>> Announcer: From theCUBE studios in Palo Alto in Boston, bringing you data-driven insights from theCUBE and ETR. This is "Breaking Analysis" with Dave Vellante. >> The rapid pace of cloud adoption has changed the way organizations approach cybersecurity. Specifically, the cloud is increasingly becoming the first line of cyber defense. As such, along with communicating to the board and creating a security aware culture, the chief information security officer must ensure that the shared responsibility model is being applied properly. Meanwhile, the DevSecOps team has emerged as the critical link between strategy and execution, while audit becomes the free safety, if you will, in the equation, i.e., the last line of defense. Hello, and welcome to this week's, we keep on CUBE Insights, powered by ETR. In this "Breaking Analysis", we'll share the latest data on hyperscale, IaaS, and PaaS market performance, along with some fresh ETR survey data. And we'll share some highlights and the puts and takes from the recent AWS re:Inforce event in Boston. But first, the macro. It's earning season, and that's what many people want to talk about, including us. As we reported last week, the macro spending picture is very mixed and weird. Think back to a week ago when SNAP reported. A player like SNAP misses and the Nasdaq drops 300 points. Meanwhile, Intel, the great semiconductor hope for America misses by a mile, cuts its revenue outlook by 15% for the year, and the Nasdaq was up nearly 250 points just ahead of the close, go figure. Earnings reports from Meta, Google, Microsoft, ServiceNow, and some others underscored cautious outlooks, especially those exposed to the advertising revenue sector. But at the same time, Apple, Microsoft, and Google, were, let's say less bad than expected. And that brought a sigh of relief. And then there's Amazon, which beat on revenue, it beat on cloud revenue, and it gave positive guidance. The Nasdaq has seen this month best month since the isolation economy, which "Breaking Analysis" contributor, Chip Symington, attributes to what he calls an oversold rally. But there are many unknowns that remain. How bad will inflation be? Will the fed really stop tightening after September? The Senate just approved a big spending bill along with corporate tax hikes, which generally don't favor the economy. And on Monday, August 1st, the market will likely realize that we are in the summer quarter, and there's some work to be done. Which is why it's not surprising that investors sold the Nasdaq at the close today on Friday. Are people ready to call the bottom? Hmm, some maybe, but there's still lots of uncertainty. However, the cloud continues its march, despite some very slight deceleration in growth rates from the two leaders. Here's an update of our big four IaaS quarterly revenue data. The big four hyperscalers will account for $165 billion in revenue this year, slightly lower than what we had last quarter. We expect AWS to surpass 83 billion this year in revenue. Azure will be more than 2/3rds the size of AWS, a milestone from Microsoft. Both AWS and Azure came in slightly below our expectations, but still very solid growth at 33% and 46% respectively. GCP, Google Cloud Platform is the big concern. By our estimates GCP's growth rate decelerated from 47% in Q1, and was 38% this past quarter. The company is struggling to keep up with the two giants. Remember, both GCP and Azure, they play a shell game and hide the ball on their IaaS numbers, so we have to use a survey data and other means of estimating. But this is how we see the market shaping up in 2022. Now, before we leave the overall cloud discussion, here's some ETR data that shows the net score or spending momentum granularity for each of the hyperscalers. These bars show the breakdown for each company, with net score on the right and in parenthesis, net score from last quarter. lime green is new adoptions, forest green is spending up 6% or more, the gray is flat, pink is spending at 6% down or worse, and the bright red is replacement or churn. Subtract the reds from the greens and you get net score. One note is this is for each company's overall portfolio. So it's not just cloud. So it's a bit of a mixed bag, but there are a couple points worth noting. First, anything above 40% or 40, here as shown in the chart, is considered elevated. AWS, as you can see, is well above that 40% mark, as is Microsoft. And if you isolate Microsoft's Azure, only Azure, it jumps above AWS's momentum. Google is just barely hanging on to that 40 line, and Alibaba is well below, with both Google and Alibaba showing much higher replacements, that bright red. But here's the key point. AWS and Azure have virtually no churn, no replacements in that bright red. And all four companies are experiencing single-digit numbers in terms of decreased spending within customer accounts. People may be moving some workloads back on-prem selectively, but repatriation is definitely not a trend to bet the house on, in our view. Okay, let's get to the main subject of this "Breaking Analysis". TheCube was at AWS re:Inforce in Boston this week, and we have some observations to share. First, we had keynotes from Steven Schmidt who used to be the chief information security officer at Amazon on Web Services, now he's the CSO, the chief security officer of Amazon. Overall, he dropped the I in his title. CJ Moses is the CISO for AWS. Kurt Kufeld of AWS also spoke, as did Lena Smart, who's the MongoDB CISO, and she keynoted and also came on theCUBE. We'll go back to her in a moment. The key point Schmidt made, one of them anyway, was that Amazon sees more data points in a day than most organizations see in a lifetime. Actually, it adds up to quadrillions over a fairly short period of time, I think, it was within a month. That's quadrillion, it's 15 zeros, by the way. Now, there was drill down focus on data protection and privacy, governance, risk, and compliance, GRC, identity, big, big topic, both within AWS and the ecosystem, network security, and threat detection. Those are the five really highlighted areas. Re:Inforce is really about bringing a lot of best practice guidance to security practitioners, like how to get the most out of AWS tooling. Schmidt had a very strong statement saying, he said, "I can assure you with a 100% certainty that single controls and binary states will absolutely positively fail." Hence, the importance of course, of layered security. We heard a little bit of chat about getting ready for the future and skating to the security puck where quantum computing threatens to hack all of the existing cryptographic algorithms, and how AWS is trying to get in front of all that, and a new set of algorithms came out, AWS is testing. And, you know, we'll talk about that maybe in the future, but that's a ways off. And by its prominent presence, the ecosystem was there enforced, to talk about their role and filling the gaps and picking up where AWS leaves off. We heard a little bit about ransomware defense, but surprisingly, at least in the keynotes, no discussion about air gaps, which we've talked about in previous "Breaking Analysis", is a key factor. We heard a lot about services to help with threat detection and container security and DevOps, et cetera, but there really wasn't a lot of specific talk about how AWS is simplifying the life of the CISO. Now, maybe it's inherently assumed as AWS did a good job stressing that security is job number one, very credible and believable in that front. But you have to wonder if the world is getting simpler or more complex with cloud. And, you know, you might say, "Well, Dave, come on, of course it's better with cloud." But look, attacks are up, the threat surface is expanding, and new exfiltration records are being set every day. I think the hard truth is, the cloud is driving businesses forward and accelerating digital, and those businesses are now exposed more than ever. And that's why security has become such an important topic to boards and throughout the entire organization. Now, the other epiphany that we had at re:Inforce is that there are new layers and a new trust framework emerging in cyber. Roles are shifting, and as a direct result of the cloud, things are changing within organizations. And this first hit me in a conversation with long-time cyber practitioner and Wikibon colleague from our early Wikibon days, and friend, Mike Versace. And I spent two days testing the premise that Michael and I talked about. And here's an attempt to put that conversation into a graphic. The cloud is now the first line of defense. AWS specifically, but hyperscalers generally provide the services, the talent, the best practices, and automation tools to secure infrastructure and their physical data centers. And they're really good at it. The security inside of hyperscaler clouds is best of breed, it's world class. And that first line of defense does take some of the responsibility off of CISOs, but they have to understand and apply the shared responsibility model, where the cloud provider leaves it to the customer, of course, to make sure that the infrastructure they're deploying is properly configured. So in addition to creating a cyber aware culture and communicating up to the board, the CISO has to ensure compliance with and adherence to the model. That includes attracting and retaining the talent necessary to succeed. Now, on the subject of building a security culture, listen to this clip on one of the techniques that Lena Smart, remember, she's the CISO of MongoDB, one of the techniques