talking about identity and security management as a critical need for enterprises within the cloud native space. We're gonna have another quick conversation >>On that. Yeah, we got a great segment coming up from someone who's been in the industry, a long time expert, running a great company. Now it's gonna be one of those pieces that fits into what we call super cloud. Others are calling cloud operating system. Some are calling just Cloud 2.0, 3.0. But there's definitely a major trend happening around how cloud is going Next generation. We've been covering it. So this segment should be >>Great. Let's unpack those trends. One of our alumni is back with us, O Rika Zi, co-founder and CEO of Aerio. Omri. Great to have you back on the >>Cube. Thank you. Great to be here. >>So identity move to the cloud, Access authorization did not talk to us about why you found it assertive, what you guys are doing and how you're flipping that script. >>Yeah, so back 15 years ago, I helped start Azure at Microsoft. You know, one of the first few folks that you know, really focused on enterprise services within the Azure family. And at the time I was working for the guy who ran all of Windows server and you know, active directory. He called it the linchpin workload for the Windows Server franchise, like big words. But what he meant was we had 95% market share and all of these new SAS applications like ServiceNow and you know, Workday and salesforce.com, they had to invent login and they had to invent access control. And so we were like, well, we're gonna lose it unless we figure out how to replace active directory. And that's how Azure Active Directory was born. And the first thing that we had to do as an industry was fix identity, right? Yeah. So, you know, we worked on things like oof Two and Open, Id Connect and SAML and Jot as an industry and now 15 years later, no one has to go build login if you don't want to, right? You have companies like Odd Zero and Okta and one login Ping ID that solve that problem solve single sign-on, on the web. But access Control hasn't really moved forward at all in the last 15 years. And so my co-founder and I who were both involved in the early beginnings of Azure Active directory, wanted to go back to that problem. And that problem is even bigger than identity and it's far from >>Solved. Yeah, this is huge. I think, you know, self-service has been a developer thing that's, everyone knows developer productivity, we've all experienced click sign in with your LinkedIn or Twitter or Google or Apple handle. So that's single sign on check. Now the security conversation kicks in. If you look at with this no perimeter and cloud, now you've got multi-cloud or super cloud on the horizon. You've got all kinds of opportunities to innovate on the security paradigm. I think this is kind of where I'm hearing the most conversation around access control as well as operationally eliminating a lot of potential problems. So there's one clean up the siloed or fragmented access and two streamlined for security. What's your reaction to that? Do you agree? And if not, where, where am I missing that? >>Yeah, absolutely. If you look at the life of an IT pro, you know, back in the two thousands they had, you know, l d or active directory, they add in one place to configure groups and they'd map users to groups. And groups typically corresponded to roles and business applications. And it was clunky, but life was pretty simple. And now they live in dozens or hundreds of different admin consoles. So misconfigurations are rampant and over provisioning is a real problem. If you look at zero trust and the principle of lease privilege, you know, all these applications have these course grained permissions. And so when you have a breach, and it's not a matter of if, it's a matter of when you wanna limit the blast radius of you know what happened, and you can't do that unless you have fine grained access control. So all those, you know, all those reasons together are forcing us as an industry to come to terms with the fact that we really need to revisit access control and bring it to the age of cloud. >>You guys recently, just this week I saw the blog on Topaz. Congratulations. Thank you. Talk to us about what that is and some of the gaps that's gonna help sarto to fill for what's out there in the marketplace. >>Yeah, so right now there really isn't a way to go build fine grains policy based real time access control based on open source, right? We have the open policy agent, which is a great decision engine, but really optimized for infrastructure scenarios like Kubernetes admission control. And then on the other hand, you have this new, you know, generation of access control ideas. This model called relationship based access control that was popularized by Google Zanzibar system. So Zanzibar is how they do access control for Google Docs and Google Drive. If you've ever kind of looked at a Google Doc and you know you're a viewer or an owner or a commenter, Zanzibar is the system behind it. And so what we've done is we've married these two things together. We have a policy based system, OPPA based system, and at the same time we've brought together a directory, an embedded directory in Topaz that allows you to answer questions like, does this user have this permission on this object? And bringing it all together, making it open sources a real game changer from our perspective, real >>Game changer. That's good to hear. What are some of the key use cases that it's gonna help your customers address? >>So a lot of our customers really like the idea of policy based access management, but they don't know how to bring data to that decision engine. And so we basically have a, you know, a, a very opinionated way of how to model that data. So you import data out of your identity providers. So you connect us to Okta or oze or Azure, Azure Active directory. And so now you have the user data, you can define groups and then you can define, you know, your object hierarchy, your domain model. So let's say you have an applicant tracking system, you have nouns like job, you know, know job descriptions or candidates. And so you wanna model these things and you want to be able to say who has access to, you know, the candidates for this job, for example. Those are the kinds of rules that people can express really easily in Topaz and in assertive. >>What are some of the challenges that are happening right now that dissolve? What, what are you looking at to solve? Is it complexity, sprawl, logic problems? What's the main problem set you guys >>See? Yeah, so as organizations grow and they have more and more microservices, each one of these microservices does authorization differently. And so it's impossible to reason about the full surface area of, you know, permissions in your application. And more and more of these organizations are saying, You know what, we need a standard layer for this. So it's not just Google with Zanzibar, it's Intuit with Oddy, it's Carta with their own oddy system, it's Netflix, you know, it's Airbnb with heed. All of them are now talking about how they solve access control extracted into its own service to basically manage complexity and regain agility. The other thing is all about, you know, time to market and, and tco. >>So, so how do you work with those services? Do you replace them, you unify them? What is the approach that you're taking? >>So basically these organizations are saying, you know what? We want one access control service. We want all of our microservices to call that thing instead of having to roll out our own. And so we, you know, give you the guts for that service, right? Topaz is basically the way that you're gonna go implement an access control service without having to go build it the same way that you know, large companies like Airbnb or Google or, or a car to >>Have. What's the competition look like for you guys? I'm not really seeing a lot of competition out there. Are there competitors? Are there different approaches? What makes you different? >>Yeah, so I would say that, you know, the biggest competitor is roll your own. So a lot of these companies that find us, they say, We're sick and tired of investing 2, 3, 4 engineers, five engineers on this thing. You know, it's the gift that keeps on giving. We have to maintain this thing and so we can, we can use your solution at a fraction of the cost a, a fifth, a 10th of what it would cost us to maintain it locally. There are others like Sty for example, you know, they are in the space, but more in on the infrastructure side. So they solve the problem of Kubernetes submission control or things like that. So >>Rolling your own, there's a couple problems there. One is do they get all the corner cases who built a they still, it's a company. Exactly. It's heavy lifting, it's undifferentiated, you just gotta check the box. So probably will be not optimized. >>That's right. As Bezo says, only focus on the things that make your beer taste better. And access control is one of those things. It's part of your security, you know, posture, it's a critical thing to get right, but you know, I wanna work on access control, said no developer ever, right? So it's kind of like this boring, you know, like back office thing that you need to do. And so we give you the mechanisms to be able to build it securely and robustly. >>Do you have a, a customer story example that is one of your go-tos that really highlights how you're improving developer productivity? >>Yeah, so we have a couple of them actually. So there's the largest third party B2B marketplace in the us. Free retail. Instead of building their own, they actually brought in aer. And what they wanted to do with AER was be the authorization layer for both their externally facing applications as well as their internal apps. So basically every one of their applications now hooks up to AER to do authorization. They define users and groups and roles and permissions in one place and then every application can actually plug into that instead of having to roll out their own. >>I'd like to switch gears if you don't mind. I get first of all, great update on the company and progress. I'd like to get your thoughts on the cloud computing market. Obviously you were your legendary position, Azure, I mean look at the, look at the progress over the past few years. Just been spectacular from Microsoft and you set the table there. Amazon web service is still, you know, thundering away even though earnings came out, the market's kind of soft still. You know, you see the cloud hyperscalers just continuing to differentiate from software to chips. Yep. Across the board. So the hyperscalers kicking ass taking names, doing great Microsoft right up there. What's the future? Cuz you now have the conversation