(upbeat music) >> Hello and welcome back to theCUBE's coverage of Cloud Native SecurityCon North America 2023. Its first inaugural event. It's theCUBE's coverage. We were there at the first event for a KubeCon before CNCF kind of took it over. It was in Seattle. And so in Seattle this week is Cloud Native SecurityCon. Of course, theCUBE is there covering via our Palo Alto Studios and our experts around the world who are bringing in Bassam Tabbara who's the CEO and founder of upbound.io. That's the URL, but Upbound is the company. The creators of Crossplane. Really kind of looking at the Crossplane, across the abstraction layer, across clouds. A big part of, as we call supercloud trend. Bassam, great to see you. You've been legend in the open source community. Great to have you on. >> Thanks, John. Always good to be on theCUBE. >> I really wanted to bring you in 'cause I want to get your perspective. You've seen the movie, you've seen open source software grow, it continues to grow. Now you're starting to see the Linux Foundation, which has CNCF really expanding their realm. They got the CloudNativeCon, KubeCon, which is Kubernetes event. That's gotten so massive and so successful. We've been to every single one as you know. I've seen you there and all of them as well. So that's going great. Now they got this new event that's spins out dedicated to security. Everybody wants to know why the new event? What's the focus? Is it needed? What will they do? What's different from KubeCon? Where do I play? And so there's a little bit of a question mark in the ecosystem around this event. And so we've been reporting on it. Looking good so far. People are buzzing, again, they're keeping it small. So that kind of managing expectations like any good event would do. But I think it's been successful, which I wanted like to get your take on how you see it. Is this good? Are you indifferent? Are you excited by this? What's your take? >> I mean, look, it's super exciting to see all the momentum around cloud native. Obviously there are different dimensions of cloud native securities, an important piece. Networking, storage, compute, like all those things I think tie back together and in some ways you can look at this event as a focused event on the security aspect as it relates to cloud native. And there are lots of vendors in this space. There's lots of interesting projects in the space, but the unifying theme is that they come together and probably around the Kubernetes API and the momentum around cloud native and with Kubernetes at the center of it. >> On the focus on Kubernetes, it seems this event is kind of classic security where you want to have deep dives. Again, I call it the event operating system 'cause you decouple, make things highly cohesive, and you link them together. I don't see a problem with it. I kind of like this. I gave it good reviews if they stay focused because security is super critical. There was references to bind and DNS. There's a lot of things in the infrastructure plumbing that need to be looked at or managed or figured out or just refactored for modernization needs. And I know you've done a lot with storage, for instance, storage, networking, kernel. There's a lot of things in the old tech or tech in the cloud that needs to be kind, I won't say rebooted, but maybe reset or jump. Do you see it that way? Are there things that need to get done or is it just that there's so much complexity in the different cloud cluster code thing going on? >> It's obviously security is a very, very big space and there are so many different aspects of it that people you can go into. I think the thing that's interesting around the cloud native community is that there is a unifying theme. Like forget the word cloud native for a second, but the unifying theme is that people are building around what looks like a standardized play around Kubernetes and the Kubernetes API. And as a result you can recast a lot of the technologies that we are used to in the past in a traditional security sense. You can recast them on top of this new standardized approach or on Kubernetes, whether it's policy or protecting a supply chain or scanning, or like a lot of the access control authorization, et cetera. All of those things can be either revived to apply to this cloud native play and the Kubernetes play or creating new opportunities for companies to actually build new and interesting projects and companies around a standardized play. >> Do you think this also will help the KubeCon be more focused around the developer areas there and just touching on security versus figuring out how to take something so important in KubeCon, which the stakeholders in KubeCon have have grown so big, I can see security sucking a lot of oxygen out of the room there. So here you move it over, you keep it over here. Will anything change on the KubeCon site? We'll be there in in Amsterdam in April. What do you think the impact will be? Good? Is it good for the community? Just good swim lanes? What's your take? >> Yeah, I still think KubeCon will be an umbrella event for the whole cloud native community. I suspect that you'll see some of the same vendors and projects and everything else represented in KubeCon. The way I think about all the branched cloud native events are essentially a way to have a more focused discussion, get people together to talk about security topics or networking