she uses to foster awareness and build security cultures in her organization. Play the clip >> Having the Security Champion program, so that's just, it's like one of my babies. That and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the Security Champion program is purely purely voluntary. We have over 100 members. And these are people, there's no bar to join, you don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome. Up to, we actually, people grade themselves when they join us. We give them a little tick box, like five is, I walk on security water, one is I can spell security, but I'd like to learn more. Mixing those groups together has been game-changing for us. >> Now, the next layer is really where it gets interesting. DevSecOps, you know, we hear about it all the time, shifting left. It implies designing security into the code at the dev level. Shift left and shield right is the kind of buzz phrase. But it's getting more and more complicated. So there are layers within the development cycle, i.e., securing the container. So the app code can't be threatened by backdoors or weaknesses in the containers. Then, securing the runtime to make sure the code is maintained and compliant. Then, the DevOps platform so that change management doesn't create gaps and exposures, and screw things up. And this is just for the application security side of the equation. What about the network and implementing zero trust principles, and securing endpoints, and machine to machine, and human to app communication? So there's a lot of burden being placed on the DevOps team, and they have to partner with the SecOps team to succeed. Those guys are not security experts. And finally, there's audit, which is the last line of defense or what I called at the open, the free safety, for you football fans. They have to do more than just tick the box for the board. That doesn't cut it anymore. They really have to know their stuff and make sure that what they sign off on is real. And then you throw ESG into the mix is becoming more important, making sure the supply chain is green and also secure. So you can see, while much of this stuff has been around for a long, long time, the cloud is accelerating innovation in the pace of delivery. And so much is changing as a result. Now, next, I want to share a graphic that we shared last week, but a little different twist. It's an XY graphic with net score or spending velocity in the vertical axis and overlap or presence in the dataset on the horizontal. With that magic 40% red line as shown. Okay, I won't dig into the data and draw conclusions 'cause we did that last week, but two points I want to make. First, look at Microsoft in the upper-right hand corner. They are big in security and they're attracting a lot of dollars in the space. We've reported on this for a while. They're a five-star security company. And every time, from a spending standpoint in ETR data, that little methodology we use, every time I've run this chart, I've wondered, where the heck is AWS? Why aren't they showing up there? If security is so important to AWS, which it is, and its customers, why aren't they spending money with Amazon on security? And I asked this very question to Merrit Baer, who resides in the office of the CISO at AWS. Listen to her answer. >> It doesn't mean don't spend on security. There is a lot of goodness that we have to offer in ESS, external security services. But I think one of the unique parts of AWS is that we don't believe that security is something you should buy, it's something that you get from us. It's something that we do for you a lot of the time. I mean, this is the definition of the shared responsibility model, right? >> Now, maybe that's good messaging to the market. Merritt, you know, didn't say it outright, but essentially, Microsoft they charge for security. At AWS, it comes with the package. But it does answer my question. And, of course, the fact is that AWS can subsidize all this with egress charges. Now, on the flip side of that, (chuckles) you got Microsoft, you know, they're both, they're competing now. We can take CrowdStrike for instance. Microsoft and CrowdStrike, they compete with each other head to head. So it's an interesting dynamic within the ecosystem. Okay, but I want to turn to a powerful example of how AWS designs in security. And that is the idea of confidential computing. Of course, AWS is not the only one, but we're coming off of re:Inforce, and I really want to dig into something that David Floyer and I have talked about in previous episodes. And we had an opportunity to sit down with Arvind Raghu and J.D. Bean, two security experts from AWS, to talk about this subject. And let's share what we learned and why we think it matters. First, what is confidential computing? That's what this slide is designed to convey. To AWS, they would describe it this way. It's the use of special hardware and the associated firmware that protects customer code and data from any unauthorized access while the data is in use, i.e., while it's being processed. That's oftentimes a security gap. And there are two dimensions here. One is protecting the data and the code from operators on the cloud provider, i.e, in this case, AWS, and protecting the data and code from the customers themselves. In other words, from admin level users are possible malicious actors on the customer side where the code and data is being processed. And there are three capabilities that enable this. First, the AWS Nitro System, which is the foundation for virtualization. The second is Nitro Enclaves, which isolate environments, and then third, the Nitro Trusted Platform Module, TPM, which enables cryptographic assurances of the integrity of the Nitro instances. Now, we've talked about Nitro in the past, and we think it's a revolutionary innovation, so let's dig into that a bit. This is an AWS slide that was shared about how they protect and isolate data and code. On the left-hand side is a classical view of a virtualized architecture. You have a single host or a single server, and those white boxes represent processes on the main board, X86, or could be Intel, or AMD, or alternative architectures. And you have the hypervisor at the bottom which translates instructions to the CPU, allowing direct execution from a virtual machine into the CPU. But notice, you also have blocks for networking, and storage, and security. And the hypervisor emulates or translates IOS between the physical resources and the virtual machines. And it creates some overhead. Now, companies like VMware have done a great job, and others, of stripping out some of that overhead, but there's still an overhead there. That's why people still like to run on bare metal. Now, and while it's not shown in the graphic, there's an operating system in there somewhere, which is privileged, so it's got access to these resources, and it provides the services to the VMs. Now, on the right-hand side, you have the Nitro system. And you can see immediately the differences between the left and right, because the networking, the storage, and the security, the management, et cetera, they've been separated from the hypervisor and that main board, which has the Intel, AMD, throw in Graviton and Trainium, you know, whatever XPUs are in use in the cloud. And you can see that orange Nitro hypervisor. That is a purpose-built lightweight component for this system. And all the other functions are separated in isolated domains. So very strong isolation between the cloud software and the physical hardware running workloads, i.e., those white boxes on the main board. Now, this will run at practically bare metal speeds, and there are other benefits as well. One of the biggest is security. As we've previously reported, this came out of AWS's acquisition of Annapurna Labs, which we've estimated was picked up for a measly $350 million, which is a drop in the bucket for AWS to get such a strategic asset. And there are three enablers on this side. One is the Nitro cards, which are accelerators to offload that wasted work that's done in traditional architectures by typically the X86. We've estimated 25% to 30% of core capacity and cycles is wasted on those offloads. The second is the Nitro security chip, which is embedded and extends the root of trust to the main board hardware. And finally, the Nitro hypervisor, which allocates memory and CPU resources. So the Nitro cards communicate directly with the VMs without the hypervisors getting in the way, and they're not in the path. And all that data is encrypted while it's in motion, and of course, encryption at rest has been around for a while. We asked AWS, is this an, we presumed it was an Arm-based architecture. We wanted to confirm that. Or is it some other type of maybe hybrid using X86 and Arm? They told us the following, and quote, "The SoC, system on chips, for these hardware components are purpose-built and custom designed in-house by Amazon and Annapurna Labs. The same group responsible for other silicon innovations such as Graviton, Inferentia, Trainium, and AQUA. Now, the Nitro cards are Arm-based and do not use any X86 or X86/64 bit CPUs. Okay, so it confirms what we thought. So you may say, "Why should we even care about all this technical mumbo jumbo, Dave?" Well, a year ago, David Floyer and I published this piece explaining why Nitro and Graviton are secret weapons of Amazon that have been a decade in the making, and why everybody needs some type of Nitro to compete in the future. This is enabled, this Nitro innovations and the custom silicon enabled by the