where, okay, we're calling it super cloud, somebody calling multi-cloud, somebody calling it distributed computing, whatever you wanna call it. The old is now new again, it just looks different as cloud becomes now the next computer industry, >>You got an operating system, you got applications, you got hardware, I mean it's all kind of playing out just on a massive global scale, but you got regions, you got all kinds of connected systems edge. What's your vision on how this plays out? Because things are starting to fall into place. Web assembly to me just points to, you know, app servers are coming back, middleware, Kubernetes containers, VMs are gonna still be there. So you got the progression. What's your, what's your take on this? How would you share, share your thoughts to a friend or the industry, the audience? So what's going on? What's, what's happening right now? What's, what's going on? >>Yeah, it's funny because you know, I remember doing this quite a few years ago with you probably in, you know, 2015 and we were talking about, back then we called it hybrid cloud, right? And it was a vision, but it is actually what's going on. It just took longer for it to get here, right? So back then, you know, the big debate was public cloud or private cloud and you know, back when we were, you know, talking about these ideas, you know, we said, well you know, some applications will always stay on-prem and some applications will move to the cloud. I was just talking to a big bank and they basically said, look, our stated objective now is to move everything we can to the public cloud and we still have a large private cloud investment that will never go away. And so now we have essentially this big operating system that can, you know, abstract all of this stuff. So we have developer platforms that can, you know, sit on top of all these different pieces of infrastructure and you know, kind of based on policy decide where these applications are gonna be scheduled. So, you know, the >>Operating schedule shows like an operating system function. >>Exactly. I mean like we now, we used to have schedulers for one CPU or you know, one box, then we had schedulers for, you know, kind of like a whole cluster and now we have schedulers across the world. >>Yeah. My final question before we kind of get run outta time is what's your thoughts on web assembly? Cuz that's getting a lot of hype here again to kind of look at this next evolution again that's lighter weight kind of feels like an app server kind of direction. What's your, what's your, it's hyped up now, what's your take on that? >>Yeah, it's interesting. I mean back, you know, what's, what's old is new again, right? So, you know, I remember back in the late nineties we got really excited about, you know, JVMs and you know, this notion of right once run anywhere and yeah, you know, I would say that web assembly provides a pretty exciting, you know, window into that where you can take the, you know, sandboxing technology from the JavaScript world, from the browser essentially. And you can, you know, compile an application down to web assembly and have it real, really truly portable. So, you know, we see for example, policies in our world, you know, with opa, one of the hottest things is to take these policies and can compile them to web assemblies so you can actually execute them at the edge, you know, wherever it is that you have a web assembly runtime. >>And so, you know, I was just talking to Scott over at Docker and you know, they're excited about kind of bringing Docker packaging, OCI packaging to web assemblies. So we're gonna see a convergence of all these technologies right now. They're kind of each, each of our, each of them are in a silo, but you know, like we'll see a lot of the patterns, like for example, OCI is gonna become the packaging format for web assemblies as it is becoming the packaging format for policies. So we did the same thing. We basically said, you know what, we want these policies to be packaged as OCI assembly so that you can sign them with cosign and bring the entire ecosystem of tools to bear on OCI packages. So convergence is I think what >>We're, and love, I love your attitude too because it's the open source community and the developers who are actually voting on the quote defacto standard. Yes. You know, if it doesn't work, right, know people know about it. Exactly. It's actually a great new production system. >>So great momentum going on to the press released earlier this week, clearly filling the gaps there that, that you and your, your co-founder saw a long time ago. What's next for the assertive business? Are you hiring? What's going on there? >>Yeah, we are really excited about launching commercially at the end of this year. So one of the things that we were, we wanted to do that we had a promise around and we delivered on our promise was open sourcing our edge authorizer. That was a huge thing for us. And we've now completed, you know, pretty much all the big pieces for AER and now it's time to commercially launch launch. We already have customers in production, you know, design partners, and you know, next year is gonna be the year to really drive commercialization. >>All right. We will be watching this space ery. Thank you so much for joining John and me on the keep. Great to have you back on the program. >>Thank you so much. It was a pleasure. >>Our pleasure as well For our guest and John Furrier, I'm Lisa Martin, you're watching The Cube Live. Michelle floor of Con Cloud Native Con 22. This is day three of our coverage. We will be back with more coverage after a short break. See that.

(upbeat music) >> Hello, brilliant humans and welcome back to theCUBE. We're live from Detroit, Michigan. My name is Savannah Peterson. Joined here with John Furrier, John, so exciting, day three. >> Day three, cranking along, doing great, final day of KubeCon, it wraps up. This next segment's going to be great. It's about WebAssembly, the hottest trend here, at KubeCon that nobody knows about cause they just got some funding and it's got some great traction. Multiple players in here. People are really interested in this and they're really discovering it. They're digging into it. So, we're going to hear from one of the founders of the company that's involved. So, it'll be great. >> Yeah, I think we're right at the tip of the iceberg really. We started off the show with Scott from Docker talking about this, but we have a thought leader in this space. Please welcome Matt Butcher the CEO and co-founder of Fermyon Thank you for being here. Welcome. >> Yeah, thanks so much for having me. Favorite thing to talk about is WebAssembly after that is coffee but WebAssembly first. >> Hey, it's the morning. We can talk about both those on the show. (all chuckles) >> It might get confusing, but I'm willing to try. >> If you can use coffee as a metaphor to teach everyone about WebAssembly throughout the rest of the show. >> All right. That would be awesome. >> All right I'll keep that in mind. >> So when we were talking before we got on here I thought it was really fun because I think the hype is just starting in the WebAssembly space. Very excited about it. Where do you think we're at, set the stage? >> Honestly, we were really excited to come here and see that kind of first wave of hype. We came here expecting to have to answer the question you know, what is WebAssembly and why is anybody looking at it in the cloud space, and instead people have been coming up to us and saying, you know this WebAssembly thing, we're hearing about it. What are the problems it's solving? >> Savannah: Yeah. >> We're really excited to hear about it. So, people literally have been stopping us in restaurants and walking down the street, hey, "You're at KubeCon, you're the WebAssembly people. Tell us more about what's going on." >> You're like awesome celeb. I love this. >> Yeah, and I, >> This is great >> You know the, the description I used was I expected to come here shouting into the void. Hey, you know anybody, somebody, let me tell you about WebAssembly. Instead it's been people coming to us and saying "We've heard about it. Get us excited about it," and I think that's a great place to be. >> You know, one of the things that's exciting too is that this kind of big trend with this whole extraction layer conversation, multicloud, it reminds me of the old app server days where, you know there was a separation between the back end and front end, and then we're kind of seeing that now with this WebAssembly Wasm trend where the developers just want to have the apps run everywhere and the coding to kind of fall in, take a minute to explain what this is, why it's important, why are people jazzed about there's other companies like Cosmonic is in there. There's a lot of open source movement behind it. You guys are out there, >> Savannah: Docker. >> 20 million in fresh funding. Why is this important? What is it and why is it relevant right now? Why are people talking about it? >> I mean, we can't... There is no penasia in the tech world much for the good of all of us, right? To keep us employed. But WebAssembly seems to be that technology that just sort of arose at the right time to solve a number of problems that were really feeling intractable not very long ago. You know, at the core of what is WebAssembly? Well it's a binary format, right? But there's, you know, built on the same, strain of development that Java was built on in the 90's and then the .net run time. But with a couple of little fundamental changes that are what have made it compelling today. So when we think about the cloud world, we think about, okay well security's a big deal to us. Virtual machines are a way for us to run other people's untrusted operating systems on our hardware. Containers come along, they're a... The virtual machine is really the heavyweight class. This is the big thing. The workhorse of the cloud. Then along come Containers, they're a little slimmer. They're kind of the middleweight class. They provide us this great way to sort of package up just the application, not the entire operating system just the application and the bits we care about and then be able to execute those in a trusted environment. Well you know, serverless was the buzzword a few years ago. But one thing that serverless really identified for us is that we didn't actually have the kind of cloud side architecture that was the compute layer that was going to be able to fulfill the promise of serverless. >> Yeah. >> And you know, at that time I was at Microsoft we got to see behind the curtain and see how Azure operates and see the frustration with going, okay how do we get this faster? How do we get this startup time down from seconds to hundreds of milliseconds, WebAssembly comes along and we're able to