topics or things that are more focused way. But I don't think it changes the the effect of KubeCon being the umbrella around all of it. So I think you'll see the same presence and maybe larger presence going forward at Amsterdam. We're planning to be there obviously and I'm excited to be there and I think it'll be a big event and having a smaller event is not going to diminish the effect of KubeCon. >> And if you look at the developer community they've all been online for a long time, from IRC chat to now Slack and now new technologies and stuff like Discord out there. The event world has changed post-pandemic. So it makes sense. And we're seeing this with all vendors, by the way, and projects. The digital community angle is huge because if you have a big tent event like KubeCon you can make that a rallying moment in the industry and then have similar smaller events that are highly focused that build off that that are just connective tissue or subnets, if you will, or communities targeted for really deeper conversations. And they could be smaller events. They don't have to be monster events, but they're connected and traverse into the main event. This might be the event format for the future for all companies, whether it's AWS or a company that has a community where you create this network effect, if you will, around the people. >> That's right. And if you look at things like AWS re:Invent, et cetera, I mean, that's a massive events. And in some ways it, if it was a set of smaller sub events, maybe it actually will flourish more. I don't know, I'm not sure. >> They just killed the San Francisco event. >> That's right. >> But they have re:Inforce, all right, so they just established that their big events are re:Invent and re:Inforce as their big. >> Oh, I didn't hear about re:Inforce. That's news to me. >> re:Inforce is their third event. So they're doing something similar as CloudNativeCon, which is you have to have an event and then they're going to create a lot of sub events underneath. So I think they are trying to do that. Very interesting. >> Very interesting for sure. >> So let's talk about what you guys are up to. I know from your standpoint, you had a lot of security conversations. How is Crossplane doing? Obviously, you saw our Supercloud coverage. You guys fit right into that model where clients, customers, enterprises are going to want to have multiple cloud operating environments for whatever the use case, whether you're using ChatGPT, you got to get an Azure instance up and running for that. Now with APIs, we're hearing a lot of developers doing that. So you're going to start to see this cross cloud as VMware calls, what we call it supercloud. There's more need for Crossplane like thinking. What's the update? >> For sure, and we see this very clearly as well. So the fact that there is a standardization layer, there is a layer that lets you converge the different vendors that you have, the different clouds that you have, the different hype models that you have, whether it's hybrid or private, public, et cetera. The unifying theme is that you're literally bringing all those things under one control plane that enables you to actually centralize and standardize on security, access control, helps you standardize on cost control, quota policy, as well as create a self-service experience for your developers. And so from a security standpoint, the beauty of this is like, you could use really popular projects like open policy agent or Kyverno or others if you want to do policy and do so uniformly across your entire stack, your entire footprint of tooling, vendors, services and across deployment models. Those things are possible because you're standardizing and consolidating on a control plane on top of all. And that's the thing that gets our customers excited. That we're seeing in the community that they could actually now normalize standardize on small number of projects and tools to manage everything. >> We were talking about that in our summary of the keynote yesterday. Dave Vellante and I were talking about the idea of clients want to have a redo of their security. They've been, just the tooling has been building up. They got zero trust in place, maybe with some big vendor, but now got the cloud native opportunity to refactor and reset and reinvent their security paradigm. And so that's the positive thing we're hearing. Now we're seeing enterprises want this cross cloud capabilities or Crossplane like thinking that you guys are talking about. What are your customers telling you? Can you share from an enterprise perspective where they're at in this journey? Because part of the security problems that we've been reporting on has been because clients are moving from IT to cloud native and not everyone's moved over yet. So they're highly vulnerable to ransomware and all kinds of other crap. So another attacks, so they're wide open, But people who are moving into cloud native, are they stepping up their game on this Crossplane opportunity? Where are they at? Can you share data on that? >> Yeah, we're grateful to be talking to a lot of customers these days. And the interesting thing is even if you talked about large financial institutions, banks, et cetera, the common theme that we hear is that they bought tools for each of the different departments and however they're organized. Sometimes you see the folks that are running