Annapurna acquisition. And AWS has the volume economics to make custom silicon. Not everybody can do it. And it's leveraging the Arm ecosystem, the standard software, and the fabrication volume, the manufacturing volume to revolutionize enterprise computing. Nitro, with the alternative processor, architectures like Graviton and others, enables AWS to be on a performance, cost, and power consumption curve that blows away anything we've ever seen from Intel. And Intel's disastrous earnings results that we saw this past week are a symptom of this mega trend that we've been talking about for years. In the same way that Intel and X86 destroyed the market for RISC chips, thanks to PC volumes, Arm is blowing away X86 with volume economics that cannot be matched by Intel. Thanks to, of course, to mobile and edge. Our prediction is that these innovations and the Arm ecosystem are migrating and will migrate further into enterprise computing, which is Intel's stronghold. Now, that stronghold is getting eaten away by the likes of AMD, Nvidia, and of course, Arm in the form of Graviton and other Arm-based alternatives. Apple, Tesla, Amazon, Google, Microsoft, Alibaba, and others are all designing custom silicon, and doing so much faster than Intel can go from design to tape out, roughly cutting that time in half. And the premise of this piece is that every company needs a Nitro to enable alternatives to the X86 in order to support emergent workloads that are data rich and AI-based, and to compete from an economic standpoint. So while at re:Inforce, we heard that the impetus for Nitro was security. Of course, the Arm ecosystem, and its ascendancy has enabled, in our view, AWS to create a platform that will set the enterprise computing market this decade and beyond. Okay, that's it for today. Thanks to Alex Morrison, who is on production. And he does the podcast. And Ken Schiffman, our newest member of our Boston Studio team is also on production. Kristen Martin and Cheryl Knight help spread the word on social media and in the community. And Rob Hof is our editor in chief over at SiliconANGLE. He does some great, great work for us. Remember, all these episodes are available as podcast. Wherever you listen, just search "Breaking Analysis" podcast. I publish each week on wikibon.com and siliconangle.com. Or you can email me directly at David.Vellante@siliconangle.com or DM me @dvellante, comment on my LinkedIn post. And please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights, powered by ETR. Thanks for watching. Be well, and we'll see you next time on "Breaking Analysis." (upbeat theme music)

>> From The Cube studios in Palo Alto, in Boston, bringing you data driven insights from the cube and ETR. This is breaking analysis with Dave Vellante. >> Last year, we noted in a breaking analysis that the cloud ecosystem is innovating beyond the idea or notion of multi-cloud. We've said for years that multi-cloud is really not a strategy but rather a symptom of multi-vendor. And we coined this term supercloud to describe an abstraction layer that lives above the hyperscale infrastructure that hides the underlying complexities, the APIs, and the primitives of each of the respective clouds. It interconnects whether it's On-Prem, AWS, Azure, Google, stretching out to the edge and creates a value layer on top of that. So our vision is that supercloud is more than running an individual service in cloud native mode within an individual individual cloud rather it's this new layer that builds on top of the hyperscalers. And does things irrespective of location adds value and we'll get into that in more detail. Now it turns out that we weren't the only ones thinking about this, not surprisingly, the majority of the technology ecosystem has been working towards this vision in various forms, including some examples that actually don't try to hide the underlying primitives. And we'll talk about that, but give a consistent experience across the DevSecOps tool chain. Hello, and welcome to this week's Wikibon, Cube insights powered by ETR. In this breaking analysis, we're going to share some recent examples and direct quotes about supercloud from the many Cube guests that we've had on over the last several weeks and months. And we've been trying to test this concept of supercloud. Is it technically feasible? Is it business rational? Is there business case for it? And we'll also share some recent ETR data to put this into context with some of the players that we think are going after this opportunity and where they are in their supercloud build out. And as you can see I'm not in the studio, everybody's got COVID so the studios shut down temporarily but breaking analysis continues. So here we go. Now, first thing is we uncovered an article from earlier this year by Lori MacVittie, is entitled, Supercloud: The 22 Answer to Multi-Cloud Challenges. What a great title. Of course we love it. Now, what really interested us here is not just the title, but the notion that it really doesn't matter what it's called, who cares? Supercloud, distributed cloud, someone even called it Metacloud recently, and we'll get into that. But Lori is a technologist. She's a developer by background. She works at F-Five and she's partial to the supercloud definition that was put forth by Cornell. You can see it here. That's a cloud architecture that enables application migration as a service across different availability zones or cloud providers, et cetera. And that the supercloud provides interfaces to allocate, migrate and terminate resources... And can span all major public cloud providers as well as private clouds. Now, of course, we would take that as well to the edge. So sure. That sounds about right and provides further confirmation that something new is really happening out there. And that was our initial premise when we put this fourth last year. Now we want to dig deeper and hear from the many Cube guests that we've interviewed recently probing about this topic. We're going to start with Chuck Whitten. He's Dell's new Co-COO and most likely part of the Dell succession plan, many years down the road hopefully. He coined the phrase multi-cloud by default versus multi-cloud by design. And he provides a really good business perspective. He's not a deep technologist. We're going to hear from Chuck a couple of times today including one where John Furrier asks him about leveraging hyperscale CapEx. That's an important concept that's fundamental to supercloud. Now, Ashesh Badani heads products at Red Hat and he talks about what he calls Metacloud. Again, it doesn't matter to us what you call it but it's the ecosystem gathering and innovating and we're going to get his perspective. Now we have a couple of clips from Danny Allan. He is the CTO of Veeam. He's a deep technologist and super into the weeds, which we love. And he talks about how Veeam abstracts the cloud layer. Again, a concept that's fundamental to supercloud and he describes what a supercloud is to him. And we also bring with Danny the edge discussion to the conversation. Now the bottom line from Danny is we want to know is supercloud technically feasible? And is it a thing? And then we have Jeff Clarke. Jeff Clark is the Co-COO and Vice Chairman of Dell super experienced individual. He lays out his vision of supercloud and what John Furrier calls a business operating system. You're going to hear from John a couple times. And he, Jeff Clark has a dropped the mic moment, where he says, if we can do this X, we'll describe what X is, it's game over. Okay. So of course we wanted to then go to HPE, one of Dell's biggest competitors and Patrick Osborne is the vice president of the storage business unit at Hewlett Packet Enterprise. And so given Jeff Clarke's game over strategy, we want to understand how HPE sees supercloud. And the bottom line, according to Patrick Osborne is that it's real. So you'll hear from him. And now Raghu Raghuram is the CEO of VMware. He threw a curve ball at this supercloud concept. And he flat out says, no, we don't want to hide the underlying primitives. We want to give developers access to those. We want to create a consistent developer experience in that DevsSecOps tool chain and Kubernetes runtime environments, and connect all the elements in the application development stack. So that's a really interesting perspective that Raghu brings. And then we end on Itzik Reich. Itzik is a technologist and a technical team leader who's worked as a go between customers and product developers for a number of years. And we asked Itzik, is supercloud technically feasible and will it be a reality? So let's hear from these experts and you can decide for yourselves how real supercloud is today and where it is, run the sizzle >> Operative phrase is multi-cloud by default that's kind of the buzz from your keynote. What do you mean by that? >> Well, look, customers have woken up with multiple clouds, multiple public clouds, On-Premise clouds increasingly as the edge becomes much more a reality for customers clouds at the edge. And so that's what we mean by multi-cloud by default. It's not yet been designed strategically. I think our argument yesterday was, it can be and it should be. It is a very logical place for architecture to land because ultimately customers want the innovation across all of the hyperscale public clouds. They will see workloads and use cases where they want to maintain an On-Premise cloud, On-Premise clouds are not going away, I mentioned edge clouds, so it should be strategic. It's just not today. It doesn't work particularly