execute these things in sub one millisecond, which means there is almost no cost to starting up one of these. >> Sub one millisecond. I just want to let everyone rest on that for a second. We've talked a lot about velocity and scale on the show. I mean everyone here is trying to do things faster >> Yep >> Obviously, but that is a real linchpin that makes a very big difference when we're talking about deploying things. Yeah. >> Yeah, and I mean when you think about the ecological and the cost impact of what we're building with the cloud. When we leave a bunch of things running in idle we're consuming electricity if nothing else. The electricity bill keeps going up and we're paying for it via cloud service charges. If you can start something in sub one millisecond then there's no reason you have to leave it running when nobody's using it. >> Savannah: Doesn't need to be in the background. >> That's right. >> So the lightweight is awesome. So, this new class comes up. So, like Java was a great metaphor there. This is kind of like that for the modern era of apps. >> Yeah. >> Where is this going to apply most, do you think? Where's it going to impact most? >> Well, you know, I think there are really four big categories. I think there's the kind of thing I was just talking about I think serverless and edge computing and kind of the server class of problem space. I think IOT is going to benefit, Amazon, Disney Plus, >> Savannah: Yes, edge. >> And PBS, sorry BBC, they all use WebAssembly for the players because they need to run the same player on thousands of different devices. >> I didn't even think about that use case. What a good example. >> It's a brilliant way to apply it. IOT is a hard space period and to be able to have that kind of layer of abstraction. So, that's another good use case >> Savannah: Yeah. >> And then I think this kind of plugin model is another one. You see it was Envoy proxy using this as a way to extend the core features. And I think that one's going to be very, very promising as well. I'm forgetting one, but you know. (all chuckles) I think you end up with these kind of discreet compartments where you can easily fit WebAssembly in here and it's solving a problem that we didn't have the technology that was really adequately solving it before. >> No, I love that. One of the things I thought was interesting we were all at dinner, we were together on Tuesday. I was chatting with Paris who runs Deliveroo at Apple and I can't say I've heard this about too many tools but when we were talking about WebAssembly she said "This is good for everybody" And, it's really nice when technologies come along that will raise the water level across the board. And I love that you're leading this. Speaking of you just announced a huge series aid, 20 million dollars just a few days ago. What does that mean for you and the team? >> I mean there's a little bit of economic uncertainty and it's always nice, >> Savannah: Just a little bit. >> Little bit. >> Savannah: It's come up on the show a little bit this week >> Just smidge. and it's nice to know that we're at a critical time developing this kind of infrastructure layer developing this kind of developer experience where they can go from, you know, blinking cursor to deployed application in two minutes or less. It would be a tragedy if that got forestalled merely because you can't achieve the velocity you need to carry it out. So, what's very exciting about being able to raise around like that at this critical time is that gives us the ability to grow strategically, be able to continue releasing products, building a community around WebAssembly as a whole and of course around our products at Fermyon is a little smaller circle in the bigger circle, and that's why we are so excited about having closed around, that's the perfect one to extend a runway like that. >> Well I'm super excited by this because one I love the concept. I think it's very relevant, like how you progress heavyweight, middleweight, maybe this is lightweight class. >> I know, I'm here for the analogy. No, it's great, its great. >> Maybe it's a lightweight class. >> And we're slimming, which not many of us can say in these times so that's awesome. >> Maybe it's more like the tractor trailer, the van, now you got the sports car. >> Matt: Yeah, I can go.. >> Now you're getting Detroit on us. >> I was trying for a coffee, when I just couldn't figure it out. (all chuckles) >> So, you got 20 million. I noticed the investors amplify very good technical VC and early stage firm. >> Amazing, yeah. >> Insight, they do early stage, big early stage like this. Also they're on the board of Docker. Docker was intent to put a tool out there. There's other competition out there. Cosmonic is out there. They're funded. So you got VC funded companies like yourselves and Cosmonic and others. What's that mean? Different tool chains, is it going to create fragmentation? Is there a common mission? How do you look at the competition as you get into the market >> When you see an ecosystem form. So, here we are at KubeCon, the cloud native ecosystem at this point I like to think of them as like concentric rings. You have the kind of core and then networking and storage and you build these rings out and the farther out you get then the easier it is to begin talking about competition and differentiation. But, when you're looking at that core piece everybody's got to be in there together working on the same stuff, because we want interoperability, we want standards based solutions. We want common ways of building things. More than anything, we want the developers and operators and users who come into the ecosystem to be able to like instantly feel like, okay I don't have to learn. Like you said, you know, 50 different tools for 50 different companies. "I see how this works", and they're doing this and they're doing this. >> Are you guys all contributing into the same open source? >> Yep, yeah, so... >> All the funding happens. >> Both CNCF and the ByteCode Alliance are organizations that are really kind of pushing forward that core technology. You know, you mentioned Cosmonic, Microsoft, SOSA, Red Hat, VMware, they're all in here too. All contributing and again, with all of us knowing this is that nascent stage where we got to execute it. >> How? >> Do it together. >> How are you guys differentiating? Because you know, open source is a great thing. Rising Tide floats all boats. This is a hot area. Is there a differentiation discussion or is it more let's see how it goes, kind of thing? >> Well for us, we came into it knowing very specifically what the problem was we wanted to solve. We wanted this serverless architecture that executed in sub one millisecond to solve, to really create a new wave of microservices. >> KubeCon loves performance. They want to run their stuff on the fastest platform possible. >> Yeah, and it shouldn't be a roadblock, you know, yeah. >> And you look at someone like SingleStore who's a database company and they're in it because they want to be able to run web assemblies close to the data. Instead of doing a sequel select and pulling it way out here and munging it and then pushing it back in. They move the code in there and it's executing in there. So everybody's kind of finding a neat little niche. You know, Cosmonic has really gone more for an enterprise play where they're able to provide a lot of high level security guarantees. Whereas we've been more interested in saying, "Hey, this your first foray into WebAssembly and you're interested in serverless we'll get you going in like a couple of minutes". >> I want to ask you because we had Scott Johnston on earlier opening keynote so we kind of chatted one-on-one and I went off form cause I really wanted to talk to him because Docker is one of the most important companies since their pivot, when they did their little reset after the first Docker kind of then they sold the enterprise off to Mirantis they've been doing really, really well. What's your relationship to Docker? He was very bullish with you guys. Insights, joint investor. Is there a relationship? You guys talk, what's going on there? >> I mean, I'm going to have to admit a little bit of hero worship on my part. I think Scott is brilliant. I just do, and having come from the Kubernetes world the Fermyon team, we've always kind of kept an eye on Docker communicated with a lot of them. We've known Justin Cormack for years. Chris Cornett. (indistinct) I mean yeah, and so it has been a very natural >> Probably have been accused of every Docker Con and we've did the last three years on the virtual side with them. So, we know them really well. >> You've always got your finger on the pulse for them. >> Do you have a relationship besides a formal relationship or is it more of pass shoot score together in the industry? >> Yeah. No, I think it is kind of the multi-level one. You come in knowing people. You've worked together before and you like working with each other and then it sort of naturally extends onto saying, "Hey, what can we do together?" And also how do we start building this ecosystem around us with Docker? They've done an excellent job of articulating why WebAssembly is a complimentary technology with Containers. Which is something I believe very wholeheartedly. You need all three of the heavyweight, middleweight, lightweight. You can't do all the with just one, and to have someone like that sort of with a voice profoundly be able to express, look we're going to start integrating it to show you how it works this way and prevent this sort of like needless drama where people are going, oh Dockers dead, now everything's WebAssembly, and that's been a great.. >> This fight that's been going on. I mean, Docker, Kubernetes, WebAssembly, Containers. >> Yeah. >> We've seen on the show and we both know this hybrid is the future. We're all going to be using a variety of different tools to achieve our goals and I think that you are obviously one of them. I'm curious because just as we were going on you mentioned that you have a PhD in philosophy. (Matt chuckles) >> Matt: Yeah. >> Which is a wild card. You're actually our second PhD in philosophy working in a very technical role on the show this week, which is kind of cool. So, how does that translate into the culture at Fermyon? What's it like on the team? >> Well, you know, a philosophy degree if nothing else teaches you to think in systems and both human systems and formal systems. So that helps and when you approach the process of building a company, you need to be thinking both in terms of how are we organizing this? How are we organizing the product? How do we organize the team? We have really learned that culture is a major deal and culture philosophy, >> Savannah: Why I'm bringing it up. >> We like that, you know, we've