(Gentle music) >> Hello and welcome to the Cube here in Palo Alto, California. I'm John Furrier here, joined by Platform nine, Amelia Bell the Chief Revenue Officer, really digging into the conversation around Kubernetes Cloud native and the journey this next generation cloud. Amelia, thanks for coming in and joining me today. >> Thank you, thank you. Great pleasure to be here. >> So, CRO, chief Revenue Officer. So you're mainly in charge of serving the customers, making sure they're they're happy with the solution you guys have. >> That's right. >> And this market must be pretty exciting. >> Oh, it's very exciting and we are seeing a lot of new use cases coming up all the time. So part of my job is to obtain new customers but then of course, service our existing customers and then there's a constant evolution. Nothing is standing still right now. >> We've had all your co-founders on, on the show here and we've kind of talked about the trends and where you guys have come from, where you guys are going now. And it's interesting, if you look at the cloud native market, the scale is still huge. You seeing now this next wave of AI coming on, which I call that's the real web three in my mind in terms of like the next experiences really still points to data infrastructure scale. These next gen apps are coming. And so that's being built on the previous generation of DevSecOps. >> Right >> And so a lot of enterprises are having to grow up really, really fast >> Right. >> And figure out, okay, I got to have scale I got large scale data, I got horizontal scalability I got to apply machine learning now the new software engineering practice. And then, oh, by the way I got the Kubernetes clusters I got to manage >> Right. >> I got what's containers weather, the security problems. This is a really complicated but important area of build out right now in the marketplace. >> Right. What are you seeing? >> So it's, it's really important that the infrastructure is not the hindrance in these cases. And we, one of our customers is in fact a large AI company and we, I met with them yesterday and asked them, you know, why are you giving that to us? You've got really smart engineers. They can run and create the infrastructure, you know in a custom way that you want it. And they said, we've got to be core to our business. There's plenty of work to do just on delivering the AI capabilities, and there's plenty of work to do. We can't get bogged down in the infrastructure. We don't want to have people running the engine we want them driving the car. We want them creating value on top of that. so they can't have the infrastructure being the bottleneck for them. >> It's interesting, the AI companies, that's their value proposition to their customers is that they don't want the technical talent. >> Right. >> Working on, you know, non-differentiated heavy lifting things. >> Right. >> And automate those and scale it up. Can you talk about the problem that you guys are solving? Because there's a lot going on here. >> Yeah. >> You can look at all aspects of the DevOps scale. There's a lot of little problems, some big problems. What are you guys focusing on? What's the bullseye for Platform known? >> Okay, so the bullseye is that Kubernetes infrastructure is really hard, right? It's really hard to create and run. So we introduce a time to market efficiency, let's get this up and running and let's get you into production and and producing results for your customers fast. But at the same time, let's reduce your cost and complexity and increase reliability. So, >> And what are some of the things that they're having problems with that are breaking? Is it more of updates on code? Is it size of the, I mean clusters they have, what what is it more operational? What are the, what are some of the things that are that kind of get them to call you guys up? What's the main thing? >> It's the operations. It's all operations. So what, what happens is that if you have a look at Kubernetes platform it's made up of many, many components. And that's where it gets complex. It's not just Kubernetes. There's load balances, networking, there's observability. All these things have to operate together. And all the piece parts have to be upgraded and maintained. The integrations need to work, you need to have probes into the system to predict where problems can be coming. So the operational part of it is complex. So you need to be observing not only your clusters in the health of the clusters and the nodes and so on but the health of the platform itself. >> We're going to get Peter Frey in on here after I talk about some of the technical issues on deployments. But what's the, what's the big decision for the customer? Because there's kind of, there's two schools of thought. One is, I'm going to build my own and have my team build it or I'm going to go with a partner >> Right. >> Say platform nine, what's the trade offs there? Because it seems to me that, that there's a there's a certain area of where it's core competency but I can outsource it or partner with it and, and work with platform nine versus trying to take it all on internally >> Right. >> Of which requires more costs. So there's a, there's a line where you kind of like figure out that customers have to figure out that, that piece >> Right >> What do, what's your view on that? Because I'm hearing that more people are saying, hey I want to, I want to focus my people on solutions. The app side, not so much the ops >> Right. >> What's the trade off? How do you talk about? >> It's a really interesting question because most companies think they have two options. It's either a DIY option and they love that engineers love playing with the new and on the latest. And then they think the other option is going to cloud, public cloud and have it semi managed by them. And you get very different out of those. So in the DIY you get flexibility coz you get to choose your infrastructure but then you've got all the complexities of the DIY piece. You've got to not only choose all your components but you've got to keep them working. Now if you go to public cloud option, you lose flexibility because a lot of those choices are made for you but you gain agility because quite frankly it's really easy to spin up clusters. So what we are, is that in the middle we bring the agility and the flexibility because we bring the control plane that allows you to spin up clusters and and lifecycle manage them very quickly. So the agility's there but you can do it on the infrastructure of your choice. And in the DIY culture, one of the hardest things to do actually is to convince them they don't have to do it themselves. They can focus on higher value activities, which are more focused on delivering outcomes to their customers. >> So you provide the solution that allows them to feel like they're billing it themselves. >> Correct. >> And get these scale and speed and the efficiencies of the op side. So it's kind of the best of both worlds. It's not a full outsource. >> Right, right. >> You're bringing them in to make their jobs easier >> Right, That's right. So they get choices. >> Yeah. >> We, we, they get choices on how they build it and then we run and operate it for them. But they, they have all the observability. The benefit is that if we are managing their operations and most of our customers choose the managed operations piece of it, then they don't. If something goes wrong, we fix that and they, they they get told, oh, by the way, you had a problem. We've dealt with it. But in the other model is they've got to create all that observability themselves and they've got to get ahead of the issues themselves, and then they've got to raise tickets to whoever they need to raise tickets to. Whereas we have things like auto ticket generation and so on where, look, just drive the car let us worry about the engine and all of that. Let us deal with that. And you can choose whatever you want about the engine but let us manage it for you. So >> What do you, what do you say to folks out there that are may have a need for platform nine? What's the signals inside their company that they should be calling you guys up and, and leaning in with platform nine? >> Right. >> Is it more sprawl on on clusters? Is it more errors? Is it more tickets? Is it more hassle? What are some of the signs? If someone's watching this say, hey I have, I have an issue with this. >> I would say, if there's operational inefficiencies you can't get things to market fast enough because you are building this and it's just taking too long you're spending way too much time operationally on the infrastructure, then you are, you are not using your resources where they should best be used. And, and that is delivering services to the customer. >> Ed me Hora on for International Women's Day. And she was talking about how they love to solve complex problems on the engineering team at Platform nine. It's going to get pretty complex with the edge emerging >> Indeed >> and cloud native on-premises distributed computing. >> Indeed. >> essentially is what it is. That's kind of the core DNA of the team. >> Yeah. >> What, how does that translate to the customers? Because IT seems to be, okay, I have virtual machines were great, now I got to scale up and and convert over a transform to containers, Kubernetes >> Right. >> And then large scale app, app applications. >> Right, so when it comes to Edge it gets complex pretty fast because it's highly distributed. So how do you have standardization and governance across all the different edge locations? So what we bring into play is an ability to, um, at each edge, location eh, provision from bare metal up all the way up to the application. So let's say you have thousands of stores and you want to modernize those stores, you know rather than having a server being sent somewhere to have an image loaded up and then sent that and then you've got to send a technical guide to the store and you've got to implement it all there. Forget all that. That's just, that's just a ridiculous waste of time. So what we've done is we've created the ability where the server can just be sent to the store. You can get your barista or your chef just to plug it in, right? You don't need to send any technical person over there. As long as we have access to it, we get access to it and we provision the whole thing from bare metal up and then we can maintain it according to the standards that are needed and upgrade accordingly. And that gives standardization across all your stores or edge locations or 5G towers or whatever it is, distribution centers. And we can create nice governance and good standardization which allows them to innovate fast as well. >> So this is a real opportunity for you guys. >> Yeah. >> This is an advantage from your expertise. >> Yes. >> The edge piece, dropping in a box, self-provisioning. >> That's right. So yeah. >> Can people do that? What's the, >> No, actually it, it's, it's very difficult to do. I I, from my understanding, we're the only people that can provision it from bare metal up, right? So if anyone has a different story, I'd love to hear about that. But that's my understanding today. >> That's a good value purpose. So talk about the value of the customer. What kind of scope do you got? Can you scope some of the customer environments you have from >> Sure. >> From, you know, small to the large, how give us an idea of the order of magnitude of the >> Yeah, so, so small customers may have 20 clusters or something like that. 20 nodes, I beg your pardon. Our large customers, like we're we are scaling one particular distributed environment from 2200 nodes to 10,000 nodes by the end of this year and 26,000 nodes next year. We have another customer that's scaling up to 10,000 nodes this year as well. So we have some very large scale, but some smaller ones too. And we're, we're happy to work with either end. >> Okay, so pretend I'm a customer. I'm really, I got pain and Kubernetes like I want to, I can't hire enough people. I want to have my all focus. What's the pitch? >> Okay. So skill shortage is something that that everyone is facing right now. And if, if you've got skill shortage it's going to be really hard to hire if you are competing against really, you know, high salary you know, offering companies that are out there. So the pitch is, let us do it for you. We have, we have a team of excellent probably the best Kubernetes engineers on the planet. We will create your environment for you. We will get it up and running. We will allow you to, you know, run your applica, just consume the platform, we'll run it for you. We'll have SLAs and up times guaranteed and you can just focus on delivering the software and the value needed to your customers. >> What are some of the testimonials that you get from people? Just anecdotally, what do they say? Oh my god, you guys save. >> Yeah. >> Our butts. >> Yeah. >> This is amazing. We just shipped our code out much faster. >> Yeah. >> What are some of the things that you hear? >> So, so the number one thing I hear is it just works right? It's, we don't have to worry about it, it just works. So that, that's a really great feedback that we get. The other thing I hear is if we do have issues that your team are amazing, they they fix things, they're proactive, you know, they're we really enjoy working with you. So from, from that perspective, that's great. But the other side of it is we hear things like if we were to do that ourselves we would've taken six to 12 months to build that. And you guys have just saved us six to 12 months. The other thing that we hear is with the same two engineers we started on, you know, a hundred nodes we're now running thousands of nodes. We have not had to increase the size of the team and expand and scale exponentially. >> Awesome. What's next for you guys? What's on your, your plate? >> Yeah. >> With CRO, what's some of the goals you have? >> Yeah, so growth of course as a CRO, you don't get away from that. We've got some very exciting, actually, initiatives coming up. One of the things that we are seeing a lot of demand for and is, is in the area of virtualization bringing virtual machine, virtual virtual containers, sorry I'm saying that all wrong. Bringing virtual machine, the virtual machines onto the cloud native infrastructure using Kubernetes technology. So that provides a, an excellent stepping stone for those guys who are in the virtualization world. And they can't move to containers, they can't refactor their applications and workloads fast enough. So just bring your virtual machine and put it onto the container infrastructure. So we're seeing a lot of demand for that, because it provides an excellent stepping stone. Why not use Kubernetes to orchestrate virtual the virtual world? And then we've got some really interesting cost optimization. >> So a lot of migration kind of thinking around VMs and >> Oh, tremendous. The, the VM world is just massively bigger than the container world right now. So you can't ignore that. So we are providing basically the evolution, the the journey for the customers to utilize the greatest of technologies without having to do that in a, in a in a way that just breaks the bank and they can't get there fast enough. So we provide those stepping stones for them. Yeah. >> Amelia thank you for coming on. Sharing. >> Thank you. >> The update on platform nine. Congratulations on your big accounts you have and >> thank you. >> And the world could get more complex, which Means >> indeed >> have more customers. >> Thank you, thank you John. Appreciate that. Thank you. >> I'm John Furry. You're watching Platform nine and the Cube Conversations here. Thanks for watching. (gentle music)

(upbeat music) >> Hello, everyone, welcome to theCUBE. I'm John Furrier, the host of theCUBE in Palo Alto, California. Also it's SiliconANGLE News. Got two great guests here to talk about AI, the impact of the future of the internet, the applications, the people. Amr Awadallah, the founder and CEO, Ed Alban is the CEO of Vectara, a new startup that emerged out of the original Cloudera, I would say, 'cause Amr's known, famous for the Cloudera founding, which was really the beginning of the big data movement. And now as AI goes mainstream, there's so much to talk about, so much to go on. And plus the new company is one of the, now what I call the wave, this next big wave, I call it the fifth wave in the industry. You know, you had PCs, you had the internet, you had mobile. This generative AI thing is real. And you're starting to see startups come out in droves. Amr obviously was founder of Cloudera, Big Data, and now Vectara. And Ed Albanese, you guys have a new company. Welcome to the show. >> Thank you. It's great to be here. >> So great to see you. Now the story is theCUBE started in the Cloudera office. Thanks to you, and your friendly entrepreneurship views that you have. We got to know each other over the years. But Cloudera had Hadoop, which was the beginning of what I call the big data wave, which then became what we now call data lakes, data oceans, and data infrastructure that's developed from that. It's almost interesting to look back 12 plus years, and see that what AI is doing now, right now, is opening up the eyes to the mainstream, and the application's almost mind blowing. You know, Sati Natel called it the Mosaic Moment, didn't say Netscape, he built Netscape (laughing) but called it the Mosaic Moment. You're seeing companies in startups, kind of the alpha geeks running here, because this is the new frontier, and there's real meat on the bone, in terms of like things to do. Why? Why is this happening now? What's is the confluence of the forces happening, that are making this happen? >> Yeah, I mean if you go back to the Cloudera days, with big data, and so on, that was more about data processing. Like how can we process data, so we can extract numbers from it, and do reporting, and maybe take some actions, like this is a fraud transaction, or this is not. And in the meanwhile, many of the researchers working in the neural network, and deep neural network space, were trying to focus on data understanding, like how can I understand the data, and learn from it, so I can take actual actions, based on the data directly, just like a human does. And we were only good at doing that at the level of somebody who was five years old, or seven years old, all the way until about 2013. And starting in 2013, which is only 10 years ago, a number of key innovations started taking place, and each one added on. It was no major innovation that just took place. It was a couple of really incremental ones, but they added on top of each other, in a very exponentially additive way, that led to, by the end of 2019, we now have models, deep neural network models, that can read and understand human text just like we do. Right? And they can reason about it, and argue with you, and explain it to you. And I think that's what is unlocking this whole new wave of innovation that we're seeing right now. So data understanding would be the essence of it. >> So it's not a Big Bang kind of theory, it's been evolving over time, and I think that the tipping point has been the advancements and other things. I mean look at cloud computing, and look how fast it just crept up on AWS. I mean AWS you back three, five years ago, I was talking to Swami yesterday, and their big news about AI, expanding the Hugging Face's relationship with AWS. And just three, five years ago, there wasn't a model training models out there. But as compute comes out, and you got more horsepower,, these large language models, these foundational models, they're flexible, they're not monolithic silos, they're interacting. There's a whole new, almost fusion of data happening. Do you see that? I mean is that part of this? >> Of course, of course. I mean this wave is building on all the previous waves. We wouldn't be at this point if we did not have hardware that can scale, in a very efficient way. We wouldn't be at this point, if we don't have data that we're collecting about everything we do, that we're able to process in this way. So this, this movement, this motion, this phase we're in, absolutely builds on the shoulders of all the previous phases. For some of the observers from the outside, when they see chatGPT for the first time, for them was like, "Oh my god, this just happened overnight." Like it didn't happen overnight. (laughing) GPT itself, like GPT3, which is what chatGPT is based on, was released a year ahead of chatGPT, and many of us were seeing the power it can provide, and what it can do. I don't know if Ed agrees with that. >> Yeah, Ed? >> I do. Although I would acknowledge that the possibilities now, because of what we've hit from a maturity standpoint, have just opened up in an incredible way, that just wasn't tenable even three years ago. And that's what makes it, it's true that it developed incrementally, in the same way that, you know, the possibilities of a mobile handheld device, you know, in 2006 were there, but when the iPhone came out, the possibilities just exploded. And that's the moment we're in. >> Well, I've had many conversations over the past couple months around this area with chatGPT. John Markoff told me the other day, that he calls it, "The five dollar toy," because it's not that big of a deal, in context to what AI's doing behind the scenes, and all the work that's done on ethics, that's happened over the years, but it has woken up the mainstream, so everyone immediately jumps to ethics. "Does it work? "It's not factual," And everyone who's inside the industry is like, "This is amazing." 'Cause you have two schools of thought there. One's like, people that think this is now the beginning of next gen, this is now we're here, this ain't your grandfather's chatbot, okay?" With NLP, it's got reasoning, it's got other things. >> I'm in that camp for sure. >> Yeah. Well I mean, everyone who knows what's going on is in that camp. And as the naysayers start to get through this, and they go, "Wow, it's not just plagiarizing homework, "it's helping me be better. "Like it could rewrite my memo, "bring the lead to the top." It's so the format of the user interface is interesting, but it's still a data-driven app. >> Absolutely. >> So where does it go from here? 'Cause I'm not even calling this the first ending. This is like pregame, in my opinion. What do you guys see this going, in terms of scratching the surface to what happens next? >> I mean, I'll start with, I just don't see how an application is going to look the same in the next three years. Who's going to want to input data manually, in a form field? Who is going to want, or expect, to have to put in some text in a search box, and then read through 15 different possibilities, and try to figure out which one of them actually most closely resembles the question they asked? You know, I don't see that happening. Who's going to start with an absolute blank sheet of paper, and expect no help? That is not how an application will work in the next three years, and it's going to fundamentally change how people interact and spend time with opening any element on their mobile phone, or on their computer, to get something done. >> Yes. I agree with that. Like every single application, over the next five years, will be rewritten, to fit within this model. So imagine an HR application, I don't want to name companies, but imagine an HR application, and you go into application and you clicking on buttons, because you want to take two weeks of vacation, and menus, and clicking here and there, reasons and managers, versus just telling the system, "I'm taking two weeks of vacation, going to Las Vegas," book it, done. >> Yeah. >> And the system just does it for you. If you weren't completing in your input, in your description, for what you want, then the system asks you back, "Did you mean this? "Did you mean that? "Were you trying to also do this as well?" >> Yeah. >> "What was the reason?" And that will fit it for you, and just do it for you. So I think the user interface that we have with apps, is going to change to be very similar to the user interface that we have with each other. And that's why all these apps will need to evolve. >> I know we don't have a lot of time, 'cause you guys are very busy, but I want to definitely have multiple segments with you guys, on this topic, because there's so much to talk about. There's a lot of parallels going on here. I was talking again with Swami who runs all the AI database at AWS, and I asked him, I go, "This feels a lot like the original AWS. "You don't have to provision a data center." A lot of this heavy lifting on the back end, is these large language models, with these foundational models. So the bottleneck in the past, was the energy, and cost to actually do it. Now you're seeing it being stood up faster. So there's definitely going to be a tsunami of apps. I would see that clearly. What is it? We don't know yet. But also people who are going to leverage the fact that I can get started building value. So I see a startup boom coming, and I see an application tsunami of refactoring things. >> Yes. >> So the replatforming is already kind of happening. >> Yes, >> OpenAI, chatGPT, whatever. So that's going to be a developer environment. I mean if Amazon turns this into an API, or a Microsoft, what you guys are doing. >> We're turning it into API as well. That's part of what we're doing as well, yes. >> This is why this is exciting. Amr, you've lived the big data dream, and and we used to talk, if you didn't have a big data problem, if you weren't full of data, you weren't really getting it. Now people have all the data, and they got to stand this up. >> Yeah. >> So the analogy is again, the mobile, I like the mobile movement, and using mobile as an analogy, most companies were not building for a mobile environment, right? They were just building for the web, and legacy way of doing apps. And as soon as the user expectations shifted, that my expectation now, I need to be able to do my job on this small screen, on the mobile device with a touchscreen. Everybody had to invest in re-architecting, and re-implementing every single app, to fit within that model, and that model of interaction. And we are seeing the exact same thing happen now. And one of the core things we're focused on at Vectara, is how to simplify that for organizations, because a lot of them are overwhelmed by large language models, and ML. >> They don't have the staff. >> Yeah, yeah, yeah. They're understaffed, they don't have the skills. >> But they got developers, they've got DevOps, right? >> Yes. >> So they have the DevSecOps going on. >> Exactly, yes. >> So our goal is to simplify it enough for them that they can start leveraging this technology effectively, within their applications. >> Ed, you're the COO of the company, obviously a startup. You guys are growing. You got great backup, and good team. You've also done a lot of business development, and technical business development in this area. If you look at the landscape right now, and I agree the apps are coming, every company I talk to, that has that jet chatGPT of, you know, epiphany, "Oh my God, look how cool this is. "Like magic." Like okay, it's code, settle down. >> Mm hmm. >> But everyone I talk to is using it in a very horizontal way. I talk to a very senior person, very tech alpha geek, very senior person in the industry, technically. they're using it for log data, they're using it for configuration of routers. And in other areas, they're using it for, every vertical has a use case. So this is horizontally scalable from a use case standpoint. When you hear horizontally scalable, first thing I chose in my mind is cloud, right? >> Mm hmm. >> So cloud, and scalability that way. And the data is very specialized. So now you have this vertical specialization, horizontally scalable, everyone will be refactoring. What do you see, and what are you seeing from customers, that you talk to, and prospects? >> Yeah, I mean put yourself in the shoes of an application developer, who is actually trying to make their application a bit more like magic. And to have that soon-to-be, honestly, expected experience. They've got to think about things like performance, and how efficiently that they can actually execute a query, or a question. They've got to think about cost. Generative isn't cheap, like the inference of it. And so you've got to be thoughtful about how and when you take advantage of it, you can't use it as a, you know, everything looks like a nail, and I've got a hammer, and I'm going to hit everything with it, because that will be wasteful. Developers also need to think about how they're going to take advantage of, but not lose their own data. So there has to be some controls around what they feed into the large language model, if anything. Like, should they fine tune a large language model with their own data? Can they keep it logically separated, but still take advantage of the powers of a large language model? And they've also got to take advantage, and be aware of the fact that when data is generated, that it is a different class of data. It might not fully be their own. >> Yeah. >> And it may not even be fully verified. And so when the logical cycle starts, of someone making a request, the relationship between that request, and the output, those things have to be stored safely, logically, and identified as such. >> Yeah. >> And taken advantage of in an ongoing fashion. So these are mega problems, each one of them independently, that, you know, you can think of it as middleware companies need to take advantage of, and think about, to help the next wave of application development be logical, sensible, and effective. It's not just calling some raw API on the cloud, like openAI, and then just, you know, you get your answer and you're done, because that is a very brute force approach. >> Well also I will point, first of all, I agree with your statement about the apps experience, that's going to be expected, form filling. Great point. The interesting about chatGPT. >> Sorry, it's not just form filling, it's any action you would like to take. >> Yeah. >> Instead of clicking, and dragging, and dropping, and doing it on a menu, or on a touch screen, you just say it, and it's and it happens perfectly. >> Yeah. It's a different interface. And that's why I love that UIUX experiences, that's the people falling out of their chair moment with chatGPT, right? But a lot of the things with chatGPT, if you feed it right, it works great. If you feed it wrong and it goes off the rails, it goes off the rails big. >> Yes, yes. >> So the the Bing catastrophes. >> Yeah. >> And that's an example of garbage in, garbage out, classic old school kind of comp-side phrase that we all use. >> Yep. >> Yes. >> This is about data in injection, right? It reminds me the old SQL days, if you had to, if you can sling some SQL, you were a magician, you know, to get the right answer, it's pretty much there. So you got to feed the AI. >> You do, Some people call this, the early word to describe this as prompt engineering. You know, old school, you know, search, or, you know, engagement with data would be, I'm going to, I have a question or I have a query. New school is, I have, I have to issue it a prompt, because I'm trying to get, you know, an action or a reaction, from the system. And the active engineering, there are a lot of different ways you could do it, all the way from, you know, raw, just I'm going to send you whatever I'm thinking. >> Yeah. >> And you get the unintended outcomes, to more constrained, where I'm going to just use my own data, and I'm going to constrain the initial inputs, the data I already know that's first party, and I trust, to, you know, hyper constrain, where the application is actually, it's looking for certain elements to respond to. >> It's interesting Amr, this is why I love this, because one we are in the media, we're recording this video now, we'll stream it. But we got all your linguistics, we're talking. >> Yes. >> This is data. >> Yep. >> So the data quality becomes now the new intellectual property, because, if you have that prompt source data, it makes data or content, in our case, the original content, intellectual property. >> Absolutely. >> Because that's the value. And that's where you see chatGPT fall down, is because they're trying to scroll the web, and people think it's search. It's not necessarily search, it's giving you something that you wanted. It is a lot of that, I remember in Cloudera, you said, "Ask the right questions." Remember that phrase you guys had, that slogan? >> Mm hmm. And that's prompt engineering. So that's exactly, that's the reinvention of "Ask the right question," is prompt engineering is, if you don't give these models the question in the right way, and very few people know how to frame it in the right way with the right context, then you will get garbage out. Right? That is the garbage in, garbage out. But if you specify the question correctly, and you provide with it the metadata that constrain what that question is going to be acted upon or answered upon, then you'll get much better answers. And that's exactly what we solved Vectara. >> Okay. So before we get into the last couple minutes we have left, I want to make sure we get a plug in for the opportunity, and the profile of Vectara, your new company. Can you guys both share with me what you think the current situation is? So for the folks who are now having those moments of, "Ah, AI's bullshit," or, "It's not real, it's a lot of stuff," from, "Oh my god, this is magic," to, "Okay, this is the future." >> Yes. >> What would you say to that person, if you're at a cocktail party, or in the elevator say, "Calm down, this is the first inning." How do you explain the dynamics going on right now, to someone who's either in the industry, but not in the ropes? How would you explain like, what this wave's about? How would you describe it, and how would you prepare them for how to change their life around this? >> Yeah, so I'll go first and then I'll let Ed go. Efficiency, efficiency is the description. So we figured that a way to be a lot more efficient, a way where you can write a lot more emails, create way more content, create way more presentations. Developers can develop 10 times faster than they normally would. And that is very similar to what happened during the Industrial Revolution. I always like to look at examples from the past, to read what will happen now, and what will happen in the future. So during the Industrial Revolution, it was about efficiency with our hands, right? So I had to make a piece of cloth, like this piece of cloth for this shirt I'm wearing. Our ancestors, they had to spend month taking the cotton, making it into threads, taking the threads, making them into pieces of cloth, and then cutting it. And now a machine makes it just like that, right? And the ancestors now turned from the people that do the thing, to manage the machines that do the thing. And I think the same thing is going to happen now, is our efficiency will be multiplied extremely, as human beings, and we'll be able to do a lot more. And many of us will be able to do things they couldn't do before. So another great example I always like to use is the example of Google Maps, and GPS. Very few of us knew how to drive a car from one location to another, and read a map, and get there correctly. But once that efficiency of an AI, by the way, behind these things is very, very complex AI, that figures out how to do that for us. All of us now became amazing navigators that can go from any point to any point. So that's kind of how I look at the future. >> And that's a great real example of impact. Ed, your take on how you would talk to a friend, or colleague, or anyone who asks like, "How do I make sense of the current situation? "Is it real? "What's in it for me, and what do I do?" I mean every company's rethinking their business right now, around this. What would you say to them? >> You know, I usually like to show, rather than describe. And so, you know, the other day I just got access, I've been using an application for a long time, called Notion, and it's super popular. There's like 30 or 40 million users. And the new version of Notion came out, which has AI embedded within it. And it's AI that allows you primarily to create. So if you could break down the world of AI into find and create, for a minute, just kind of logically separate those two things, find is certainly going to be massively impacted in our experiences as consumers on, you know, Google and Bing, and I can't believe I just said the word Bing in the same sentence as Google, but that's what's happening now (all laughing), because it's a good example of change. >> Yes. >> But also inside the business. But on the crate side, you know, Notion is a wiki product, where you try to, you know, note down things that you are thinking about, or you want to share and memorialize. But sometimes you do need help to get it down fast. And just in the first day of using this new product, like my experience has really fundamentally changed. And I think that anybody who would, you know, anybody say for example, that is using an existing app, I would show them, open up the app. Now imagine the possibility of getting a starting point right off the bat, in five seconds of, instead of having to whole cloth draft this thing, imagine getting a starting point then you can modify and edit, or just dispose of and retry again. And that's the potential for me. I can't imagine a scenario where, in a few years from now, I'm going to be satisfied if I don't have a little bit of help, in the same way that I don't manually spell check every email that I send. I automatically spell check it. I love when I'm getting type ahead support inside of Google, or anything. Doesn't mean I always take it, or when texting. >> That's efficiency too. I mean the cloud was about developers getting stuff up quick. >> Exactly. >> All that heavy lifting is there for you, so you don't have to do it. >> Right? >> And you get to the value faster. >> Exactly. I mean, if history taught us one thing, it's, you have to always embrace efficiency, and if you don't fast enough, you will fall behind. Again, looking at the industrial revolution, the companies that embraced the industrial revolution, they became the leaders in the world, and the ones who did not, they all like. >> Well the AI thing that we got to watch out for, is watching how it goes off the rails. If it doesn't have the right prompt engineering, or data architecture, infrastructure. >> Yes. >> It's a big part. So this comes back down to your startup, real quick, I know we got a couple minutes left. Talk about the company, the motivation, and we'll do a deeper dive on on the company. But what's the motivation? What are you targeting for the market, business model? The tech, let's go. >> Actually, I would like Ed to go first. Go ahead. >> Sure, I mean, we're a developer-first, API-first platform. So the product is oriented around allowing developers who may not be superstars, in being able to either leverage, or choose, or select their own large language models for appropriate use cases. But they that want to be able to instantly add the power of large language models into their application set. We started with search, because we think it's going to be one of the first places that people try to take advantage of large language models, to help find information within an application context. And we've built our own large language models, focused on making it very efficient, and elegant, to find information more quickly. So what a developer can do is, within minutes, go up, register for an account, and get access to a set of APIs, that allow them to send data, to be converted into a format that's easy to understand for large language models, vectors. And then secondarily, they can issue queries, ask questions. And they can ask them very, the questions that can be asked, are very natural language questions. So we're talking about long form sentences, you know, drill down types of questions, and they can get answers that either come back in depending upon the form factor of the user interface, in list form, or summarized form, where summarized equals the opportunity to kind of see a condensed, singular answer. >> All right. I have a. >> Oh okay, go ahead, you go. >> I was just going to say, I'm going to be a customer for you, because I want, my dream was to have a hologram of theCUBE host, me and Dave, and have questions be generated in the metaverse. So you know. (all laughing) >> There'll be no longer any guests here. They'll all be talking to you guys. >> Give a couple bullets, I'll spit out 10 good questions. Publish a story. This brings the automation, I'm sorry to interrupt you. >> No, no. No, no, I was just going to follow on on the same. So another way to look at exactly what Ed described is, we want to offer you chatGPT for your own data, right? So imagine taking all of the recordings of all of the interviews you have done, and having all of the content of that being ingested by a system, where you can now have a conversation with your own data and say, "Oh, last time when I met Amr, "which video games did we talk about? "Which movie or book did we use as an analogy "for how we should be embracing data science, "and big data, which is moneyball," I know you use moneyball all the time. And you start having that conversation. So, now the data doesn't become a passive asset that you just have in your organization. No. It's an active participant that's sitting with you, on the table, helping you make decisions. >> One of my favorite things to do with customers, is to go to their site or application, and show them me using it. So for example, one of the customers I talked to was one of the biggest property management companies in the world, that lets people go and rent homes, and houses, and things like that. And you know, I went and I showed them me searching through reviews, looking for information, and trying different words, and trying to find out like, you know, is this place quiet? Is it comfortable? And then I put all the same data into our platform, and I showed them the world of difference you can have when you start asking that question wholeheartedly, and getting real information that doesn't have anything to do with the words you asked, but is really focused on the meaning. You know, when I asked like, "Is it quiet?" You know, answers would come back like, "The wind whispered through the trees peacefully," and you know, it's like nothing to do with quiet in the literal word sense, but in the meaning sense, everything to do with it. And that that was magical even for them, to see that. >> Well you guys are the front end of this big wave. Congratulations on the startup, Amr. I know you guys got great pedigree in big data, and you've got a great team, and congratulations. Vectara is the name of the company, check 'em out. Again, the startup boom is coming. This will be one of the major waves, generative AI is here. I think we'll look back, and it will be pointed out as a major inflection point in the industry. >> Absolutely. >> There's not a lot of hype behind that. People are are seeing it, experts are. So it's going to be fun, thanks for watching. >> Thanks John. (soft music)