well today. So when we say multi-cloud by default we mean that's the state of the world today. Our goal is to bring multi-cloud by design as you heard. >> Really great question, actually, since you and I talked, Dave, I've been spending some time noodling just over that. And you're right. There's probably some terminology, something that will get developed either by us or in collaboration with the industry. Where we sort of almost have the next almost like a Metacloud that we're working our way towards. >> So we manage both the snapshots and we convert it into the Veeam portable data format. And here's where the supercloud comes into play. Because if I can convert it into the Veeam portable data format, I can move that OS anywhere. I can move it from physical to virtual, to cloud, to another cloud, back to virtual, I can put it back on physical if I want to. It actually abstracts the cloud layer. There are things that we do when we go between cloud some use BIOS, some use UEFI, but we have the data in backup format, not snapshot format, that's theirs, but we have it in backup format that we can move around and abstract workloads across all of the infrastructure. >> And your catalog is control in control of that. Is that right? Am I thinking about that the right way? >> Yeah it is, 100%. And you know what's interesting about our catalog, Dave, the catalog is inside the backup. Yes. So here's, what's interesting about the edge, two things, on the edge you don't want to have any state, if you can help it. And so containers help with that You can have stateless environments, some persistent data storage But we not not only provide the portability in operating systems, we also do this for containers. And that's true. If you go to the cloud and you're using say EKS with relational database services RDS for the persistent data later, we can pick that up and move it to GKE or move it to OpenShift On-Premises. And so that's why I call this the supercloud, we have all of this data. Actually, I think you termed the term supercloud. >> Yeah. But thank you for... I mean, I'm looking for a confirmation from a technologist that it's technically feasible. >> It is technically feasible and you can do it today. >> You said also technology and business models are tied together and enabler. If you believe that then you have to believe that it's a business operating system that they want. They want to leverage whatever they can. And at the end of the day, they have to differentiate what they do. >> Well, that's exactly right. If I take that in what Dave was saying and I summarize it the following way, if we can take these cloud assets and capabilities, combine them in an orchestrated way to deliver a distributed platform, game over. >> We have a number of platforms that are providing whether it's compute or networking or storage, running those workloads that they plum up into the cloud they have an operational experience in the cloud and they now they have data services that are running in the cloud for us in GreenLake. So it's a reality, we have a number of platforms that support that. We're going to have a a set of big announcements coming up at HPE Discover. So we led with Electra and we have a block service. We have VM backup as a service and DR on top of that. So that's something that we're providing today. GreenLake has over, I think it's actually over 60 services right now that we're providing in the GreenLake platform itself. Everything from security, single sign on, customer IDs, everything. So it's real. We have the proofpoint for it. >> Yeah. So I want to clarify something that you said because this tends to be very commonly confused by customers. I use the word abstraction. And usually when people think of abstraction, they think it hides capabilities of the cloud providers. That's not what we are trying to do. In fact, that's the last thing we are trying to do. What we are trying to do is to provide a consistent developer experience regardless of where you want to build your application. So that you can use the cloud provider services if that's what you want to use. But the DevSecOp tool chain, the runtime environment which turns out to be Kubernetes and how you control the Kubernetes environment, how do you manage and secure and connect all of these things. Those are the places where we are adding the value. And so really the VMware value proposition is you can build on the cloud of your choice but providing these consistent elements, number one, you can make better use of us, your scarce developer or operator resources and expertise. And number two, you can move faster. And number three, you can just spend less as a result of this. So that's really what we are trying to do. We are not... So I just wanted to clarify the word abstraction. In terms of where are we? We are still, I would say, in the early stages. So if you look at what customers are trying to do, they're trying to build these greenfield applications. And there is an entire ecosystem emerging around Kubernetes. There is still, Kubernetes is not a developer platform. The developer experience on top of Kubernetes is highly inconsistent. And so those are some of the areas where we are introducing new innovations with our Tanzu Application Platform. And then if you take enterprise applications, what does it take to have enterprise applications running all the time be entirely secure, et cetera. >> Well, look, the multi-cloud by default today are isolated clouds. They don't work together. Your data is siloed. It's locked up and it is expensive to move and make sense of it. So I think the word you and I were batting around before, this is an interconnected tissue. That's what the world needs. They need the clouds to work together as a single platform. That's the problem that we're trying to solve. And you saw it in some of our announcements here that we're starting to make steps on that journey to make multi-cloud work together much simpler. >> It's interesting, you mentioned the hyperscalers and all that CapEx investments. Why wouldn't you want to take advantage of a cloud and build on the CapEx and then ultimately have the solutions machine learning as one area. You see some specialization with the clouds. But you start to see the rise of superclouds, Dave calls them, and that's where you can innovate on a cloud then go to the multiple clouds. Snowflakes is one, we see a lot of examples of supercloud... >> Project Alpine was another one. I mean, it's early, but it's its clearly where you're going. The technology is just starting to come around. I mean it's real. >> Yeah. I mean, why wouldn't you want to take advantage of all of the cloud innovation out there? >> Is that something that's, that supercloud idea is a reality from a technologist perspective. >> I think it is. So for example Katie Gordon, which I believe you've interviewed earlier this week, was demonstrating the Kubernetes data mobility aspect which is another project. That's exactly part of the it's rationale, the rationale of customers being able to move some of their Kubernetes workloads to the cloud and back and between different clouds. Why are we doing? Because customers wants to have the ability to move between different cloud providers, using a common API that will be able to orchestrate all of those things with a self-service that may be offered via the APEX console itself. So it's all around enabling developers and meeting them where they are today and also meeting them into tomorrow's world where they actually may have changed their mind to do those things. So yes we are walking on all of those different aspects. >> Okay. Let's take a quick look at some of the ETR data. This is an X-Y graph. You've seen it a number of times on breaking analysis, it plots the net score or spending momentum on the Y-axis and overlap or pervasiveness in the ETR dataset on the X-axis, used to be called market share. I think that term was off putting to some people, but anyway it's an indicator of presence in the dataset. Now that red dotted line that's rarefied air where anything above that line is considered highly elevated. Now you can see we've plotted Azure and AWS in the upper right. GCP is in there and Kubernetes. We've done that as reference points. They're not necessarily building supercloud platforms. We'll see if they ever want to do so. And Kubernetes of course not a company, but we put 'em in there for context. And we've cherry picked a few players that we believe are building out or are important for supercloud build out. Let's start with Snowflake. We've talked a lot about this company. You can see they're highly elevated on the vertical axis. We see the data cloud as a supercloud in the making. You've got pure storage in there. They made the public, the early part of its supercloud journey at Accelerate 2019 when it unveiled a hybrid block storage service inside of AWS, it connects its On-Prem to AWS and creates that singular experience for pure customers. We see Hashi, HashiCorp as an enabling infrastructure, as code. So they're enabling infrastructure as code across different clouds and different locations. You see Nutanix. They're embarking on their multi-cloud strategy but it's doing so in a way that we think is supercloud, like now. Now Veeam, we were just at VeeamON. And this company has tied Dell for the number one revenue player in data protection. That's according to IDC. And we don't think it won't be long before it holds that position alone at the top as it's growing faster than in Dell in the space. We'll see, Dell is kind of