been very forward. We have our chip values, curiosity, humility inclusivity and passion, and those are kind of the four things that we feel like that each of us every day should strive to be exhibiting these kinds of things. Curiosity, because you can't push the envelope if you don't ask the hard questions. Humility, because you know, it's easy to get cocky and talk about things as if you knew all the answers. We know we don't and that means we can learn from Docker and Microsoft >> Savannah: That's why you're curious. >> And the person who stops by the booth that we've never met before and says, "hey" and inclusivity, of course, building a community if you don't execute on that well you can't build a good community. The diversity of the community is what makes it stronger than a singular.. >> You have to come in and be cohesive with the community. >> Matt: Yeah. >> The app focus is a really, I think, relevant right now. The timing of this is right online. I think Scott had a good answer I thought on the relationship and how he sees it. I think it's going to be a nice extension to not a extension that way, but like. >> It probably will be as well. >> Almost a pun there John, almost a pun. >> There actually might be an extension, but evolution what we're going to get to which I think is going to be pure application server, like. >> Yep, yep. Like performance for new class of developer. Then now the question comes up and we've been watching developer productivity. That is a big theme and our belief is that if you take digital transformation to its conclusion IT and developers aren't a department serving the business they are the business. That means the developer workflows will have to be radically rebuilt to handle the velocity and new tech for just coding. I call it architectural list. >> I like that. I might steal that. >> It's a pun, but it's also brings up the provocative question. You shouldn't have to need an architecture to code. I mean, Java was great for that reason in many ways. So, if that happens if the developers are running the business that means more apps. The apps is the business. You got to have tool chains and productivity. You can't have fragmentation. Some people are saying WebAssembly might, fork tool chains, might challenge the developer productivity. what's your answer to that? How would you address that objection? >> I mean the threat of forking is always lurking in the corner in open source. In a way it's probably a positive threat because it keeps us honest it keeps us wanting to be inclusive again and keep people involved. Honestly though, I'm not particularly worried about it. I know that the W-3 as a standards body, of course, one of the most respected standards bodies on the planet. They do html, they do cascading style sheets. WebAssembly is in that camp and those of us in the core are really very interested in saying, you know, come on in, let's build something that's going to be where the core is solid and you know what you got and then you can go into the resurgence of the application server. I mean, I wholeheartedly agree with you on that, and we can only get there if we say, all right, here are the common paradigms that we're all going to agree to use, now let's go build stuff. >> And as we've been saying, developers are setting, I think are going to set the standards and they're going to vote with their code and their feet, if you will. >> Savannah: A hundred percent. >> They will decide if you're not aligning with what they want to do. okay. On how they want to self-serve and or work, you'll figure that out. >> Yep, yep. >> You'll get instant feedback. >> Yeah. >> Well, you know, again, I tell you a huge fan of Docker. One of the things that Docker understood at the very outset, is that they had an infrastructure tool and developers were the way to get adoption, and if you look at how fast they got adoption versus many, many other technologies that are profoundly impacted. >> Savannah: Wild. >> Yeah. >> Savannah: It's a cool story. >> It's because they got the developers to go, "This is amazing, hey infrastructure folks, here's an infrastructure tool that we like" and the infrastructure folks are used to code being tossed over the wall are going, "Are you for real?" I mean, and that was a brilliant way to do it and I think that what.. >> John: Yeah, yeah. >> We want to replay in the WebAssembly world is making it developer friendly and you know the kind of infrastructure that we can actually operate. >> Well congratulations to the entire community. We're huge fans of the concept. I kind of see where it's going with connect the dots. You guys getting a lot of buzz. I have to ask you, my final question is the hype is beyond all recognition at this point. People are super pumped and enthusiastic about it and people are looking at it maybe some challenging it, but that's all good things. How do you get to the next level where people are confident that this is actually going to go the next step? Hype to confidence. We've seen great hype. Envoy was hyped up big time before it came in, then it became great. That was one of my favorite examples. Hype is okay, but now you got to put some meat on the bone. The sizzle on the stake so to speak. So what's going to be the stake for you guys as you see this going forward? What's the need? >> Yeah, you know, I talk about our first guiding story was, you know, blinking cursor to deployed application in two minutes. That's what you need to win developers initially. So, what's the next story after that? It's got to be, Fermyon can run real world applications that solve real world problems. That's where hype often fails. If you can build something that's neat but nobody's quite sure what to do with it, to use it, maybe somebody will discover a good use. But, if you take that gambling asset, >> Savannah: It's that ending answer that makes the difference. >> Yeah, yeah. So we say, all right, what are developers trying to build with our platform and then relentlessly focus on making that easier and solving the real world problem that way. That's the crucial thing that's going to drive us out of that sort of early hype stage into a well adopted technology and I talk from Fermyon point of view but really that's for all of us in the WebAssembly. >> John: Absolutely. >> Very well stated Matt, just to wrap us up when we're interviewing you here on theCUBE next year, what do you hope to be able to say then that you can't say today? >> All this stuff about coffee we didn't cover today, but also.. (all chuckles) >> Savannah: Here for the coffee show. Only analogies, that's a great analogy. >> I want to walk here and say, you know last time we talked about being able to achieve density in servers that was, you know, 10 times Kubernetes. Next year I want to say no, we're actually thousands of times beyond Kubernetes that we're lowering people's electricity bill by making these servers more efficient and the developers love it. >> That your commitment to the environment is something I want to do an entirely different show on. We learned that 7-8% of all the world's powers actually used on data centers through the show this week which is jarring quite frankly. >> Yeah, yeah. Tragic would be a better way of saying that. >> Yeah, I'm holding back so that we don't go over time here quite frankly. But anyways, Matt Butcher thank you so much for being here with us. >> Thank you so much for having me it was pleasure.. >> You are worth the hype you are getting. I am grateful to have you as our WebAssembly thought leader. In addition to Scott today from Docker earlier in the show. John Furrier, thanks for being my co-host and thank all of you for tuning into theCUBE here, live from Detroit. I'm Savannah Peterson and we'll be back with more soon. (ambient music)

>>Good evening, brilliant humans. My name is Savannah Peterson and very delighted to be streaming to you. Live from the Cube Studios here in Motor City, Michigan. I've got John Furrier on my left. John, this is our last interview of the day. Energy just seems to keep oozing. How >>You doing? Take two, Three days of coverage, the queue love segments. This one's great cuz we have a practitioner who's implementing all the hard core talks to be awesome. Can't wait to get into it. >>Yeah, I'm very excited for this one. If it's not very clear, we are a community focused community is a huge theme here at the show at Cape Con. And our next guests are actually a provider and a customer. Turning it over to you. Lisa and Jake, welcome to the show. >>Thank you so much for having us. >>It's great to be here. It is our pleasure. Lisa, you're with Cockroach. Just in case the audience isn't familiar, give us a quick little sound bite. >>We're a distributed sequel database. Highly scalable, reliable. The database you can't kill, right? We will survive the apocalypse. So very resilient. Our customers, mostly retail, FinTech game meet online gambling. They, they, they need that resiliency, they need that scalability. So the indestructible database is the elevator pitch >>And the success has been very well documented. Valuation obviously is a scorp guard, but huge customers. We were at the Escape 19. Just for the record, the first ever multi-cloud conference hasn't come back baby. Love it. It'll come back soon. >>Yeah, well we did a similar version of it just a month ago and I was, that was before Cockroach. I was a different company there talking a lot about multi-cloud. So, but I'm, I've been a car a couple of years now and I run community, I run developer relations. I'm still also a CNCF ambassador, so I lead community as well. I still run a really large user group in the San Francisco Bay area. So we've just >>Been in >>Community, take through the use case. Jake's story set us up. >>Well I would like Jake to take him through the use case and Cockroach is a part of it, but what they've built is amazing. And also Jake's history is amazing. So you can start Jake, >>Wherever you take >>Your Yeah, sure. I'm Jake, I'm CEO and co-founder of Offset. Oted is the commercial entity behind Spice Dvy and Spice Dvy is a permission service. Cool. So a permission service is something that lets developers and let's platform teams really unlock the full potential of their applications. So a lot of people get stuck on My R back isn't flexible enough. How do I do these fine grain things? How do I do these complex sharing workflows that my product manager thinks is so important? And so our service enables those platform teams and developers to do those kinds of things. >>What's your, what's your infrastructure? What's your setup look like? What, how are you guys looking like on the back end? >>Sure. Yeah. So we're obviously built on top of Kubernetes as well. One of the reasons that we're here. So we use