(upbeat music) >> Hi everyone. Welcome back to this Cube conversation here in Palo Alto, California. I'm John Furrier, host of "theCUBE." Got a great conversation around Cloud Native, Cloud Native Journey, how enterprises are looking at Cloud Native and putting it all together. And it comes down to operations, developer productivity, and security. It's the hottest topic in technology. We got Chris Jones here in the studio, director of Product Management for Platform9. Chris, thanks for coming in. >> Hey, thanks. >> So when we always chat about, when we're at KubeCon. KubeConEU is coming up and in a few, in a few months, the number one conversation is developer productivity. And the developers are driving all the standards. It's interesting to see how they just throw everything out there and whatever gets adopted ends up becoming the standard, not the old school way of kind of getting stuff done. So that's cool. Security Kubernetes and Containers are all kind of now that next level. So you're starting to see the early adopters moving to the mainstream. Enterprises, a variety of different approaches. You guys are at the center of this. We've had a couple conversations with your CEO and your tech team over there. What are you seeing? You're building the products. What's the core product focus right now for Platform9? What are you guys aiming for? >> The core is that blend of enabling your infrastructure and PlatformOps or DevOps teams to be able to go fast and run in a stable environment, but at the same time enable developers. We don't want people going back to what I've been calling Shadow IT 2.0. It's, hey, I've been told to do something. I kicked off this Container initiative. I need to run my software somewhere. I'm just going to go figure it out. We want to keep those people productive. At the same time we want to enable velocity for our operations teams, be it PlatformOps or DevOps. >> Take us through in your mind and how you see the industry rolling out this Cloud Native journey. Where do you see customers out there? Because DevOps have been around, DevSecOps is rocking, you're seeing AI, hot trend now. Developers are still in charge. Is there a change to the infrastructure of how developers get their coding done and the infrastructure, setting up the DevOps is key, but when you add the Cloud Native journey for an enterprise, what changes? What is the, what is the, I guess what is the Cloud Native journey for an enterprise these days? >> The Cloud Native journey or the change? When- >> Let's start with the, let's start with what they want to do. What's the goal and then how does that happen? >> I think the goal is that promise land. Increased resiliency, better scalability, and overall reduced costs. I've gone from physical to virtual that gave me a higher level of density, packing of resources. I'm moving to Containers. I'm removing that OS layer again. I'm getting a better density again, but all of a sudden I'm running Kubernetes. What does that, what does that fundamentally do to my operations? Does it magically give me scalability and resiliency? Or do I need to change what I'm running and how it's running so it fits that infrastructure? And that's the reality, is you can't just take a Container and drop it into Kubernetes and say, hey, I'm now Cloud Native. I've got reduced cost, or I've got better resiliency. There's things that your engineering teams need to do to make sure that application is a Cloud Native. And then there's what I think is one of the largest shifts of virtual machines to containers. When I was in the world of application performance monitoring, we would see customers saying, well, my engineering team have this Java app, and they said it needs a VM with 12 gig of RAM and eight cores, and that's what we gave it. But it's running slow. I'm working with the application team and you can see it's running slow. And they're like, well, it's got all of its resources. One of those nice features of virtualization is over provisioning. So the infrastructure team would say, well, we gave it, we gave it all a RAM it needed. And what's wrong with that being over provisioned? It's like, well, Java expects that RAM to be there. Now all of a sudden, when you move to the world of containers, what we've got is that's not a set resource limit, really is like it used to be in a VM, right? When you set it for a container, your application teams really need to be paying attention to your resource limits and constraints within the world of Kubernetes. So instead of just being able to say, hey, I'm throwing over the fence and now it's just going to run on a VM, and that VMs got everything it needs. It's now really running on more, much more of a shared infrastructure where limits and constraints are going to impact the neighbors. They are going to impact who's making that decision around resourcing. Because that Kubernetes concept of over provisioning and the virtualization concept of over provisioning are not the same. So when I look at this problem, it's like, well, what changed? Well, I'll do my scale tests as an application developer and tester, and I'd see what resources it needs. I asked for that in the VM, that sets the high watermark, job's done. Well, Kubernetes, it's no longer a VM, it's a Kubernetes manifest. And well, who owns that? Who's writing it? Who's setting those limits? To me, that should be the application team. But then when it goes into operations world, they're like, well, that's now us. Can we change those? So it's that amalgamation of the two that is saying, I'm a developer. I used to pay attention, but now I need to pay attention. And an infrastructure person saying, I used to just give 'em what they wanted, but now I really need to know what they've wanted, because it's going to potentially have a catastrophic impact on what I'm running. >> So what's the impact for the developer? Because, infrastructure's code is what everybody wants. The developer just wants to get the code going and they got to pay attention to all these things, or don't they? Is that where you guys come in? How do you guys see the problem? Actually scope the problem that you guys solve? 'Cause I think you're getting at I think the core issue here, which is, I've got Kubernetes, I've got containers, I've got developer productivity that I want to focus on. What's the problem that you guys solve? >> Platform operation teams that are adopting Cloud Native in their environment, they've got that steep learning curve of Kubernetes plus this fundamental change of how an app runs. What we're doing is taking away the burden of needing to operate and run Kubernetes and giving them the choice of the flexibility of infrastructure and location. Be that an air gap environment like a, let's say a telco provider that needs to run a containerized network function and containerized workloads for 5G. That's one thing that we can deploy and achieve in a completely inaccessible environment all the way through to Platform9 running traditionally as SaaS, as we were born, that's remotely managing and controlling your Kubernetes environments on-premise AWS. That hybrid cloud experience that could be also Bare Metal, but it's our platform running your environments with our support there, 24 by seven, that's proactively reaching out. So it's removing a lot of that burden and the complications that come along with operating the environment and standing it up, which means all of a sudden your DevOps and platform operations teams can go and work with your engineers and application developers and say, hey, let's get, let's focus on the stuff that, that we need to be focused on, which is running our business and providing a service to our customers. Not figuring out how to upgrade a Kubernetes cluster, add new nodes, and configure all of the low level. >> I mean there are, that's operations that just needs to work. And sounds like as they get into the Cloud Native kind of ops, there's a lot of stuff that kind of goes wrong. Or you go, oops, what do we buy into? Because the CIOs, let's go, let's go Cloud Native. We want to, we got to get set up for the future. We're going to be Cloud Native, not just lift and shift and we're going to actually build it out right. Okay, that sounds good. And when we have to actually get done. >> Chris: Yeah. >> You got to spin things up and stand up the infrastructure. What specifically use case do you guys see that emerges for Platform9 when people call you up and you go talk to customers and prospects? What's the one thing or use case or cases that you guys see that you guys solve the best? >> So I think one of the, one of the, I guess new use cases that are coming up now, everyone's talking about economic pressures. I think the, the tap blows open, just get it done. CIO is saying let's modernize, let's use the cloud. Now all of a sudden they're recognizing, well wait, we're spending a lot of money now. We've opened that tap all the way, what do we do? So now they're looking at ways to control that spend. So we're seeing that as a big emerging trend. What we're also sort of seeing is people looking at their data centers and saying, well, I've got this huge legacy environment that's running a hypervisor. It's running VMs. Can we still actually do what we need to do? Can we modernize? Can we start this Cloud Native journey without leaving our data centers, our co-locations? Or if I do want to reduce costs, is that that thing that says maybe I'm repatriating or doing a reverse migration? Do I have to go back to my data center or are there other alternatives? And we're seeing that trend a lot. And our roadmap and what we have in the product today was specifically built to handle those, those occurrences. So we brought in KubeVirt in terms of virtualization. We have a long legacy doing OpenStack and private clouds. And we've worked with a lot of those users and customers that we have and asked the questions, what's important? And today, when we look at the world of Cloud Native, you can run virtualization within Kubernetes. So you can, instead of running two separate platforms, you can have one. So all of a sudden, if you're looking to modernize, you can start on that new infrastructure stack that can run anywhere, Kubernetes, and you can start bringing VMs over there as you are containerizing at the same time. So now you can keep your application operations in one environment. And this also helps if you're trying to reduce costs. If you really are saying, we put that Dev environment in AWS, we've got a huge amount of velocity out of it now, can we do that elsewhere? Is there a co-location we can go to? Is there a provider that we can go to where we can run that infrastructure or run the Kubernetes, but not have to run the infrastructure? >> It's going to be interesting too, when you see the Edge come online, you start, we've got Mobile World Congress coming up, KubeCon events we're going to be at, the conversation is not just about public cloud. And you guys obviously solve a lot of do-it-yourself implementation hassles that emerge when people try to kind of stand up their own environment. And we hear from developers consistency between code, managing new updates, making sure everything is all solid so they can go fast. That's the goal. And that, and then people can get standardized on that. But as you get public cloud and do it yourself, kind of brings up like, okay, there's some gaps there as the architecture changes to be more distributed computing, Edge, on-premises cloud, it's cloud operations. So that's cool for DevOps and Cloud Native. How do you guys differentiate from say, some the public cloud opportunities and the folks who are doing it themselves? How do you guys fit in that world and what's the pitch or what's the story? >> The fit that we look at is that third alternative. Let's get your team focused on what's high value to your business and let us deliver that public cloud experience on your infrastructure or in the public cloud, which gives you that ability to still be flexible if you want to make choices to run consistently for your developers in two different locations. So as I touched on earlier, instead of saying go figure out Kubernetes, how do you upgrade a hundred worker nodes in place upgrade. We've solved that problem. That's what we do every single day of the week. Don't go and try to figure out how to upgrade a cluster and then upgrade all of the, what I call Kubernetes friends, your core DNSs, your metrics server, your Kubernetes dashboard. These are all things that we package, we test, we version. So when you click upgrade, we've already handled that entire process. So it's saying don't have your team focused on that lower level piece of work. Get them focused on what is important, which is your business services. >> Yeah, the infrastructure and getting that stood up. I mean, I think the thing that's interesting, if you look at the market right now, you mentioned cost savings and recovery, obviously kind of a recession. I mean, people are tightening their belts for sure. I don't think the digital transformation and Cloud Native spend is going to plummet. It's going to probably be on hold and be squeezed a little bit. But to your point, people are refactoring looking at how to get the best out of what they got. It's not just open the tap of spend the cash like it used to be. Yeah, a couple months, even a couple years ago. So okay, I get that. But then you look at the what's coming, AI. You're seeing all the new data infrastructure that's coming. The containers, Kubernetes stuff, got to get stood up pretty quickly and it's got to be reliable. So to your point, the teams need to get done with this and move on to the next thing. >> Chris: Yeah, yeah, yeah. >> 'Cause there's more coming. I mean, there's a lot coming for the apps that are building in Data Native, AI-Native, Cloud Native. So it seems that this Kubernetes thing needs to get solved. Is that kind of what you guys are focused on right now? >> So, I mean to use a customer, we have a customer that's in AI/ML and they run their platform at customer sites and that's hardware bound. You can't run AI machine learning on anything anywhere. Well, with Platform9 they can. So we're enabling them to deliver services into their customers that's running their AI/ML platform in their customer's data centers anywhere in the world on hardware that is purpose-built for running that workload. They're not Kubernetes experts. That's what we are. We're bringing them that ability to focus on what's important and just delivering their business services whilst they're enabling our team. And our 24 by seven proactive management are always on assurance to keep that up and running for them. So when something goes bump at the night at 2:00am, our guys get woken up. They're the ones that are reaching out to the customer saying, your environments have a problem, we're taking these actions to fix it. Obviously sometimes, especially if it is running on Bare Metal, there's things you can't do remotely. So you might need someone to go and do that. But even when that happens, you're not by yourself. You're not sitting there like I did when I worked for a bank in one of my first jobs, three o'clock in the morning saying, wow, our end of day processing is stuck. Who else am I waking up? Right? >> Exactly, yeah. Got to get that cash going. But this is a great use case. I want to get to the customer. What do some of the successful customers say to you for the folks watching that aren't yet a customer of Platform9, what are some of the accolades and comments or anecdotes that you guys hear from customers that you have? >> It just works, which I think is probably one of the best ones you can get. Customers coming back and being able to show to their business that they've delivered growth, like business growth and productivity growth and keeping their organization size the same. So we started on our containerization journey. We went to Kubernetes. We've deployed all these new workloads and our operations team is still six people. We're doing way more with growth less, and I think that's also talking to the strength that we're bringing, 'cause we're, we're augmenting that team. They're spending less time on the really low level stuff and automating a lot of the growth activity that's involved. So when it comes to being able to grow their business, they can just focus on that, not- >> Well you guys do the heavy lifting, keep on top of the Kubernetes, make sure that all the versions are all done. Everything's stable and consistent so they can go on and do the build out and provide their services. That seems to be what you guys are best at. >> Correct, correct. >> And so what's on the roadmap? You have the product, direct product management, you get the keys to the kingdom. What is, what is the focus? What's your focus right now? Obviously Kubernetes is growing up, Containers. We've been hearing a lot at the last KubeCon about the security containers is getting better. You've seen verification, a lot more standards around some things. What are you focused on right now for at a product over there? >> Edge is a really big focus for us. And I think in Edge you can look at it in two ways. The mantra that I drive is Edge must be remote. If you can't do something remotely at the Edge, you are using a human being, that's not Edge. Our Edge management capabilities and being in the market for over two years are a hundred percent remote. You want to stand up a store, you just ship the server in there, it gets racked, the rest of it's remote. Imagine a store manager in, I don't know, KFC, just plugging in the server, putting in the ethernet cable, pressing the power button. The rest of all that provisioning for that Cloud Native stack, Kubernetes, KubeVirt for virtualization is done remotely. So we're continuing to focus on that. The next piece that is related to that is allowing people to run Platform9 SaaS in their data centers. So we do ag app today and we've had a really strong focus on telecommunications and the containerized network functions that come along with that. So this next piece is saying, we're bringing what we run as SaaS into your data center, so then you can run it. 'Cause there are many people out there that are saying, we want these capabilities and we want everything that the Platform9 control plane brings and simplifies. But unfortunately, regulatory compliance reasons means that we can't leverage SaaS. So they might be using a cloud, but they're saying that's still our infrastructure. We're still closed that network down, or they're still on-prem. So they're two big priorities for us this year. And that on-premise experiences is paramount, even to the point that we will be delivering a way that when you run an on-premise, you can still say, wait a second, well I can send outbound alerts to Platform9. So their support team can still be proactively helping me as much as they could, even though I'm running Platform9s control plane. So it's sort of giving that blend of two experiences. They're big, they're big priorities. And the third pillar is all around virtualization. It's saying if you have economic pressures, then I think it's important to look at what you're spending today and realistically say, can that be reduced? And I think hypervisors and virtualization is something that should be looked at, because if you can actually reduce that spend, you can bring in some modernization at the same time. Let's take some of those nos that exist that are two years into their five year hardware life cycle. Let's turn that into a Cloud Native environment, which is enabling your modernization in place. It's giving your engineers and application developers the new toys, the new experiences, and then you can start running some of those virtualized workloads with KubeVirt, there. So you're reducing cost and you're modernizing at the same time with your existing infrastructure. >> You know Chris, the topic of this content series that we're doing with you guys is finding the right path, trusting the right path to Cloud Native. What does that mean? I mean, if you had to kind of summarize that phrase, trusting the right path to Cloud Native, what does that mean? It mean in terms of architecture, is it deployment? Is it operations? What's the underlying main theme of that quote? What's the, what's? How would you talk to a customer and say, what does that mean if someone said, "Hey, what does that right path mean?" >> I think the right path means focusing on what you should be focusing on. I know I've said it a hundred times, but if your entire operations team is trying to figure out the nuts and bolts of Kubernetes and getting three months into a journey and discovering, ah, I need Metrics Server to make something function. I want to use Horizontal Pod Autoscaler or Vertical Pod Autoscaler and I need this other thing, now I need to manage that. That's not the right path. That's literally learning what other people have been learning for the last five, seven years that have been focused on Kubernetes solely. So the why- >> There's been a lot of grind. People have been grinding it out. I mean, that's what you're talking about here. They've been standing up the, when Kubernetes started, it was all the promise. >> Chris: Yep. >> And essentially manually kind of getting in in the weeds and configuring it. Now it's matured up. They want stability. >> Chris: Yeah. >> Not everyone can get down and dirty with Kubernetes. It's not something that people want to generally do unless you're totally into it, right? Like I mean, I mean ops teams, I mean, yeah. You know what I mean? It's not like it's heavy lifting. Yeah, it's important. Just got to get it going. >> Yeah, I mean if you're deploying with Platform9, your Ops teams can tinker to their hearts content. We're completely compliant upstream Kubernetes. You can go and change an API server flag, let's go and mess with the scheduler, because we want to. You can still do that, but don't, don't have your team investing in all this time to figure it out. It's been figured out. >> John: Got it. >> Get them focused on enabling velocity for your business. >> So it's not build, but run. >> Chris: Correct? >> Or run Kubernetes, not necessarily figure out how to kind of get it all, consume it out. >> You know we've talked to a lot of customers out there that are saying, "I want to be able to deliver a service to my users." Our response is, "Cool, let us run it. You consume it, therefore deliver it." And we're solving that in one hit versus figuring out how to first run it, then operate it, then turn that into a consumable service. >> So the alternative Platform9 is what? They got to do it themselves or use the Cloud or what's the, what's the alternative for the customer for not using Platform9? Hiring more people to kind of work on it? What's the? >> People, building that kind of PaaS experience? Something that I've been very passionate about for the past year is looking at that world of sort of GitOps and what that means. And if you go out there and you sort of start asking the question what's happening? Just generally with Kubernetes as well and GitOps in that scope, then you'll hear some people saying, well, I'm making it PaaS, because Kubernetes is too complicated for my developers and we need to give them something. There's some great material out there from the likes of Intuit and Adobe where for two big contributors to Argo and the Argo projects, they almost have, well they do have, different experiences. One is saying, we went down the PaaS route and it failed. The other one is saying, well we've built a really stable PaaS and it's working. What are they trying to do? They're trying to deliver an outcome to make it easy to use and consume Kubernetes. So you could go out there and say, hey, I'm going to build a Kubernetes cluster. Sounds like Argo CD is a great way to expose that to my developers so they can use Kubernetes without having to use Kubernetes and start automating things. That is an approach, but you're going to be going completely open source and you're going to have to bring in all the individual components, or you could just lay that, lay it down, and consume it as a service and not have to- >> And mentioned to it. They were the ones who kind of brought that into the open. >> They did. Inuit is the primary contributor to the Argo set of products. >> How has that been received in the market? I mean, they had the event at the Computer History Museum last fall. What's the momentum there? What's the big takeaway from that project? >> Growth. To me, growth. I mean go and track the stars on that one. It's just, it's growth. It's unlocking machine learning. Argo workflows can do more than just make things happen. Argo CD I think the approach they're taking is, hey let's make this simple to use, which I think can be lost. And I think credit where credit's due, they're really pushing to bring in a lot of capabilities to make it easier to work with applications and microservices on Kubernetes. It's not just that, hey, here's a GitOps tool. It can take something from a Git repo and deploy it and maybe prioritize it and help you scale your operations from that perspective. It's taking a step back and saying, well how did we get to production in the first place? And what can be done down there to help as well? I think it's growth expansion of features. They had a huge release just come out in, I think it was 2.6, that brought in things that as a product manager that I don't often look at like really deep technical things and say wow, that's powerful. But they have, they've got some great features in that release that really do solve real problems. >> And as the product, as the product person, who's the target buyer for you? Who's the customer? Who's making that? And you got decision maker, influencer, and recommender. Take us through the customer persona for you guys. >> So that Platform Ops, DevOps space, right, the people that need to be delivering Containers as a service out to their organization. But then it's also important to say, well who else are our primary users? And that's developers, engineers, right? They shouldn't have to say, oh well I have access to a Kubernetes cluster. Do I have to use kubectl or do I need to go find some other tool? No, they can just log to Platform9. It's integrated with your enterprise id. >> They're the end customer at the end of the day, they're the user. >> Yeah, yeah. They can log in. And they can see the clusters you've given them access to as a Platform Ops Administrator. >> So job well done for you guys. And your mind is the developers are moving 'em fast, coding and happy. >> Chris: Yeah, yeah. >> And and from a customer standpoint, you reduce the maintenance cost, because you keep the Ops smoother, so you got efficiency and maintenance costs kind of reduced or is that kind of the benefits? >> Yeah, yep, yeah. And at two o'clock in the morning when things go inevitably wrong, they're not there by themselves, and we're proactively working with them. >> And that's the uptime issue. >> That is the uptime issue. And Cloud doesn't solve that, right? Everyone experienced that Clouds can go down, entire regions can go offline. That's happened to all Cloud providers. And what do you do then? Kubernetes isn't your recovery plan. It's part of it, right, but it's that piece. >> You know Chris, to wrap up this interview, I will say that "theCUBE" is 12 years old now. We've been to OpenStack early days. We had you guys on when we were covering OpenStack and now Cloud has just been booming. You got AI around the corner, AI Ops, now you got all this new data infrastructure, it's just amazing Cloud growth, Cloud Native, Security Native, Cloud Native, Data Native, AI Native. It's going to be all, this is the new app environment, but there's also existing infrastructure. So going back to OpenStack, rolling our own cloud, building your own cloud, building infrastructure cloud, in a cloud way, is what the pioneers have done. I mean this is what we're at. Now we're at this scale next level, abstracted away and make it operational. It seems to be the key focus. We look at CNCF at KubeCon and what they're doing with the cloud SecurityCon, it's all about operations. >> Chris: Yep, right. >> Ops and you know, that's going to sound counterintuitive 'cause it's a developer open source environment, but you're starting to see that Ops focus in a good way. >> Chris: Yeah, yeah, yeah. >> Infrastructure as code way. >> Chris: Yep. >> What's your reaction to that? How would you summarize where we are in the industry relative to, am I getting, am I getting it right there? Is that the right view? What am I missing? What's the current state of the next level, NextGen infrastructure? >> It's a good question. When I think back to sort of late 2019, I sort of had this aha moment as I saw what really truly is delivering infrastructure as code happening at Platform9. There's an open source project Ironic, which is now also available within Kubernetes that is Metal Kubed that automates Bare Metal as code, which means you can go from an empty server, lay down your operating system, lay down Kubernetes, and you've just done everything delivered to your customer as code with a Cloud Native platform. That to me was sort of the biggest realization that I had as I was moving into this industry was, wait, it's there. This can be done. And the evolution of tooling and operations is getting to the point where that can be achieved and it's focused on by a number of different open source projects. Not just Ironic and and Metal Kubed, but that's a huge win. That is truly getting your infrastructure. >> John: That's an inflection point, really. >> Yeah. >> If you think about it, 'cause that's one of the problems. We had with the Bare Metal piece was the automation and also making it Cloud Ops, cloud operations. >> Right, yeah. I mean, one of the things that I think Ironic did really well was saying let's just treat that piece of Bare Metal like a Cloud VM or an instance. If you got a problem with it, just give the person using it or whatever's using it, a new one and reimage it. Just tell it to reimage itself and it'll just (snaps fingers) go. You can do self-service with it. In Platform9, if you log in to our SaaS Ironic, you can go and say, I want that physical server to myself, because I've got a giant workload, or let's turn it into a Kubernetes cluster. That whole thing is automated. To me that's infrastructure as code. I think one of the other important things that's happening at the same time is we're seeing GitOps, we're seeing things like Terraform. I think it's important for organizations to look at what they have and ask, am I using tools that are fit for tomorrow or am I using tools that are yesterday's tools to solve tomorrow's problems? And when especially it comes to modernizing infrastructure as code, I think that's a big piece to look at. >> Do you see Terraform as old or new? >> I see Terraform as old. It's a fantastic tool, capable of many great things and it can work with basically every single provider out there on the planet. It is able to do things. Is it best fit to run in a GitOps methodology? I don't think it is quite at that point. In fact, if you went and looked at Flux, Flux has ways that make Terraform GitOps compliant, which is absolutely fantastic. It's using two tools, the best of breeds, which is solving that tomorrow problem with tomorrow solutions. >> Is the new solutions old versus new. I like this old way, new way. I mean, Terraform is not that old and it's been around for about eight years or so, whatever. But HashiCorp is doing a great job with that. I mean, so okay with Terraform, what's the new address? Is it more complex environments? Because Terraform made sense when you had basic DevOps, but now it sounds like there's a whole another level of complexity. >> I got to say. >> New tools. >> That kind of amalgamation of that application into infrastructure. Now my app team is paying way more attention to that manifest file, which is what GitOps is trying to solve. Let's templatize things. Let's version control our manifest, be it helm, customize, or just a straight up Kubernetes manifest file, plain and boring. Let's get that version controlled. Let's make sure that we know what is there, why it was changed. Let's get some auditability and things like that. And then let's get that deployment all automated. So that's predicated on the cluster existing. Well why can't we do the same thing with the cluster, the inception problem. So even if you're in public cloud, the question is like, well what's calling that API to call that thing to happen? Where is that file living? How well can I manage that in a large team? Oh my God, something just changed. Who changed it? Where is that file? And I think that's one of big, the big pieces to be sold. >> Yeah, and you talk about Edge too and on-premises. I think one of the things I'm observing and certainly when DevOps was rocking and rolling and infrastructures code was like the real push, it was pretty much the public cloud, right? >> Chris: Yep. >> And you did Cloud Native and you had stuff on-premises. Yeah you did some lifting and shifting in the cloud, but the cool stuff was going in the public cloud and you ran DevOps. Okay, now you got on-premise cloud operation and Edge. Is that the new DevOps? I mean 'cause what you're kind of getting at with old new, old new Terraform example is an interesting point, because you're pointing out potentially that that was good DevOps back in the day or it still is. >> Chris: It is, I was going to say. >> But depending on how you define what DevOps is. So if you say, I got the new DevOps with public on-premise and Edge, that's just not all public cloud, that's essentially distributed Cloud Native. >> Correct. Is that the new DevOps in your mind or is that? How would you, or is that oversimplifying it? >> Or is that that term where everyone's saying Platform Ops, right? Has it shifted? >> Well you bring up a good point about Terraform. I mean Terraform is well proven. People love it. It's got great use cases and now there seems to be new things happening. We call things like super cloud emerging, which is multicloud and abstraction layers. So you're starting to see stuff being abstracted away for the benefits of moving to the next level, so teams don't get stuck doing the same old thing. They can move on. Like what you guys are doing with Platform9 is providing a service so that teams don't have to do it. >> Correct, yeah. >> That makes a lot of sense, So you just, now it's running and then they move on to the next thing. >> Chris: Yeah, right. >> So what is that next thing? >> I think Edge is a big part of that next thing. The propensity for someone to put up with a delay, I think it's gone. For some reason, we've all become fairly short-tempered, Short fused. You know, I click the button, it should happen now, type people. And for better or worse, hopefully it gets better and we all become a bit more patient. But how do I get more effective and efficient at delivering that to that really demanding- >> I think you bring up a great point. I mean, it's not just people are getting short-tempered. I think it's more of applications are being deployed faster, security is more exposed if they don't see things quicker. You got data now infrastructure scaling up massively. So, there's a double-edged swords to scale. >> Chris: Yeah, yeah. I mean, maintenance, downtime, uptime, security. So yeah, I think there's a tension around, and one hand enthusiasm around pushing a lot of code and new apps. But is the confidence truly there? It's interesting one little, (snaps finger) supply chain software, look at Container Security for instance. >> Yeah, yeah. It's big. I mean it was codified. >> Do you agree that people, that's kind of an issue right now. >> Yeah, and it was, I mean even the supply chain has been codified by the US federal government saying there's things we need to improve. We don't want to see software being a point of vulnerability, and software includes that whole process of getting it to a running point. >> It's funny you mentioned remote and one of the thing things that you're passionate about, certainly Edge has to be remote. You don't want to roll a truck or labor at the Edge. But I was doing a conversation with, at Rebars last year about space. It's hard to do brake fix on space. It's hard to do a, to roll a someone to configure satellite, right? Right? >> Chris: Yeah. >> So Kubernetes is in space. We're seeing a lot of Cloud Native stuff in apps, in space, so just an example. This highlights the fact that it's got to be automated. Is there a machine learning AI angle with all this ChatGPT talk going on? You see all the AI going the next level. Some pretty cool stuff and it's only, I know it's the beginning, but I've heard people using some of the new machine learning, large language models, large foundational models in areas I've never heard of. Machine learning and data centers, machine learning and configuration management, a lot of different ways. How do you see as the product person, you incorporating the AI piece into the products for Platform9? >> I think that's a lot about looking at the telemetry and the information that we get back and to use one of those like old idle terms, that continuous improvement loop to feed it back in. And I think that's really where machine learning to start with comes into effect. As we run across all these customers, our system that helps at two o'clock in the morning has that telemetry, it's got that data. We can see what's changing and what's happening. So it's writing the right algorithms, creating the right machine learning to- >> So training will work for you guys. You have enough data and the telemetry to do get that training data. >> Yeah, obviously there's a lot of investment required to get there, but that is something that ultimately that could be achieved with what we see in operating people's environments. >> Great. Chris, great to have you here in the studio. Going wide ranging conversation on Kubernetes and Platform9. I guess my final question would be how do you look at the next five years out there? Because you got to run the product management, you got to have that 20 mile steer, you got to look at the customers, you got to look at what's going on in the engineering and you got to kind of have that arc. This is the right path kind of view. What's the five year arc look like for you guys? How do you see this playing out? 'Cause KubeCon is coming up and we're you seeing Kubernetes kind of break away with security? They had, they didn't call it KubeCon Security, they call it CloudNativeSecurityCon, they just had in Seattle inaugural events seemed to go well. So security is kind of breaking out and you got Kubernetes. It's getting bigger. Certainly not going away, but what's your five year arc of of how Platform9 and Kubernetes and Ops evolve? >> It's to stay on that theme, it's focusing on what is most important to our users and getting them to a point where they can just consume it, so they're not having to operate it. So it's finding those big items and bringing that into our platform. It's something that's consumable, that's just taken care of, that's tested with each release. So it's simplifying operations more and more. We've always said freedom in cloud computing. Well we started on, we started on OpenStack and made that simple. Stable, easy, you just have it, it works. We're doing that with Kubernetes. We're expanding out that user, right, we're saying bring your developers in, they can download their Kube conflict. They can see those Containers that are running there. They can access the events, the log files. They can log in and build a VM using KubeVirt. They're self servicing. So it's alleviating pressures off of the Ops team, removing the help desk systems that people still seem to rely on. So it's like what comes into that field that is the next biggest issue? Is it things like CI/CD? Is it simplifying GitOps? Is it bringing in security capabilities to talk to that? Or is that a piece that is a best of breed? Is there a reason that it's been spun out to its own conference? Is this something that deserves a focus that should be a specialized capability instead of tooling and vendors that we work with, that we partner with, that could be brought in as a service. I think it's looking at those trends and making sure that what we bring in has the biggest impact to our users. >> That's awesome. Thanks for coming in. I'll give you the last word. Put a plug in for Platform9 for the people who are watching. What should they know about Platform9 that they might not know about it or what should? When should they call you guys and when should they engage? Take a take a minute to give the plug. >> The plug. I think it's, if your operations team is focused on building Kubernetes, stop. That shouldn't be the cloud. That shouldn't be in the Edge, that shouldn't be at the data center. They should be consuming it. If your engineering teams are all trying different ways and doing different things to use and consume Cloud Native services and Kubernetes, they shouldn't be. You want consistency. That's how you get economies of scale. Provide them with a simple platform that's integrated with all of your enterprise identity where they can just start consuming instead of having to solve these problems themselves. It's those, it's those two personas, right? Where the problems manifest. What are my operations teams doing, and are they delivering to my company or are they building infrastructure again? And are my engineers sprinting or crawling? 'Cause if they're not sprinting, you should be asked the question, do I have the right Cloud Native tooling in my environment and how can I get them back? >> I think it's developer productivity, uptime, security are the tell signs. You get that done. That's the goal of what you guys are doing, your mission. >> Chris: Yep. >> Great to have you on, Chris. Thanks for coming on. Appreciate it. >> Chris: Thanks very much. 0 Okay, this is "theCUBE" here, finding the right path to Cloud Native. I'm John Furrier, host of "theCUBE." Thanks for watching. (upbeat music)