waking up a little bit and putting more resource on that. But Veeam, they're a pure play vendor in data protection. And you heard their CTO, Danny Allan's view on Supercloud, they're doing it today. And we heard extensive comments as well from Dell that's clearly where they're headed, project Alpine was an early example from Dell technologies world of Supercloud in our view. And HPE with GreenLake. Finally beginning to talk about that cross cloud experience. I think it in initially HPE has been more focused on the private cloud, we'll continue to probe. We'll be at HPE discover later on the spring, actually end of June. And we'll continue to probe to see what HPE is doing specifically with GreenLake. Now, finally, Cisco, we put them on the chart. We don't have direct quotes from recent shows and events but this data really shows you the size of Cisco's footprint within the ETR data set that's on the X-axis. Now the cut of this ETR data includes all sectors across the ETR taxonomy which is not something that we commonly show but you can see the magnitude of Cisco's presence. It's impressive. Now, they had better, Cisco that is, had better be building out a supercloud in our view or they're going to be left behind. And I'm quite certain that they're actually going to do so. So we have a lot of evidence that we're putting forth here and seeing in the marketplace what we said last year, the ecosystem is take taking shape, supercloud is forming and becoming a thing. And really in our view, is the future of cloud. But there are always risks to these predictive scenarios and we want to acknowledge those. So first, look, we could end up with a bunch of bespoke superclouds. Now one supercloud is better than three separate cloud native services that do fundamentally the same thing from the same vendor. One for AWS, one for GCP and one for Azure. So maybe that's not all that bad. But to point number two, we hope there evolves a set of open standards for self-service infrastructure, federated governance, and data sharing that will evolve as a horizontal layer versus a set of proprietary vendor specific tools. Now, maybe a company like Veeam will provide that as a data management layer or some of Veeam's competitors or maybe it'll emerge again as open source. As well, and this next point, we see the potential for edge disruptions, changing the economics of the data center. Edge in fact could evolve on its own, independent of the cloud. In fact, David Floria sees the edge somewhat differently from Danny Allan. Floria says he sees a requirement for distributed stateful environments that are ephemeral where recovery is built in. And I said, David, stateful? Ephemeral? Stateful ephemeral? Isn't that an oxymoron? And he responded that, look, if it's not ephemeral the costs are going to be prohibitive. He said the biggest mistake the companies could make is thinking that the edge is simply an extension of their current cloud strategies. We're seeing that a lot. Dell largely talks about the edge as retail. Now, and Telco is a little bit different, but back to Floria's comments, he feels companies have to completely reimagine an integrated file and recovery system which is much more data efficient. And he believes that the technology will evolve with massive volumes and eventually seep into enterprise cloud and distributed data centers with better economics. In other words, as David Michelle recently wrote, we're about 15 years into the most recent cloud cycle and history shows that every 15 years or so, something new comes along that is a blind spot and highly disruptive to existing leaders. So number four here is really important. Remember, in 2007 before AWS introduced the modern cloud, IBM outpost, sorry, IBM outspent Amazon and Google and RND and CapEx and was really comparable to Microsoft. But instead of inventing cloud, IBM spent hundreds of billions of dollars on stock buybacks and dividends. And so our view is that innovation rewards leaders. And while it's not without risks, it's what powers the technology industry it always has and likely always will. So we'll be watching that very closely, how companies choose to spend their free cash flow. Okay. That's it for now. Thanks for watching this episode of The Cube Insights, powered by ETR. Thanks to Stephanie Chan who does some of the background research? Alex Morrison is on production and is going to compile all this stuff. Thank you, Alex. We're all remote this week. Kristen Nicole and Cheryl Knight do Cube distribution and social distribution and get the word out, so thank you. Robert Hof is our editor in chief. Don't forget the checkout etr.ai for all the survey action. Remember I publish each week on wikibon.com and siliconangle.com and you can check out all the breaking analysis podcasts. All you can do is search breaking analysis podcast so you can pop in the headphones and listen while you're on a walk. You can email me at david.vellante@siliconangle.com. If you want to get in touch or DM me at DVellante, you can always hit me up into a comment on our LinkedIn posts. This is Dave Vellante. Thank you for watching this episode of break analysis, stay safe, be well and we'll see you next time. (upbeat music)

>> From theCUBE Studios in Palo Alto and Boston, bringing you data-driven insights from theCUBE and ETR, this is Breaking Analysis with Dave Vellante. >> The pandemic has changed the way we think about and predict the future. As we enter the third year of a global pandemic, we see the significant impact that it's had on technology strategy, spending patterns, and company fortunes Much has changed. And while many of these changes were forced reactions to a new abnormal, the trends that we've seen over the past 24 months have become more entrenched, and point to the way that's coming ahead in the technology business. Hello and welcome to this week's Wikibon CUBE Insights powered by ETR. In this Breaking Analysis, we welcome our partner and colleague and business friend, Erik Porter Bradley, as we deliver what's becoming an annual tradition for Erik and me, our predictions for Enterprise Technology in 2022 and beyond Erik, welcome. Thanks for taking some time out. >> Thank you, Dave. Luckily we did pretty well last year, so we were able to do this again. So hopefully we can keep that momentum going. >> Yeah, you know, I want to mention that, you know, we get a lot of inbound predictions from companies and PR firms that help shape our thinking. But one of the main objectives that we have is we try to make predictions that can be measured. That's why we use a lot of data. Now not all will necessarily fit that parameter, but if you've seen the grading of our 2021 predictions that Erik and I did, you'll see we do a pretty good job of trying to put forth prognostications that can be declared correct or not, you know, as black and white as possible. Now let's get right into it. Our first prediction, we're going to go run into spending, something that ETR surveys for quarterly. And we've reported extensively on this. We're calling for tech spending to increase somewhere around 8% in 2022, we can see there on the slide, Erik, we predicted spending last year would increase by 4% IDC. Last check was came in at five and a half percent. Gardner was somewhat higher, but in general, you know, not too bad, but looking ahead, we're seeing an acceleration from the ETR September surveys, as you can see in the yellow versus the blue bar in this chart, many of the SMBs that were hard hit by the pandemic are picking up spending again. And the ETR data is showing acceleration above the mean for industries like energy, utilities, retail, and services, and also, notably, in the Forbes largest 225 private companies. These are companies like Mars or Koch industries. They're predicting well above average spending for 2022. So Erik, please weigh in here. >> Yeah, a lot to bring up on this one, I'm going to be quick. So 1200 respondents on this, over a third of which were at the C-suite level. So really good data that we brought in, the usual bucket of, you know, fortune 500, global 2000 make up the meat of that median, but it's 8.3% and rising with momentum as we see. What's really interesting right now is that energy and utilities. This is usually like, you know, an orphan stock dividend type of play. You don't see them at the highest point of tech spending. And the reason why right now is really because this state of tech infrastructure in our energy infrastructure needs help. And it's obvious, remember the Florida municipality break reach last year? When they took over the water systems or they had the ability to? And this is a real issue, you know, there's bad nation state actors out there, and I'm no alarmist, but the energy and utility has to spend this money to keep up. It's really important. And then you also hit on the retail consumer. Obviously what's happened, the work from home shift created a shop from home shift, and the trends that are happening right now in retail. If you don't spend and keep up, you're not going to be around much longer. So I think the really two interesting things here to call out are energy utilities, usually a laggard in IT spend and it's leading, and also retail consumer, a lot of changes happening. >> Yeah. Great stuff. I mean, I recall when we entered the pandemic, really ETR was the first to emphasize the impact that work from home was going to have, so I really put a lot of weight on this data. Okay. Our next prediction is we're going to get into security, it's one of our favorite topics. And that is