Kubernetes, we use Kubernetes operators to orchestrate everything. And then we use, use Cockroach TV as our production data store, our production backend data store. >>So I'm curious, cause I love when these little matchmakers come together. You said you've now been presenting on a little bit of a road show, which is very exciting. Lisa, how are you and the team surfacing stories like Jakes, >>Well, I mean any, any place we can obviously all the social medias, all the blogs, How >>Are you finding it though? >>How, how did you Oh, like from our customers? Yeah, we have an open source version so people start to use us a long time before we even sometimes know about them. And then they'll come to us and they'll be like, I love Cockroach, and like, tell me about it. Like, tell me what you build and if it's interesting, you know, we'll we'll try to give it some light. And it's always interesting to me what people do with it because it's an interesting technology. I like what they've done with it. I mean the, the fact that it's globally distributed, right? That was like a really important thing to you. Totally. >>Yeah. We're also long term fans of Cockroach, so we actually all work together out of Workbench, which was a co-working space and investor in New York City. So yeah, we go way back. We knew the founders. I, I'm constantly saying like if I could have invested early in cockroach, that would've been the easiest check I could have ever signed. >>Yeah, that's awesome. And then we've been following that too and you guys are now using them, but folks that are out there looking to have the, the same challenges, what are the big challenges on selecting the database? I mean, as you know, the history of Cockroach and you're originating the story, folks out there might not know and they're also gonna choose a database. What's the, what's the big challenge that they can solve that that kind of comes together? What, what would you describe that? >>Sure. So we're, as I said, we're a permission service and per the data that you store in a permission service is incredibly sensitive. You need it to be around, right? You need it to be available. If the permission service goes down, almost everything else goes down because it's all calling into the permission service. Is this user allowed to do this? Are they allowed to do that? And if we can't answer those questions, then our customer is down, right? So when we're looking at a database, we're looking for reliability, we're looking for durability, disaster recovery, and then permission services are one of the only services that you usually don't shard geographically. So if you look at like AWS's iam, that's a global service, even though the individual things that they run are actually sharded by region. So we also needed a globally distributed database with all of those other properties. So that's what led us >>To, this is a huge topic. So man, we've been talking about all week the cloud is essentially distributed database at this point and it's distributed system. So distributed database is a hot topic, totally not really well reported. A lot of people talking about it, but how would you describe this distributed trend that's going on? What are the key reasons that they're driving it? What's making this more important than ever in your mind, in your opinion? >>I mean, for our use case, it was just a hard requirement, right? We had to be able to have this global service. But I think just for general use cases, a distributed database, distributed database has that like shared nothing architecture that allows you to kind of keep it running and horizontally scale it. And as your requirements and as your applications needs change, you can just keep adding on capacity and keep adding on reliability and availability. >>I'd love to get both of your opinion. You've been talking about the, the, the, the phases of customers, the advanced got Kubernetes going crazy distributed, super alpha geek. Then you got the, the people who are building now, then you got the lagers who are coming online. Where do you guys see the market now in terms of, I know the Alphas are all building all the great stuff and you guys had great success with all the top logos and they're all doing hardcore stuff. As the mainstream enterprise comes in, where's their psychology, what's on their mind? What's, you share any insight into your perspective on that? Because we're seeing a lot more of it folks becoming like real cloud players. >>Yeah, I feel like in mainstream enterprise hasn't been lagging as much as people think. You know, certainly there's been pockets in big enterprises that have been looking at this and as distributed sequel, it gives you that scalability that it's absolutely essential for big enterprises. But also it gives you the, the multi-region, you know, the, you have to be globally distributed. And for us, for enterprises, you know, you need your data near where the users are. I know this is hugely important to you as well. So you have to be able to have a multi-region functionality and that's one thing that distributed SQL lets you build and that what we built into our product. And I know that's one of the things you like too. >>Yeah, well we're a brand new product. I mean we only founded the company two years ago, but we're actually getting inbound interest from big enterprises because we solve the kinds of challenges that they have and whether, I mean, most of them already do have a cockroach footprint, but whether they did or didn't, once they need to bring in our product, they're going to be adopting cockroach transitively anyway. >>So, So you're built on top of Cockroach, right? And Spice dv, is that open source or? >>It >>Is, yep. Okay. And explain the role of open source and your business model. Can you take a minute to talk about the relevance of that? >>Yeah, open source is key. My background is, before this I was at Red Hat. Before that we were at CoreOS, so CoreOS acquisition and before that, >>One of the best acquisitions that ever happened for the value. That was a great, great team. Yeah, >>We, we, we had fun and before that we built Qua. So my co-founders and I, we built Quay, which is a, a first private docker registry. So CoreOS and, and all of those things are all open source or deeply open source. So it's just in our dna. We also see it as part of our go-to market motion. So if you are a database, a lot of people won't even consider what you're doing without being open source. Cuz they say, I don't want to take a, I don't want to, I don't want to end up in an Oracle situation >>Again. Yeah, Oracle meaning they go, you get you locked in, get you in a headlock, Increase prices. >>Yeah. Oh yeah, >>Can, can >>I got triggered. >>You need to talk about your PTSD there >>Or what. >>I mean we have 20,000 stars on GitHub because we've been open and transparent from the beginning. >>Yeah. And it >>Well, and both of your projects were started based on Google Papers, >>Right? >>That is true. Yep. And that's actually, so we're based off of the Google Zans of our paper. And as you know, Cockroach is based off of the Google Span paper and in the the Zanzibar paper, they have this globally distributed database that they're built on top of. And so when I said we're gonna go and we're gonna make a company around the Zabar paper, people would go, Well, what are you gonna do for Span? And I was like, Easy cockroach, they've got us covered. >>Yeah, I know the guys and my friends. Yeah. So the question is why didn't you get into the first round of Cockroach? She said don't answer that. >>The question he did answer though was one of those age old arguments in our community about pronunciation. We used to argue about Quay, I always called it Key of course. And the co-founder obviously knows how it's pronounced, you know, it's the et cd argument, it's the co cuddl versus the control versus coo, CTL Quay from the co-founder. That is end of argument. You heard it here first >>And we're keeping it going with Osted. So awesome. A lot of people will say Zeed or, you know, so we, we just like to have a little ambiguity >>In the, you gotta have some semantic arguments, arm wrestling here. I mean, it keeps, it keeps everyone entertained, especially on the over the weekend. What's, what's next? You got obviously Kubernetes in there. Can you explain the relationship between Kubernetes, how you're handling Spice dv? What, what does the Kubernetes piece fit in and where, where is that going to be going? >>Yeah, great question. Our flagship product right now is a dedicated, and in a dedicated, what we're doing is we're spinning up a single tenant Kubernetes cluster. We're installing all of our operator suite, and then we're installing the application and running it in a single tenant fashion for our customers in the same region, in the same data center where they're running their applications to minimize latency. Because of this, as an authorization service, latency gets passed on directly to the end user. So everybody's trying to squeeze the latency down as far as they can. And our strategy is to just run these single tenant stacks for people with the minimal latency that we can and give them a VPC dedicated link very similar to what Cockroach does in their dedicated >>Product. And the distributed architecture makes that possible because it's lighter way, it's not as heavy. Is that one of the reasons? >>Yep. And Kubernetes really gives us sort of like a, a level playing field where we can say, we're going going to take the provider, the cloud providers Kubernetes offering, normalize it, lay down our operators, and then use that as the base for delivering >>Our application. You know, Jake, you made me think of something I wanted to bring up with other guests, but now since you're here, you're an expert, I wanna bring that up, but talk about Super Cloud. We, we coined that term, but it's kind of multi-cloud, is that having workloads on multiple clouds is hard. I mean there are, they are, there are workloads on, on clouds, but the complexity of one clouds, let's take aws, they got availability zones, they got regions, you got now data issues in each one being global, not that easy on one cloud, nevermind all clouds. Can you share your thoughts on how you see that progression? Because when you start getting, as its distributed database, a lot of good things might come up that could fit into solving the complexity of global workloads. Could you share your thoughts on or scoping that problem space of, of geography? Yeah, because you mentioned latency, like that's huge. What are some of the other challenges that other people have with mobile? >>Yeah, absolutely. When you have a service like ours where the data is small, but very critical, you can get a vendor like Cockroach to step in and