(lively music) >> Welcome back to our coverage of Cloud Native Security Con. I'm Dave Vellante, here in our Boston studio. We're connecting today, throughout the day, with Palo Alto on the ground in Seattle. And right now I'm here with Michael Foster with Red Hat. He's on the ground in Seattle. We're going to discuss the trends and containers and security and everything that's going on at the show in Seattle. Michael, good to see you, thanks for coming on. >> Good to see you, thanks for having me on. >> Lot of market momentum for Red Hat. The IBM earnings call the other day, announced OpenShift is a billion-dollar ARR. So it's quite a milestone, and it's not often, you know. It's hard enough to become a billion-dollar software company and then to have actually a billion-dollar product alongside. So congratulations on that. And let's start with the event. What's the buzz at the event? People talking about shift left, obviously supply chain security is a big topic. We've heard a little bit about or quite a bit about AI. What are you hearing on the ground? >> Yeah, so the last event I was at that I got to see you at was three months ago, with CubeCon and the talk was supply chain security. Nothing has really changed on that front, although I do think that the conversation, let's say with the tech companies versus what customers are actually looking at, is slightly different just based on the market. And, like you said, thank you for the shout-out to a billion-dollar OpenShift, and ACS is certainly excited to be part of that. We are seeing more of a consolidation, I think, especially in security. The money's still flowing into security, but people want to know what they're running. We've allowed, had some tremendous growth in the last couple years and now it's okay. Let's get a hold of the containers, the clusters that we're running, let's make sure everything's configured. They want to start implementing policies effectively and really get a feel for what's going on across all their workloads, especially with the bigger companies. I think bigger companies allow some flexibility in the security applications that they can deploy. They can have different groups that manage different ones, but in the mid to low market, you're seeing a lot of consolidation, a lot of companies that want basically one security tool to manage them all, so to speak. And I think that the features need to somewhat accommodate that. We talk supply chain, I think most people continue to care about network security, vulnerability management, shifting left and enabling developers. That's the general trend I see. Still really need to get some hands on demos and see some people that I haven't seen in a while. >> So a couple things on, 'cause, I mean, we talk about the macroeconomic climate all the time. We do a lot of survey data with our partners at ETR, and their recent data shows that in terms of cost savings, for those who are actually cutting their budgets, they're looking to consolidate redundant vendors. So, that's one form of consolidation. The other theme, of course, is there's so many tools out in the security market that consolidating tools is something that can help simplify, but then at the same time, you see opportunities open up, like IOT security. And so, you have companies that are starting up to just do that. So, there's like these countervailing trends. I often wonder, Michael, will this ever end? It's like the universe growing and tooling, what are your thoughts? >> I mean, I completely agree. It's hard to balance trying to grow the company in a time like this, at the same time while trying to secure it all, right? So you're seeing the consolidation but some of these applications and platforms need to make some promises to say, "Hey, we're going to move into this space." Right, so when you have like Red Hat who wants to come out with edge devices and help manage the IOT devices, well then, you have a security platform that can help you do that, that's built in. Then the messaging's easy. When you're trying to do that across different cloud providers and move into IOT, it becomes a little bit more challenging. And so I think that, and don't take my word for this, some of those IOT startups, you might see some purchasing in the next couple years in order to facilitate those cloud platforms to be able to expand into that area. To me it makes sense, but I don't want to hypothesize too much from the start. >> But I do, we just did our predictions post and as a security we put up the chart of candidates, and there's like dozens, and dozens, and dozens. Some that are very well funded, but I mean, you've seen some down, I mean, down rounds everywhere, but these many companies have raised over a billion dollars and it's like uh-oh, okay, so they're probably okay, maybe. But a lot of smaller firms, I mean there's just, there's too many tools in the marketplace, but it seems like there is misalignment there, you know, kind of a mismatch between, you know, what customers would like to have happen and what actually happens in the marketplace. And that just underscores, I think, the complexities in security. So I guess my question is, you know, how do you look at Cloud Native Security, and what's different from traditional security approaches? >> Okay, I mean, that's a great question, and it's something that we've been talking to customers for the last five years about. And, really, it's just a change in mindset. Containers are supposed to unleash developer speed, and if you don't have a security tool to help do that, then you're basically going to inhibit developers in some form or another. I think managing that, while also giving your security teams the ability to tell the message of we are being more secure. You know, we're limiting vulnerabilities in our cluster. We are seeing progress because containers, you know, have a shorter life cycle and there is security and speed. Having that conversation with the C-suites is a little different, especially when how they might be used to virtual machines and managing it through that. I mean, if it works, it works from a developer's standpoint. You're not taking advantage of those containers and the developer's speed, so that's the difference. Now doing that and then first challenge is making that pitch. The second challenge is making that pitch to then scale it, so you can get onboard your developers and get your containers up and running, but then as you bring in new groups, as you move over to Kubernetes or you get into more container workloads, how do you onboard your teams? How do you scale? And I tend to see a general trend of a big investment needed for about two years to make that container shift. And then the security tools come in and really blossom because once that core separation of responsibilities happens in the organization, then the security tools are able to accelerate the developer workflow and not inhibit it. >> You know, I'm glad you mentioned, you know, separation of responsibilities. We go to a lot of shows, as you know, with theCUBE, and many of them are cloud shows. And in the one hand, Cloud has, you know, obviously made the world, you know, more interesting and better in so many different ways and even security, but it's like new layers are forming. You got the cloud, you got the shared responsibility model, so the cloud is like the first line of defense. And then you got the CISO who is relying heavily on devs to, you know, the whole shift left thing. So we're asking developers to do a lot and then you're kind of behind them. I guess you have audit is like the last line of defense, but my question to you is how can software developers really ensure that cloud native tools that they're using are secure? What steps can they take to improve security and specifically what's Red Hat doing in that area? >> Yeah, well I think there's, I would actually move away from that being the developer responsibility. I think the job is the operators' and the security people. The tools to give them the ability to see. The vulnerabilities they're introducing. Let's say signing their images, actually verifying that the images that's thrown in the cloud, are the ones that they built, that can all be done and it can be done open source. So we have a DevSecOps validated pattern that Red Hat's pushed out, and it's all open source tools in the cloud native space. And you can sign your builds and verify them at runtime and make sure that you're doing that all for free as one option. But in general, I would say that the hope is that you give the developer the information to make responsible choices and that there's a dialogue between your security and operations and developer teams but security, we should not be pushing that on developer. And so I think with ACS and our tool, the goal is to get in and say, "Let's set some reasonable policies, have a conversation, let's get a security liaison." Let's say in the developer team so that we can make some changes over time. And the more we can automate that and the more we can build and have that conversation, the better that you'll, I don't say the more security clusters but I think that the more you're on your path of securing your environment. >> How much talk is there at the event about kind of recent high profile incidents? We heard, you know, Log4j, of course, was mentioned in the Keynote. Somebody, you know, I think yelled out from the audience, "We're still dealing with that." But when you think about these, you know, incidents when looking back, what lessons do you think we've learned from these events? >> Oh, I mean, I think that I would say, if you have an approach where you're managing your containers, managing the age and using containers to accelerate, so let's say no images that are older than 90 days, for example, you're going to avoid a lot of these issues. And so I think people that are still dealing with that aspect haven't set up the proper, let's say, disclosure between teams and update strategy and so on. So I don't want to, I think the Log4j, if it's still around, you know, something's missing there but in general you want to be able to respond quickly and to do that and need the tools and policies to be able to tell people how to fix that issue. I mean, the Log4j fix was seven days after, so your developers should have been well aware of that. Your security team should have been sending the messages out. And I remember even fielding all the calls, all the fires that we had to put out when that happened. But yeah. >> I thought Brian Behlendorf's, you know, talk this morning was interesting 'cause he was making an attempt to say, "Hey, here's some things that you might not be thinking about that are likely to occur." And I wonder if you could, you know, comment on them and give us your thoughts as to how the industry generally, maybe Red Hat specifically, are thinking about dealing with them. He mentioned ChatGPT or other GPT to automate Spear phishing. He said the identity problem is still not fixed. Then he talked about free riders sniffing repos essentially for known vulnerabilities that are slow to fix. He talked about regulations that might restrict shipping code. So these are things that, you know, essentially, we can, they're on the radar, but you know, we're kind of putting out, you know, yesterday's fire. What are your thoughts on those sort of potential issues that we're facing and how are you guys thinking about it? >> Yeah, that's a great question, and I think it's twofold. One, it's brought up in front of a lot of security leaders in the space for them to be aware of it because security, it's a constant battle, constant war that's being fought. ChatGPT lowers the barrier of entry for a lot of them, say, would-be hackers or people like that to understand systems and create, let's say, simple manifests to leverage Kubernetes or leverage a misconfiguration. So as the barrier drops, we as a security team in security, let's say group organization, need to be able to respond and have our own tools to be able to combat that, and we do. So a lot of it is just making sure that we shore up our barriers and that people are aware of these threats. The harder part I think is educating the public and that's why you tend to see maybe the supply chain trend be a little bit ahead of the implementation. I think they're still, for example, like S-bombs and signing an attestation. I think that's still, you know, a year, two years, away from becoming, let's say commonplace, especially in something like a production environment. Again, so, you know, stay bleeding edge, and then make sure that you're aware of these issues and we'll be constantly coming to these calls and filling you in on what we're doing and make sure that we're up to speed. >> Yeah, so I'm hearing from folks like yourself that the, you know, you think of the future of Cloud Native Security. We're going to see continued emphasis on, you know, better integration of security into the DevSecOps. You're pointing out it's really, you know, the ops piece, that runtime that we really need to shore up. You can't just put it on the shoulders of the devs. And, you know, using security focused tools and best practices. Of course you hear a lot about that and the continued drive toward automation. My question is, you know, automation, machine learning, how, where are we in that maturity cycle? How much of that is being adopted? Sometimes folks are, you know, they embrace automation but it brings, you know, unknown, unintended consequences. Are folks embracing that heavily? Are there risks associated around that, or are we kind of through that knothole in your view? >> Yeah, that's a great question. I would compare it to something like a smart home. You know, we sort of hit a wall. You can automate so much, but it has to actually be useful to your teams. So when we're going and deploying ACS and using a cloud service, like one, you know, you want something that's a service that you can easily set up. And then the other thing is you want to start in inform mode. So you can't just automate everything, even if you're doing runtime enforcement, you need to make sure that's very, very targeted to exactly what you want and then you have to be checking it because people start new workloads and people get onboarded every week or month. So it's finding that balance between policies where you can inform the developer and the operations teams and that they give them the information to act. And that worst case you can step in as a security team to stop it, you know, during the onboarding of our ACS cloud service. We have an early access program and I get on-calls, and it's not even security team, it's the operations team. It starts with the security product, you know, and sometimes it's just, "Hey, how do I, you know, set this policy so my developers will find this vulnerability like a Log4Shell and I just want to send 'em an email, right?" And these are, you know, they have the tools and they can do that. And so it's nice to see the operations take on some security. They can automate it because maybe you have a NetSec security team that doesn't know Kubernetes or containers as well. So that shared responsibility is really useful. And then just again, making that automation targeted, even though runtime enforcement is a constant thing that we talk about, the amount that we see it in the wild where people are properly setting up admission controllers and it's acting. It's, again, very targeted. Databases, cubits x, things that are basically we all know is a no-go in production. >> Thank you for that. My last question, I want to go to the, you know, the hardest part and 'cause you're talking to customers all the time and you guys are working on the hardest problems in the world. What is the hardest aspect of securing, I'm going to come back to the software supply chain, hardest aspect of securing the software supply chain from the perspective of a security pro, software engineer, developer, DevSecOps Pro, and then this part b of that is, is how are you attacking that specifically as Red Hat? >> Sure, so as a developer, it's managing vulnerabilities with updates. As an operations team, it's keeping all the cluster, because you have a bunch of different teams working in the same environment, let's say, from a security team. It's getting people to listen to you because there are a lot of things that need to be secured. And just communicating that and getting it actionable data to the people to make the decisions as hard from a C-suite. It's getting the buy-in because it's really hard to justify the dollars and cents of security when security is constantly having to have these conversations with developers. So for ACS, you know, we want to be able to give the developer those tools. We also want to build the dashboards and reporting so that people can see their vulnerabilities drop down over time. And also that they're able to respond to it quickly because really that's where the dollars and cents are made in the product. It's that a Log4Shell comes out. You get immediately notified when the feeds are updated and you have a policy in action that you can respond to it. So I can go to my CISOs and say, "Hey look, we're limiting vulnerabilities." And when this came out, the developers stopped it in production and we were able to update it with the next release. Right, like that's your bread and butter. That's the story that you want to tell. Again, it's a harder story to tell, but it's easy when you have the information to be able to justify the money that you're spending on your security tools. Hopefully that answered your question. >> It does. That was awesome. I mean, you got data, you got communication, you got the people, obviously there's skillsets, you have of course, tooling and technology is a big part of that. Michael, really appreciate you coming on the program, sharing what's happening on the ground in Seattle and can't wait to have you back. >> Yeah. Awesome. Thanks again for having me. >> Yeah, our pleasure. All right. Thanks for watching our coverage of the Cloud Native Security Con. I'm Dave Vellante. I'm in our Boston studio. We're connecting to Palo Alto. We're connecting on the ground in Seattle. Keep it right there for more coverage. Be right back. (lively music)

(rousing music) >> Hello everyone. Welcome back to "theCUBE's" day one coverage of Cloud Native Security Con 23. This is going to be an exciting panel. I've got three great guests. I'm Lisa Martin, you know our esteemed analysts, John Furrier, and Dave Vellante well. And we're excited to welcome to "theCUBE" for the first time, Yves Sandfort, the CEO of Comdivision Group, who's coming to us from Germany. As you know, Cloud Native Security Con is a global event. Everyone welcome Yves, great to have you in particular. Welcome to "theCUBE." >> Great to be here. >> Thank you for inviting me. >> Yves, tell us a little bit, before we dig into really wanting to understand your perspectives on the event and get Dave and John's feedback as well, tell us a little bit about you. >> So yeah, talking about me, or talking about Comdivision real quick. We are in the business for over 27 years already. We started as a SaaS company, then became more like an architecture and, and Cloud Native company over the last few years. But what's interesting is, and I think that's, that's, that's really interesting when we look at our industry. It hasn't really, the requirements haven't really changed over the years. It's still security. We still have to figure out how we deal with security. We still have to figure out how we deal with compliance and everything else. And I think therefore, it's more and more important that we take these items more seriously. Also, based on the fact that when we look at it, how development and other things happen nowadays, it's, it's, everybody says it's like open source. It's great because everybody can look into the code. We, I think the last few years have shown us enough example that that's not necessarily solving all the issues, but it's also code and development has changed rapidly when we look at the Cloud Native approach, where it's far more about gluing the pieces together, versus the development pieces. When I was actually doing software development 25 years ago, and had to basically build my code because I didn't have that much internet access for it. So it has evolved, but even back then we had to deal with security and everything. >> Right. The focus on security is, is incredibly important, and the focus keeps growing as you mentioned. This is, guys, and I want to get your perspectives on this. We're going to start with John. This is the first time Cloud Native Security Con is its own event being extracted from, and amplified from KubeCon. John, I want to understand from your perspective, break down the event, what you see, what you've heard, and Cloud Native Security in general. What does this mean to companies? What does it mean to customers? Is this a reality? >> Well, I think that's the topic we want to discuss, and I think Yves background, you see the VMware certification, I love that. Because what VMware did with virtualization, was abstract that from server virtualization, kind of really changed the game on things, and you start to see Cloud Native kind of go that next level of how companies will be operating their business, not just digital transformation, as digital transformation goes to completion, it's total business transformation where IT is everywhere. And so you're starting to see the trends where, "Okay, that's happening." Now you're starting to see, that's Cloud Native Con, or KubeCon, AWS re:Invent, or whatever show, or whatever way you want to look at it. But in, in the past decade, past five years, security has always been front and center as almost a separate thing, and, in and of itself, but the same thing. So you're starting to see the breakout of security conversations around how to make things work. So a lot of operational conversations around what used to be DevOps makes infrastructure as code, and that was great, that fueled that. Then DevSecOps came. So the Cloud Native next level, is more application development at scale, developers driving the standards with developer first thinking, shifting left, I get all that. But down in the lower ends of the stack, you got real operational issues. DNS we've heard in the keynote, we heard about the Colonel, the Lennox Colonel. Things that need to be managed and taken care of at a security level. These are like, seem like in the weeds, but you're starting to see that happen. And the other thing that I think's real about Cloud Native Security Con that's going to be interesting to watch, is Amazon has pretty much canceled all their re:Invent like shows except for two; Re:Invent, which is their annual conference, and Re:Inforce, which is dedicated to securities. So Cloud Native, Linux, the Linux Foundation has now breaking out Cloud Native Con and KubeCon, and now Cloud Native Security Con. They can't call it KubeCon because it's not Kubernetes, but it's like security focus. I think this is the beginning of starting to see this new developer driving, developers driving the standards, and it has it implications, what used to be called IT ops, and that's like the VMwares of the world. You saw all the stuff that was not at developer focus, but more ops, becoming much more in the application. So I think, I think it's real. The question is where does it go? How fast does it develop? So to me, I think it's a real trend, and it's worthy of a breakout, but it's not yet clear of where the landing zone is for people to start doing it, how they get started, what are the best practices. Machine learning's going to be a big part of this. So to me it's totally cool, but I'm not yet seeing the beachhead. So that's kind of my take. >> Dave, our inventor and host of breaking analysis, what's your take? >> So when you, I think when you zoom out, there's some, there's a big macro change that's been going on. I think when you look back, let's say 10, 12 years ago, the, the need for speed far trumped the, the, the security aspect, the governance, the data privacy. It was like, "Yeah, the risks, they're not that great compared to our opportunity." That has completely changed because the risks are now so much higher. And so what's happening, I think there's a, there's a major effort amongst CIOs and CISOs to try to make security not a blocker because it use to be, it still is. "Okay, I got this great initiative." Eh, give it to the SecOps pros, and let them take it for a while before we can go to market. And so a huge challenge now is to simplify, automate, AI comes in, the whole supply chain security, so the, so the companies can not be facing so much friction. And that is non-trivial. I don't think we're anywhere close there, but I think the goal is by, within the next several years, we're going to be in a position, that security, we heard today, is, wasn't designed in to the initial internet protocols. It was bolted on. And so increasingly, the fundamental architecture of the internet, the Cloud, et cetera, is, is seeing designed in security, and, and that is an imperative, or else business is going to come to a grinding halt. >> Right. It's no longer, the bolt no longer works. Yves, what's your perspective on Cloud Native Security, where it stands today? What's in it for customers, whether we're talking about banks, or hospitals, or retailers, what do you think? >> I think when we, when we look at security in the, in the modern world, is we need to as, as Dave mentioned, we need to rethink how we apply it. Very often, security in the past has been always bolted on in the end. If we continue to do that, it'll become more and more difficult, because as companies evolve, and as companies want to bring products and software to market in a much faster and faster way, it's getting more and more difficult if we bolt on the security process at the end. It's like, developers build something and then someone checks security. That's not going to work any longer. Especially if we also consider now the changes in the industry. We had Stack Overflow over the last 10 years. If I would've had Stack Overflow 15, 20, what, 25 years ago when I was a developer, it would've changed a hell lot. Looking at it now, and looking at it what we had in the last few weeks, it's like where nearly all of my team members say is like finally I don't need any script kiddies anymore because I can't go to (indistinct) who writes the code for me. Which is on one end great, because it enables us to solve certain problems in a much higher pace. But the challenge with that is, if the people who just copy and past that code, don't understand the implications of that code, we have a much higher risk continuously. And what people thought was, is challenging with Stack Overflow. Imagine that something in one of these AI engines, is actually going ballistic, and it creates holes in nearly every one of these applications. And trust me, there will be enough developers who are going to use these tools to develop codes, the same as students in university are going to take this to write their essays and everything else. And so it's really important that every developer team basically has a security person within their team, and not a security at the end. So we build something, we check it, go through QA, and then it goes to security. Security needs to be at the forefront. And I think that's where we see Cloud Native Security Con, where we see AWS. I saw it during re:Invent already where they said is like, we have reinforced next year. I think this becomes more and more of a topic, and I think companies, as much as it is become a norm that you have a firewall and everything else, it needs to become a norm that when you are doing software development, and every development team needs to have a security person on that needs to be trained. >> I love that chat comment Dave, 'cause you and I were talking about this. And I think that is going to be the issue. Do we need security chat for the chat bot? And there's like a, like a recursive model there. The biases are built in. I think, and I think our interview with the Palo Alto Network's co-founder, Dave, when he talked about zero trust as a structured way to start things, but he was referencing that with Cloud, there's a chance to rethink or do a do-over in security. So, I think this is kind of to me, where this is all going. And I think you asked Pat Gelsinger what, year 2013, 2014, can, is security a do over? I think we're in that do over time. >> He said yes. >> He said yes. (laughing) He was right. But yeah, eight years later... But this is, how do you, zero trust gives you some structure, but how do you organize and redo security? Because to me, I think that's what's happening here. >> And John you heard, Zuk at Palo Alto Network said, "Yeah, the, the words security and architecture, they don't go together historically." And so it is a total, total retake. >> Well is that because there's too many tools out there and- >> Yeah. For sure. >> Yeah, well, first of all, a lot of hardware. And then yeah, a lot of tools. You even see IIOT and industry 40, you see IOT security coming up as another stove pipe, and that's not the right approach. And, and so- >> Well let me, let me ask you a question Dave, and Yves, if you don't mind. 'Cause I was just riffing on this yesterday about this. In the ML space, you're seeing the ML models, you're seeing proprietary models versus open source. Is security going to go down this proprietary security methods and open source? Because that's interesting, because the CNCF is run by the the Linux Foundation. So you can almost maybe see a model where there's more proprietary security methods than open source. Or is it, is that a non-issue? >> I would, I would, let me, if I, if I jump in here first, I think the last, especially last five or 10 years have clearly shown the, the whole and, and I invested early on in the, in the end 90s in several open source startups in the Bay area. So, I'm well behind the whole open source idea and, and mid (indistinct) and others back then several times. But the point is, I think what we have seen is open source is not in general, more secure or less secure, because code is too complex nowadays. You have millions of lines of code, and it's not that either one way or the other is going to solve it. The ways I think we are going to look at it is more is what's the role to market, because only because something is open source doesn't necessarily mean it's going to be available for everyone. And the same for proprietary source from that perspective, even though everybody mixes licensing and payments and all that all the time, but it doesn't necessarily have anything to do with it. But I think as we are going through it, and when we also look at the industry, security industry over the last 10 plus years has been primarily hardware focused. And a lot of these vendors have done a good business out of selling hardware boxes, putting software on top of it. Whereas in reality, those were still X86 standard boxes in the end. So it was not that we had specific security ethics or anything like that in there anymore. And so overall, the question of the market is going to change. And as we are looking into Cloud Native, think about someone like an AWS, do you really envision them to have a hardware box of every supplier in their data center, and that in every availability zone in every region? Same for Microsoft, same for Google, etc? So we need to have new ways on how we can apply security. And that applies both on the backend services, but also on the front end side. >> And if I, and if I could chime in, I think the, the good, I think the answer is, is, is no and yes. And what I mean by that is if you take, antivirus and known malware, I mean pretty much anybody today can, can solve that problem, it's the unknown malware. So I think the yes part of the answer is yes, it's, it's going to be proprietary, but in the sense we're going to use open source tooling, and then apply that in a proprietary way with, with specific algorithms and unique architectures that are going to solve problems. For example, XDR with, with unknown malware. So, and that's the, that's the hard part. As somebody said, I think this morning at the keynote, it's, it's all the stuff that, that the SecOps team couldn't find. That's the really hard part. >> (laughs) Well the question will be will, is the new IP, the ability to feed ChatGPT some magical spelled insertion query string that does the job, that's unique, that might be the new IP, the the question to ask. >> Well, that's what the hackers are going to do. And I, they're on offense. (John laughs) And the offense knows what play is coming. So, they're going to start. >> So guys, let's take this conversation up a level. I want to get your perspectives on what's in this for me as a customer? We know security is a board level conversation. We talk about this all the time. We also know that they're based on, I think David, was the conversations that you and I had, with Palo Alto Networks at Ignite in December. There's a, there's a lack of alignment between the executives and the board from a security perspective. When we talk about Cloud Native Security, we all talked about the value in that, what's in it for customers? I want to get your perspectives on should this be a board level conversation, and if so, how do you advise organizations, whether it is a hospital, or a bank, or an organization that is really affected by things like ransomware? How should they be thinking about this from an organizational perspective? >> Well, I'll start first, because we had this conversation during our Super Cloud event last month, and this comes up a lot. And this is, the CEO board level. Yes it is a board level conversation for security, as is application development as in terms of transforming their business to be competitive, not to be on the wrong side of history with this wave coming. So I think that's more of a management. But the issue is, they tell their people, "Go do it." And they're like, 'cause they get sold on the idea of, "Hey, won't you transform your business, and everything's going to be data driven, and machine learning's going to power your apps, get new customers, be profitable." "Oh, sign me up for that." When you have to implement this, it's really hard. And I think the core issue is, where are companies in their life cycle of the ability to execute and architect this thing properly as Dave said, Nick Zuk said, "You can't have architecture and security, you need platforms." So, I think the re-platforming, and the re-factoring of business is a big factor, and that's got to get down into the, the organizational shifts and the people to do it. So are there skills? Do I do a managed service? How do I architect it? Are there more services? Are there developers doing applications that are going to be more agile? So, this is not an easy thing. And to move a business from IT operations that is proven, to be positioned for this enablement, is just really difficult. And it's expensive. And if you screw it up, you could be, could be on the wrong side of things. So, to me, that's the big issue is, you sell the dream and then you got to implement it. And that's really difficult. >> Yves, give us your perspective on, based on John's comments, how do organizations shift so dramatically? There's a cultural element there as well, but there's also organizations that are, have competitive competitors in the rear view mirror, and there's time to waste. What are your thoughts on that? >> I think that's exactly the point. It's like, as an organization, you need to take the decision between the time, the risk, and all the other elements we have into this game. Because you can try to achieve 100% security, but that's exactly the same as trying to, to protect gold or anything else 100%. It's most likely not going to be from a risk perspective anyway sensible. And that's the same from a corporational perspective. When you look at building new internet services, or IOT services, or any kind of new shopping experience or whatever else, you need to balance out between the risks and the advantages out of it. And you also need to be accepting that you potentially on the way make mistakes, but then it's more important than ever that you are able to quickly fix any mistakes, and to adjust to anything what's happening in the market. Because as we are building all these new Cloud Native applications, and build up all these skill sets, one of the big scenarios is we are far more depending on individual building blocks. These building blocks come out of open source communities, which have a much different way. When we look back in software development, back then we had application servers from Oracle, Web Logic, whatsoever, they had a release cycles of every three to six months. As now we have to deal with open source, where sometimes release cycles are on a four week schedule, in between security patches. So you need to be much faster in adopting that, checking that, implementing that, getting things to work. So there is a security stretch from that perspective. There is a speech stretch on the other thing companies have to deal with, and on the other side it's always a measurement between the risk, and the security you can afford. Because reality is, you will not be 100% protected no matter what you do. So, you need to balance out what you as an organization can actually build on. But I think, coming back also to the point, it's on the bot level nowadays. It's like nearly every discussion we have with companies nowadays as they move into the Cloud, especially also here in Europe where for the last five years, it was always, it's like "It's data privacy." Data privacy is no longer, I mean, yes, for certain people, it's still the point, but for many more people it's like, "How protected is my data?" "What do we do in case of ransomware attack?" "What do we do in case of a denial of service?" All of these things become more vulnerable, where in the past you were discussing these things with a becking page, or, or like a stock exchange. They were, it's like, "What the hell is going to happen if we have a denial of service?" Now all of the sudden, this now affects nearly everyone in their storefronts and everything else, because everything is depending on it. >> Yeah, I think you're right on. You think about how cultural change occurs, it's bottom ups or, bottom up, top down or middle out. And what, what's happened with security is the people in the security team cared about it, they were the, everybody said, "Oh, it's their problem." And then it just did an end run to the board, kind of mid, early last decade. And then the board sort of pushed that down. And the line of business is realizing, "Holy cow. My business, my EBIT can be dramatically affected by this, so I care." Now it's this whole house, cultural team sport. I know it's sort of a, a cliche, but it, it's true. Everybody actually is beginning to care about security because the risks are now so high, and it's going to affect not only the bottom line of the company, the bottom line of the business, their job, it's, it's, it's virtually everywhere. It's a huge cultural shift that we're seeing. >> And that's a big challenge for organizations in any industry. And Yves, you talked about ransomware service. Every industry across the globe is vulnerable to this. But how can, maybe John, we'll start with you. How can Cloud Native Security help organizations if they're able to embrace it, operationally, culturally, dial down some of the vulnerabilities that just seem to keep growing? >> Well, I mean that's the big question. The breaches are, are critical. The governances also could be a way that anchors down growth. So I think the balance between the governance compliance piece of it is key, but making the developers faster and more productive is the key to me. And I think having the security paradigm where they're not blockers, as Dave said, is critical. So I love the whole shift left, but now that we have more data focused initiatives around how that, you can use data to understand the security issues, I think data and security are together, and I think there's a going to be a data operating system model emerging, where data and security will be almost one thing. And that will be set up by the security teams, and the data teams together. And that will feed guardrails into the developer environment. So the developer should feel no pain at all in doing this. So I think the best practice will end up being what we're seeing with supply chain, security, with making sure code's verified. And you're going to see the container, security side completely address has been, and KubeCon, we just, I asked Scott Johnson, the CEO of Docker, and I asked him directly, "Are you guys all tight on container security?" He said, yes, but other people are suggesting that's not true. There's a lot of issues with the container security. So, there's all kinds of areas where there's holes. So Cloud Native is cool on one hand, and very relevant, but if it's not shored up, it's going to be a problem. But I, so I think that's where the action will be, at the developer pipeline, in the containers, and the data. So, that will be very relevant, and if companies nail that, they'll be faster, they'll have better apps, and that'll be the differentiator. And again, if they don't on this next wave, they're going to be driftwood. >> Dave, how do they prevent becoming driftwood? >> Well, I think Cloud has had a huge impact. And a Cloud's by no means a panacea, but let's face it, it's dramatically improved a lot of companies security posture. Now there's still that shared responsibility. Even though an S3 bucket is encrypted, it's still your responsibility to make sure that it doesn't get decrypted by somebody who has access to it. So there are things like that, but to Yve's earlier point, that can be, that's done through software now, it's done through best practices. Those best practices can be shared. So the way you, you don't become driftwood, is you start to, you step back, rethink that security architecture as we were talking about earlier, take advantage of the Cloud, take advantage of Cloud Native, and all the, the rapid pace of innovation that's occurring there, and you don't use, it's called before, The audit is the last line of defense. That's no longer a check box item. "Oh yeah, we're in compliance." It's, this is a business imperative, and because we're going to reduce our