databases, networking, being separated from say, the computer app developers or they're all these different departments within an organization. And for each one of those, they've made localized decisions for tooling and services that they bought. What we're seeing now consistently is that they're all together, getting together, and trying to figure out how to standardize on a smaller one set of tooling and services that goes across all the different departments and all different aspects of the business that they're running. And this is where this discussion gets a lot very interesting. If instead of buying a different policy tool for each department, or once that fits it you could actually standardize on policy or the entire footprint of services that they're managing. And you get that by standardizing on a control plane or standardizing on effectively one point of control for everything that they're doing. And that theme is like literally, it gets all our customers excited. This is why they're engaging in all of this. It's almost the holy grail. The thing that I've been trying to do for a long time. >> I know. >> And it's finally happening. >> I know you and I have talked about this many times, but I got to ask you the one thing that jumps into everybody's head when you hear control plane is lock-in. So how do you discuss that lock-in, perception from the reality of the situation? How do you unpack that for the customer? 'Cause they want choice at the end of the day. There's the preferred vendors for sure on the hyperscale side and app side and open source, but what's the lock-in? What does the lock-in conversation look like? Or do they even have that conversation? >> Yeah. To be honest, I mean, so their lock-in could be a two dimensions here. Most of our customers and people are using Crossplane or using app on product around it. Most of our do, concentrated in, say a one cloud vendor and have others. So I don't think this is necessarily about multicloud per se or being locked into one vendor. But they do manage many different services and they have legacy tooling and they have different systems that they bought at different stages and they want to bring them all together. And by bringing them all together that helps them make choices about consulting or even replacing some of them. But right now everything is siloed, everything is separate, both organizationally as well as the code bases or investments and tooling or contracts. Everything is just completely separated and it requires humans to put them together. And organizations actually try to gather around and put them together. I don't know if lock-in is the driving goal for this, but it is standardization consolidation. That's the driving initiative. >> And so unification and building is the big driver. They're building out >> Correct, and you can ask why are they doing that? What does standardization help with? It helps them to become more productive. They can move faster, they can innovate faster. Not as a ton of, like literally revenue written all over. So it's super important to them that they achieved this, increase their pace of innovation around this and they do that by standardizing. >> The great point in all this and your success at Upbound and now CNCF success with KubeCon + CloudNativeCon and now with the inaugural event of Cloud Native SecurityCon is that the customers are involved, a lot of end users are involved. There's a big driver not only from the industry and the developers and getting architecture right and having choice. The customers want this to happen. They're leaning in, they're part of it. So that's a big driver. Where does this go? If you had to throw a dart at the board five years from now Cloud Native SecurityCon, what does it look like if you had to predict the trajectory of this event and community? >> Yeah, I mean, look, I think the trajectory one is that we have what looks like a standardization layer emerging that is all encompassing. And as a result, there is a ton of opportunity for vendors, projects, communities to build around within on top of this layer. And essentially create, I think you talked about an operating system earlier and decentralized aspect of this, but it's an opportunity to actually, what it looks like for the first time we have a convergence happening industry-wide and through open source and open source foundations. And I think that means that there'll be new opportunity and lots of new projects and things that are created in the space. And it also means that if you don't attach this space, you'll likely be left out. >> Awesome. Bassam, great to have you on, great expert commentary, obviously multi CUBE alumni and supporter of theCUBE and as you become successful we really appreciate your support for helping us get the content out there. And best of luck to your team and thanks for weighing in on Cloud Native SecurityCon. >> Awesome. It's always good talking to you, John. Thank you. >> Great stuff. This is more CUBE coverage from Palo Alto, getting folks on the ground on location, getting us the stories in Seattle. Of course, Cloud Native SecurityCon, the inaugural event, which looks like will be the beginning of a series of multi-year journey for the CNCF, focusing on security. Of course, theCUBE's here to cover it, every angle of it, and extract the signal from the noise. I'm John Furrier, thanks for watching. (upbeat music)