to fill that gap and to give you that globally distributed database that you can call into and retrieve the data. I think the trickier issues come up when you have larger data, you have huge binary blobs. So back when we were doing Quay, we wanted to be a global service as well, but we had, you know, terabytes, petabytes of data that we were like, how do we get this replicated everywhere and not go broke? Yeah. So I think those are kind of the interesting issues moving forward is what do you do with like those huge data lakes, the huge amount of data, but for the, the smaller bits, like the things that we can keep in a relational database. Yeah, we're, we're happy that that's quickly becoming a solved >>Problem. And by the way, that that data problem also is compounded when the architecture goes to the edge. >>Totally. >>I mean this is a big issue. >>Exactly. Yeah. Edge is something that we're thinking a lot about too. Yeah, we're lucky that right now the applications that are consuming us are in a data center already. But as they start to move to the edge, we're going to have to move to the edge with them. And it's a story that we're gonna have to figure out. >>All right, so you're a customer cockroach, what's the testimonial if I put you on the spot, say, hey, what's it like working with these guys? You know, what, what's the, what's the, you know, the founders, so you know, you give a good description, little biased, but we'll, we'll we'll hold you on it. >>Yeah. Working with Cockroach has been great. We've had a couple things that we've run into along the way and we've gotten great support from our account managers. They've brought in the right technical expertise when we need it. Cuz what we're doing with Cockroach is not you, you couldn't do it on Postgres, right? So it's not just a simple rip and replace for us, we're using all of the features of Cockroach, right? We're doing as of system time queries, we're doing global replication. We're, you know, we're, we're consuming it all. And so we do need help from them sometimes and they've been great. Yeah. >>And that's natural as they grow their service. I mean the world's changing. >>Well I think one of the important points that you mentioned with multi-cloud, we want you to have the choice. You know, you can run it in in clouds, you can run it hybrid, you can run it OnPrem, you can do whatever you want and it's just, it's one application that you can run in these different data centers. And so really it's up to you how do you want to build your infrastructure? >>And one of the things we've been talking about, the super cloud concept that we've been issue getting a lot of contrary, but, but people are leaning into it is that it's the refactoring and taking advantage of the services. Like what you mentioned about cockroach. People are doing that now on cloud going the lift and shift market kind of had it time now it's like hey, I can start taking advantage of these higher level services or capability of someone else's stack and refactoring it. So I think that's a dynamic that I'm seeing a lot more of. And it sounds like it's working out great in this situation. >>I just came from a talk and I asked them, you know, what don't you wanna put in the cloud and what don't you wanna run in Kubernetes or on containers and good Yeah. And the customers that I was on stage with, one of the guys made a joke and he said I would put my dog in a container room. I could, he was like in the category, which is his right, which he is in the category of like, I'll put everything in containers and these are, you know, including like mis critical apps, heritage apps, since they don't wanna see legacy anymore. Heritage apps, these are huge enterprises and they wanna put everything in the cloud. Everything >>You so want your dog that gets stuck on the airplane when it's on the tarmac. >>Oh >>God, that's, she was the, don't take that analogy. Literally don't think about that. Well that's, >>That's let's not containerize. >>There's always supply chain concern. >>It. So I mean going macro and especially given where we are cncf, it's all about open source. Do y'all think that open source builds a better future? >>Yeah and a better past. I mean this is, so much of this software is founded on open source. I, we wouldn't be here really. I've been in open source community for many, many years so I wouldn't say I'm biased. I would say this is how we build software. I came from like in a high school we're all like, oh let's build a really cool application. Oh you know what? I built this cuz I needed it, but maybe somebody else needs it too. And you put it out there and that is the ethos of Silicon Valley, right? That's where we grew up. So I've always had that mindset, you know, and social coding and why I have three people, right? Working on the same thing when one person you could share it's so inefficient. All of that. Yeah. So I think it's great that people work on what they're really good at. You know, we all, now you need some standardization, you need some kind of control around this whole thing. Sometimes some foundations to, you know, herd the cats. Yeah. But it's, it's great. Which is why I'm a c CF ambassador and I spend a lot of time, you know, in my free time talking about open source. Yeah, yeah. >>It's clear how passionate you are about it. Jake, >>This is my second company that we founded now and I don't think either of them could have existed without the base of open source, right? Like when you look at I have this cool idea for an app or a company and I want to go try it out, the last thing I want to do is go and negotiate with a vendor to get like the core data component. Yeah. To even be able to get to the >>Prototypes. NK too, by the way. Yeah. >>Hey >>Nk >>Or hire, you know, a bunch of PhDs to go and build that core component for me. So yeah, I mean nobody can argue that >>It truly is, I gotta say a best time if you're a developer right now, it's awesome to be a developer right now. It's only gonna get better. As we were riff from the last session about productivity, we believe that if you follow the digital transformation to its conclusion, developers and it aren't a department serving the business, they are the business. And that means they're running the show, which means that now their entire workflow is gonna change. It's gonna be have to be leveraging services partnering. So yeah, open source just fills that. So the more code coming up, it's just no doubt in our mind that that's go, that's happening and will accelerate. So yeah, >>You know, no one company is gonna be able to compete with a community. 50,000 users contributing versus you riding it yourself in your garage with >>Your dogs. Well it's people driven too. It's humans not container. It's humans working together. And here you'll see, I won't say horse training, that's a bad term, but like as projects start to get traction, hey, why don't we come together as, as the world starts to settle and the projects have traction, you start to see visibility into use cases, functionality. Some projects might not be, they have to kind of see more kind >>Of, not every feature is gonna be development. Oh. So I mean, you know, this is why you connect with truly brilliant people who can architect and distribute sequel database. Like who thought of that? It's amazing. It's as, as our friend >>You say, Well let me ask you a question before we wrap up, both by time, what is the secret of Kubernetes success? What made Kubernetes specifically successful? Was it timing? Was it the, the unambitious nature of it, the unification of it? Was it, what was the reason why is Kubernetes successful, right? And why nothing else? >>Well, you know what I'm gonna say? So I'm gonna let Dave >>First don't Jake, you go first. >>Oh boy. If we look at what was happening when Kubernetes first came out, it was, Mesosphere was kind of like the, the big player in the space. I think Kubernetes really, it had the backing from the right companies. It had the, you know, it had the credibility, it was sort of loosely based on Borg, but with the story of like, we've fixed everything that was broken in Borg. Yeah. And it's better now. Yeah. So I think it was just kind and, and obviously people were looking for a solution to this problem as they were going through their containerization journey. And I, yeah, I think it was just right >>Place, the timing consensus of hey, if we just let this happen, something good might come together for everybody. That's the way I felt. I >>Think it was right place, right time, right solution. And then it just kind of exploded when we were at Cores. Alex Povi, our ceo, he heard about Kubernetes and he was like, you know, we, we had a thing called Fleet D or we had a tool called Fleet. And he's like, Nope, we're all in on Kubernetes now. And that was an amazing Yeah, >>I remember that interview. >>I, amazing decision. >>Yeah, >>It's clear we can feel the shift. It's something that's come up a lot this week is is the commitment. Everybody's all in. People are ready for their transformation and Kubernetes is definitely gonna be the orchestrator that we're >>Leveraging. Yeah. And it's an amazing community. But it was, we got lucky that the, the foundational technology, I mean, you know, coming out of Google based on Go conferences, based on Go, it's no to coincidence that this sort of nature of, you know, pods horizontally, scalable, it's all fits together. I does make sense. Yeah. I mean, no offense to Python and some of the other technologies that were built in other languages, but Go is an awesome language. It's so, so innovative. Innovative things you could do with it. >>Awesome. Oh definitely. Jake, I'm very curious since we learned on the way and you are a Detroit native? >>I am. Yep. I grew up in the in Warren, which is just a suburb right outside of Detroit. >>So what does it mean to you as a Michigan born bloke to be here, see your entire community invade? >>It is, I grew up coming to the Detroit Auto Show in this very room >>That brought me to Detroit the first time. Love n a I a s. Been there with our friends at Ford just behind us. >>And it's just so interesting to me to see the accumulation, the accumulation of tech coming to Detroit cuz it's really not something that historically has been a huge presence. And I just love it. I love to see the activity out on the streets. I love to see all the restaurants and coffee shops full of people. Just, I might tear up. >>Well, I was wondering if it would give you a little bit of that hometown pride and also the joy of bringing your community together. I mean, this is merging your two probably most core communities. Yeah, >>Yeah. Your >>Youth and your, and your career. It doesn't get more personal than that really. Right. >>It's just been, it's been really exciting to see the energy. >>Well thanks for going on the queue. Thanks for sharing. Appreciate it. Thanks >>For having us. Yeah, thank you both so much. Lisa, you were a joy of ball of energy right when you walked up. Jake, what a compelling story. Really appreciate you sharing it with us. John, thanks for the banter and the fabulous questions. I'm >>Glad I could help out. >>Yeah, you do. A lot more than help out sweetheart. And to all of you watching the Cube today, thank you so much for joining us live from Detroit, the Cube Studios. My name is Savannah Peterson and we'll see you for our event wrap up next.