expected loss and reduce our business risk. That's part of the business case today. >> Yeah. >> It's a huge, critically important part of the business case. Yves, question for you. If you're in an elevator with a CEO, a CFO, and a CISO, and they're talking about security and Cloud Native Security, what's your value proposition to them on a, on a say a 32nd elevator ride? >> Difficult story. I think at the moment, the most important part is, we need to get people to work together, and we need to train people to work more much better together. I think that's the overall most important part for all of these solutions, because in the end, security is always a person issue. If, we can have the best tools in the industry, as long as we don't get all of these teams to work together, then we have a problem. If the security team is always seen as the end of the solution to fix everything, that's not going to work because they always are the bad guys in the game. And so we need to bring the teams together. And once we have the teams work together, I think we have a far better track on, on maintaining security. >> John and Dave, I want to get your perspectives on what Yves just said. In all the experience that the two of you have as industry analysts here on "theCUBE," Wikibon, Siliconangle Media. How do you advise organizations to get those teams together? As Eve said, that alignment is critical, but John, we'll start with you, then Dave go to you. What's your advice for organizations that need to align those teams and really don't have a lot of time to wait to do it? >> (chuckling) That's a great question. I think, I think that's everyone pays hundreds of thousands of millions of dollars to get that advice from these consultants, organizations out there doing the transformations. But I think it comes down to personnel and commitment. I think if there's a C-level commitment to the effort, you'll see the institutional structure change. So you can see really getting behind it with their, with their wallet and their, and their support of either getting more personnel to support and assist, or manage services, or giving the power to the teams to execute and doing it in a way that, that's, that's well known and best practices. Start small, build out the pilots, build the platform, and then start getting it right. And I think that's the key. Not the magic wand, the old model of rolling out stuff in, in six month cycles. It's really, get the proof points, double down and change the culture, but also execute and have real metrics. And changing the architecture, like having more penetration tests as a service. Doing pen tests is like a joke now. So that doesn't make any sense. You got to have that built in almost every day, and every minute. So, these kinds of new techniques have to be implemented and have to be tried. So that's why these communities are growing. That's why I like what open source has been doing, and I like the open source as the place to have these conversations, because that's where the action will be for new stuff. And I think people will implement open source like they did before, but with different ways, better testing, better supply chain on the software side, verifying code. So, I see open source actually getting a tailwind from this, not a headwind. So, I'm bullish on the open source piece here on, on all levels, machine learning- >> Lisa, my answer is intramural sports. And it's 'cause I think it's cultural. And what I mean by that, is you take your your best and brightest security, and this is what frankly, a lot of CISOs do, an examples is Lena Smart, MongoDB. Take your best and brightest security pros, make them captains of the intramural teams, and pair them up with pods of individuals across the organization, which is most people who don't know anything about security, and put them together, so that they can, they, so that the folks that understand security can, can realize how little people know, what, what, what, how, what the worst practices that are out there in the reverse, how they can cross pollinate. And they do that on a regular basis, I know at Mongo and other companies. And that kind of cultural assimilation is a starting point for how you get security awareness up to your question around making it a team sport. >> Absolutely critical. Yves, I want to kind of wrap things with you. We've got a couple of minutes left. When you're really looking at the Cloud Native community, the growth of it, we talked about earlier in the program, Cloud Native Security Con being now extracted and elevated out of KubeCon, what are your thoughts on the groundswell that this community is generating around Cloud Native Security, the benefits that organizations will achieve from it? >> I think overall, when we have these securities conferences, or these security arms a bit spread out and separated out of the main conference, it helps to a certain degree, because especially in the security space, when you look at at other like black hat or white hat conferences and things like that in the past, although they were not focused on Cloud Native, a lot of these security folks didn't feel well taken care of in any of the other conferences because they were always these, it's like they are always blocking us, they're always making us problems, and all these kinds of things. Now that we really take the Cloud Native piece and the security piece together, or like AWS does it with re:Inforce, I think we will see more and more that people understand is that security is a permanent topic we need to cover, but we need to bring different people together, because security also has compliance and a lot of other components in there. So we will see at these conferences moving forward, also a different audience. It's not going to be only the Cloud Native developers. And if I see some of these security audiences, I can't really imagine them to really be at KubeCon because there is too much other things going on. And you couldn't really see much of that at re:Invent because re:Invent by itself has become a complete monster of a conference. It covers too many topics. And so having this very, very important security piece separated, also gives the opportunity, I think, that we can bring in the security people, but also have the type of board level discussions potentially, between the leaders of the industry, to also discuss on how we can evolve, how we can make things better, and how, how we can actually, yeah, evolve our industry for it. Because let's face it, that threat is not going to go away. It's, it's a business. And one of the last security conferences I was on, on the ransomware part, it was one of the topics someone said is like, "Look, currently on average, it takes a hacker group roughly around they said 15 to 20 K to break into a company, and they on average make 100K. It's a business, let's face it. And it's a business we don't like. And ethically, it's no discussion that this is not good, but that's something which is happening. People are making money with it. And as long as that's going to go on, and we have enough countries where these people can hide, it's going to stay and survive. And so, with that being said, it's important for us to really build an industry around this. But I also think it's good that we have separate conferences. In the past we had more the RSA conference, which tried to cover all of these areas. But that is not really fitting Cloud Native and everything else. So I think it's good that we have these new opportunities, the Cloud Native one, but also what AWS brings up for someone. >> Yves, you just nailed it. It just comes down to simple math. It's a fraction. Revenue over cost. And if you could increase the hacker's cost, increase the denominator, their ROI will go down. And that is the game. >> Great point, Dave. What I'm hearing guys, and we can talk about technology for days and days. I know all of you. But there's, there's a big component that, that the elevation of Cloud Native Security, on its own as standalone is critical, as is the people component. You guys all talked about that. We talked about the cultural change necessary for that. Hopefully what we're seeing with Cloud Native Security Con 23, this first event is going to give us more insight over the next couple of days, and the next months or so, as to how this elevation, and how the people can come together to really help organizations from a math perspective as, as Dave talked about, really dial down the risks there, understand more of the vulnerabilities so that ransomware as a service is not as lucrative as it is today. Guys, so much appreciate your time, really breaking down Cloud Native Security, the value in it from different perspectives, and what your thoughts are on where it's going. Thanks so much for your time. >> All right. Thanks. >> Thanks, Lisa. >> Thank you. >> Thanks, Yves. >> All right. For my guests, I'm Lisa Martin. You're watching theCUBE's day one coverage of Cloud Native Security Con 23. Thanks for watching. (rousing music)

(upbeat music) >> Hey everyone and welcome to theCUBE's coverage day one of CloudNativeSecurityCon '23. Lisa Martin here with John Furrier and Dave Vellante. Dave and John, great to have you guys on the program. This is interesting. This is the first inaugural CloudNativeSecurityCon. Formally part of KubeCon, now a separate event here happening in Seattle over the next couple of days. John, I wanted to get your take on, your thoughts on this being a standalone event, the community, the impact. >> Well, this inaugural event, which is great, we love it, we want to cover all inaugural events because you never know, there might not be one next year. So we were here if it happens, we're here at creation. But I think this is a good move for the CNCF and the Linux Foundation as security becomes so important and there's so many issues to resolve that will influence many other things. Developers, machine learning, data as code, supply chain codes. So I think KubeCon, Kubernetes conference and CloudNativeCon, is all about cloud native developers. And it's a huge event and there's so much there. There's containers, there's microservices, all that infrastructure's code, the DevSecOps on that side, there's enough there and it's a huge ecosystem. Pulling it as a separate event is a first move for them. And I think there's a toe in the water kind of vibe here. Testing the waters a little bit on, does this have legs? How is it organized? Looks like they took their time, thought it out extremely well about how to craft it. And so I think this is the beginning of what will probably be a seminal event for the open source community. So let's listen to the clip from Priyanka Sharma who's a CUBE alumni and executive director of the CNCF. This is kind of a teaser- >> We will tackle issues of security together here and further on. We'll share our experiences, successes, perhaps more importantly, failures, and help with the collecting of understanding. We'll create solutions. That's right. The practitioners are leading the way. Having conversations that you need to have. That's all of you. This conference today and tomorrow is packed with 72 sessions for all levels of technologists to reflect the bottoms up, developer first nature of the conference. The co-chairs have selected these sessions and they are true blue practitioners. >> And that's a great clip right there. If you read between the lines, what she's saying there, let's unpack this. Solutions, we're going to fail, we're going to get better. Linux, the culture of iterating. But practitioners, the mention of practitioners, that was very key. Global community, 72 sessions, co-chairs, Liz Rice and experts that are crafting this program. It seems like very similar to what AWS has done with re:Invent as their core show. And then they have re:Inforce which is their cloud native security, Amazon security show. There's enough there, so to me, practitioners, that speaks to the urgency of cloud native security. So to me, I think this is the first move, and again, testing the water. I like the vibe. I think the practitioner angle is relevant. It's very nerdy, so I think this is going to have some legs. >> Yeah, the other key phrase Priyanka mentioned is bottoms up. And John, at our predictions breaking analysis, I asked you to make a prediction about events. And I think you've nailed it. You said, "Look, we're going to have many more events, but they're going to be smaller." Most large events are going to get smaller. AWS is obviously the exception, but a lot of events like this, 500, 700, 1,000 people, that is really targeted. So instead of you take a big giant event and there's events within the event, this is going to be really targeted, really intimate and focused. And that's exactly what this is. I think your prediction nailed it. >> Well, Dave, we'll call to see the event operating system really cohesive events connected together, decoupled, and I think the Linux Foundation does an amazing job of stringing these events together to have community as the focus. And I think the key to these events in the future is having, again, targeted content to distinct user groups in these communities so they can be highly cohesive because they got to be productive. And again, if you try to have a broad, big event, no one's happy. Everyone's underserved. So I think there's an industry concept and then there's pieces tied together. And I think this is going to be a very focused event, but I think it's going to grow very fast. >> 72 sessions, that's a lot of content for this small event that the practitioners are going to have a lot of opportunity to learn from. Do you guys, John, start with you and then Dave, do you think it's about time? You mentioned John, they're dipping their toe in the water. We'll see how this goes. Do you think it's about time that we have this dedicated focus out of this community on cloud native security? >> Well, I think it's definitely time, and I'll tell you there's many reasons why. On the front lines of business, there's a business model for security hackers and breaches. The economics are in favor of the hackers. That's a real reality from ransomware to any kind of breach attacks. There's corporate governance issues that's structural challenges for companies. These are real issues operationally for companies in the enterprise. And at the same time, on the tech stack side, it's been very slow movement, like glaciers in terms of security. Things like DNS, Linux kernel, there are a lot of things in the weeds in the details of the bowels of the tech world, protocol levels that just need to be refactored. And I think you're seeing a lot of that here. It was mentioned from Brian from the Linux Foundation, mentioned Dan Kaminsky who recently passed away who found that vulnerability in BIND which is a DNS construct. That was a critical linchpin. They got to fix these things and Liz Rice is talking about the Linux kernel with the extended Berkeley Packet Filtering thing. And so this is where they're going. This is stuff that needs to be paid attention to because if they don't do it, the train of automation and machine learning is going to run wild with all kinds of automation that the infrastructure just won't be set up for. So I think there's going to be root level changes, and I think ultimately a new security stack will probably be very driven by data will be emerging. So to me, I think this is definitely worth being targeted. And I think you're seeing Amazon doing the same thing. I think this is a playbook out of AWS's event focus and I think that's right. >> Dave, what are you thoughts? >> There was a lot of talk in, again, I go back to the progression here in the last decade about what's the right regime for security? Should the CISO report to the CIO or the board, et cetera, et cetera? We're way beyond that now. I think DevSecOps is being asked to do a lot, particularly DevOps. So we hear a lot about shift left, we're hearing about protecting the runtime and the ops getting much more involved and helping them do their jobs because the cloud itself has brought a lot to the table. It's like the first line of defense, but then you've really got a lot to worry about from a software defined perspective. And it's a complicated situation. Yes, there's less hardware, yes, we can rely on the cloud, but culturally you've got a lot more people that have to work together, have to share data. And you want to remove the blockers, to use an Amazon term. And the way you do that is you really, if we talked about it many times on theCUBE. Do over, you got to really rethink the way in which you approach security and it starts with culture and team. >> Well the thing, I would call it the five C's of security. Culture, you mentioned that's a good C. You got cloud, tons of issues involved in cloud. You've got access issues, identity. you've got clusters, you got Kubernetes clusters. And then you've got containers, the fourth C. And then finally is the code itself, supply chain. So all areas of cloud native, if you take out culture, it's cloud, cluster, container, and code all have levels of security risks and new things in there that need to be addressed. So there's plenty of work to get done for sure. And again, this is developer first, bottoms up, but that's where the change comes in, Dave, from a security standpoint, you always point this out. Bottoms up and then middle out for change. But absolutely, the imperative is today the business impact is real and it's urgent and you got to pedal as fast as you can here, so I think this is going to have legs. We'll see how it goes. >> Really curious to understand the cultural impact that we see being made at this event with the focus on it. John, you mentioned the four C's, five with culture. I often think that culture is probably the leading factor. Without that, without getting those teams aligned, is the rest of it set up to be as successful as possible? I think that's a question that's- >> Well to me, Dave asked Pat Gelsinger in 2014, can security be a do-over at VMWorld when he was the CEO of VMware? He said, "Yes, it has to be." And I think you're seeing that now. And Nick from the co-founder of Palo Alto Networks was quoted on theCUBE by saying, "Zero Trust is some structure to give to security, but cloud allows for the ability to do it over and get some scale going on security." So I think the best people are going to come together in this security world and they're going to work on this. So you're going to start to see more focus around these security events and initiatives. >> So I think that when you go to the, you mentioned re:Inforce a couple times. When you go to re:Inforce, there's a lot of great stuff that Amazon puts forth there. Very positive, it's not that negative. Oh, the world is falling, the sky is falling. And so I like that. However, you don't walk away with an understanding of how they're making the CISOs and the DevOps lives easier once they get beyond the cloud. Of course, it's not Amazon's responsibility. And that's where I think the CNCF really comes in and open source, that's where they pick up. Obviously the cloud's involved, but there's a real opportunity to simplify the lives of the DevSecOps teams and that's what's critical in terms of being able to solve, or at least keep up with this never ending problem. >> Yeah, there's a lot of issues involved. I took some notes here from some of the keynote you heard. Security and education, training and team structure. Detection, incidents that are happening, and how do you respond to that architecture. Identity, isolation, supply chain, and governance and compliance. These are all real things. This is not like hand-waving issues. They're mainstream and they're urgent. Literally the houses are on fire here with the enterprise, so this is going to be very, very important. >> Lisa: That's a great point. >> Some of the other things Priyanka mentioned, exposed edges and nodes. So just when you think we're starting to solve the problem, you got IOT, security's not a one and done task. We've been talking about culture. No person is an island. It's $188 billion business. Cloud native is growing at 27% a year, which just underscores the challenges, and bottom line, practitioners are leading the way. >> Last question for you guys. What are you hoping those practitioners get out of this event, this inaugural event, John? >> Well first of all, I think this inaugural event's going to be for them, but also we at theCUBE are going to be doing a lot more security events. RSA's coming up, we're going to be at re:Inforce, we're obviously going to be covering this event. We've got Black Hat, a variety of other events. We'll probably have our own security events really focused on some key areas. So I think the thing that people are going to walk away from this event is that paying attention to these security events are going to be more than just an industry thing. I think you're going to start to see group gatherings or groups convening virtually and physically around core issues. And I think you're going to start to see a community accelerate around cloud native and open source specifically to help teams get faster and better at what they do. So I think the big walkaway for the customers and the practitioners here is that there's a call to arms happening and this is, again, another signal that it's worth breaking out from the core event, but being tied to it, I think that's a good call and I think it's a well good architecture from a CNCF standpoint and a worthy effort, so I give it a thumbs up. We still don't know what it's going to look like. We'll see what day two looks like, but it seems to be experts, practitioners, deep tech, enabling technologies. These are things that tend to be good things to hear when you're at an event. I'll say the business imperative is obvious. >> The purpose of an event like this, and it aligns with theCUBE's mission, is to educate and inspire business technology pros to action. We do it in theCUBE with free content. Obviously this event is a for-pay event, but they are delivering some real value to the community that they can take back to their organizations to make change. And that's what it's all about. >> Yep, that is what it's all about. I'm looking forward to seeing over as the months unfold, the impact that this event has on the community and the impact the community has on this event going forward, and really the adoption of cloud native security. Guys, great to have you during this keynote analysis. Looking forward to hearing the conversations that we have on theCUBE today. Thanks so much for joining. And for my guests, for my co-hosts, John Furrier and Dave Vellante. I'm Lisa Martin. You're watching theCUBE's day one coverage of CloudNativeSecurityCon '23. Stick around, we got great content on theCUBE coming up. (upbeat music)

>> Narrator: TheCUBE presents Ignite '22, brought to you by Palo Alto Networks. >> Greetings from the MGM Grand Hotel in beautiful Las Vegas. It's theCUBE Live Day two of our coverage of Palo Alto Networks, ignite 22. Lisa Martin, Dave Vellante. Dave, what can I say? This has been a great couple of days. The amount of content we have created and shared with our viewers on theCUBE is second to none. >> Well, the cloud has completely changed the way that people think about security. >> Yeah. You know at first it was like, oh, the cloud, how can that be secure? And they realized, wow actually cloud is pretty secure if we do it right. And so shared responsibility model and partnerships are critical. >> Partnerships are critical, especially as more and more organizations are multicloud by default. Right? These days we're going to be bring Google into the conversation. Josh Haslet joins us. Strategic Partnership Manager at Google. Welcome. Great to have you Josh. >> Hi Lisa, thanks for having me here. >> So you are a secret squirrel from Palo Alto Networks. Talk to me a little bit about your background and about your role at Google in terms of partnership management. >> Sure, I feel like we need to add that to my title. [Lisa] You should, secret squirrel. >> Great. Yeah, so as a matter of fact, I've been at Google for two and a half years. Prior to that, I was at Palo Alto Networks. I was managing the business development relationship with Google, and I was kind of at the inception of when the cash came in and, and decided that we needed to think about how to do security in a new way from a platform standpoint, right? And so it was exciting because when I started with the partnership, we were focusing on still securing you know, workloads in the cloud with next generation firewall. And then as we went through acquisitions the Palo Alto added it expanded the capabilities of what we could do from cloud security. And so it was very exciting, you know, to, to make sure that we could onboard with Google Cloud, take a look at how not only Palo Alto was enhancing their solutions as they built those and delivered those from Google Cloud. But then how did we help customers adopt cloud in a more easy fashion by making things, you know more tightly integrated? And so that's really been a lot of what I've been involved in, which has been exciting to see the growth of both organizations as we see customers shifting to cloud transformation. And then how do they deploy these new methodologies and tools from a security perspective to embrace this new way of working and this new way of, you know creating applications and doing digital transformation. >> Important, since work is no longer a place, it's an activity. Organizations have have to be able to cater to the distributed workforce. Of course, the, the, the workforce has to be able to access everything that they need to, but it has to be done in a secure way regardless of what kind of company you are. >> Yeah, you're right, Lisa. It's interesting. I mean, the pandemic has really changed and accelerated that transformation. I think, you know really remote working has started previous to that. And I think Nikesh called that out in the keynote too right? He, he really said that this has been ongoing for a while, but I think, you know organizations had to figure out how to scale and that was something that they weren't as prepared for. And a lot of the technology that was deployed for VPN connectivity or supporting remote work that was fixed hardware. And so cloud deployment and cloud architecture specifically with Prisma access really enabled this transformation to happen in a much faster, you know, manner. And where we've come together is how do we make sure that customers, no matter what device, what user what application you're accessing. As we take a look at ZTNA, Zero Trust Network Access 2.0, how can we come together to partner to make sure the customers have that wide range of coverage and capability? >> How, how do you how would you describe Josh Google's partner strategy generally and specifically, you know, in the world of cyber and what makes it unique and different? >> Yeah, so that's a great question. I think, you know, from Google Cloud perspective we heard TK mention this in the keynote with Nikesh. You know, we focus on on building a secure platform first and foremost, right? We want to be a trusted cloud for customers to deploy on. And so, you know, we find that as customers do one of two things, they're looking at, you know, reducing cost as they move to cloud and consolidate workloads or as they embrace innovation and look at, you know leveraging things like BigQuery for analytics and you know machine learning for the way that they want to innovate and stay ahead of the competition. They have to think about how do they secure in a new way. And so, not only do we work on how do we secure our own platform, we work with trusted partners to make sure that customers have you mentioned it earlier, Dave the shared security model, right? How do they take a look at their applications and their workloads and this new way of working as they go to CI/CD pipelines, they start thinking about DevSecOps. How do they integrate tooling that is frictionless and seamless for their, for their teams to deploy but allows them to quickly embrace that cloud transformation journey. And so, yes, partners are critical to that. The other thing is, you know we find that, you mentioned earlier, Lisa that customers are multicloud, right? That's kind of the the new normal as we look at enterprises today. And so Google Cloud's going to do a great job at securing our platform, but we need partners that can help customers deploy policy that embraces not only the things that they put in Google Cloud but as they're in their transformation journey. How that embraces the estates that are in data centers the things that are still on-prem. And really this is about making sure that the applications no matter where they are, the databases no matter where they are, and the users no matter where they are are all secure in that new framework of deploying and embracing innovation on public cloud. >> One of the things that almost everybody from Palo Alto Networks talks about is their partnering strategy their acquisition strategy integrations. And I was doing some research. There's over 50 joint integrations that Google Cloud and Palo Alto Networks. Have you talked about Zero Trust Network Access 2.0 that was announced yesterday. >> Correct. >> Give us a flavor of what that is and what does it deliver that 1.0 did not? >> Well, great. And what I'd like to do is touch a little bit on those 50 integrations because it's been, you know, a a building rolling thunder, shall we say as far as how have we taken a look at customers embracing the cloud. The first thing was we took a look at at how do we make sure that Palo Alto solutions are easier for customers to deploy and to orchestrate in Google Cloud making their journey to embracing cloud seamless and easy. The second thing was how could we make that deployment and the infrastructure even more easy to adopt by doing first party integrations? So earlier this year we announced cloud IDS intrusion detection system where we actually have first party directly in our console of customers being able to simply select, they want to turn on inspection of the traffic that's running on Google Cloud and it leverages the threat detection capability from Palo Alto Networks. So we've gone from third party integration alone to first party integration. And that really takes us to, you know, the direction of what we're seeing customers need to embrace now which is, this is your Zero Trusts strategy and Zero Trust 2.0 helps customers do a number of things. The first is, you know, we don't want to just verify a user and their access into the environment once. It needs to be continuous inspection, right? Cause their state could change. I think, you know, the, the teams we're talking about some really good ways of addressing, you know for instance, TSA checkpoints, right? And how does that experience look? We need to make sure that we're constantly evaluating that user's access into the environment and then we need to make sure that the content that's being accessed or, you know, loaded into the environment is inspected. So we need continuous content inspection. And that's where our partnership really comes together very well, is not only can we take care of any app any device, any user, and especially as we take a look at you know, embracing contractor like use cases for instance where we have managed devices and unmanaged devices we bring together beyond Corp and Prisma access to take a look at how can we make sure any device, any user any application is secure throughout. And then we've got content inspection of how that ZTNA 2.0 experience looks like. >> Josh, that threat data that you just talked about. >> Yeah. >> Who has access to that? Is it available to any partner, any customer, how... it seems like there's gold in them, NAR hills, so. >> There is. But, this could be gold going both ways. So how, how do you adjudicate and, how do you make sure that first of all that that data's accessible for, for good and not in how do you protect it against, you know, wrong use? >> Well, this is one of the great things about partnering with Palo Alto because technically the the threat intelligence is coming from their ingestion of malware, known threats, and unknown threats right into their technology. Wildfire, for instance, is a tremendous example of this where unit 42 does, you know, analysis on unknown threats based upon what Nikesh said on stage. They've taken their I think he said 27 days to identification and remediation down to less than a minute, right? So they've been able to take the intelligence of what they ingest from all of their existing customers the unknown vulnerabilities that are identified quickly assessing what those look like, and then pushing out information to the rest of their customers so that they can remediate and protect against those threats. So we get this shared intelligence from the way that Palo Alto leverages that capability and we've brought that natively into Google Cloud with cloud intrusion detection. >> So, okay, so I'm, I'm I dunno why I have high frequency trading in my mind cause it used to be, you know, like the norm was, oh it's going to take a year to identify an intrusion. And, and, and now it's down to, you know take was down to 27 days. Now it's down to a minute. Now it's not. That's best practice. And I'm, again, I'm thinking high frequency trading how do I beat the speed of light? And that's kind of where we're headed, right? >> Right. >> And so that's why he said one minute's not enough. We have to keep going. >> That's right. >> So guys got your best people working on that? >> Well, as a matter of fact, so Palo Alto Networks, you know when we take a look at what Nikesh said from stage, he talked about using machine learning and AI to get ahead of what we what they look at as far as predictability not only about behaviors in the environment so things that are not necessarily known threats but things that aren't behaving properly in the environment. And you can start to detect based on that. The second piece of it then is a lot of that technology is built on Google Cloud. So we're leveraging, their leveraging the capabilities that come together with you know, aggregation of, of logs the file stitching across the entire environment from the endpoint through to cloud operations the things that they detect for network content inspection putting all those files together to understand, you know where has the threat vector entered how has it gone lateral inside the environment? And then how do you make sure that you remediate all of those points of intrusion. And so yeah it's been exciting to see how our product teams have worked together to continue to advance the capabilities for speed for customers. >> And secure speed is critical. We had the opportunity this morning to speak with Lee Claridge, the chief product officer, and you know one of the things that I had heard about Lee is that despite all of the challenges in cybersecurity and the amorphous expansion of the threat network and the sophistication of the adversaries he's really optimistic about what it's going to enable organizations to do. I see you smiling. Do you share that optimism? >> I, I do. I think, you know, when you bring, when you bring leaders together to tackle big problems, I think, you know we've got the right teams working on the right things and we understand the problems that the customers are facing. And so, you know, from a a Google cloud perspective we understand that partnering with Palo Alto Networks helps to make sure that that optimism continues. You know, we work on continuous innovation when it comes to Google Cloud security framework, but then partnering with Palo Alto brings additional capabilities to the table. >> Vision for the, for the partnership. Where do you want to see it go? What's... we're two to five years down the road, what's it look like? Maybe two to three years. Let's go. >> Well, it was interesting. I, I think neer was the one that mentioned on stage about, you know how AI is going to start replacing us in our main jobs, right? I I think there's a lot of truth to that. I think as we look forward, we see that our teams are going to continue to help with automation remediation and we're going to have the humans working on things that are more interesting and important. And so that's an exciting place to go because today the reality is that we are understaffed in cybersecurity across the industry and we just can't hire enough people to make sure that we can detect, remediate and secure, you know every user endpoint and environment out there. So it's exciting to see that we've got a capability to move in a direction to where we can make sure that we get ahead of the threat actors. >> Yeah. So he said within five years your SOC will be AI based and and basically he elaborated saying there's a lot of stuff that you're doing today that you're not going to be doing tomorrow. >> That's true. >> And that's going to continue to be a moving target I would think Google is probably ahead in that game and ahead of most, right? I mean, you guys were there early. I mean, I remember when Hadoop was all the rage like just at the beginning you guys like, yeah, you know Google's like, no, no, no, we're not doing Hadoop anymore. That's like old news. So you tended to be, I don't know, at least five maybe seven years ahead of the industry. So I imagine you using a lot of those AI techniques in your own business today. >> Absolutely. I mean, I think you see it in our consumer products, and you certainly see it in the the capabilities we make available to enterprise as far as how they can innovate on our cloud. And we want to make sure that we continue to provide those capabilities, you know not only for the tools that we build but the tools that customers use. >> What's the, as we kind of get towards the end of our conversation here, we we talk about zero trust as, as a journey, as an approach. It's not a product, it's not a tool. What is the, who's involved in the zero trust journey from the customers perspective? Is this solely with the CSO, CSO, CIOs or is this at the CEO level going, we have to be a data company but we have to be a secure data company 24/7. >> It's interesting as you've seen malware, phishing, ransomware attacks. >> Yeah. >> This is not only just a CSO CIO conversation it's a board level conversation. And so, you know the way to address this new way of working where we have very distributed environments where you can't create a perimeter anymore. You need to strategize with zero trust. And so continuously, when we're talking to customers we're hearing that as a main initiative, you know from the CIO's office and from the board level. >> Got it, last question. The upgrade path for existing customers from 1., ZTNA 1.0 to 2.0. How simple is that? >> It's easy. You know, when we take- >> Is there an easy button? >> So here's the great thing [Dave] If you're feeling lucky. [Lisa] Yeah. (group laughs) >> Well, Palo Alto, right? Billing prisma access has really taken what was traditional security that was an on-prem or a data center deployed strategy to cloud-based. And so we've worked with customers like Princeton University who had to quickly transition from in-person learning to distance learning find a way to ramp their staff their faculty and their students. And we were able to, you know Palo Alto deploy it on Google Cloud's, you know network that solution in very quick order and had those, you know, everybody back up and running. So deployment and upgrade path is, is simple when you look at cloud deployed architectures to address zero trusts network. >> That's awesome. Some of those, some of those use cases that came out of the pandemic were mind blowing but also really set the table for other organizations to go, yes, this can be done. And it doesn't have to take forever because frankly where security is concerned, we don't have time. >> That's right. And it's so much faster than traditional architectures where you had to procure hardware. >> Yeah. >> Deploy it, configure it, and then, you know push agents out to all the endpoints and and get your users provisioned. In this case, we're talking about cloud delivered, right? So I've seen, you know, with Palo Alto deploying for customers that run on Google Cloud they've deployed tens of thousands of users in a very short order. You know, we're talking It was, it's not months anymore. It's not weeks anymore. It's days >> Has to be days. Josh, it's been such a pleasure having you on the program. Thank you for stopping by and talking with Dave and me about Google Cloud, Palo Alto Networks in in addition to secret squirrel. I feel like when you were describing your background that you're like the love child of Palo Alto Networks and Google Cloud, you might put that on your cartoon. >> That is a huge compliment. I really appreciate that, Lisa, thank you so much. >> Thanks so much, Josh. [Josh] It's been a pleasure being here with you. [Dave] Thank you >> Oh, likewise. For Josh Haslett and Dave, I'm Lisa Martin. You're watching theCUBE, the leader in live coverage for emerging and enterprise tech. (upbeat outro music)