that the number one priority that needs to be addressed by organizations in 2022 is security and you can see, in this slide, the degree to which security is top of mind, relative to some other pretty important areas like cloud, productivity, data, and automation, and some others. Now people may say, "Oh, this is obvious." But I'm going to add some context here, Erik, and then bring you in. First, organizations, they don't have unlimited budgets. And there are a lot of competing priorities for dollars, especially with the digital transformation mandate. And depending on the size of the company, this data will vary. For example, while security is still number one at the largest public companies, and those are of course of the biggest spenders, it's not nearly as pronounced as it is on average, or in, for example, mid-sized companies and government agencies. And this is because midsized companies or smaller companies, they don't have the resources that larger companies do. Larger companies have done a better job of securing their infrastructure. So these mid-size firms are playing catch up and the data suggests cyber is even a bigger priority there, gaps that they have to fill, you know, going forward. And that's why we think there's going to be more demand for MSSPs, managed security service providers. And we may even see some IPO action there. And then of course, Erik, you and I have talked about events like the SolarWinds Hack, there's more ransomware attacks, other vulnerabilities. Just recently, like Log4j in December. All of this has heightened concerns. Now I want to talk a little bit more about how we measure this, you know, relatively, okay, it's an obvious prediction, but let's stick our necks out a little bit. And so in addition to the rise of managed security services, we're calling for M&A and/or IPOs, we've specified some names here on this chart, and we're also pointing to the digital supply chain as an area of emphasis. Again, Log4j really shone that under a light. And this is going to help the likes of Auth0, which is now Okta, SailPoint, which is called out on this chart, and some others. We're calling some winners in end point security. Erik, you're going to talk about sort of that lifecycle, that transformation that we're seeing, that migration to new endpoint technologies that are going to benefit from this reset refresh cycle. So Erik, weigh in here, let's talk about some of the elements of this prediction and some of the names on that chart. >> Yeah, certainly. I'm going to start right with Log4j top of mind. And the reason why is because we're seeing a real paradigm shift here where things are no longer being attacked at the network layer, they're being attacked at the application layer, and in the application stack itself. And that is a huge shift left. And that's taking in DevSecOps now as a real priority in 2022. That's a real paradigm shift over the last 20 years. That's not where attacks used to come from. And this is going to have a lot of changes. You called out a bunch of names in there that are, they're either going to work. I would add to that list Wiz. I would add Orca Security. Two names in our emerging technology study, in addition to the ones you added that are involved in cloud security and container security. These names are either going to get gobbled up. So the traditional legacy names are going to have to start writing checks and, you know, legacy is not fair, but they're in the data center, right? They're, on-prem, they're not cloud native. So these are the names that money is going to be flowing to. So they're either going to get gobbled up, or we're going to see some IPO's. And on the other thing I want to talk about too, is what you mentioned. We have CrowdStrike on that list, We have SentinalOne on the list. Everyone knows them. Our data was so strong on Tanium that we actually went positive for the first time just today, just this morning, where that was released. The trifecta of these are so important because of what you mentioned, under resourcing. We can't have security just tell us when something happens, it has to automate, and it has to respond. So in this next generation of EDR and XDR, an automated response has to happen because people are under-resourced, salaries are really high, there's a skill shortage out there. Security has to become responsive. It can't just monitor anymore. >> Yeah. Great. And we should call out too. So we named some names, Snyk, Aqua, Arctic Wolf, Lacework, Netskope, Illumio. These are all sort of IPO, or possibly even M&A candidates. All right. Our next prediction goes right to the way we work. Again, something that ETR has been on for awhile. We're calling for a major rethink in remote work for 2022. We had predicted last year that by the end of 2021, there'd be a larger return to the office with the norm being around a third of workers permanently remote. And of course the variants changed that equation and, you know, gave more time for people to think about this idea of hybrid work and that's really come in to focus. So we're predicting that is going to overtake fully remote as the dominant work model with only about a third of the workers back in the office full-time. And Erik, we expect a somewhat lower percentage to be fully remote. It's now sort of dipped under 30%, at around 29%, but it's still significantly higher than the historical average of around 15 to 16%. So still a major change, but this idea of hybrid and getting hybrid right, has really come into focus. Hasn't it? >> Yeah. It's here to stay. There's no doubt about it. We started this in March of 2020, as soon as the virus hit. This is the 10th iteration of the survey. No one, no one ever thought we'd see a number where only 34% of people were going to be in office permanently. That's a permanent number. They're expecting only a third of the workers to ever come back fully in office. And against that, there's 63% that are saying their permanent workforce is going to be either fully remote or hybrid. And this, I can't really explain how big of a paradigm shift this is. Since the start of the industrial revolution, people leave their house and go to work. Now they're saying that's not going to happen. The economic impact here is so broad, on so many different areas And, you know, the reason is like, why not? Right? The productivity increase is real. We're seeing the productivity increase. Enterprises are spending on collaboration tools, productivity tools, We're seeing an increased perception in productivity of their workforce. And the CFOs can cut down an expense item. I just don't see a reason why this would end, you know, I think it's going to continue. And I also want to point out these results, as high as they are, were before the Omicron wave hit us. I can only imagine what these results would have been if we had sent the survey out just two or three weeks later. >> Yeah. That's a great point. Okay. Next prediction, we're going to look at the supply chain, specifically in how it's affecting some of the hardware spending and cloud strategies in the future. So in this chart, ETRS buyers, have you experienced problems procuring hardware as a result of supply chain issues? And, you know, despite the fact that some companies are, you know, I would call out Dell, for example, doing really well in terms of delivering, you can see that in the numbers, it's pretty clear, there's been an impact. And that's not not an across the board, you know, thing where vendors are able to deliver, especially acute in PCs, but also pronounced in networking, also in firewall servers and storage. And what's interesting is how companies are responding and reacting. So first, you know, I'm going to call the laptop and PC demand staying well above pre-COVID norms. It had peaked in 2012. Pre-pandemic it kept dropping and dropping and dropping, in terms of, you know, unit volume, where the market was contracting. And we think can continue to grow this year in double digits in 2022. But what's interesting, Erik, is when you survey customers, is despite the difficulty they're having in procuring network hardware, there's as much of a migration away from existing networks to the cloud. You could probably comment on that. Their networks are more fossilized, but when it comes to firewalls and servers and storage, there's a much higher propensity to move to the cloud. 