>>Hello everyone and welcome back to Motor City, Michigan. We're live from the Cube and my name is Savannah Peterson. Joined this afternoon with my co-host John Ferer. John, how you doing? Doing >>Great. This next segment's gonna be awesome about application modernization, scaling pluses. This is what's gonna, how are the next generation software revolution? It's gonna be >>Fun. You know, it's kind of been a theme of our day today is scale. And when we think about the complex orchestration platform that is Kubernetes, everyone wants to scale faster, quicker, more efficiently, and our guests are here to tell us all about that. Please welcome to Char and Andy, thank you so much for being here with us. You were on the Red Hat OpenShift team. Yeah. I suspect most of our audience is familiar, but just in case, let's give 'em a quick one-liner pitch so everyone's on the same page. Tell us about OpenShift. >>I, I'll take that one. OpenShift is our ES platform is our ES distribution. You can consume it as a self-managed platform or you can consume it as a managed service on on public clouds. And so we just call it all OpenShift. So it's basically Kubernetes, but you know, with a CNCF ecosystem around it to make things more easier. So maybe there's two >>Lights. So what does being at coupon mean for you? How does it feel to be here? What's your initial takes? >>Exciting. I'm having a fantastic time. I haven't been to coupon since San Diego, so it's great to be back in person and see old friends, make new friends, have hallway conversations. It's, it's great as an engineer trying to work in this ecosystem, just being able to, to be in the same place with these folks. >>And you gotta ask, before we came on camera, you're like, this is like my sixth co con. We were like, we're seven, you know, But that's a lot of co coupons. It >>Is, yes. I mean, so what, >>Yes. >>Take us status >>For sure. Where we are now. Compare and contrast co. Your first co con, just scope it out. What's the magnitude of change? If you had to put a pin on that, because there's a lot of new people coming in, they might not have seen where it's come from and how we got here is maybe not how we're gonna get to the next >>Level. I've seen it grow tremendously since the first one I went to, which I think was Austin several years ago. And what's great is seeing lots of new people interested in contributing and also seeing end users who are trying to figure out the best way to take advantage of this great ecosystem that we have. >>Awesome. And the project management side, you get the keys to the Kingdom with Red Hat OpenShift, which has been successful. Congratulations by the way. Thank you. We watched that grow and really position right on the wave. It's going great. What's the update on on the product? Kind of, you're in a good, good position right now. Yeah, >>No, we we're feeling good about it. It's all about our customers. Obviously the fact that, you know, we have thousands of customers using OpenShift as the cloud native platform, the container platform. We're very excited. The great thing about them is that, I mean you can go to like OpenShift Commons is kind of a user group that we run on the first day, like on Tuesday we ran. I mean you should see the number of just case studies that our customers went through there, you know? And it is fantastic to see that. I mean it's across so many different industries, across so many different use cases, which is very exciting. >>One of the things we've been reporting here in the Qla scene before, but here more important is just that if you take digital transformation to the, to its conclusion, the IT department and developers, they're not a department to serve the business. They are the business. Yes. That means that the developers are deciding things. Yeah. And running the business. Prove their code. Yeah. Okay. If that's, if that takes place, you gonna have scale. And we also said on many cubes, certainly at Red Hat Summit and other ones, the clouds are distributed computer, it's distributed computing. So you guys are focusing on this project, Andy, that you're working on kcp. >>Yes. >>Which is, I won't platform Kubernetes platform for >>Control >>Planes. Control planes. Yes. Take us through, what's the focus on why is that important and why is that relate to the mission of developers being in charge and large scale? >>Sure. So a lot of times when people are interested in developing on Kubernetes and running workloads, they need a cluster of course. And those are not cheap. It takes time, it takes money, it takes resources to get them. And so we're trying to make that faster and easier for, for end users and everybody involved. So with kcp, we've been able to take what looks like one normal Kubernetes and partition it. And so everybody gets a slice of it. You're an administrator in your little slice and you don't have to ask for permission to install new APIs and they don't conflict with anybody else's APIs. So we're really just trying to make it super fast and make it super flexible. So everybody is their own admin. >>So the developer basically looks at it as a resource blob. They can do whatever they want, but it's shared and provisioned. >>Yes. One option. It's like, it's like they have their own cluster, but you don't have to go through the process of actually provisioning a full >>Cluster. And what's the alternative? What's the what's, what's the, what's the benefit and what was the alternative to >>This? So the alternative, you spin up a full cluster, which you know, maybe that's three control plane nodes, you've got multiple workers, you've got a bunch of virtual machines or bare metal, or maybe you take, >>How much time does that take? Just ballpark. >>Anywhere from five minutes to an hour you can use cloud services. Yeah. Gke, E Ks and so on. >>Keep banging away. You're configuring. Yeah. >>Those are faster. Yeah. But it's still like, you still have to wait for that to happen and it costs money to do all of that too. >>Absolutely. And it's complex. Why do something that's been done, if there's a tool that can get you a couple steps down the path, which makes a ton of sense. Something that we think a lot when we're talking about scale. You mentioned earlier, Tohar, when we were chatting before the cams were alive, scale means a lot of different things. Can you dig in there a little bit? >>Yeah, I >>Mean, so when, when >>We talk about scale, >>We are talking about from a user perspective, we are talking about, you know, there are more users, there are more applications, there are more workloads, there are more services being run on Kubernetes now, right? So, and OpenShift. So, so that's one dimension of this scale. The other dimension of the scale is how do you manage all the underlying infrastructure, the clusters, the name spaces, and all the observability data, et cetera. So that's at least two levels of scale. And then obviously there's a third level of scale, which is, you know, there is scale across not just different clouds, but also from cloud to the edge. So there is that dimension of scale. So there are several dimensions of this scale. And the one that again, we are focused on here really is about, you know, this, the first one that I talk about is a user. And when I say user, it could be a developer, it could be an application architect, or it could be an application owner who wants to develop Kubernetes applications for Kubernetes and wants to publish those APIs, if you will, and make it discoverable and then somebody consumes it. So that's the scale we are talking about >>Here. What are some of the enterprise, you guys have a lot of customers, we've talked to you guys before many, many times and other subjects, Red Hat, I mean you guys have all the customers. Yeah. Enterprise, they've been there, done that. And you know, they're, they're savvy. Yeah. But the cloud is a whole nother ballgame. What are they thinking about? What's the psychology of the customer right now? Because now they have a lot of choices. Okay, we get it, we're gonna re-platform refactor apps, we'll keep some legacy on premises for whatever reasons. But cloud pretty much is gonna be the game. What's the mindset right now of the customer base? Where are they in their, in their psych? Not the executive, but more of the the operators or the developers? >>Yeah, so I mean, first of all, different customers are at different levels of maturity, I would say in this. They're all on a journey how I like to describe it. And in this journey, I mean, I see a customers who are really tip of the sphere. You know, they have containerized everything. They're cloud native, you know, they use best of tools, I mean automation, you know, complete automation, you know, quick deployment of applications and all, and life cycle of applications, et cetera. So that, that's kind of one end of this spectrum >>Advanced. Then >>The advances, you know, and, and I, you know, I don't, I don't have any specific numbers here, but I'd say there are quite a few of them. And we see that. And then there is kind of the middle who are, I would say, who are familiar with containers. They know what app modernization, what a cloud application means. They might have tried a few. So they are in the journey. They are kind of, they want to get there. They have some other kind of other issues, organizational or talent and so, so on and so forth. Kinds of issues to get there. And then there are definitely the quota, what I would call the lag arts still. And there's lots of them. But I think, you know, Covid has certainly accelerated a lot of that. I hear that. And there is definitely, you know, more, the psychology is definitely more towards what I would say public cloud. But I think where we are early also in the other trend that I see is kind of okay, public cloud great, right? So people are going there, but then there is the so-called edge also. Yeah. That is for various regions. You, you gotta have a kind of a regional presence, a edge presence. And that's kind of the next kind of thing taking off here. And we can talk more >>About it. Yeah, let's talk about that a little bit because I, as you know, as we