(light music) (airy white noise rumbling) >> Hey everyone, welcome back to Las Vegas. It's theCUBE. We're here, day four of our coverage of AWS re:Invent 22. There's been about, we've heard, north of 55,000 folks here in person. We're seeing only a fraction of that but it's packed in the expo center. We're at the Venetian Expo, Lisa Martin, Dave Vellante. Dave, we've had such great conversations as we always do on theCUBE. With the AWS ecosystem, we're going to be talking with another partner on that ecosystem and what they're doing to innovate together next. >> Well, we know security is the number one topic on IT practitioners, mine, CIOs, CISOs. We also know that they don't have the bench strength, that's why they look to manage service providers, manage service security providers. It's a growing topic, we've talked about it. We talked about it at re:Inforce earlier this year. I think it was July, actually, and August, believe it or not, not everybody was at the Cape. It was pretty well attended conference and that's their security focus conference, exclusive on security. But there's a lot of security here too. >> Lot of security, we're going to be talking about that next. We have two guests from Capgemini joining us. Mike Wasielewski, the head of cloud security, and NextGen secure architectures, welcome Mike. Anne Saunders also joins us, the Director of Cybersecurity Technology Partnerships at Capgemini, welcome Anne. >> Thank you. >> Dave: Hey guys. >> So, day four of the show, how you feeling? >> Anne: Pretty good. >> Mike: It's a long show. >> It is a long, and it's still jamming in here. Normally on the last day, it dwindles down. Not here. >> No, the foot traffic around the booth and around the totality of this expo floor has been amazing, I think. >> It really has. Anne, I want to start with you. Capgemini making some moves in the waves in the cloud and cloud security spaces. Talk to us about what Cap's got going on there. >> Well, we actually have a variety of things going on. Very much partner driven. The SOC Essentials offering that Mike's going to talk about shortly is the kind of the starter offer where we're going to build from and build out from. SOC Essentials is definitely critical for establishing that foundation. A lot of good stuff coming along with partners. Since I manage the partners, I'm kind of keen on who we get involved with and how we work with them to build out value and focus on our overall cloud security strategy. Mike, you want to talk about SOC Essentials? >> Yeah, well, no, I mean, I think at Capgemini, we really say cybersecurity is part of our DNA and so as we look at what we do in the cloud, you'll find that security has always been an underpinning to a lot of what we deliver, whether it's on the DevSecOps services, migration services, stuff like that. But what we're really trying to do is be intentional about how we approach the security piece of the cloud in different ways, right? Traditional infrastructure, you mentioned the totality of security vendors here and at re:Inforce. We're really seeing that you have to approach it differently. So we're bringing together the right partners. We're using what's part of our DNA to really be able to drive the next generation of security inside those clouds for our clients and customers. So as Anne was talking about, we have a new service called the Capgemini Cloud SOC Essentials, and we've really brought our partners to bear, in this case Trend Micro, really bringing a lot of their intelligence and building off of what they do so that we can help customers. Services can be pretty expensive, right, when you go for the high end, or if you have to try to run one yourself, there's a lot of time, I think you mentioned earlier, right, the people's benches. It's really hard to have a really good cybersecurity people in those smaller businesses. So what we're trying to do is we're really trying to help companies, whether you're the really big buyers of the world or some of the smaller ones, right? We want to be able to give you the visibility and ability to deliver to your customers securely. So that's how we're approaching security now and we're cloud SOC Essentials, the new thing that we're announcing while we were here is really driving out of. >> When I came out of re:Invent, when you do these events, you get this Kool-Aid injection and after a while you're like hm, what did I learn? And one of the things that struck me in talking to people is you've got the shared responsibility model that the cloud has sort of created and I know there's complexities across cloud but let's just keep it at cloud generically for a moment. And then you've got the CISO, the AppDev, AppSecDev group is being asked to do a lot. They're kind of being dragged into security that's really not their wheelhouse and then you've got audit which is like the last line of defense. And so one of the things that struck me at re:Inforce is like, okay, Amazon, great job for their portion of the shared responsibility model but I didn't hear a lot in terms of making the CISO's life easier and I'm guessing that's where you guys come in. I wonder if you could talk about that trend, that conceptual layers that I just laid out and where you guys fit. >> Mike: Sure, so I think first and foremost, I always go back to a quote from, I think it's attributed to Peter Drucker, whether that's right or wrong, who knows? But culture eats strategy for breakfast, right? And I think what we've seen in our conversations with whether you're talking to the CISO, the application team, the AppDev team, wherever throughout the organization, we really see that culture is what's going to drive success or failure of security in the org, and so what we do is we really do bring that totality of perspective. We're not just cloud, not just security, not just AppDev. We can really bring across the totality of the Capgemini estate. So that when we go, and you're right, a CISO says, I'm having a hard time getting the app people to deliver what I need. If you just come from a security perspective, you're right, that's what's going to happen. So what we try to do is so, we've got a great DevSecOps service, for example in the cloud where we do that. We bring all the perspectives together, how do we align KPIs? That's a big problem, I think, for what you're seeing, making CISO's lives easier, is about making sure that the app team KPIs are aligned with the CISO's but also the CISO's KPIs are aligned with the app teams. And by doing that, we have had really great success in a number of organizations by giving them the tools then and the people on our side to be able to make those alignments at the business level, to drive the right business outcome, to drive the right security outcome, the right application outcome. That's where I think we've really come to play. >> Absolutely, and I will say from a partnering perspective, what's key in supporting that strategy is we will learn from our partners, we lean on our partners to understand what the trends they're seeing and where they're having an impact with regards to supporting the CISO and supporting the overall security strategy within a company. I mean, they're on the cutting edge. We do a lot to track their technology roadmaps. We do a lot to track how they build their buyer personas and what issues they're dealing with and what issues they're prepared to deal with regards to where they're investing and who's investing in them. A lot of strategy around which partner to bring in and support, how we're going to address the challenges, the CISO and the IT teams are having to kind of support that overall. Security is a part of everything, DNA kind of strategy. >> Yeah, do you have a favorite example, Anne, of a partner that came in with Capgemini, helped a customer really be able to do what Capgemini is doing and that is, have cybersecurity be actually part of their DNA when there's so many challenges, the skills gap. Any favorite example that really you think articulates how you're able to enable organizations to achieve just that? >> Anne: Well, actually the SOC Essentials offering that we're rolling out is a prime example of that. I mean, we work very, very closely with Trend on all fronts with regards to developing it. It's one of those completely collaborative from day one to going to the customer and that it's almost that seamless connectivity and just partnering at such a strategic level is a great example of how it's done right, and when it's done right, how successful it can be. >> Dave: Why Trend Micro? Because I mean, I'm sure you've seen, I think that's Optiv, has the eye test with all the tools and you talk to CISOs, they're like really trying to consolidate those tools. So I presume there's a portfolio play there, but tell us, tell the audience a little bit more about why Trend Micro and I mean your branding with them, why those guys? >> Well, it goes towards the technology, of course, and all the development they've done and their position within AWS and how they address assuring security for our clients who are moving onto and running their estates on AWS. There's such a long heritage with regards to their technology platform and what they've developed, that deep experience, that kind of the strength of the technology because of the longevity they've had and where they sit within their domain. I try to call partners out by their domain and their area of expertise is part of the reason, I mean. >> Yeah, I think another big part of it is Gartner is expecting, I think they published this out in the next three years, we expect to see another consolidation both inside of the enterprises as well as, I look back a couple years, when Palo Alto went on a very nice spending spree, right? And put together a lot of really great companies that built their Prisma platform. So what I think one of the reasons we picked Trend in this particular case is as we look forward for our customers and our clients, not just having point solutions, right? This isn't just about endpoint protection, this isn't just about security posture management. This is really who can take the totality of the customer's problems and deliver on the right outcomes from a single platform, and so when we look at companies like Trend, like Palo, some of the bigger partners for us, that's where we try to focus. They're definitely best in breed and we bring those to our customers too for certain things. But as we look to the future, I think really finding those partners that are going to be able to solve a swath of problems at the right price point for their customers, that is where I think we see the industry moving. >> Dave: And maybe be around as an independent company. Was that a factor as well? I mean, you see Thoma Bravo buying up all his hiring companies and right, so, and maybe they're trying to create something that could be competitive, but you're saying Trend Micros there, so. >> Well I think as Anne mentioned, the 30 year heritage, I think, of Trend Micro really driving this and I've done work with them in various past things. There's also a big part of just the people you like, the people that are good to work with, that are really trying to be customer obsessed, going back right, at an AWS event, the ones that get the cloud tend to be able to follow those Amazon LPs as well, right, just kind of naturally, and so I think when you look at the Trend Micros of the world, that's where that kind of cloud native piece comes out and I like working with that. >> In this environment, the macro environment, lets talk a bit, earning season, it's really mixed. I mean you're seeing some really good earnings, some mixed earnings, some good earnings with cautious guidance. So nobody really (indistinct), and it was for a period time there was a thinking that security was non-discretionary and it's clearly non-discretionary, but the CISO, she or he, doesn't have unlimited budgets, right? So what are you seeing in terms of how are customers dealing with this challenging macro environment? Is it through tools consolidation? Is that a play that's going on? What are you seeing in the customer base? >> Anne: I see ways, and we're working through this right now where we're actually weaving cybersecurity in at the very beginning of how we're designing offers across our entire offer portfolio, not just the cybersecurity business. So taking that approach in the long run will help contain costs and our hope, and we're already seeing it, is it's actually helping change the perception that security's that cost center and that final obstacle you have to get over and it's going to throw your margins off and all that sort of stuff. >> Dave: I like that, its at least is like a security cover charge. You're not getting in unless we do the security thing. >> Exactly, a security cover charge, that's what you should call it. >> Yeah. >> Like it. >> Another piece though, you mentioned earlier about making CISO's life easier, right? And I think, as Anne did a really absolutely true about building it in, not to the security stack but application developers, they want visibility they want observability, they want to do it right. They want CI/CD pipeline that can give them confidence in their security. So should the CISO have a budget issue, right? And they can't necessarily afford, but the application team as they're looking at what products they want to purchase, can I get a SaaS or a DaaS, right? The static or dynamic application security testing in my product up front and if the app team buys into that methodology, the CISO convinces them, yes, this is important. Now I've got two budgets to pull from, and in the end I end up with a cheaper, a lower cost of a service. So I think that's another way that we see with like DevSecOps and a few other services, that building in on day one that you mentioned. >> Lisa: Yeah. >> Getting both teams involved. >> Dave: That's interesting, Mike, because that's the alignment that you were talking about earlier in the KPIs and you're not a tech vendor saying, buy my product, you guys have deep consultancy backgrounds. >> Anne: And the customer appreciates that. >> Yeah. >> Anne: They see us as looking out for their best interest when we're trying to support them and help them and bringing it to the table at the very beginning as something that is there and we're conscientious of, just helps them in the long run and I think, they're seeing that, they appreciate that. >> Dave: Yeah, you can bring best practice around measurements, alignment, business process, stuff like that. Maybe even some industry expertise which you're not typically going to get from a product company. >> Well, one thing you just mentioned that I love talking about with Capgemini is the industry expertise, right? So when you look at systems integrators, there are a lot of really, really good ones. To say otherwise would be foolish. But Capgemini with our acquisition of Altran, a couple years ago, I think think it was, right? How many other GSIs or SIs are actually building silicon for IoT chips? So IoT's huge right now, the intelligent industry moving forward is going to drive a lot of those business outcomes that people are looking for. Who else can say we've built an autonomous vehicle, Capgemini can. Who can say that we've built the IoT devices from the ground up? We know not just how to integrate them into AWS, into the IoT services in the cloud, but to build and have that secure development for the firmware and all and that's where I think our customers really look to us as being those industry experts and being able to bring that totality of our business to bear for what they need to do to achieve their objectives to deliver to their customer. >> Dave: That's interesting. I mean, using silicon as a differentiator to drive a lot of business outcomes and security. >> Mike: Absolutely. >> I mean you see what Amazon's doing in silicon, Look at Apple. Look at what Tesla's doing with silicon. >> Dave: That's where you're seeing a lot of people start focusing 'cause not everybody can do it. >> Yeah. >> It's hard. >> Right. >> It's hard. >> And you'll see some interesting announcements from us and some interesting information and trends that we'll be driving because of where we're placed and what we have going around security and intelligent industry overall. We have a lot of investment going on there right now and again, from the partner perspective, it's an ecosystem of key partners that collectively work together to kind of create a seamless security posture for an intelligent industry initiative with these companies that we're working with. >> So last question, probably toughest question, and that's to give us a 30 second like elevator pitch or a billboard and I'm going to ask you, Anne, specifically about the SOC Essentials program powered by Trend Micro. Why should organizations look to that? >> Organizations should move to it or work with us on it because we have the expertise, we have the width and breadth to help them fill the gaps, be those eyes, be that team, the police behind it all, so to speak, and be the team behind them to make sure we're giving them the right information they need to actually act effectively on maintaining their security posture. >> Nice and then last question for you, Mike is that billboard, why should organizations in any industry work with Capgemini to help become an intelligent industrial player. >> Mike: Sure, so if you look at our board up top, right, we've got our tagline that says, "get the future you want." And that's what you're going to get with Capgemini. It's not just about selling a service, it's not just about what partners' right in reselling. We don't want that to be why you come to us. You, as a company have a vision and we will help you achieve that vision in a way that nobody else can because of our depth, because of the breadth that we have that's very hard to replicate. >> Awesome guys, that was great answers. Mike, Anne, thank you for spending some time with Dave and me on the program today talking about what's new with Capgemini. We'll be following this space. >> All right, thank you very much. >> For our guests and for Dave Vellante, I'm Lisa Martin, you're watching theCUBE, the leader in live enterprise and emerging tech coverage. (gentle light music)

(bright music) >> Well, hey, everybody. John Walls here with theCUBE continuing coverage at AWS re:Invent '22. It has been three really fantastic days here at the Venetian in Las Vegas. And we still have more to come with us to talk about Persistent Systems, the Senior Vice President of Cloud at Persistent Dominique Bastos. Dominique, good to see you. >> Pleasure to see you. >> Thanks for joining us here on the queue. >> Thank you for having me. >> Oh, you bet. You bet. >> Thank you. All right. Tell us about Persistent Systems. So, first off, core focus, what you're up to and then we'll jump in from there. >> Sure, sure. So Persistent Systems is a digital engineering solutions and services provider. They've been around for 32 years doing software engineering, innovating in several areas within different verticals. There's over 22,500 people at Persistent now as of my last count. We're in 18 countries. >> Mm. >> And in October we hit the $1 billion annualized recurring revenue mark. >> Oh, that's a good number right there. >> It's a good number. It's a great company. It's been such an interesting journey. I was with AWS for almost seven years before recently joining Persistent, and it almost felt like a such a logical transition in terms of bringing what I've seen in my entire career of interacting with customers and businesses to what Persistent can provide as people are looking to make their journey to the cloud whatever stage they might be at so. >> Right. And we should point out is that SVP of Cloud, but your focus is AWS. >> My focus AWS. >> Other options, other opportunities. >> Right. >> But you're AWS all the way. >> Right. It's a multicloud company because, you know, we really don't believe in dictating to a customer what they need. I think the benefit, one of the differentiators for Persistent is the amount of legacy history that they have across these industries and customers. I mean, 32 years is a lot, and in terms of like software engineering. So it's like really doing the hard work, the heavy lifting. And then seeing what can actually be commoditized, repeatable building solutions within these verticals to help customers accelerate their transformations. >> Mm hmm. >> So... >> You know, when we talk about cloud, I mean, this has been something that's been on the forefront feel like a long time. Right? But yet there are still many and maybe you can help me out with that percentage, whatever of companies who are either haven't begun yet, are just beginning, they're really in a nascent stage of this transformation. And yeah, I found it curious this week as we've talked with different people about where are you in your journey and so and so forth. A lot of people are way back just starting pass go, and aren't as mature as I would've thought. I mean, do you find that to be the case? >> Absolutely. And there's many reasons for that. I mean, I think what I've started, I mean I've been seeing it over the years, but we all know IT and business back then was very much kept separate. >> Two separate animals. >> Two separate animals. >> Yeah. >> IT made the decisions, not in a vacuum, but almost in a vacuum, right? Now, obviously companies who know it's necessary and have embraced it, bring together the function of looking at the technological solutions that they're adopting to solve a business problem. Right? But that business problem really is dictated by the customer need. >> Mm hmm. >> So I think I have seen, you know, in terms of like the life cycle of a business adopting technology, post cloud, there's a lot of enterprises that are still, they've made such big investments in their legacy infrastructure. >> Mm hmm. >> And in actually, you know, the developers and the people that are maintaining those systems, and the different connections to put it in layman's terms between their systems and their customers systems, right? So, that entire scenario makes it very difficult for them to move. >> Mm hmm. >> It's like moving a mountain. So, I would say there's like three ways of looking at it. You have those that kind of want to revitalize their technology, right? Their backend systems, they want to optimize costs, they want to, and my background in technology is specifically in data, kind of I came up as a DBA and built data models, and I've always loved data before it was a thing to love data. (John chuckles) So... >> You were so far ahead of the curve. >> I was ahead of the curve. I was a trendsetter. >> What a trendsetter? >> I'm a trendsetter. (Dominique chuckles) So I think from that perspective they're looking at, you know, these enormous of amounts of data that they've been capturing in these legacy systems that they're so heavily invested in, but they're not able to derive the insights to better serve their customers or to even innovate new revenue streams from that data. But, they're taking the first step to say, look, you know, we can actually operate more smoothly at a lower cost by moving to the cloud. >> Mm hmm. >> So there's that. Then there are those that are looking to actually innovate and create new revenue streams, monetize their data, look at opportunities to integrate feedback that they've been getting from their customers to provide new services. So they're using the cloud journey, they've probably already moved into the cloud. They're starting to look at analytics, and potentially using AIML to facilitate creating these solutions and services. And then there's those that, you know, want to pioneer, and break into new inventions and ways of solving the big world problems. >> Mm hmm. >> Right? I mean, I think that's one thing I noticed in this re:Invent that I thought was so special is there's like a really big focus on humanity, on humans, on you know, as we were talking earlier everything and I myself have like holding books and I don't like people being on their phone when we're having a conversation. (John chuckles) >> Right. But I think, you know, we are where we are. The reality is the world has evolved in such a way that community is no longer, it takes a small village, all, you know everybody knows each other. You have face to face interactions. You're not doing that with your customers either. There's digitally native businesses that have for a long time cropped up in the FinTech space in you know, you name the space, there's a startup that was born in the cloud that can reach customers immediately, and can provide a service that an enterprise that's kind of like weighed down with their legacy systems. They can't pivot fast enough. So, I think, you know, the pioneers think beyond that. How do we use quantum computing? You know, how do we use 3D simulation to anticipate solving big world problems? Whether it's, you know, people no longer, I don't know what the statistics are, but it's very sad. That elderly people, you know, the amount of human contact that they have is very little. You know, and if you could provide, I don't know, an experience, an immersive experience where their memories are triggered, you know, to help them with dementia, or Alzheimer's. >> Sure. >> I mean, those types of things, those are the things that I think that's what excites me about the launches that I see at re:Invent. And I think the innovation, you know, you have to take that journey. Unless you're born in the cloud, you do have to kind of take that journey. >> You got to get there. >> You have to get there. >> Right. Sure. >> But it's so worth it. >> So how about, let's just say, if I'm a health sciences company, or I'm a pharmaceutical or whatever, and so I've got this desire to create this new opportunity you know, with a human, I say, but yeah, but if you're also Persistent Systems and you're working with you know, somebody in FinTech, or somebody in EEG or whatever, you can't really understand my challenges or my problems. I mean, how do you wear those different hats so you can identify not only what the focus of that client is, but also their technology and how you're going to get them to marry up so they can achieve their goals? >> Well, the beauty of being, you know, in a company with teams of people that you work with, I cut across industries. Right? So we have vertical leaders that have very deep subject matter expertise in any number of those areas. You know, we're working with genomics for example. So, for example, you know, we engage with a customer that we've been helping over the past 32 years use technology to bring services to their customers. And now we are seeing an opportunity to help them innovate to keep up for their business for obvious reasons, but also to supply their customers with the new innovative solutions within that industry, right? 'Cause you need that vehicle to kind of deploy and deliver what customers need. The way we do it is from end to end, right? So, we have in the partnership with AWS, we're a partner of AWS, and as such we are able to collaborate with AWS and their customers or bring our customers to the cloud for all the way from assessment to planning to execution. And even within Persistent, we have ways to main operationalize the maintenance of these solutions. So it's really very easy managed services type framework that we work under. In terms of like migration planning, we have competencies within AWS. For looking at migrations we have AIML, we have DevOps. So we have the various competencies aligned with AWS to be able to execute at whatever stage the customer is. But also in terms of like the accelerators that we provide or the frameworks to look at total cost, that cuts across, right? And then we don't kind of like, here's what you needed and buy, never speak to us again. (John chuckles) I mean, I think the beauty of this company and what I really loved when I was first speaking to them is the depth of the relationships with their customers and the longevity of them. So they've really seen their customers grow. And you can only do that if you're there for the long run. >> You've got to be present. >> You have to be present. >> Sure. So how do you handle if people are making this transformation and they're moving into the cloud, but the people they have on staff might not be familiar with it, right? They have great expertise in what they've been doing on these legacy systems, but now you're moving, you're migrating to a new world, new culture, new environment, and you got to get 'em up to speed. And that's not easy. >> No. >> Right? So what do you do, or what does Persistent suggest or what are you doing and with regard to closing that gap into making that bridge so that they can maintain a little bit on their own. >> Yeah. >> They can execute and implement on their own. >> Yep. >> A little bit. They don't need somebody there to stand over their shoulder the whole time. >> I won't geek out on having joined AWS in professional services way back when to migrate a major company to the cloud, and having lived through painstakingly all those problems and blockers and adoption roadblocks that you speak of. >> Mm hmm. >> You know, I think the way Persistent handles it is what I would've done myself, right? If I were to start a company and say how do we help customers simplify their cloud journey, and remove the complexity? I think that's what Persistent Systems does. We, there's training programs that we are aligned to with AWS. So there's up-skilling of development teams, application developers. We collaborate from the top down with executives to look at the resources that they have available. Obviously mission critical systems that cannot sacrifice having engineers pulled away for a new project. You know, you take that into account. I think, you know, when I spoke earlier about assessments, you're not just assessing what needs to be lifted and shifted or refactored or rearchitected, you're looking at, you know, all these applications that are going to move to the cloud. Who owns them? >> Mm hmm. >> You know, do you have a CI/CD pipeline, or a data pipeline built? Well, we're going to need that, right? So, the continuous integration, continuous development of applications, that type of DevOps, obviously security also DevSecOps, we look at it from end to end as well. We have a very strong security practice. So, all those advisory pieces we have, but we also have the capability to execute on it. Where we're not just coming in and saying well this is what you should do. We're kind of in there saying, this is what you should do, here's how we can get you started. And then, you know, it's a collaborative effort with our customers to see how much they still want us to stay versus how much they want to take over. >> Right. It's nice to have a friend. >> Yeah. (John laughs) Who doesn't need a friend. (Dominique laughs) And Persistent Systems is your friend. Dominique, thanks for the time. >> Oh, my pleasure. >> I appreciate it. >> Thanks again for having me. >> Thanks for being here on theCUBE. You bet. >> Absolutely. >> You are watching theCUBE as you well know the leader in high tech coverage. (soft music)

>>Hello and welcome back to the Cube's coverage of AWS Reinvent 2022. I'm John Furrier, host of the Cube. We got a great conversation with Patrick Kauflin, vice president of Go to Market Strategy and specialization at Splunk. We're talking about the open cybersecurity scheme of framework, also known as the O C sf, a joint strategic collaboration between Splunk and aws. It's got a lot of traction momentum. Patrick, thanks for coming on the cube for reinvent coverage. >>John, great to be here. I'm excited for this. >>You know, I love this open source movement and open source and continues to add value, almost sets the standards. You know, we were talking at the CNCF Linux Foundation this past fall about how standards are coming outta open source. Not so much the the classic standards groups, but you start to see the developers voting with their code groups deciding what to adopt de facto standards and security is a real key part of that where data becomes key for resilience. And this has been the top conversation at reinvent and all around the industry, is how to make data a key part of building into cyber resilience. So I wanna get your thoughts about the problem that you see that's emerging that you guys are solving with this group kind of collaboration around the ocs f >>Yeah, well look, John, I I think, I think you, you've already, you've already hit the high notes there. Data is proliferating across the enterprise. The attack surface area is rapidly expanding. The threat landscape is ever changing. You know, we, we just had a, a lot of scares around open SSL before that we had vulnerabilities and, and Confluence and Atlassian, and you go back to log four J and SolarWinds before that and, and challenges with the supply chain. In this year in particular, we've had a, a huge acceleration in, in concerns and threat vectors around operational technology. In our customer base alone, we saw a huge uptake, you know, and double digit percentage of customers that we're concerned about the traditional vectors like, like ransomware, like business email compromise, phishing, but also from insider threat and others. So you've got this, this highly complex environment where data continues to proliferate and flow through new applications, new infrastructure, new services, driving different types of outcomes in the digitally transformed enterprise of today. >>And, and what happens there is, is our customers, particularly in security, are, are left with having to stitch all of this together. And they're trying to get visibility across multiple different services, infrastructure applications across a number of different point solutions that they've bought to help them protect, defend, detect, and respond better. And it's a massive challenge. And you know, when our, when our customers come to us, they are often looking for ways to drive more consolidation across a variety of different solutions. They're looking to drive better outcomes in terms of speed to detection. How do I detect faster? How do I bind the thing that when bang in the night faster? How do I then fix it quickly? And then how do I layer in some automation so hopefully I don't have to do it again? Now, the challenge there that really OCF Ocsf helps to, to solve is to do that effectively, to detect and to respond at the speed at which attackers are demanding. >>Today we have to have normalization of data across this entire landscape of tools, infrastructure, services. We have to have integration to have visibility, and these tools have to work together. But the biggest barrier to that is often data is stored in different structures and in different formats across different solution providers, across different tools that are, that are, that our customers are using. And that that lack of data, normalization, chokes the integration problem. And so, you know, several years ago, a number of very smart people, and this was, this was a initiative s started by Splunk and AWS came together and said, look, we as an industry have to solve this for our customers. We have to start to shoulder this burden for our customers. We can't, we can't make our customers have to be systems integrators. That's not their job. Our job is to help make this easier for them. And so OCS was born and over the last couple of years we've built out this, this collaboration to not just be AWS and Splunk, but over 50 different organizations, cloud service providers, solution providers in the cybersecurity space have come together and said, let's decide on a single unified schema for how we're gonna represent event data in this industry. And I'm very proud to be here today to say that we've launched it and, and I can't wait to see where we go next. >>Yeah, I mean, this is really compelling. I mean, it's so much packed in that, in that statement, I mean, data normalization, you mentioned chokes, this the, the solution and integration as you call it. But really also it's like data's not just stored in silos. It may not even be available, right? So if you don't have availability of data, that's an important point. Number two, you mentioned supply chain, there's physical supply chain that's coming up big time at reinvent this time as well as in open source, the software supply chain. So you now have the perimeter's been dead for multiple years. We've been talking with that for years, everybody knows that. But now combined with the supply chain problem, both physical and software, there's so much more to go on. And so, you know, the leaders in the industry, they're not sitting on their hands. They know this, but they're just overloaded. So, so how do leaders deal with this right now before we get into the ocs f I wanna just get your thoughts on what's the psychology of the, of the business leader who's facing this landscape? >>Yeah, well, I mean unfortunately too many leaders feel like they have to face these trade offs between, you know, how and where they are really focusing cyber resilience investments in the business. And, and often there is a siloed approach across security, IT developer operations or engineering rather than the ability to kind of drive visibility integration and, and connection of outcomes across those different functions. I mean, the truth is the telemetry that, that you get from an application for application performance monitoring or infrastructure monitoring is often incredibly valuable when there's a security incident and vice versa. Some of the security data that, that you may see in a security operation center can be incredibly valuable in trying to investigate a, a performance degradation in an application and understanding where that may come from. And so what we're seeing is this data layer is collapsing faster than the org charts are or the budget line items are in the enterprise. And so at Splunk here, you know, we believe security resilience is, is fundamentally a data problem. And one of the things that we do often is, is actually help connect the dots for our customers and bring our customers together across the silos they may have internally so that they can start to see a holistic picture of what resilience means for their enterprise and how they can drive faster detection outcomes and more automation coverage. >>You know, we recently had an event called Super Cloud, we're going into the next gen kind of a cloud, how data and security are all kind of part of this NextGen application. It's not just us. And we had a panel that was titled The Innovators Dilemma, kind of talk about you some of the challenges. And one of the panelists said, it's not the innovator's dilemma, it's the integrator's dilemma. And you mentioned that earlier, and I think this a key point right now into integration is so critical, not having the data and putting pieces together now open source is becoming a composability market. And I think having things snap together and work well, it's a platform system conversation, not a tool conversation. So I really wanna get into where the OCS f kind of intersects with this area people are working on. It's not just solution architects or cloud cloud native SREs, especially where DevSecOps is. So this that's right, this intersection is critical. How does Ocsf integrate into that integration of the data making that available to make machine learning and automation smarter and more relevant? >>Right, right. Well look, I mean, I I think that's a fantastic question because, you know, we talk about, we use Bud buzzwords like machine learning and, and AI all the time. And you know, I know they're all over the place here at Reinvent and, and the, there's so much promise and hope out there around these technologies and these innovations. However, machine learning AI is only as effective as the data is clean and normalized. And, and we will not realize the promise of these technologies for outcomes in resilience unless we have better ways to normalize data upstream and better ways to integrate that data to the downstream tools where detection and response is happening. And so Ocsf was really about the industry coming together and saying, this is no longer the job of our customers. We are going to create a unified schema that represents the, an event that we will all bite down on. >>Even some of us are competitors, you know, this is, this is that, that no longer matters because at the point, the point is how do we take this burden off of our customers and how do we make the industry safer together? And so 15 initial members came together along with AWS and Splunk to, to start to create that, that initial schema and standardize it. And if you've ever, you know, if you've ever worked with a bunch of technical grumpy security people, it's kind of hard to drive consensus about around just about anything. But, but I, I'm really happy to see how quickly this, this organization has come together, has open sourced the schema, and, and, and just as you said, like I think this, this unlocks the potential for real innovation that's gonna be required to keep up with the bad guys. But right now is getting stymied and held back by the lack of normalization and the lack of integration. >>I've always said Splunk was a, it eats data for breakfast, lunch, and dinner and turns it into insights. And I think you bring up the silo thing. What's interesting is the cross company sharing, I think this hits point on, so I see this as a valuable opportunity for the industry. What's the traction on that? Because, you know, to succeed it does take a village, it takes a community of security practitioners and, and, and architects and developers to kind of coalesce around this defacto movement has been, has been the uptake been good? How's traction? Can you share your thoughts on how this is translating across companies? >>Yeah, absolutely. I mean, look, I, I think cybersecurity has a, has a long track record of, of, of standards development. There's been some fantastic standards recently. Things like sticks and taxi for threat intelligence. There's been things like the, you know, the Mir attack framework coming outta mi mir and, and, and the adoption, the traction that we've seen with Attack in particular has been amazing to, to watch how that has kind of roared onto the scene in the last couple of years and has become table stakes for how you do security operations and incident response. And, you know, I think with ocs f we're gonna see something similar here, but, you know, we are in literally the first innings of, of this. So right now, you know, we're architecting this into our, into every part of our sort of backend systems here at Polan. I know our our collaborators at AWS and elsewhere are doing it too. >>And so I think it starts with bringing this standard now that the standard exists on a, you know, in schema format and there, there's, you know, confluence and Jira tickets around it, how do we then sort of build this into the code of, of the, the collaborators that have been leading the way on this? And you know, it's not gonna happen overnight, but I think in the coming quarters you'll start to see this schema be the standard across the leaders in this space. Companies like Splunk and AWS and others who are leading the way. And often that's what helps drive adoption of a standard is if you can get the, the big dogs, so to speak, to, to, to embrace it. And, and, you know, there's no bigger one than aws and I think there's no, no more important one than Splunk in the cybersecurity space. And so as we adopt this, we hope others will follow. And, and like I said, we've got over 50 organizations contributing to it today. And so I think we're off to a running >>Start. You know, it's interesting, choking innovation or having things kind of get, get slowed down has really been a problem. We've seen successes recently over the past few years. Like Kubernetes has really unlocked and accelerated the cloud native worlds of runtime with containers to, to kind of have the consensus of the community to say, Hey, if we just do this, it