30% of customers that ETR surveyed will replace security appliances with cloud services and 41% and 34% respectively will move to cloud compute and storage in 2022. So cloud's relentless march on traditional on-prem models continues. Erik, what do you make of this data? Please weigh in on this prediction. >> As if we needed another reason to go to the cloud. Right here, here it is yet again. So this was added to the survey by client demand. They were asking about the procurement difficulties, the supply chain issues, and how it was impacting our community. So this is the first time we ran it. And it really was interesting to see, you know, the move there. And storage particularly I found interesting because it correlated with a huge jump that we saw on one of our vendor names, which was Rubrik, had the highest net score that it's ever had. So clearly we're seeing some correlation with some of these names that are there, you know, really well positioned to take storage, to take data into the cloud. So again, you didn't need another reason to, you know, hasten this digital transformation, but here we are, we have it yet again, and I don't see it slowing down anytime soon. >> You know, that's a really good point. I mean, it's not necessarily bad news for the... I mean, obviously you wish that it had no change, would be great, but things, you know, always going to change. So we'll talk about this a little bit later when we get into the Supercloud conversation, but this is an opportunity for people who embrace the cloud. So we'll come back to that. And I want to hang on cloud a bit and share some recent projections that we've made. The next prediction is the big four cloud players are going to surpass 167 billion, an IaaS and PaaS revenue in 2022. We track this. Observers of this program know that we try to create an apples to apples comparison between AWS, Azure, GCP and Alibaba in IaaS and PaaS. So we're calling for 38% revenue growth in 2022, which is astounding for such a massive market. You know, AWS is probably not going to hit a hundred billion dollar run rate, but they're going to be close this year. And we're going to get there by 2023, you know they're going to surpass that. Azure continues to close the gap. Now they're about two thirds of the size of AWS and Google, we think is going to surpass Alibaba and take the number three spot. Erik, anything you'd like to add here? >> Yeah, first of all, just on a sector level, we saw our sector, new survey net score on cloud jumped another 10%. It was already really high at 48. Went up to 53. This train is not slowing down anytime soon. And we even added an edge compute type of player, like CloudFlare into our cloud bucket this year. And it debuted with a net score of almost 60. So this is really an area that's expanding, not just the big three, but everywhere. We even saw Oracle and IBM jump up. So even they're having success, taking some of their on-prem customers and then selling them to their cloud services. This is a massive opportunity and it's not changing anytime soon, it's going to continue. >> And I think the operative word there is opportunity. So, you know, the next prediction is something that we've been having fun with and that's this Supercloud becomes a thing. Now, the reason I say we've been having fun is we put this concept of Supercloud out and it's become a bit of a controversy. First, you know, what the heck's the Supercloud right? It's sort of a buzz-wordy term, but there really is, we believe, a thing here. We think there needs to be a rethinking or at least an evolution of the term multi-cloud. And what we mean is that in our view, you know, multicloud from a vendor perspective was really cloud compatibility. It wasn't marketed that way, but that's what it was. Either a vendor would containerize its legacy stack, shove it into the cloud, or a company, you know, they'd do the work, they'd build a cloud native service on one of the big clouds and they did do it for AWS, and then Azure, and then Google. But there really wasn't much, if any, leverage across clouds. Now from a buyer perspective, we've always said multicloud was a symptom of multi-vendor, meaning I got different workloads, running in different clouds, or I bought a company and they run on Azure, and I do a lot of work on AWS, but generally it wasn't necessarily a prescribed strategy to build value on top of hyperscale infrastructure. There certainly was somewhat of a, you know, reducing lock-in and hedging the risk. But we're talking about something more here. We're talking about building value on top of the hyperscale gift of hundreds of billions of dollars in CapEx. So in addition, we're not just talking about transforming IT, which is what the last 10 years of cloud have been like. And, you know, doing work in the cloud because it's cheaper or simpler or more agile, all of those things. So that's beginning to change. And this chart shows some of the technology vendors that are leaning toward this Supercloud vision, in our view, building on top of the hyperscalers that are highlighted in red. Now, Jerry Chan at Greylock, they wrote a piece called Castles in the Cloud. It got our thinking going, and he and the team at Greylock, they're building out a database of all the cloud services and all the sub-markets in cloud. And that got us thinking that there's a higher level of abstraction coalescing in the market, where there's tight integration of services across clouds, but the underlying complexity is hidden, and there's an identical experience across clouds, and even, in my dreams, on-prem for some platforms, so what's new or new-ish and evolving are things like location independence, you've got to include the edge on that, metadata services to optimize locality of reference and data source awareness, governance, privacy, you know, application independent and dependent, actually, recovery across clouds. So we're seeing this evolve. And in our view, the two biggest things that are new are the technology is evolving, where you're seeing services truly integrate cross-cloud. And the other big change is digital transformation, where there's this new innovation curve developing, and it's not just about making your IT better. It's about SaaS-ifying and automating your entire company workflows. So Supercloud, it's not just a vendor thing to us. It's the evolution of, you know, the, the Marc Andreessen quote, "Every company will be a SaaS company." Every company will deliver capabilities that can be consumed as cloud services. So Erik, the chart shows spending momentum on the y-axis and net score, or presence in the ETR data center, or market share on the x-axis. We've talked about snowflake as the poster child for this concept where the vision is you're in their cloud and sharing data in that safe place. Maybe you could make some comments, you know, what do you think of this Supercloud concept and this change that we're sensing in the market? >> Well, I think you did a great job describing the concept. So maybe I'll support it a little bit on the vendor level and then kind of give examples of the ones that are doing it. You stole the lead there with Snowflake, right? There is no better example than what we've seen with what Snowflake can do. Cross-portability in the cloud, the ability to be able to be, you know, completely agnostic, but then build those services on top. They're better than anything they could offer. And it's not just there. I mean, you mentioned edge compute, that's a whole nother layer where this is coming in. And CloudFlare, the momentum there is out of control. I mean, this is a company that started off just doing CDN and trying to compete with Okta Mite. And now they're giving you a full soup to nuts with security and actual edge compute layer, but it's a fantastic company. What they're doing, it's another great example of what you're seeing here. I'm going to call out HashiCorp as well. They're more of an infrastructure services, a little bit more of an open-source freemium model, but what they're doing as well is completely cloud agnostic. It's dynamic. It doesn't care if you're in a container, it doesn't matter where you are. They recently IPO'd and they're down 25%, but their data looks so good across both of our emerging technology and TISA survey. It's certainly another name that's playing on this. And another one that we mentioned as well is Rubrik. If you need storage, compute, and in the cloud layer and you need to be agnostic to it, they're another one that's really playing in this space. So I think it's a great concept you're bringing up. I think it's one that's here to stay and there's certainly a lot of vendors that fit into what you're describing. >> Excellent. Thank you. All right, let's shift to data. The next prediction, it might be a little tough to measure. Before I said we're trying to be a little black and white here, but it relates to Data Mesh, which is, the ideas behind that term were created by Zhamak Dehghani of ThoughtWorks. And we see Data Mesh is really gaining momentum in 2022, but it's largely going to be, we think, confined to a more narrow scope. Now, the impetus for change in data architecture in many companies really stems from the fact that their Hadoop infrastructure really didn't solve their data problems and they struggle to get more value out of their data investments. Data Mesh prescribes a shift to a decentralized architecture in domain ownership of data and a shift to data product thinking, beyond data for analytics, but data products and services that can be monetized. Now this a very powerful in our view, but they're difficult for organizations to get their heads around and further decentralization creates the need for a self-service platform and federated data governance that can be automated. And not a lot of standards around this. So it's going to take some time. At our power panel a couple of weeks ago on data management, Tony Baer predicted a backlash on Data Mesh. And I don't think it's going to be so much of a backlash, but rather the adoption will be more limited. Most implementations we think are going to use a starting point of AWS and they'll enable domains to access and control their own data lakes. And while that is a very small slice of the Data Mesh vision, I think it's going to be a starting point. And the last thing I'll say is, this is going to take a decade to evolve, but I think it's the right direction. And whether it's a data lake or a data warehouse or a data hub or an S3 bucket, these are really, the concept is, they'll eventually just become nodes on the data mesh that are discoverable and access is governed. And so the idea is that the stranglehold that the data pipeline and process and hyper-specialized roles that