know, we're very excited about Edge here at the Cube. Yeah. What types of trends are you seeing? Is that space emerges a little bit more firmly? >>Yeah, so I mean it's, I mean, so we, when we talk about Edge, you're talking about, you could talk about Edge as a, as a retail, I mean locations, right? >>Could be so many things edges everywhere. Everywhere, right? It's all around us. Quite literally. Even on the >>Scale. Exactly. In space too. You could, I mean, in fact you mentioned space. I was, I was going to >>Kinda, it's this world, >>My space actually Kubernetes and OpenShift running in space, believe it or not, you know, So, so that's the edge, right? So we have Industrial Edge, we have Telco Edge, we have a 5g, then we have, you know, automotive edge now and, and, and retail edge and, and more, right? So, and space, you know, So it's very exciting there. So the reason I tag back to that question that you asked earlier is that that's where customers are. So cloud is one thing, but now they gotta also think about how do I, whatever I do in the cloud, how do I bring it to the edge? Because that's where my end users are, my customers are, and my data is, right? So that's the, >>And I think Kubernetes has brought that attention to the laggards. We had the Laed Martin on yesterday, which is an incredible real example of Kubernetes at the edge. It's just incredible story. We covered it also wrote a story about it. So compelling. Cuz it makes it real. Yes. And Kubernetes is real. So then the question is developer productivity, okay, Things are starting to settle in. We've got KCP scaling clusters, things are happening. What about the tool chains? And how do I develop now I got scale of development, more code coming in. I mean, we are speculating that in the future there's so much code in open source that no one has to write code anymore. Yeah. At some point it's like this gluing things together. So the developers need to be productive. How are we gonna scale the developer equation and eliminate the, the complexity of tool chains and environments. Web assembly is super hyped up at this show. I don't know why, but sounds good. No one, no one can tell me why, but I can kind of connect the dots. But this is a big thing. >>Yeah. And it's fitting that you ask about like no code. So we've been working with our friends at Cross Plain and have integrated with kcp the ability to no code, take a whole bunch of configuration and say, I want a database. I want to be a, a provider of databases. I'm in an IT department, there's a bunch of developers, they don't wanna have to write code to create databases. So I can just take, take my configuration and make it available to them. And through some super cool new easy to use tools that we have as a developer, you can just say, please give me a database and you don't have to write any code. I don't have to write any code to maintain that database. I'm actually using community tooling out there to get that spun up. So there's a lot of opportunities out there. So >>That's ease of use check. What about a large enterprise that's got multiple tool chains and you start having security issues. Does that disrupt the tool chain capability? Like there's all those now weird examples emerging, not weird, but like real plumbing challenges. How do you guys see that evolving with Red >>Hat and Yeah, I mean, I mean, talking about that, right? The software, secure software supply chain is a huge concern for everyone after, especially some of the things that have happened in the past few >>Years. Massive team here at the show. Yeah. And just within the community, we're all a little more aware, I think, even than we were before. >>Before. Yeah. Yeah. And, and I think the, so to step back, I mean from, so, so it's not just even about, you know, run time vulnerability scanning, Oh, that's important, but that's not enough, right? So we are talking about, okay, how did that container, or how did that workload get there? What is that workload? What's the prominence of this workload? How did it get created? What is in it? You know, and what, what are, how do I make, make sure that there are no unsafe attack s there. And so that's the software supply chain. And where Red Hat is very heavily invested. And as you know, with re we kind of have roots in secure operating system. And rel one of the reasons why Rel, which is the foundation of everything we do at Red Hat, is because of security. So an OpenShift has always been secure out of the box with things like scc, rollbacks access control, we, which we added very early in the product. >>And now if you kind of bring that forward, you know, now we are talking about the complete software supply chain security. And this is really about right how from the moment the, the, the developer rights code and checks it into a gateway repository from there on, how do you build it? How do you secure it at each step of the process, how do you sign it? And we are investing and contributing to the community with things like cosign and six store, which is six store project. And so that secures the supply chain. And then you can use things like algo cd and then finally we can do it, deploy it onto the cluster itself. And then we have things like acs, which can do vulnerability scanning, which is a container security platform. >>I wanna thank you guys for coming on. I know Savannah's probably got a last question, but my last question is, could you guys each take a minute to answer why has Kubernetes been so successful today? What, what was the magic of Kubernetes that made it successful? Was it because no one forced it? Yes. Was it lightweight? Was it good timing, right place at the right time community? What's the main reason that Kubernetes is enabling all this, all this shift and goodness that's coming together, kind of defacto unifies people, the stacks, almost middleware markets coming around. Again, not to use that term middleware, but it feels like it's just about to explode. Yeah. Why is this so successful? I, >>I think, I mean, the shortest answer that I can give there really is, you know, as you heard the term, I think Satya Nala from Microsoft has used it. I don't know if he was the original person who pointed, but every company wants to be a software company or is a software company now. And that means that they want to develop stuff fast. They want to develop stuff at scale and develop at, in a cloud native way, right? You know, with the cloud. So that's, and, and Kubernetes came at the right time to address the cloud problem, especially across not just one public cloud or two public clouds, but across a whole bunch of public clouds and infrastructure as, and what we call the hybrid clouds. I think the ES is really exploded because of hybrid cloud, the need for hybrid cloud. >>And what's your take on the, the magic Kubernetes? What made it, what's making it so successful? >>I would agree also that it came about at the right time, but I would add that it has great extensibility and as developers we take it advantage of that every single day. And I think that the, the patterns that we use for developing are very consistent. And I think that consistency that came with Kubernetes, just, you have so many people who are familiar with it and so they can follow the same patterns, implement things similarly, and it's just a good fit for the way that we want to get our software out there and have, and have things operate. >>Keep it simple, stupid almost is that acronym, but the consistency and the de facto alignment Yes. Behind it just created a community. So, so then the question is, are the developers now setting the standards? That seems like that's the new way, right? I mean, >>I'd like to think so. >>So I mean hybrid, you, you're touching everything at scale and you also have mini shift as well, right? Which is taking a super macro micro shift. You ma micro shift. Oh yeah, yeah, exactly. It is a micro shift. That is, that is fantastic. There isn't a base you don't cover. You've spoken a lot about community and both of you have, and serving the community as well as your engagement with them from a, I mean, it's given that you're both leaders stepping back, how, how Community First is Red Hat and OpenShift as an organization when it comes to building the next products and, and developing. >>I'll take and, and I'm sure Andy is actually the community, so I'm sure he'll want to a lot of it. But I mean, right from the start, we have roots in open source. I'll keep it, you know, and, and, and certainly with es we were one of the original contributors to Kubernetes other than Google. So in some ways we think about as co-creators of es, they love that. And then, yeah, then we have added a lot of things in conjunction with the, I I talk about like SCC for Secure, which has become part security right now, which the community, we added things like our back and other what we thought were enterprise features needed because we actually wanted to build a product out of it and sell it to customers where our customers are enterprises. So we have worked with the community. Sometimes we have been ahead of the community and we have convinced the community. Sometimes the community has been ahead of us for other reasons. So it's been a great collaboration, which is I think the right thing to do. But Andy, as I said, >>Is the community well set too? Are well said. >>Yes, I agree with all of that. I spend most of my days thinking about how to interact with the community and engage with them. So the work that we're doing on kcp, we want it to be a community project and we want to involve as many people as we can. So it is a heavy focus for me and my team. And yeah, we we do >>It all the time. How's it going? How's the project going? You feel good >>About it? I do. It is, it started as an experiment or set of prototypes and has grown leaps and bounds from it's roots and it's, it's fantastic. Yeah. >>Controlled planes are hot data planes control planes. >>I >>Know, I love it. Making things work together horizontally scalable. Yeah. Sounds like cloud cloud native. >>Yeah. I mean, just to add to it, there are a couple of talks that on KCP at Con that our colleagues s Stephan Schemanski has, and I, I, I would urge people who have listening, if they have, just Google it, if you will, and you'll get them. And those are really awesome talks to get more about >>It. Oh yeah, no, and you can tell on GitHub that KCP really is a community project and how many people are participating. It's always fun to watch the action live to. Sure. Andy, thank you so much for being here with us, John. Wonderful questions this afternoon. And thank all of you for tuning in and listening to us here on the Cube Live from Detroit. I'm Savannah Peterson. Look forward to seeing you again very soon.