gets better. I think this is really compelling with the o the ocs F because if people can come together around this and get unified as well as all the other official standards, things can go highly accelerated. So I think, I think it looks really good and I think it's great initiative and I really appreciate your insight on that, on, on your relationship with Amazon. Okay. It's not just a partnership, it's a strategic collaboration. Could you share that relationship dynamic, how to start, how's it going, what's strategic about it? Share to the audience kind of the relationship between Splunk and a on this important OCS ocsf initiative. >>Look, I, I mean I think this, this year marks the, the 10th year anniversary that, that Splunk and AWS have been collaborating in a variety of different ways. I, I think our, our companies have a fantastic and, and long standing relationship and we've, we've partnered on a number of really important projects together that bring value obviously to our individual companies, but also to our shared customers. When I think about some of the most important customers at Splunk that I spend a significant amount of time with, I I I know how many of those are, are AWS customers as well, and I know how important AWS is to them. So I think it's, it's a, it's a collaboration that is rooted in, in a respect for each other's technologies and innovation, but also in a recognition that, that our shared customers want to see us work better together over time. And it's not, it's not two companies that have kind of decided in a back room that they should work together. It's actually our customers that are, that are pushing us. And I think we're, we're both very customer centric organizations and I think that has helped us actually be better collaborators and better partners together because we're, we're working back backwards from our customers >>As security becomes a physical and software approach. We've seen the trend where even Steven Schmidt at Amazon Web Services is, is the cso, he is not the CSO anymore. So, and I asked him why, he says, well, security's also physical stuff too. So, so he's that's right. Whole lens is now expanded. You mentioned supply chain, physical, digital, this is an important inflection point. Can you summarize in your mind why open cybersecurity schema for is important? I know the unification, but beyond that, what, why is this so important? Why should people pay attention to this? >>You know, I, if, if you'll let me be just a little abstract in meta for a second. I think what's, what's really meaningful at the highest level about the O C S F initiative, and that goes beyond, I think, the tactical value it will provide to, to organizations and to customers in terms of making them safer over the coming years and, and decades. I think what's more important than that is it's really the, one of the first times that you've seen the industry come together and say, we got a problem. We need to solve. That, you know, doesn't really have anything to do with, with our own economics. Our customers are, are hurt. And yeah, some of us may be competitors, you know, we got different cloud service providers that are participating in this along with aws. We got different cybersecurity solution providers participating in this along with Splunk. >>But, but folks who've come together and say, we can actually solve this problem if, if we're able to kind of put aside our competitive differences in the markets and approach this from the perspective of what's best for information security as a whole. And, and I think that's what I'm most proud of and, and what I hope we can do more of in other places in this industry, because I think that kind of collaboration from real market leaders can actually change markets. It can change the, the, the trend lines in terms of how we are keeping up with the bad guys. And, and I'd like to see a lot more of >>That. And we're seeing a lot more new kind of things emerging in the cloud next kind of this next generation architecture and outcomes are happening. I think it's interesting, you know, we always talk about sustainability, supply chain sustainability about making the earth a better place. But you're hitting on this, this meta point about businesses are under threat of going under. I mean, we want to keep businesses to businesses to be sustainable, not just, you know, the, the environment. So if a business goes outta business business, which they, their threats here are, can be catastrophic for companies. I mean, there is, there is a community responsibility to protect businesses so they can sustain and and stay Yeah. Stay producing. This is a real key point. >>Yeah. Yeah. I mean, look, I think, I think one of the things that, you know, we, we, we complain a lot of in, in cyber security about the lack of, of talent, the talent shortage in cyber security. And every year we kinda, we kind of whack ourselves over the head about how hard it is to bring people into this industry. And it's true. But one of the things that I think we forget, John, is, is how important mission is to so many people in what they do for a living and how they work. And I think one of the things that cybersecurity is strongest in information Security General and has been for decades is this sense of mission and people work in this industry be not because it's, it's, it's always the, the, the most lucrative, but because it, it really drives a sense of safety and security in the enterprises and the fabric of the economy that we use every day to go through our lives. And when I think about the spun customers and AWS customers, I think about the, the different products and tools that power my life and, and we need to secure them. And, and sometimes that means coming to work every day at that company and, and doing your job. And sometimes that means working with others better, faster, and stronger to help drive that level of, of, of maturity and security that this industry >>Needs. It's a human, is a human opportunity, human problem and, and challenge. That's a whole nother segment. The role of the talent and the human machines and with scale. Patrick, thanks so much for sharing the information and the insight on the Open cybersecurity schema frame and what it means and why it's important. Thanks for sharing on the Cube, really appreciate it. >>Thanks for having me, John. >>Okay, this is AWS Reinvent 2022 coverage here on the Cube. I'm John Furry, you're the host. Thanks for watching.

(soft electronic music) >> Good afternoon guys and gals. Welcome back to theCube's Live coverage of AWS re:Invent 2022. We've been in Sin City since Monday night, giving you a load of content. I'm sure you've been watching the whole time, so you already know. Lisa Martin here with John Furrier. John, we love having these conversations at AWS re:Invent. So many different topics of conversation. We also love talking to AWS's partner ecosystem. There's so much emphasis on it, so much growth and innovation. >> Yeah, and the thing is we got two great leaders from a very popular company that's doing very well. Security, security's a big part of the story. Data and security. Taking up all the keynote time, you're hearing a lot of it. This company's a company we've been following from the beginning. Doing really good stuff in open source, cloud native, security, shifting-left. Snyk's just a great company. With the CTO and the head of the product organization, these guys have the keys to the kingdom in security. We're going to have a great conversation. >> Yeah, we are. Both from Snyk, Manoj Nair joins us, rejoins us, for your, I believe, 11th visit. Chief Product Officer of Snyk. Adi Sharabani, Chief Technology Officer. Welcome guys. Great to have you. >> Yeah, thank you. >> Great to be back. >> So what's going on at Snyk? I know we get to talk to you often, but Manoj, give us the lowdown on what are some of the things that are new since we last connected with Snyk. >> A lot of innovation going on. We just had a major launch last month and you know when we talked to our customers three big themes are happening in parallel. One is the shift to going from traditional development to, really, DevOps, but we need to make that DevSecOps and Snyk was ahead of, that was the genesis of Snyk, but we're still, you know, maybe 15, 20% of organizations have realized that. So that one big theme. Supply chain security, top of mind for everyone. And then really, cloud and, you know, how do you really take advantage of cloud. Cloud is code. So our innovation map to those three big themes, we have done a lot in terms of that shift-left. And Adi will talk about, kind of, some of our original, like, you know, thinking behind that. But we flipped the security paradigm on its head. Was to make sure developers loved what they were, you know, experiencing with Snyk. And oh, by the way, they're fixing security issues. The second one, supply chain. So you know, SBOMs and everyone hears about this and executive orders, what do you do? Who does what with that? So we launched a few things in terms of simplifying that. You can go to our website and, you know, just upload your SBOM. It'll tell you using the best security intelligence data. In fact, the same data is used by AWS inside their products, inside Inspector. So we use that data from Snyk's intelligence to light up and tell you what vulnerabilities do your third party code have. Even things that you might not be scanning. And then the last one is really code to cloud. Cloud is code. So we have brought the ability to monitor your cloud environments all the way into your platform and the security engineering teams, rather than later on and after the fact. Those are some of the big ones that we're working on. >> Lisa: Lots going on. >> Yeah. >> Lisa: Wow. >> Lots going on there. I mean, SBOMs, Software Bill of Materials. I mean, who would've thought in the developer community, going back a decade, that we'd be talking about bill of materials, open source becomes so popular. You guys are cloud native. Developer productivity's a hot trend. Not much going on here, talking about developer productivity. Maybe Werner, keynote tomorrow will talk about it. Software supply chain, huge security risk. You guys are in the front lines. I want to understand, if you can share, why is Snyk successful? Everyone is hearing about you guys. Your business is doing great. What's the secret sauce of your success? Why are you guys so successful? >> I think that, you know, I've been doing application security for more than two decades now and in the past we always saw the potential associated with transferring, shifting-left in a sense, before the term, right? Taking those security solutions out of the hands of the security people and putting it in the hands of developers. It's speeds up the process. It's very, very clear to anyone. The problem was that we always looked at it the wrong way. We did shift-left, and shift-left is not enough because in my terminology shift-left, meaning let's take those security solution put it earlier in the cycle, but that's not enough because the developer is not speaking those terms. The developer is not a security persona. The security persona is thinking in terms of risk. What are the risks that a specific issue creates? The developer is thinking in terms of the application. What would be the impact on application of a change I would might make into it. And so the root cause of Snyk success, in my opinion, is the fact that from the get-go we scratch that, we build a solution for the developer that is based on how the workflows of the developer, whether it's the ID, whether it's the change management, the pull request. Whether it's integration with the Gits and so on. And whether it's with integration with the cloud and the interaction with the cloud providers. And doing that properly, addressing the developers how they want to context, to get, with the context they want to get as part of the issues, with the workflows they want to get. That's kind of the secret sauce, in a sense. And very easy maybe to say, but very, very hard to implement properly. >> This is huge. I want to unpack that. I want to just, great call out, great description. This is huge. This is a, we're seeing the past three years in particular, maybe three with the pandemic. Okay, maybe go a couple years earlier, then. The developers' behavior is driving the change. And you know, if you look at the past three DockerCons we've covered, we've been powering that site, been following that community very closely since the beginning, as well. It just seems in the past three to four years that the developers choices at scale, not what they're buying or who's pushing tools to them, has been one big trend. >> Yeah. >> They're setting the pace. >> Developer is the king. >> If it's self-service, we've seen self-service. Whether it's freemium to paid, that works. This is the new equation. Developer, developer choice is critical. So self-service they want. And two, the language barrier or jargon between or mindsets between security and developers. Okay, so DevOps brings IT into the workflow. Check. DevSecOps brings in there. You guys crack the code on that, is that what you're saying? >> Yes, and it's both the product, like how do you use the solution, as well as the go to market. How do you consume the solution? And you alluded to that with the PLG motion, that I think Synk has done the superb job at and that really helped our businesses. >> Okay, so Manoj, product, you got the keys to the kingdom, you got the product roadmap. I could imagine, and what I'd love to get your reaction too Adi, if you don't mind. If you do that, what you've done, the consequence of that is now security teams and the data teams can build guardrails. We're reporting a lot of that in the queue. We're hearing that we can provide guardrails. So the velocity of the developer seems to be increasing. Do you see that? Is that a consequence? >> That's something that we actually measure in the product. Right, so Snyk's focus is not finding issues, it's fixing issues. So one of the things we have been able to heuristically look at our thousands of customers and say, they're fixing issues 27 days faster than they were prior to Snyk. So, you know, I'm a Formula one fan. Guardrails, you say. I say there's a speed circuit. Developers love speed. We give them the speed. We give the security teams the ability to sit on those towers and, you know, put the right policies and guardrails in place to make sure that it's not speed without safety. >> And then I'm sure you guys are in the luxury box now, partying while the developers are (Lisa laughing) no more friction, no more fighting, right? >> The culture is changing. I had a discussion with a Fortune 50 CISO a month ago, and they told me, "Adi, it's the first time in my life where the development teams are coming to me, asking me, hey I want you to buy us this security solution." And for, that was mind blowing for him, right? Because it really changes the discussion with the security teams and the development teams >> Before Lisa jumps in, well how long, okay, let me ask you that question on that point. When did that tipping point change, culturally? Was it just the past few years? Has there, has DevOps kind of brought that in, can you? >> Yeah, I think it's a journey that happened together with Snyk's, kind of, growth. So if three years ago it was the very early adopters that were starting to consume that. So companies that are very, you know, modern in the way they developed and so on. And we saw it in our business. In the early days, most of our business came from the high tech industry. And now it's like everywhere. You have manufacturing, you have banks, you have like every segment whatsoever. >> Talk about that cultural shift. That's really challenging for organizations to achieve. Are you seeing, so that, that CISO was quite surprised that the developer came and said, this is what I want. Are you seeing more of that cultural changes? Is that becoming pervasive? >> Yeah, so I think that the root cause of that is that, you mentioned the growth, like the increased speed of velocity in applications. We have 30 million developers in the world today. 30 millions. By the end of the decade it's going to be 45 millions and all of them are using open source, third party code. Look at what's going on here in the event, right? This accelerates the speed for which they develop. So with that, what happened in the digital transformation world, the organizations are facing that huge growth, exponential growth in the amount of technology and products that are being built by their teams. But the way they manage that before, from a security perspective, just doesn't scale. And it breaks and it breaks and it breaks. This is why you need a different approach. A solution that is based on the developers, who are the ones that created the problems and the ones that will be responsible of fixing the issues. This is why we are kind of centering ourselves around them. >> And the world has changed, right? What is cloud? It's code, it's not infrastructure. Old infrastructure, hosted infrastructure. So if cloud is code and cloud native applications are all code and they're being deployed with Terraform packages and cloud formations, that's code. Why take an old school approach of scanning it outside-in. I talked to CISO today who said, I feel bad that, you know, our policy makes it such that a terraform change takes six months. What did I do? I made cloud look like infrastructure. >> Yeah, it's too slow. >> So that, you know, so both sides, you know, CISOs want something that the business, you know, accepts and adopts and it's, culture changes happen because the power is with the developers because all of this is code, and we enabled that whole seamless journey, all the way from code to cloud. So it's kind, you know, I think that this is a part of it. It's by direction, it's a bridge and both sides are meeting in the middle here. >> It's a bridge. I'm curious, how are you facilitating that bridge? You, we talk about the developers being the kings and queens and really so influential in business decisions these days. And you're talking about the developers now embracing Snyk. But you're also talking to CISOs. Is your customer conversation level changing as a result of security folks understanding why it needs to shift-left. >> We had a breakfast meeting with customers, prospects and everyone, I think this morning. It was interesting, we were remarking. There are CTOs, VPs of engineering, CISOs, VPs of AppSec. And it was such a rich conversation on both sides, right? So just the joy of facilitating that conversation and dialogue. CISOs, and so the levels are changing. It started for us in CTOs and VPs of engineering and now it's both because, you know, one of the things Adi talks about is, like, that security has to become development aware. And that's starting to be like the reality. Me getting another solution, with maybe a better acronym than the old acronym, but it's still outside-in, it's scan based. I light up up the Christmas tree, who is going to fix it? And with the speed of cloud, now I got throw in more lights. Those lights are no longer valid. >> The automation. >> The automation without prioritization and actual empowerment is useless. >> All right, I know we got a couple minutes left, but I want to get into that point about automation because inside-out, you've made me think about this. I want to get your thought Adi, if you don't mind. The integration challenges now are much more part of the ecosystem, more joint engineering. You mentioned these meetings are not just salesperson and customer buyer, it's teams are talking to each other. There's a lot of that going on. How do you guys look at that? Because now the worst things that I hear and when I talk to customers is, I hate the word PenTest and AppSec review. It slows things down. People want to go faster. So how do you guys look at that? What's Snyk doing around making the AppSec review process, integration across companies, work better? >> So I'll give you an example from the cloud and then I will relate to the AppSec. And this relates to what you mentioned before. We had a discussion yesterday with a CISO that said, we are scanning the cloud, we are opening the lights, we see this issue. Now what do I do? Who needs to fix this? So they have this long process of finding the actual team that is required to fix it. Now they get to the team and they say, why didn't you tell me about it when I developed it? The same goes for AppSec, right? The audit is a very late stage of the game. You want to make sure that the testing, that the policies, everything is under the same structure, the same policies. So when you do the same thing, it's part of the first time of code that you create, it's part of the change management, it's part of the build, it's part of the deployment and it's part of the audit. And you have everything together being done under the same platform. And this is, kind of, one of the strengths that we bring to the table. The discussion changes because now you have an aligned strategy, rather than kind of blocks that we have, kind of, mashed up together. >> So the new workflow, it's a new workflow, basically, in the mindset of the customer. They got to get their arms around that thing. If we don't design it in, the wheels could come off the bus at the 11th hour. >> Adi: Yeah. >> And everything slows down. >> I had a discussion with Amazon today, actually, that they had an internal discussion and they said, like, some of the teams were like, why have you blocked my app from being released? And they said, have you ever scanned your app? Have you ever looked at your, like, and, and they're like, if you haven't, then you're not really onboard with the platform and it just breaks. This is what happens. >> Great conversation. I know we don't, I wish we had more time. We'll do a follow up on theCube for sure. Should we get into the new twist? >> I've got one final question for you guys. We're making some Instagram reels, so think about your elevator pitch in 30 seconds. And I want to ask you about Snyk's evolution. Manoj, I want to start with you. What is that elevator pitch about Snyk's evolution to the end user customer? >> Empower developers, help them go faster, more productive and do it in a way that security is really built in, not bolted on. And that's really, you know, from a, the evolution and the power that we are giving is make the organization more productive because security is just happening as a part of making the developer more productive. >> Awesome. And Adi, question for you, how, your elevator pitch on how Snyk is really an enabler for CISOs these days? >> Yeah, so I always ask the CISO first of all, are you excited about the way your environment looks like today? Do you need to have a cultural change? Because if you need to have a cultural change, if you want to get those two teams working closely together, we are here to enable that. And it goes from the product, it goes from our education pieces that we can talk about in another section, and it works around the language that we build to allow and enable that discussion. >> Awesome. Guys, that was a double mic drop for both of you. >> Manoj: Thank you. >> Adi: Thank you, Lisa. >> Thank you so much for joining John and me, talking about what's happening with Snyk, what you're enabling customers to do and how, really, you're enabling cultural change. That's hard to do. That's awesome stuff guys. And congratulations on your 11th and your first Cube. >> Second, second, >> Second. >> Adi: I will be here more, but (laughs) >> You got it, you got it. You have to come back because we have too much to talk about. >> Adi: Exactly. (laughs) >> Thanks guys, we appreciate it. >> If we can without Manoj, so I can catch up. (Manoj laughs) >> Okay. We'll work on that. >> Bring you in the studio. (everyone laughing) >> Exactly. >> Eight straight interviews. (John and Lisa laughing) >> We hope you've enjoyed this conversation. We want to thank our guests. For John Furrier, I'm Lisa Martin. You're watching theCUBE, the leader in emerging and enterprise tech coverage. (soft electronic music)

>>Hello everyone. My name is Savannah Peterson, coming to you live from the Kim Con Show floor on the cube here in Detroit, Michigan. The energy is pulsing big event for the Cloud Native Foundation, and I'm joined by John Furrier on my left. John. Hello. >>Great, great, great to have you on the cube. Thanks for being our new host. You look great, Great segment coming up. I'm looking forward to this. Savannah, this is a great segment. A cube alumni, an OG in the cloud, native world or cloud aati. I, as I call it, been there, done that. A lot of respect, a lot of doing some really amazing, I call it the super cloud holy grail. But we'll see >>Your favorite word, >>This favorite word, It's a really strong segment. Looking forward to hearing from this guest. >>Yes, I am very excited and I'm gonna let him tee it up a little bit. But our guest and his project were actually mentioned in the opening keynote this morning, which is very, very exciting. Ladies and gentlemen, please welcome Baam Tobar Baam, thanks for being here with >>Us. Thank you guys. So good to be back here on the show and, and this exciting energy around us. So it was super, super awesome to be here. >>Yeah, it feels great. So let's start with the opening keynote. Did you know you were gonna get that shout out? >>No, not at all. I, it was, it was really cool to see, you know, I think Cruz was up there talking about how they were building their own platform for autonomous cars and what's running behind it. And they mentioned all these projects and you know, we were like, Wow, that sounds super familiar. And then, then, and then they said, Okay, yeah, we we're, you know, cross plane. They mentioned cross plane, they mentioned, Upbound mentioned the work that we're doing in this space to help folks effectively run, you know, their own layer on top of cloud computing. >>And then Tom, we've known each other, >>We're gonna do a bingo super cloud. So how many times is this Super cloud? So >>Super Cloud is super services, super apps around us. He enables a lot of great things that Brian Grace had a great podcast this week on super services. So it's super, super exciting, >>Super great time on the queue. Super, >>Super >>Cloud conversation. All seriously. Now we've known each other for a long time. You've been to every cub com, you've been in open source, you've seen the seen where it's been, where it is now. Super exciting that in mainstream conversations we're talking about super cloud extractions and around interoperability. Things that were once like really hard to do back, even back on the opens stack days. Now we're at a primetime spot where the control plane, the data planes are in play as a viable architectural component of all the biggest conversations. Yeah, you're in the middle of it. What's your take on it? Give some perspective of why this is so important. >>I mean, look, the key here is to standardize, right? Get to standardization, right? And, and what we saw, like early days of cloud native, it was mostly around Kubernetes, but it was Kubernetes as a, you know, essentially a container orchestrator, the container of wars, Docker, Mesos, et cetera. And then Kubernetes emerged as a, a, the winner in containers, right? But containers is a workload, one kind of workload. It's, I run containers on it, not everything's containers, right? And the, you know, what we're seeing now is the Kubernetes API is emerging as a way to standardize on literally everything in cloud. Not just containers, but you know, VMs, serverless, Lambda, et cetera, storage databases that all using a common approach, a common API layer, a common way to do access control, a common way to do policy, all built around open source projects and you know, the cloud data of ecosystem that you were seeing around here. And that's exciting cuz we've, for the first time we're arriving at some kind of standardization. >>Every major inflection point has this defacto standard evolution, then it becomes kind of commonplace. Great. I agree with Kubernetes. The question I wanted to ask you is what's the impact to the DevOps community? DevSecOps absolutely dominated the playbook, if you will. Developers we're saying we'll run companies cuz they'll be running the applications. It's not a department anymore. Yes, it is the business. If you believe the digital transformation finds its final conclusion, which it will at some point. So more developers doing more, ask more stuff. >>Look, if you, I'd be hard pressed to find somebody that's has a title of DevOps or SRE that can't at least spell Kubernetes, if not running in production, right? And so from that perspective, I think this is a welcome change. Standardize on something that's already familiar to everyone is actually really powerful. They don't have to go, Okay, we learned Kubernetes, now you guys are taking us down a different path of standardization. Or something else has emerged. It's the same thing. It's like we have what, eight years now of cloud native roughly. And, and people in the DevOps space welcome a change where they are basically standardizing on things that are working right? They're actually working right? And they could be used in more use cases, in more scenarios than they're actually, you know, become versatile. They become, you know, ubiquitous as >>You will take a minute to just explain what you guys are selling and doing. What's the product, what's the traction, why are people using you? What's the big, big mo position value statement you guys think? >>Yeah, so, so, so the, my company's called Upbound and where the, where the folks behind the, the cross plane project and cross plane is effective, takes Kubernetes and extends it to beyond containers and to ev managing everything in cloud, right? So if you think about that, if you love the model where you're like, I, I go to Kubernetes cluster and I tell it to run a bunch of containers and it does it for me and I walk away, you can do that for the rest of the surface area of cloud, including your VMs and your storage and across cloud vendors, hybrid models, All of it works in a consistent standardized way, you know, using crossline, right? And I found >>What do you solve? What do you solve or eliminate? What happens? Why does this work? Are you replacing something? Are you extracting away something? Are you changing >>Something? I think we're layering on top of things that people have, right? So, so you'll see people are organized differently. We see a common pattern now where there's shared services teams or platform teams as you hear within enterprises that are responsible for basically managing infrastructure and offering a self-service experience to developers, right? Those teams are all about standardization. They're all about creating things that help them reduce the toil, manage things in a common way, and then offer self-service abstractions to their, you know, developers and customers. So they don't have to be in the middle of every request. Things can go faster. We're seeing a pattern now where the, these teams are standardizing on the Kubernetes API or standardizing on cross plane and standardizing on things that make their life easier, right? They don't have to replace what they're doing, they just have to layer and use it. And I layer it's probably a, an opening for you that makes it sound >>More complex, I think, than what you're actually trying to do. I mean, you as a company are all about velocity as an ethos, which I think is great. Do you think that standardization is the key in increasing velocity for teams leveraging both cross claim, Kubernetes? Anyone here? >>Look, I mean, everybody's trying to achieve the same thing. Everybody wants to go faster, they want to innovate faster. They don't want tech to be the friction to innovation, right? Right. They want, they wanna go from feature to production in minutes, right? And so, or less to that extent, standardization is a way to achieve that. It's not the only way to achieve that. It's, it's means to achieve that. And if you've standardized, that means that less people are involved. You can automate more, you can st you can centralize. And by doing that, that means you can innovate faster. And if you don't innovate these days, you're in trouble. Yeah. You're outta business. >>Do you think that, so Kubernetes has a bit of a reputation for complexity. You're obviously creating a tool that makes things easier as you apply Kubernetes outside just an orchestration and container environment. Do you, what do you see those advantages being across the spectrum of tools that people are leveraging you >>For? Yeah, I mean, look, if Kubernetes is a platform, right? To build other things on top of, and as a, as a result, it's something that's used to kind of on the back end. Like you would never, you should put something in front of Kubernetes as an application model or consumption interface of portals or Right, Yeah. To give zero teams. But you should still capture all your policies, you know, automation and compliance governance at the Kubernetes layer, right? At the, or with cross plane at that layer as well, right? Right. And so if you follow that model, you can get the best of world both worlds. You standardize, you centralize, you are able to have, you know, common controls and policies and everything else, but you can expose something that's a dev friendly experience on top of as well. So you get the both, both the best of both worlds. >>So the problem with infrastructure is code you're saying is, is that it's not this new layer to go across environments. Does that? No, >>Infrastructure is code works slightly differently. I mean, you, you can, you can write, you know, infrastructures, codes using whatever tooling you like to go across environments. The problem with is that everybody has to learn a specific language or has to work with understanding the constructs. There's the beauty of the Kubernetes based approach and the cross playing best approach is that it puts APIs first, right? It's basically saying, look, kind of like the API meant that it, that led to AWS being created, right? Teams should interact with APIs. They're super strong contracts, right? They're visionable. Yeah. And if you, if you do that and that's kind of the power of this approach, then you can actually reach a really high level of automation and a really high level of >>Innovation. And this also just not to bring in the clouds here, but this might bring up the idea that common services create interoperability, but yet the hyper scale clouds could still differentiate on value very much faster processors if it's silicon to better functions if glam, right? I mean, so there's still, it's not killing innovation. >>It is not, And in fact I, you know, this idea of building something that looks like the lowest common denominator across clouds, we don't actually see that in practice, right? People want, people want to use the best services available to them because they don't have time to go, you know, build portability layers and everything else. But they still, even in that model want to standardize on how to call these services, how to set policy on them, how to set access control, how to actually invoke them. If you can standardize on that, you can still, you get the, you get to use these services and you get the benefits of standardization. >>Well Savannah, we were talking about this, about the Berkeley paper that came out in May, which is kind of a super cloud version they call sky computing. Their argument is that if you try to standardize too much like the old kind of OSI model back in the day, you actually gonna, the work innovations gonna stunt the growth. Do you agree with that? And how do you see, because standardization is not so much a spec and it it, it e f thing. It's not an i e committee. Yeah. It's not like that's kind of standard. It's more of defacto, >>I mean look, we've had standards emerge like, you know, if you look at my S SQL for example, and the Postgres movement, like there are now lots of vendors that offer interfaces that support Postgres even though they're differentiated completely on how it's implement. So you see that if you can stick to open interfaces and use services that offer them that tons of differentiation yet still, you know, some kind of open interface if you will. But there are also differentiated services that are, don't have open interfaces and that's okay too. As long as you're able to kind of find a way to manage them in a consistent way. I think you sh and it makes sense to your business, you should use >>Them. So enterprises like this and just not to get into the business model side real quick, but like how you guys making money? You got the project, you get the cross playing project, that's community. You guys charging what's, what's the business model? >>We we're in the business of helping people adopt and run controlled lanes that do all this management service managed service services and customer support and services, the, the plethora of things that people need where we're >>Keeping the project while >>Keeping the project. >>Correct. So that's >>The key. That's correct. Yeah. You have to balance both >>And you're all over the show. I mean, outside of the keynote mention looking here, you have four events on where can people find you if they're tuning in. We're just at the beginning and there's a lot of looks here. >>Upbound at IO is the place to find Upbound and where I have a lot of talks, you'll see Crossline mention and lots of talks and a number of talks today. We have a happy hour later today we've got a booth set up. So >>I'll be there folks. Just fyi >>And everyone will be there now. Yeah. Quick update. What's up? What's new with the cross plane project? Can you share a little commercial? What's the most important stories going on there? >>So cross plane is growing obviously, and we're seeing a ton of adoption of cross plane, especially actually in large enterprise, which is really exciting cuz they're usually the slow to move and cross plane is so central, so it's now in hundreds and thousands of deployments in woohoo, which is amazing to see. And so the, the project itself is adding a ton of features, reducing friction in terms of adoption, how people ride these control planes and alter them coverage of the space. As you know, controls are only useful when you connect them to things. And the space is like the amount of things you can connect control planes to is increasing on a day to day basis and the maturity is increasing. So it's just super exciting to see all of this right >>Now. How would you categorize the landscape? We were just talking earlier in another segment, we're in Detroit Motor City, you know, it's like teaching someone how to drive a car. Kubernetes pluss, okay, switch the gears like, you know, don't hit the other guy. You know? Now once you learn how to drive, they want a sports car. How do you keep them that progression going? How do you keep people to grow continuously? Where do you see the DevOps and or folks that are doing cross playing that are API hardcore? Cause that's a good IQ that shows 'em that they're advancing. Where's the IQ level of advancement relative to the industry? Is the adoption just like, you know, getting going? Are people advancing? Yeah. Sounds like your customers are heavily down the road on >>Yeah, the way I would describe it is there's a progression happening, right? It, it DevOps was make, initially it was like how do I keep things running right? And it transitioned to how do I automate things so that I don't have to be involved when things are running, running. Right now we're seeing a next turn, which is how do I build what looks like a product that offers shared services or a platform so that people consume it like a product, right? Yeah. And now I'm now transition becomes, well I'm an, I'm a developer on a product in operations building something that looks like a product and thinking about it as a, as a has a user interface. >>Ops of the new devs. >>That's correct. Yeah. There we go. >>Talk about layers. Talk about layers on layers on >>Layers. It's not confusing at all John. >>Well, you know, when they have the architecture architectural list product that's coming. Yeah. But this is what's, I mean the Debs are got so much DevOps in the front and the C I C D pipeline, the ops teams are now retrofitting themselves to be data and security mainly. And that's just guardrails, automation policy, seeing a lot of that kind of network. Like exactly. >>Function. >>Yep. And they're, they're composing, not maybe coding a little bit, but they not, they're not >>Very much. They're in the composition, you know that as a daily thing. They're, they're writing compositions, they're building things, they're putting them together and making them work. >>How new is this in your mind? Cause you, you've watching this progress, you're in the middle of it, you're in the front wave of this. Is it adopting faster now than ever before? I mean, if we talked five years ago, we were kind of saying this might happen, but it wasn't happening today. It kind, it is, >>It's kind of, it's kind of amazing. Like, like everybody's writing these cloud services now. Everybody's authoring things that look like API services that do things on top of the structure. That move is very much, has a ton of momentum right now and it's happening mainstream. It, it's becoming mainstream. >>Speaking of momentum, but some I saw both on your LinkedIn as well as on your badge today that you are hiring. This is your opportunity to shamelessly plug. What are you looking for? What can people expect in terms of your company culture? >>Yeah, so we're obviously hiring, we're hiring both on the go to market side or we're hiring on the product and engineering side. If you want to build, well a new cloud platform, I won't say the word super cloud again, but if you want to, if you're excited about building a cloud platform that literally sits on top of, you know, the other cloud platforms and offers services on top of this, come talk to us. We're building something amazing. >>You're creating a super cloud tool kit. I'll say it >>On that note, think John Farer has now managed to get seven uses of the word super cloud into this broadcast. We sawm tomorrow. Thank you so much for joining us today. It's been a pleasure. I can't wait to see more of you throughout the course of Cuban. My name is Savannah Peterson, everyone, and thank you so much for joining us here on the Cube where we'll be live from Detroit, Michigan all week.

(upbeat music) >> Hello everyone, welcome to this special Cube conversation here in Palo Alto, California. I'm John Furrier, host of theCUBE in theCUBE Studios. We've got a special video here. We love when we have startups that are launching. It's an exclusive video of a hot startup that's launching. Got great reviews so far. You know, word on the street is, they got something different and unique. We're going to' dig into it. Amit Govrin who's the CEO and co-founder of Kubiya, which stands for Cube in Hebrew, and they're headquartered in Bay Area and in Tel Aviv. Amit, congratulations on the startup launch and thanks for coming in and talk to us in theCUBE >> Thank you, John, very nice to be here. >> So, first of all, a little, 'cause we love the Cube, 'cause theCUBE's kind of an open brand. We've never seen the Cube in Hebrew, so is that true? Kubiya is? >> Kubiya literally means cube. You know, clearly there's some additional meanings that we can discuss. Obviously we're also launching a KubCon, so there's a dual meaning to this event. >> KubCon, not to be confused with CubeCon. Which is an event we might have someday and compete. No, I'm only kidding, good stuff. I want to get into the startup because I'm intrigued by your story. One, you know, conversational AI's been around, been a category. We've seen chat bots be all the rage and you know, I kind of don't mind chat bots on some sites. I can interact with some, you know, form based knowledge graph, whatever, knowledge database and get basic stuff self served. So I can see that, but it never really scaled or took off. And now with Cloud Native kind of going to the next level, we're starting to see a lot more open source and a lot more automation, in what I call AI as code or you know, AI as a service, machine learning, developer focused action. I think you guys might have an answer there. So if you don't mind, could you take a minute to explain what you guys are doing, what's different about Kubiya, what's happening? >> Certainly. So thank you for that. Kubiya is what we would consider the first, or one of the first, advanced virtual assitants with a domain specific expertise in DevOps. So, we respect all of the DevOps concepts, GitOps, workflow automation, of those categories you've mentioned, but also the added value of the conversational AI. That's really one of the few elements that we can really bring to the table to extract what we call intent based operations. And we can get into what that means in a little bit. I'll save that maybe for the next question. >> So the market you're going after is kind of, it's, I love to hear starters when they, they don't have a Gartner Magic quadrant, they can fit nicely, it means they're onto something. What is the market you're going after? Because you're seeing a lot of developers driving a lot of the key successes in DevOps. DevOps has evolved to the point where, and DevSecOps, where developers are driving the change. And so having something that's developer focused is key. Are you guys targeting the developers, IT buyers, cloud architects? Who are you looking to serve with this new opportunity? >> So essentially self-service in the world of DevOps, the end user typically would be a developer, but not only, and obviously the operators, those are the folks that we're actually looking to help augment a lot of their efforts, a lot of the toil that they're experiencing in a day to day. So there's subcategories within that. We can talk about the different internal developer tools, or platforms, shared services platforms, service catalogs are tangential categories that this kind of comes on. But on top of that, we're adding the element of conversational AI. Which, as I mentioned, that's really the "got you". >> I think you're starting to see a lot of autonomous stuff going on, autonomous pen testing. There's a company out there doing I've seen autonomous AI. Automation is a big theme of it. And I got to ask, are you guys on the business side purely in the cloud? Are you born in the cloud, is it a cloud service? What's the product choice there? It's a service, right? >> Software is a service. We have the classic, Multi-Tenancy SAAS, but we also have a hybrid SAAS solution, which allows our customers to run workflows using remote runners, essentially hosted at their own location. >> So primary cloud, but you're agnostic on where they could consume, how they want to' consume the product. >> Technology agnostic. >> Okay, so that's cool. So let's get into the problem you're solving. So take me through, this will drive a lot of value here, when you guys did the company, what problems did you hone in on and what are you guys seeing as the core problem that you solve? >> So we, this is a unique, I don't know how unique, but this is a interesting proposition because I come from the business side, so call it the top down. I've been in enterprise sales, I've been in a CRO, VP sales hat. My co-founder comes from the bottom up, right? He ran DevOps teams and SRE teams in his previous company. That's actually what he did. So, we met each other halfway, essentially with me seeing a lot of these problems of self-service not being so self-service after all, platforms hitting walls with adoption. And he actually created his own self-service platform, within his last company, to address his own personal pains. So we essentially kind of met with both perspectives. >> So you're absolutely hardcore on self-service. >> We're enabling self-service. >> And that basically is what everybody wants. I mean, the developers want self-service. I mean, that's kind of like, you know, that's the nirvana. So take us through what you guys are offering, give us an example of use cases and who's buying your product, why, and take us through that whole piece. >> Do you mind if I take a step back and say why we believe self-service has somewhat failed or not gotten off. >> Yeah, absolutely. >> So look, this is essentially how we're looking at it. All the analysts and the industry insiders are talking about self-service platforms as being what's going to' remove the dependency of the operator in the loop the entire time, right? Because the operator, that scarce resource, it's hard to hire, hard to train, hard to retain those folks, Developers are obviously dependent on them for productivity. So the operators in this case could be a DevOps, could be a SecOps, it could be a platform engineer. It comes in different flavors. But the common denominator, somebody needs an access request, provisioning a new environment, you name it, right? They go to somebody, that person is operator. The operator typically has a few things on their plate. It's not just attending and babysitting platforms, but it's also innovating, spinning up, and scaling services. So they see this typically as kind of, we don't really want to be here, we're going to' go and do this because we're on call. We have to take it on a chin, if you may, for this. >> It's their child, they got to' do it. >> Right, but it's KTLOs, right, keep the lights on, this is maintenance of a platform. It's not what they're born and bred to do, which is innovate. That's essentially what we're seeing, we're seeing that a lot of these platforms, once they finally hit the point of maturity, they're rolled out to the team. People come to serve themselves in platform, and low and behold, it's not as self-service as it may seem. >> We've seen that certainly with Kubernetes adoption being, I won't say slow, it's been fast, but it's been good. But I think this is kind of the promise of what SRE was supposed to be. You know, do it once and then babysit in the sense of it's working and automated. Nothing's broken yet. Don't call me unless you need something, I see that. So the question, you're trying to make it easier then, you're trying to free up the talent. >> Talent to operate and have essentially a human, like in the loop, essentially augment that person and give the end users all of the answers they require, as if they're talking to a person. >> I mean it's basically, you're taking the virtual assistant concept, or chat bot, to a level of expertise where there's intelligence, jargon, experience into the workflows that's known. Not just talking to chat bot, get a support number to rebook a hotel room. >> We're converting operational workflows into conversations. >> Give me an example, take me through an example. >> Sure, let's take a simple example. I mean, not everyone provisions EC2's with two days (indistinct). But let's say you want to go and provision new EC2 instances, okay? If you wanted to do it, you could go and talk to the assistant and say, "I want to spin up a new server". If it was a human in the loop, they would ask you the following questions: what type of environment? what are we attributing this to? what type of instance? security groups, machine images, you name it. So, these are the questions that typically somebody needs to be armed with before they can go and provision themselves, serve themselves. Now the problem is users don't always have these questions. So imagine the following scenario. Somebody comes in, they're in Jira ticket queue, they finally, their turn is up and the next question they don't have the answer to. So now they have to go and tap on a friend, or they have to go essentially and get that answer. By the time they get back, they lost their turn in queue. And then that happens again. So, they lose a context, they lose essentially the momentum. And a simple access request, or a simple provision request, can easily become a couple days of ping pong back and forth. This won't happen with the virtual assistant. >> You know, I think, you know, and you mentioned chat bots, but also RPA is out there, you've seen a lot of that growth. One of the hard things, and you brought this up, I want to get your reaction to, is contextualizing the workflow. It might not be apparent, but the answer might be there, it disrupts the entire experience at that point. RPA and chat bots don't have that contextualization. Is that what you guys do differently? Is that the unique flavor here? Is that difference between current chat bots and RPA? >> The way we see it, I alluded to the intent based operations. Let me give a tangible experience. Even not from our own world, this will be easy. It's a bidirectional feedback loop 'cause that's actually what feeds the context and the intent. We all know Waze, right, in the world of navigation. They didn't bring navigation systems to the world. What they did is they took the concept of navigation systems that are typically satellite guided and said it's not just enough to drive down the 280, which typically have no traffic, right, and to come across traffic and say, oh, why didn't my satellite pick that up? So they said, have the end users, the end nodes, feed that direction back, that feedback, right. There has to be a bidirectional feedback loop that the end nodes help educate the system, make the system be better, more customized. And that's essentially what we're allowing the end users. So the maintenance of the system isn't entirely in the hands of the operators, right? 'Cause that's the part that they dread. And the maintenance of the system is democratized across all the users that they can teach the system, give input to the system, hone in the system in order to make it more of the DNA of the organization. >> You and I were talking before you came on this camera interview, you said playfully that the Siri for DevOps, which kind of implies, hey infrastructure, do something for me. You know, we all know Siri, so we get that. So that kind of illustrates kind of where the direction is. Explain why you say that, what does that mean? Is that like a NorthStar vision that you guys are approaching? You want to' have a state where everything's automated in it's conversational deployments, that kind of thing. And take us through why that Siri for DevOps is. >> I think it helps anchor people to what a virtual assistant is. Because when you hear virtual assistant, that can mean any one of various connotations. So the Siri is actually a conversational assistant, but it's not necessarily a virtual assistant. So what we're saying is we're anchoring people to that thought and saying, we're actually allowing it to be operational, turning complex operations into simple conversations. >> I mean basically they take the automate with voice Google search or a query, what's the score of the game? And, it also, and talking to the guy who invented Siri, I actually interviewed on theCUBE, it's a learning system. It actually learns as it gets more usage, it learns. How do you guys see that evolving in DevOps? There's a lot of jargon in DevOps, a lot of configurations, a lot of different use cases, a lot of new technologies. What's the secret sauce behind what you guys do? Is it the conversational AI, is it the machine learning, is it the data, is it the model? Take us through the secret sauce. >> In fact, it's all the above. And I don't think we're bringing any one element to the table that hasn't been explored before, hasn't been done. It's a recipe, right? You give two people the same ingredients, they can have complete different results in terms of what they come out with. We, because of our domain expertise in DevOps, because of our familiarity with developer workflows with operators, we know how to give a very well suited recipe. Five course meal, hopefully with Michelin stars as part of that. So a few things, maybe a few of the secret sauce element, conversational AI, the ability to essentially go and extract the intent of the user, so that if we're missing context, the system is smart enough to go and to get that feedback and to essentially feed itself into that model. >> Someone might say, hey, you know, conversational AI, that was yesterday's trend, it never happened. It was kind of weak, chat bots were lame. What's different now and with you guys, and the market, that makes a redo or a second shot at this, a second bite at the apple, as they say. What do you guys see? 'Cause you know, I would argue that it's, you know, it's still early, real early. >> Certainly. >> How do you guys view that? How would you handle that objection? >> It's a fair question. I wasn't around the first time around to tell you what didn't work. I'm not afraid to share that the feedback that we're getting is phenomenal. People understand that we're actually customizing the workflows, the intent based operations to really help hone in on the dark spots. We call it last mile, you know, bottlenecks. And that's really where we're helping. We're helping in a way tribalize internal knowledge that typically hasn't been documented because it's painful enough to where people care about it but not painful enough to where you're going to' go and sit down an entire day and document it. And that's essentially what the virtual assistant can do. It can go and get into those crevices and help document, and operationalize all of those toils. And into workflows. >> Yeah, I mean some will call it grunt work, or low level work. And I think the automation is interesting. I think we're seeing this in a lot of these high scale situations where the talented hard to hire person is hired to do, say, things that were hard to do, but now harder things are coming around the corner. So, you know, serverless is great and all this is good, but it doesn't make the complexity go away. As these inflection points continue to drive more scale, the complexity kind of grows, but at the same time so is the ability to abstract away the complexity. So you're starting to see the smart, hired guns move to higher, bigger problems. And the automation seems to take the low level kind of like capabilities or the toil, or the grunt work, or the low level tasks that, you know, you don't want a high salaried person doing. Or I mean it's not so much that they don't want to' do it, they'll take one for the team, as you said, or take it on the chin, but there's other things to work on. >> I want to add one more thing, 'cause this goes into essentially what you just said. Think about it's not the virtual system, what it gives you is not just the intent and that's one element of it, is the ability to carry your operations with you to the place where you're not breaking your workflows, you're actually comfortable operating. So the virtual assistant lives inside of a command line interface, it lives inside of chat like Slack, and Teams, and Mattermost, and so forth. It also lives within a low-code editor. So we're not forcing anyone to use uncomfortable language or operations if they're not comfortable with. It's almost like Siri, it travels in your mobile phone, it's on your laptop, it's with you everywhere. >> It makes total sense. And the reason why I like this, and I want to' get your reaction on this because we've done a lot of interviews with DevOps, we've met at every CubeCon since it started, and Kubernetes kind of highlights the value of the containers at the orchestration level. But what's really going on is the DevOps developers, and the CICD pipeline, with infrastructure's code, they're basically have a infrastructure configuration at their disposal all the time. And all the ops challenges have been around that, the repetitive mundane tasks that most people do. There's like six or seven main use cases in DevOps. So the guardrails just need to be set. So it sounds like you guys are going down the road of saying, hey here's the use cases you can bounce around these use cases all day long. And just keep doing your jobs cause they're bolting on infrastructure to every application. >> There's one more element to this that we haven't really touched on. It's not just workflows and use cases, but it's also knowledge, right? Tribal knowledge, like you asked me for an example. You can type or talk to the assistant and ask, "How much am I spending on AWS, on US East 1, on so and so customer environment last week?", and it will know how to give you that information. >> Can I ask, should I buy a reserve instances or not? Can I ask that question? 'Cause there's always good trade offs between buying the reserve instances. I mean that's kind of the thing that. >> This is where our ecosystem actually comes in handy because we're not necessarily going to' go down every single domain and try to be the experts in here. We can tap into the partnerships, API, we have full extensibility in API and the software development kit that goes into. >> It's interesting, opinionated and declarative are buzzwords in developer language. So you started to get into this editorial thing. So I can bring up an example. Hey cube, implement the best service mesh. What answer does it give you? 'Cause there's different choices. >> Well this is actually where the operator, there's clearly guard rails. Like you can go and say, I want to' spin up a machine, and it will give you all of the machines on AWS. Doesn't mean you have to get the X one, that's good for a SAP environment. You could go and have guardrails in place where only the ones that are relevant to your team, ones that have resources and budgetary, you know, guidelines can be. So, the operator still has all the control. >> It was kind of tongue in cheek around the editorialized, but actually the answer seems to be as you're saying, whatever the customer decided their service mesh is. So I think this is where it gets into as an assistant to architecting and operating, that seems to be the real value. >> Now code snippets is a different story because that goes on to the web, that goes onto stock overflow, and that's actually one of the things. So inside the CLI, you could actually go and ask for code snippets and we could actually go and populate that, it's a smart CLI. So that's actually one of the things that are an added value of that. >> I was saying to a friend and we were talking about open source and how when I grew up, there was no open source. If you're a developer now, I mean there's so much code, it's not so much coding anymore as it is connecting and integrating. >> Certainly. >> And writing glue layers, if you will. I mean there's still code, but it's not, you don't have to build it from scratch. There's so much code out there. This low-code notion of a smart system is interesting 'cause it's very matrix like. It can build its own code. >> Yes, but I'm also a little wary with low-code and no code. I think part of the problem is we're so constantly focused on categories and categorizing ourselves, and different categories take on a life of their own. So low-code no code is not necessarily, even though we have the low-code editor, we're not necessarily considering ourselves low-code. >> Serverless, no code, low-code. I was so thrown on a term the other day, architecture-less. As a joke, no we don't need architecture. >> There's a use case around that by the way, yeah, we do. Show me my AWS architecture and it will build the architect diagram for you. >> Again, serverless architect, this is all part of infrastructure's code. At the end of the day, the developer has infrastructure with code. Again, how they deploy it is the neuron. That's what we've been striving for. >> But infrastructure is code. You can destroy, you know, terraform, you can go and create one. It's not necessarily going to' operate it for you. That's kind of where this comes in on top of that. So it's really complimentary to infrastructure. >> So final question, before we get into the origination story, data and security are two hot areas we're seeing fill the IT gap, that has moved into the developer role. IT is essentially provisioned by developers now, but the OP side shifted to large scale SRE like environments, security and data are critical. What's your opinion on those two things? >> I agree. Do you want me to give you the normal data as gravity? >> So you agree that IT is now, is kind of moved into the developer realm, but the new IT is data ops and security ops basically. >> A hundred percent, and the lines are so blurred. Like who's what in today's world. I mean, I can tell you, I have customers who call themselves five different roles in the same day. So it's, you know, at the end of the day I call 'em operators 'cause I don't want to offend anybody because that's just the way it is. >> Architectural-less, we're going to' come back to that. Well, I know we're going to' see you at CubeCon. >> Yes. >> We should catch up there and talk more. I'm looking forward to seeing how you guys get the feedback from the marketplace. It should be interesting to hear, the curious question I have for you is, what was the origination story? Why did you guys come together, was it a shared problem? Was it a big market opportunity? Was it an itch you guys were scratching? Did you feel like you needed to come together and start this company? What was the real vision behind the origination? Take a take a minute to explain the story. >> No, absolutely. So I've been living in Palo Alto for the last couple years. Previous, also a founder. So, you know, from my perspective, I always saw myself getting back in the game. Spent a few years in AWS essentially managing partnerships for tier one DevOps partners, you know, all of the known players. Some in public, some of them not. And really the itch was there, right. I saw what everyone's doing. I started seeing consistency in the pains that I was hearing back, in terms of what hasn't been solved. So I already had an opinion where I wanted to go. And when I was visiting actually Israel with the family, I was introduced by a mutual friend to Shaked, Shaked Askayo, my co-founder and CTO. Amazing guy, unbelievable technologists, probably one the most, you know, impressive folks I've had a chance to work with. And he actually solved a very similar problem, you know, in his own way in a previous company, BlueVine, a FinTech company where he was head of SRE, having to, essentially, oversee 200 developers in a very small team. The ratio was incongruent to what the SRE guideline would tell. >> That's more than 10 x rate developer. >> Oh, absolutely. Sure enough. And just imagine it's four different time zones. He finishes day shift and you already had the US team coming, asking for a question. He said, this is kind of a, >> Got to' clone himself, basically. >> Well, yes. He essentially said to me, I had no day, I had no life, but I had Corona, I had COVID, which meant I could work from home. And I essentially programed myself in the form of a bot. Essentially, when people came to him, he said, "Don't talk to me, talk to the bot". Now that was a different generation. >> Just a trivial example, but the idea was to automate the same queries all the time. There's an answer for that, go here. And that's the benefit of it. >> Yes, so he was able to see how easy it was to solve, I mean, how effective it was solving 70% of the toil in his organization. Scaling his team, froze the headcount and the developer team kept on going. So that meant that he was doing some right. >> When you have a problem, and you need to solve it, the creativity comes out of the woodwork, you know, invention is the mother of necessity. So final question for you, what's next? Got the launch, what are you guys hope to do over the next six months to a year, hiring? Put a plug in for the company. What are you guys looking to do? Take a minute to share the future vision and get a plug in. >> A hundred percent. So, Kubiya, as you can imagine, announcing ourselves at CubeCon, so in a couple weeks. Opening the gates towards the public beta and NGA in the next couple months. Essentially working with dozens of customers, Aston Martin, and business earn in. We have quite a few, our website's full of quotes. You can go ahead. But effectively we're looking to go and to bring the next operator, generation of operators, who value their time, who value the, essentially, the value of tribal knowledge that travels between organizations that could be essentially shared. >> How many customers do you guys have in your pre-launch? >> It's above a dozen. Without saying, because we're actually looking to onboard 10 more next week. So that's just an understatement. It changes from day to day. >> What's the number one thing people are saying about you? >> You got that right. I know it's, I'm trying to be a little bit more, you know. >> It's okay, you can be cocky, startups are good. But I mean they're obviously, they're using the product and you're getting good feedback. Saving time, are they saying this is a dream product? Got it right, what are some of the things? >> I think anybody who doesn't feel the pain won't know, but the folks who are in the trenches, or feeling the pain, or experiencing this toil, who know what this means, they said, "You're doing this different, you're doing this right. You architected it right. You know exactly what the developer workflows," you know, where all the areas, you know, where all the skeletons are hidden within that. And you're attending to that. So we're happy about that. >> Everybody wants to clone themselves, again, the tribal knowledge. I think this is a great example of where we see the world going. Make things autonomous, operationally automated for the use cases you know are lock solid. Why wouldn't you just deploy? >> Exactly, and we have a very generous free tier. People can, you know, there's a plugin, you can sign up for free until the end of the year. We have a generous free tier. Yeah, free forever tier, as well. So we're looking for people to try us out and to give us feedback. >> I think the self-service, I think the point is, we've talked about it on the Cube at our events, everyone says the same thing. Every developer wants self-service, period. Full stop, done. >> What they don't say is they need somebody to help them babysit to make sure they're doing it right. >> The old dashboard, green, yellow, red. >> I know it's an analogy that's not related, but have you been to Whole Foods? Have you gone through their self-service line? That's the beauty of it, right? Having someone in a loop helping you out throughout the time. You don't get confused, if something's not working, someone's helping you out, that's what people want. They want a human in the loop, or a human like in the loop. We're giving that next best thing. >> It's really the ratio, it's scale. It's a scaling. It's force multiplier, for sure. Amit, thanks for coming on, congratulations. >> Thank you so much. >> See you at KubeCon. Thanks for coming in, sharing the story. >> KubiyaCon. >> CubeCon. Cube in Hebrew, Kubiya. Founder, co-founder and CEO here, sharing the story in the launch. Conversational AI for DevOps, the theory of DevOps, really kind of changing the game, bringing efficiency, solving a lot of the pain points of large scale infrastructure. This is theCUBE, CUBE conversation, I'm John Furrier, thanks for watching. (upbeat electronic music)

(gentle music) >> Hi everybody, this is Dave Vellante of TheCUBE. This is day two of Fal.Con 2022, CrowdStrike's big customer event. Over 2000 people here, a hundred sessions, a lot of deep security talk. Amol Kulkarni is here. He's the chief product and engineering officer at CrowdStrike, and we're going to get into it. Amol, thanks for coming to theCUBE. >> Great to be here. >> I enjoyed your keynote today. It was very informative. First of all, how's the show going for you? >> It's going fantastic. I mean, first and foremost, like to be having everyone here in person, after three years, that's just out the world, right? So great to meet and a lot of great conversations across the board with customers, partners. It's been fantastic. >> Yeah, so I want to start with Cloud Native, it's kind of your dogma. This whole, the new acronym is CNAP Cloud Native Application Protection Platform. >> Amol: That's right. >> There's a mouthful. What is that? How does it relate to what you guys are doing? >> Yeah, so CNAP is what Gartner has coined as the term for covering entire cloud security. And they have identified various components in it. The first and foremost is the runtime protection, cloud workload protection, as we call it. Second is posture management. That's CSBM cloud security posture management. Third is CIEM, which we announced today. And then the fourth is shift left, kind of Dev SecOps part of cloud security. And all together Gartner coins that as a solution or a suite, if you will, to cover various aspects of cloud security. >> Okay, so shift left and then shield right. You still got to shield right. Is that where network security comes in? Which is not your main focus, but okay. So now it explains... Gartner is an acronym. Now I get it. But the CIEM announcement cloud infrastructure entitlement management. So you're managing identities. Is that right? Explain that in more detail. >> So, yeah, so I mean, as in the on-premise world, but even more exacerbated in the crowd world you have lots and lots of identities, both human identities and service accounts that are accessing cloud services. And lot of the time the rigor is not there in terms of what permissions those identities are provisioned with. So are they over provisioned? Do they have lots of rights that they should not have? Are they able... Are services able to connect to resources that they should not be able to connect to all of that falls under the entitlement management, the identity entitlement management part. And that's where CIEM comes in. So what we said is, we have a great identity security story for on-premise, right? And now we are applying that to understand identities, the entitlements they have, secrets that are lying around, maybe leaked, or just, available for adversaries to exploit in the cloud security world. So taking all of that into account and giving you... Giving customers a snapshot view of one single view to say; these are the identities, these are their permissions, this is where you can trim them down because these are the dependencies that are present across services. And you see something that's not right from a dependency perspective, you can say, okay, this connection doesn't make sense. There's something malicious going on here. So there's a lot that you can do by having that scope of identities. Be very narrowed down. It's a first step in the zero trust journey for the cloud infrastructure. >> So I have to ask you when you now extend this conversation to the edge, and operations technology. Traditionally the infrastructure has been air gapped by, you know, brute force air gap. Don't worry about it. And maybe hasn't had to worry so much about the hygiene. So now as you... as the business drives and forces essentially digital connect... Digital transformation and connectivity >> Connectivity. Yeah. >> I mean, wow, that's a playground for the hackers. >> You absolutely nailed it. So most of these infrastructure was not designed with security in mind, unfortunately, right? As you said, most of it was air-gapped, disconnected. And now everything is getting to be connected because the updates are being pushed rapidly changes are happening. So, and that really, in some sense has changed the environment in which these devices are operating. The operational technology, industrial control. We had the colonial pipeline breach last year. And, that really opened people's eyes like, Hey, nation state adversaries are going to come after critical infrastructure. And that can... That is going to cause impact directly to the end end users, to the citizens. So we have to protect this infrastructure. And that's why we announced discover for IOT as a new module that looks at and understands all the IOT and industrial control systems assets. >> So that didn't require an architectural change though. Right? That was a capability that you introduced with partners. Right? Am I right about that? You don't have to re-architect anything. It's just... Your architecture fits perfectly into those scenarios. >> Absolutely, absolutely. Yeah, yeah, yeah. You actually... While the pace of change is there, architectural change is almost very difficult, because these are very large systems. They are built up over time. It take an industrial control system. The tracing speed is very different from a laptop. So yeah, you can't impose any architectural change. It has to be seamless from what the customers have. >> You were talking, I want to go back to CNAP. You were talking about the protecting the run time. You can do that with an agent. You had said agent... In your keynote. Agentless solutions don't give you runtime security protection. Can you double click on that and just elaborate? >> Yeah, absolutely. So what agentless solutions today are doing they're essentially tapping into APIs from AWS or Azure CloudTrail, for example and looking at misconfigurations. So that is indeed a challenge. So that is one part of the story, but that only gives you a partial view. Let's say that an attacker attacks and uses a existing credential. A legitimate credential to access one of the cloud services. And from there they escalate the privileges and then now start branching off the, the CSP, and the agentless-only solutions will not catch that. Right? So what you need is you, you need this agentless part but you have to couple that with; seeing the activity that's actually happening the living of the land attacks that cannot be caught by the CSP end-piece. So you need a combination of agentless and agent runtime to give that overall protection. >> What's the indicator of attack for a hacker that's living off the land, meaning using your own tools against you. >> That's right. So the indicators of attack are saying accessing services, for example, that are not normally accessed or escalating privileges. So you come in as a normal user, but then suddenly you have admin privileges because you have escalated those privileges, or you are moving laterally very rapidly from one place to another, or spraying across a lot of services in order to do reconnaissance and understand what is out there. So it's almost like looking for what is an abnormal attack path, abnormal behavior compared to what is normal and the good part is cloud. There's a lot that is normal, right? It's fairly constrained. It's not like a end user who is downloading stuff from the internet. And like doing all sorts of things. Cloud services are fairly constrained, so you can profile and you can figure out where there is a drift from the normal. And that's really the indicator of attack. In some sense, from cloud services >> In a previous life I want to change subjects. In a previous life. I spent a lot of time with CIOs. Helping them look at their application portfolio, understanding what to rationalize, what to get rid of, what to invest in, you know, bringing in new projects, cause you know, it's just you never throw a stuff away in IT. >> There is no obsolescence >> Right. So, but they wanted to... Anytime you go through these rationalization exercises change management is everything. And one of the hardest things to do was to map and understand the business impact of all the dependencies across the portfolio. Cause when application A needs this dataset. If you retire it, you're going to... It has ripple effects. And you talked about that in a security context today when you were talking about the asset graph and the threat graphs giving you the ability to understand those dependencies. Can you add some color to that? >> Absolutely. Absolutely. So what we've done with the asset graph; It's a fundamental piece of technology that we've been building now for some time that complements the thread graph. And the asset graph looks at: Assets, identities, applications, and configuration. All of those aspects. And the interconnections between them. So if a user is accessing an application on a server, all those, and in what role, all of that relationship is tied together in the asset graph. So what that does now is, it gives you an ability to say this application connects to this application. And that's the dependency on that port, for example. So you can now build up a dependency map and then the thread graph, what it does, it looks at the continuous activity that's happening. So if you now take the events that are coming into the thread graph and the graphical representation of those, combine it with the asset graph, you get that full dependency map. And now you can start doing that impact analysis that you talked about. Which is... It's an unsolved problem, right? And that's why security as I said in my keynote is most people do not have their security tools enabled to the highest level or they don't have full coverage just because the pace of change is so rapid. They cannot keep up with it. So we want to enable change management, at a rapid pace where businesses and customers can say; we are confident about the change management, about the change we are going to implement. Because we know what the potential impact would be. We can validate, test it in a smaller subset and then roll it out quickly. And that's the journey we are on. Sort of the theme of my talk was to make IT and security friends again. >> Right, you talked about that gap and bringing those two together. You also had a great quote in there; 'The pace of change and securities is insane.' And so this assets graph capability, dependencies and the threat graph, help you manage that accelerating pace of change. Before I forget, I want to ask you about your interview with Girls Who Code. What was that like? Who'd you interview? I unfortunately couldn't see it. I apologize. >> Yeah, fantastic. So, Reshma Saujani she heads Girls Who Code and she first off had a very very powerful talk just from her own own experiences. And essentially, like, what do we need to do to get more women into computer science first, but then within that, into cybersecurity. and what all have they done with Girls Who Code. So very, I mean, we were very touched at the audience was like super into her talk. And then I had a chance to chat with her for a few minutes, ask her a few questions. Just my view was more like, okay. What can we do together? What can CrowdStrike do in our position, in to attract more women? We've done a lot in terms of tailoring our job descriptions to make sure it's more... Remove the biases. Tuning the interview processes to be more welcoming and Reshma gave an example saying; 'Hey, many of these interviews, they start with a baseball discussion.' And I mean, some women may maybe interested in it but may not all maybe. And so is that the right? Is it a gender kind-of affirming or gender neutral kind-of discussion or do you want to have other topics? So a lot of that is about training the interviewers because most of the interviewers are men, unfortunately. That's the mix we have. And it was a great discussion. I mean, just like very practical. She's very much focused on increasing the number of people and increasing the pipeline which is honestly the biggest problem. Because if we have a lot of candidates we would definitely hire them and essentially improve the diversity. And we've done a great job with our intern program, for example, which has helped significantly improve the diversity on our workforce. >> And, but the gap keeps getting bigger in terms of unfulfilled jobs. That leads me to developers as a constituency. Because you guys are building the security cloud. You're on a mission to do that. And to me, if you have a security cloud, it's got to be programmable. You're going to have developers there. You don't... From what I can tell you have a specific developer platform, but it's organic. It's sort of happening out there. What's the strategy around, I mean, the developer today is so critical in terms of implementing a lot of security strategy and putting it into action. They've got to secure the run time. They got to worry about the APIs. They got to secure the PaaS. They got to secure the containers. Right, and so what's your developer strategy. >> Yeah, so within cloud security, enabling developers to implement DevSecOps as a as a philosophy, as a strategy, is critical. And so we, we have a lot of offerings there on the shift-left side, for example, you talked about securing containers. So we have container image assessment where we plug in into the container repositories to check for vulnerabilities and bad configuration in the container images. We then complement that with the runtime side where our agent can protect the container from runtime violations, from breakouts, for example. So it's a combination. It's a full spectrum, right? From the developer building an application, all the way to the end. Second I'd say is, we are a very much an API first company. So all of the things that you can do from a user interface perspective, you can do from APIs what is enable that is a bunch of partners a rich partner ecosystem that is building using those APIs. So the developers within our partners are leveraging those APIs to build very cool applications. And the manifestation of that is CrowdStrike store where essentially we have as Josh mentioned, in his ski-notes, we have a agent cloud architecture that is very rich. And we said, okay, why can't we open that up for partners to enable them to leverage that architecture for their scenarios? So we have a lot of applications that are built on the CrowdStrike store, leveraging our platform, right. Areas that we are not in, for example. >> And here, describe it. Is there a PaaS layer that's purpose-built for CrowdStrike so that developers can build applications? >> That's a great question. So I'll say that we have a beginnings of a PaaS layer. We definitely talked about CrowdStrike store as being passed for cybersecurity but there's a lot more to do. And we are in the process of building up an application platform so that customers can build the applications for their SOC workflow or IT workflow and and Falcon Fusion is a key part of that. So Falcon Fusion is our automation platform built right into the security cloud. And what that enables customers to do is to define... Encode their business process the way they want and leverage the platform the way they want. >> It seems like a logical next step. Because you're going to enable a consistent experience across the board. And fulfill your promise, your brand promise, and the capabilities that you bring. And this ecosystem will explode once you announce that. >> And that's the notion we talk about of being the sales force of security. >> Right, right. Yeah. That's the next step. Amol, thank you so much. I got to run and wrap. We really appreciate you coming on theCUBE. >> Thank you very much. >> Congratulations on your keynote and all the success and great event. >> Appreciate it. Thank you very much for the time and great chatting with you. >> You're very welcome. All right, keep it right there. We'll be back very shortly to wrap up from Fal.Con 2022. This is Dave Vellante for theCUBE. (soft electronic music)

(soft music) >> Welcome back everyone, is Supercloud 22 live in the Palo Alto office. Our stage performance we're streaming virtually it's our pilot event, our inaugural event, Supercloud 22. I'm John fury, with my coach Dave Vellante. Got a featured Keynote conversation with Kit Colbert. Who's the CTO of VMware, got to delay it all out. Break it down, Kit, great to see you. Thanks for joining us for Supercloud 22 our inaugural event. >> Yeah, I'm excited to be here. Thanks for having me. >> So we had great distinguished panels coming up through. We heard Victoria earlier to the Keynote. There's a shift happening. The shift has happened that's called cloud. You just published a white paper that kind of brings out these new challenges around the complexity of how companies want to run their business. >> Yep. >> It's not born in the cloud, it's cloud everywhere. Seems to be the theme. What's your take on Supercloud? what's the roadmap for multicloud? >> Yeah, well, the reason that we got interested in this was just talking to our customers and the reality is everybody is using multiple clouds today, multiple public clouds, they got things on-prem, they got stuff at the edge. And so their applications are essentially distributed everywhere. And the challenges they start running into there is that there's just a lot of heterogeneity there. There's like different APIs, different capabilities, inconsistencies, incompatibility, in terms of workload, placement, data, migration, security, as we just heard about, et cetera. And so I think everyone's struggling with trying to figure out how do I drive consistency across all that diversity and what sort of consistency do I want? And one of the things that became really interesting in our conversations with customers is that there is no one size fits all that different folks are in different places. And the types of consistency that they want to prioritize will be different based on their individual business requirements. And so this started forming a picture for us saying, okay, what we need are a set of capabilities of multi-cloud cross cloud services that deliver that consistency across all the different environments where applications may be running. And that is what formed the early thinking and sort of the paper that we wrote on it, as well as some of the work and that I think eventually leads to this vision of Supercloud, right? 'Cause I think you guys have the right idea, which is, hey, how does all this stuff come together? And what does that bigger picture look like? And so I think between the sort of the native services that are there individually for each cloud that offer great value by the way, and people definitely should be taking advantage of in addition to another set of services, which are multi-cloud that go across clouds and provide that consistency, looking at that together. That's my picture where super cloud is. >> So the paper's called, the era of multi-cloud services arrive, VMware executive outlook for IT, leaders and decision makers, I'm sure you can get on your website. >> Yep. >> And in there, you talked about, well, first of all, I think you would agree that multicloud has fundamentally been a symptom of multi-vendor or M&A, I mean, you talked about that in the paper, right? >> Yeah. >> It was never really a strategy. It was just like, hey, we woke up in the 2020s and here we are with multiple clouds, right? >> Yeah, it was one of those situations where most folks that we talked to didn't plan to be multi-cloud now that's changed a little bit in the past year or two. >> Sure. >> But certainly in the earlier days of cloud, people would go all in saying, hey, I'm going to go all in on one, one of the major hyperscalers and go for it there. And that's great and offers a lot of advantages, right? There is internal consistency there. There's usually pretty good integration between their services so on and so forth. The problem though that you start facing is that to your point, acquisitions, you acquire companies using a different cloud. Okay, now I got two different clouds or sometimes you have the phenomenon of shadow IT, still happening where some random line of business is going to go off and use a different cloud for whatever reason. The other thing that we've seen is that over time that you may have standardized on one, but then over time technology changes, another cloud makes major advancements in the state of the art, or let's say in machine learning and you say, hey, I want to go to this other cloud for that. So what we start to see is that people now are choosing public clouds based on best of breed service capabilities, and that they're going to make those decisions that fairly fine grained manner, right? Sometimes down to the team, the line of business, et cetera. And so this is where customers and companies find themselves. Now it's like, oh boy, now have all these clouds. And what's happened is that they kind of dealt with it in an ad hoc manner. They would spin up individual operations teams, security teams, et cetera, that specialized in each of the clouds. They had knowledge about how to do that. But now people found that, okay, I'm duplicating all this. There's not really consistency in my approach here. Is there a better way? And I think this is, again, the advent of a lot of the thinking of multi-cloud services and Supercloud. >> And I think one of the things too, in listening to you talk is that the old model used to be, solve complexity with more complexity. Okay, and customers don't want that from what we're observing. And what you're saying is they've seen the benefits of DevOps, DevSecOps. So they know the value. >> Yep. >> 'Cause they've been on, say one native cloud. Now they say, okay, I'm on premise and we heard from Victoria said, there's a lot of private cloud going on, but essentially makes that another cloud, out by default as well. So hybrid is multicloud. >> Hybrid is a subset, yeah. Hybrid is like, we kind of had this evolution of thinking, right? Where you kind of had all the sort of different locations. And then I think hybrid was attempt to say, okay, let's try to connect one location or a set of locations on premises with a public cloud and have some level of consistency there. But really what we look at here with multicloud or Supercloud is that that's really a generalization of that. And we're not talking about one or two locations on prem in one cloud. We're talking about everything now. And moreover, I think hybrid cloud tended to focus a lot on sort of core infrastructure and management. This looks across the board, we're talking about security, we're talking about application development, talking about end user experience. Things like Zero Trust. We're talking about infrastructure, data. So it goes much, much broader, I think than when we talked about hybrid cloud a few years ago. >> So in your paper you've essentially, Kit, laid out an early framework. >> Yep. >> Let's call it for what we call Supercloud, what you call cross cloud services. So what do you see as the technical enablers that are, the salient aspects of again multi-cloud or Supercloud? >> Yep. Well, so for me it comes down to, so, okay, taking a step back. So we have this problem, right? Where you have a lot of diversity across different clouds and customers are looking for some levels of consistency. But as I said, rarely do I see two customers that want exactly the same types of consistency. And so what we're trying to do is step back. And first of all, establish a taxonomy and by that I mean, one of the different types of consistency that you might want. And so there's things around infrastructure consistency, security consistency, software supply chain security is probably the top of mind one that I hear from customers. Application and application services of things like databases, messaging streaming services, AIML services, et cetera, and user capabilities and then of course, data as well. And so in the paper we say, okay, here's these kind of five areas of consistency. And that's the first piece, the second one then turns more to an architectural question of what exactly is a multi-cloud service. What does that mean for a cloud service to be multi-cloud and what are the properties there? So essentially we said, okay, we see three different types of those. There's one where that service could run on a single cloud, but could support multiple clouds. So think about for instance, a service that does cost analysis. Now it may have maybe executing on AWS let's say, but it could do cost analysis for Azure or Google or AWS or anybody, right? So that's the first type. The second type is a bit more advanced where now you're saying, I can actually instantiate that same service into multiple clouds. And we see that oftentimes with things like databases that have a lot of performance latency, et cetera, requirements, and that you can't be accessing that database remotely, that doesn't, from a different cloud, that's going to be too slow. You have it on the same cloud that you're in. And so again, you see various vendors out there, implementing that, where that database can be instantiated wherever you'd like. And then the third one would be going even further. And this is where we really get into some of the much more difficult use cases where customers want a workload to be on prem. And sometimes, especially for those that are very regulatory compliant, they may need even in an air gap or disconnected environment. So there, can you take that same service, but now run it without your operators, being able to manage it 24/7. So those are the three categories. So are a single cloud supporting, single cloud instance supporting multiple clouds, multi-cloud instance, multi-cloud instance disconnected. >> So you're abstracting you as the the R&D arm you're abstracting that complexity. How do you handle this problem where you've got one cloud maybe has a better service than the other clouds? Do you have to devolve to the lowest common denominator or? How do you mask that? >> Well, so that's a really good question and we've debated it and there's been a lot of thought on it. Our current point of view is that we really want to leave it, up to the company themselves to make that decision. Again, cause we see different use cases. So for instance, I talk to customers in the defense sector and they are like, hey, if a foreign adversary is attacking one of these public cloud that we're in, we got to be able to evacuate our applications from there, sometimes in minutes, right? In order to maintain our operational capabilities. And so there, there does need to be at least common denominator approach just because of that requirement. I see other folks, you look at the financial banking industries they're also regulated. I think for them, it's oftentimes 90 days to get out of the cloud, so they can do a little bit of re-architecture. You got times rolled the sleeves and change some things. So maybe it's not quite as strict. Whereas other companies say, you know what? I want to take advantage of these best of breed services native to the clouds. So we don't try to prescribe a certain approach there, but we say, you got to align it with what your business requirements are. >> How about the APIs layer? So one of the things we've said is that we felt like a super pass was a requirement of the Supercloud because it's a purpose built pass that helps you with that objective, whatever that is. And you say in the paper for developers each cloud provider has unique infrastructure interfaces and APIs that add work and slow the pace of their releases for operators. Each additional cloud increases the complexity of their architecture, fragmenting security, performance optimization and cost management. So are you building a super pass? What's your philosophy? Victoria said, we want to have our cake, we want to eat at two and we want to lose weight. So how do you do that? >> Yeah, so I think it's, so first things first, what the paper is trying to present in the end is really sort of an architectural point of view on how to approach this, right? And then, yeah, we at VMware, we've got a lot of solutions, towards some of those things, but we also realize we can't do everything ourselves, right? The space is too large. So it's very much a partner strategy there. Now that being said, on things like on the past side, we are doing a lot for instance around Tanzu, which is our modern apps portfolio products. And the focus there really is to, yes, provide some of that consistency across different clouds, enabling customers to take advantage of either cross cloud paths type services or cloud native or native cloud services, I should say. And so we really give customers that choice. And I think that's for us where it's at, because again, we don't see it as a one size fits for all. >> So there's your cake at edit to too. So you're saying the developer experience can be identical across clouds. >> Yep. >> Unless the developers don't want it to be. >> Yeah, and maybe the team makes that decision. Look there's a lot of reasons why you may want to make that or may not. The reality is that these native cloud services do add a lot of value and oftentimes are very easy to consume, to get started with, to get going. And so trade off you got to think about, and I don't think there's a right answer. >> So Kit, I got to ask on you. You said you can't do it alone. >> Yeah. >> VMware, I know for a fact, you guys have been working on this for many, many years. >> Yep. >> (indistinct) remember, I interviewed him in 2016 when he did the deal with AWS with Andy Jassy that really moved the needle. Things got really great from there with VMware. So would you be open to a consortium to oversee cause you guys have a lot of investment in this as a company, but I also don't hear you trying to do the lock in thing. So yeah, would you guys be open to a consortium to kind of try to figure out what these buildings blocks look like? Or is it a bag of Legos what people want? >> Absolutely, and you know what we offer in the paper is really just a starting point. It's pretty simple, we're trying to define a few basic of the taxonomy and some outlines sketches if you will, of what that architectural picture might look like. But it's very much that like just a starting point, and this is not something we can do alone. This is something that we really need the entire industry to rally around. Cause again, I think what's important here are standards. >> Yeah. >> That there's got to be, this sort of decomposition of functionality, breakdown in the different, sort of logical layers of functionality. What do those APIs or interfaces look like? How do we ensure interoperability? Because we do want people to be able to get the best of breed, to be able to bring together different vendor solutions to enable that. >> And I was watching, it was had a Silicon a day just last week, talking about their advances in Silicon. What's you guys position on that because you're seeing the (indistinct) as players, almost getting more niche and more better at the hardware matters more, Silicon speed, latency GPUs, So that seems to me be an enabler opportunity for the ecosystem to innovate at the past and SAS relationship. Where do you guys see? Where are you guys strong and where do you need work to do on? If you had to say there was some white space at VMware like say, hey, we own this area. We we're solid here. Here's some white spaces that VMware could use some help with. >> Yeah, well I think the infrastructure space, you just mentioned is clearly one that we've been focused on for a long time. We're expanding into the modern app space, expanding into security. We've been strong and end user for a while. So a lot of the different multi-cloud capabilities we've actually been to your point developing for a while. And I think that's exactly, again, what went into this like what we started noticing was all of our different product teams were reacting to the same thing and we weren't necessarily talking about it together yet. >> Like what? >> Well, this whole challenge of multiple clouds of dealing with that heterogeneity of wanting choice and flexibility into where to place a workload or where to place a virtual desktop or whatever it might be. And so each of the teams was responding individually to that customer feedback. And so I think what we recognized was like, hey, let's up level this, and what's the bigger picture. And what's the sort of common architecture across all of it, right? So I think that's what the really interesting aspect here was is that this is very much driven by what we're hearing directly from customers. >> You kind of implied just recently that the paper was pretty straightforward, pretty basic, early days, but it's well thought out. And one of the things you talked about was the type of multi-cloud services. >> Yep. >> You had data plan and user services, security infrastructure, which is your wheelhouse and application services. >> Yep. >> And you sort of went to detail defining those where is management and all that. So these are the ones you're going after. What about management? What are your thoughts on that? >> Yeah, so it's a really good question we debated this for a long time. Does management actually get a separate sort of layer that we could add a six one perhaps, or is it sort of baked in to the different ones? And we kind of went with the ladder where it sort of baked in there's infrastructure management, there's modern app management, there's management and users. It's kind of management for each security obviously. So we see a lot of different management plans, control plans across each of those different layers. Now does there need to be a separate one that has its own layer? Arguably yes, I mean, I think there are good arguments for that, and this is exactly why we put this out there though, is to like get people to read it, people to give give us feedback. And going back to the consortium idea, let's come together as a group of practitioners across the industry to really figure out an industry viewpoint on this. >> So what are the trade offs there? So what would be the benefit of having that separate layer? I presume it's simpler to do it the way you've done it, but what would be the benefit of having a separate. >> Yeah, I think it was probably more about simplicity to start with, like you could imagine like 20 different layers. and maybe that's where it's going to go, but also I think it's how do you define the layer? And for us it was more around sort of some of these functional aspects as an infrastructure versus application level versus end user and management is more of a commonality across those. But again, I could see our arguments be made. >> Logical place to start. >> Yeah. >> The other thing you said in here multi-cloud application services can route request for a particular service such as a database and deploy the service on the correct individual cloud, using the most appropriate technology for the use case, et cetera, et cetera. >> Yep. >> That to me, sounds like a metadata problem. And so can you talk about how you you've approach that? You mentioned AWS RDS, great examples as your sequel on Oracle Database, et cetera, et cetera and multiple endpoint. How do you approach that? >> Yeah, well, I think there's a bunch of different approaches there. And so again, so the idea is that, and I know there's been reference to sort of like the operating system for Supercloud. What does that look like, right? But I think it totally, we don't actually use that term, but I do like the concept of an operating system. 'Cause a lot of things you just talk about there, these are things operating systems. Do you got to have a scheduler? And so you look across many different clouds and you got to figure out, okay, where do I actually want in this case, let's say a database instance to go and be provisioned. And then really it's up to, I think the vendor or in this case, the multi-cloud service creator to define how they want to want to do that. They could leverage the native cloud services or they could build their own technology. Which a lot of the vendors are doing. And so the point though, is that really you get this night from a end user standpoint, it goes back to your complexity, simplicity question, you get the simplicity of a single API that the implementation you don't really need to deal with. 'Cause you're like, I'm getting a service and I need the database and has certain properties and I want it here versus there versus wherever. But it's up to that multi-cloud service to figure out a lot of those implementation specifics. >> So are you the Supercloud OS? >> I think it is VMware's goal to become the Supercloud OS for sure. But like any good operating system, as we said, like it's all about applications, right? So you have a platform point of view, but you got to partner widely. >> And you got to get the hardware relationship. >> Yes. >> The Silicon chips. >> Yep. >> Right. >> Yeah, and actually that was a good point. I want to go back to that one. 'Cause you mentioned that earlier, the innovation that we're seeing, things like arm processors and like graviton and a lot of these things happening. And so I think that's another really interesting area where you're seeing tremendous innovation there in the public cloud. One of the challenges though for public cloud is actually at scale and that it takes longer to release newer hardware at that scale. So in some cases, if you want bleeding edge stuff, you can't go with public cloud 'cause it's just not there yet, right? So that's again, another interesting thing where you... >> Well, some will say that they launch 5,000 new services, every year at AWS. >> No, but I'm talking, >> They have some bleeding edge stuff. >> Well, no, no, no, sorry, sorry, let me clarify, let me clarify. I'm not talking about the software, I'm talking about the hardware side. >> Okay, got it, okay. >> Like the Silicon? >> Yeah, like the latest and greatest GPU, FBGA. >> Why can't they? >> 'Cause cause they do like tens of thousands of them, hundreds of thousands of them. >> Oh just because it's just so many. >> It's a scale. Yeah, that's the point, right? >> Right. >> And it's fundamental to the model in terms of how big they are. And so that's why we do see some customers who need, who have very specialized hardware requirements, need to do it in the private cloud, right on prem or possibly a colo. >> Or edge. >> Or edge. >> Edge is a great example of... >> But we often see, again, people like the latest bleeding edge GPUs, whatever they are, even something a bit more experimental that they're going to go on on prem for that. >> Yeah. >> And so look, do not want to disparage the public cloud, please don't take that away. It's just an artifact when it gets to heart, like software they can scale and they do (indistinct). >> Well it's context of the OS conversation, OS has to right to hardware and enable applications. >> Where I was getting caught up in that is Kit, is they're all developing their own Silicon and they're developing it, most of it's arm based and they're developing at a much, much faster cycle. They can go from design to tape out much faster than Intel historically has. And you're seeing it. >> Intel just posted along. >> Yeah, I think if you look at the overall system, you're absolutely right. >> Yeah, but it's the deployment because of the scale 'cause at one availability zone and another and another region and that's. >> Well, yeah, but so counter point to what I just said would be, hey, like they have very well controlled environments, very well controled system. So they don't need to support a million different configuration settings or whatever they've got theirs that they use, right? So from a system standpoint and so forth. Yeah, I agree that there's a lot they can do there. I was speaking specifically, to different types of hardware accelerators being a bit of a (indistinct). >> If it's not in the 5,000 services that they offer, you can't get it, whereas on-prem you can say, I want that, here it is. >> I'm not saying that on-prem is necessarily fundamentally better in any way. I'm just saying for this particular area >> It's use case driven. >> It is use, and that's the whole point of all this, right? Like and I know a lot of people in their heads associate VMware with on-prem, but we are not dogmatic at all. And you know, as you guys know, but many people may not like we partner with all the public cloud hyperscalers. And so our point of view is very much, much more nuance saying, look, we're happy to run workloads wherever you want to. In fact, that's what we hear from customers. They want to run them everywhere, but it's about finding the right tool for the right job. And that's what really what this multi-cloud approach. >> Yeah, and I think the structural change of the virtualization hypervisor this new shift to V2 Supercloud, this something happening fundamentally that's use case driven, it's not about dogma, whatever. I mean, cloud's great. But native clouds have the pros and cons. >> And I would say that Supercloud, prerequisite for Supercloud has got to be running in a public cloud. But I'd say it also has to be inclusive of on-prem data. >> Yes, absolutely. >> And you're not going to just move all that data into prem, maybe in the fullness of time, but I don't personally believe that, but you look at what Goldman Sachs has done with AWS they've got their on-prem data and they're connecting to the AWS cloud. >> Yep. >> What Walmart's doing with Azure and that's going to happen in a lot of different industries. >> Yeah. >> Well I think security will drive that too. We had that conversation because no one wants to increase the surface area. Number one, they want complexity to be reduced and they want economic benefits. That's the super cloud kind of (indistinct). >> It's a security but it's also differentiatable advantage that you actually have on prem that you don't necessarily. >> Right, well, we're going to debate this now, Kit, thank you for coming on and giving that Keynote, we're going to have a panel to debate and discuss the blockers that enablers to Supercloud. And there are some enablers and potentially blockers. >> Yep, absolutely. >> So we'll get, into that, okay, up next, the panel to discuss, blockers and enablers are Supercloud after this quick break. (soft music)