they have on data agility is going to evolve. And decentralized architectures and the democratization of data will eventually become a norm for a lot of different use cases. And Erik, I wonder if you'd add anything to this. >> Yeah. There's a lot to add there. The first thing that jumped out to me was that that mention of the word backlash you said, and you said it's not really a backlash, but what it could be is these are new words trying to solve an old problem. And I do think sometimes the industry will notice that right away and maybe that'll be a little pushback. And the problems are what you already mentioned, right? We're trying to get to an area where we can have more assets in our data site, more deliverable, and more usable and relevant to the business. And you mentioned that as self-service with governance laid on top. And that's really what we're trying to get to. Now, there's a lot of ways you can get there. Data fabric is really the technical aspect and data mesh is really more about the people, the process, and the governance, but the two of those need to meet, in order to make that happen. And as far as tools, you know, there's even cataloging names like Informatica that play in this, right? Istio plays in this, Snowflake plays in this. So there's a lot of different tools that will support it. But I think you're right in calling out AWS, right? They have AWS Lake, they have AWS Glue. They have so much that's trying to drive this. But I think the really important thing to keep here is what you said. It's going to be a decade long journey. And by the way, we're on the shoulders of giants a decade ago that have even gotten us to this point to talk about these new words because this has been an ongoing type of issue, but ultimately, no matter which vendors you use, this is going to come down to your data governance plan and the data literacy in your business. This is really about workflows and people as much as it is tools. So, you know, the new term of data mesh is wonderful, but you still have to have the people and the governance and the processes in place to get there. >> Great, thank you for that, Erik. Some great points. All right, for the next prediction, we're going to shine the spotlight on two of our favorite topics, Snowflake and Databricks, and the prediction here is that, of course, Databricks is going to IPO this year, as expected. Everybody sort of expects that. And while, but the prediction really is, well, while these two companies are facing off already in the market, they're also going to compete with each other for M&A, especially as Databricks, you know, after the IPO, you're going to have, you know, more prominence and a war chest. So first, these companies, they're both looking pretty good, the same XY graph with spending velocity and presence and market share on the horizontal axis. And both Snowflake and Databricks are well above that magic 40% red dotted line, the elevated line, to us. And for context, we've included a few other firms. So you can see kind of what a good position these two companies are really in, especially, I mean, Snowflake, wow, it just keeps moving to the right on this horizontal picture, but maintaining the next net score in the Y axis. Amazing. So, but here's the thing, Databricks is using the term Lakehouse implying that it has the best of data lakes and data warehouses. And Snowflake has the vision of the data cloud and data sharing. And Snowflake, they've nailed analytics, and now they're moving into data science in the domain of Databricks. Databricks, on the other hand, has nailed data science and is moving into the domain of Snowflake, in the data warehouse and analytics space. But to really make this seamless, there has to be a semantic layer between these two worlds and they're either going to build it or buy it or both. And there are other areas like data clean rooms and privacy and data prep and governance and machine learning tooling and AI, all that stuff. So the prediction is they'll not only compete in the market, but they'll step up and in their competition for M&A, especially after the Databricks IPO. We've listed some target names here, like Atscale, you know, Iguazio, Infosum, Habu, Immuta, and I'm sure there are many, many others. Erik, you care to comment? >> Yeah. I remember a year ago when we were talking Snowflake when they first came out and you, and I said, "I'm shocked if they don't use this war chest of money" "and start going after more" "because we know Slootman, we have so much respect for him." "We've seen his playbook." And I'm actually a little bit surprised that here we are, at 12 months later, and he hasn't spent that money yet. So I think this prediction's just spot on. To talk a little bit about the data side, Snowflake is in rarefied air. It's all by itself. It is the number one net score in our entire TISA universe. It is absolutely incredible. There's almost no negative intentions. Global 2000 organizations are increasing their spend on it. We maintain our positive outlook. It's really just, you know, stands alone. Databricks, however, also has one of the highest overall net sentiments in the entire universe, not just its area. And this is the first time we're coming up positive on this name as well. It looks like it's not slowing down. Really interesting comment you made though that we normally hear from our end-user commentary in our panels and our interviews. Databricks is really more used for the data science side. The MLAI is where it's best positioned in our survey. So it might still have some catching up to do to really have that caliber of usability that you know Snowflake is seeing right now. That's snowflake having its own marketplace. There's just a lot more to Snowflake right now than there is Databricks. But I do think you're right. These two massive vendors are sort of heading towards a collision course, and it'll be very interesting to see how they deploy their cash. I think Snowflake, with their incredible management and leadership, probably will make the first move. >> Well, I think you're right on that. And by the way, I'll just add, you know, Databricks has basically said, hey, it's going to be easier for us to come from data lakes into data warehouse. I'm not sure I buy that. I think, again, that semantic layer is a missing ingredient. So it's going to be really interesting to see how this plays out. And to your point, you know, Snowflake's got the war chest, they got the momentum, they've got the public presence now since November, 2020. And so, you know, they're probably going to start making some aggressive moves. Anyway, next prediction is something, Erik, that you and I have talked about many, many times, and that is observability. I know it's one of your favorite topics. And we see this world screaming for more consolidation it's going all in on cloud native. These legacy stacks, they're fighting to stay relevant, but the direction is pretty clear. And the same XY graph lays out the players in the field, with some of the new entrants that we've also highlighted, like Observe and Honeycomb and ChaosSearch that we've talked about. Erik, we put a big red target around Splunk because everyone wants their gold. So please give us your thoughts. >> Oh man, I feel like I've been saying negative things about Splunk for too long. I've got a bad rap on this name. The Splunk shareholders come after me all the time. Listen, it really comes down to this. They're a fantastic company that was designed to do logging and monitoring and had some great tool sets around what you could do with it. But they were designed for the data center. They were designed for prem. The world we're in now is so dynamic. Everything I hear from our end user community is that all net new workloads will be going to cloud native players. It's that simple. So Splunk has entrenched. It's going to continue doing what it's doing and it does it really, really well. But if you're doing something new, the new workloads are going to be in a dynamic environment and that's going to go to the cloud native players. And in our data, it is extremely clear that that means Datadog and Elastic. They are by far number one and two in net score, increase rates, adoption rates. It's not even close. Even New Relic actually is starting to, you know, entrench itself really well. We saw New Relic's adoption's going up, which is super important because they went to that freemium model, you know, to try to get their little bit of an entrenched customer base and that's working as well. And then you made a great list here, of all the new entrants, but it goes beyond this. There's so many more. In our emerging technology survey, we're seeing Century, Catchpoint, Securonix, Lucid Works. There are so many options in this space. And let's not forget, the biggest data that we're seeing is with Grafana. And Grafana labs as yet to turn on their enterprise. Elastic did it, why can't Grafana labs do it? They have an enterprise stack. So when you look at how crowded this space is, there has to be consolidation. I recently hosted a panel and every single guy on that panel said, "Please give me a consolidation." Because they're the end users trying to actually deploy these and it's getting a little bit confusing. >> Great. Thank you for that. Okay. Last prediction. Erik, might be a little out of your wheelhouse, but you know, you might have some thoughts on it. And that's a hybrid events become the new digital model and a new category in 2022. You got these pure play digital or virtual events. They're going to take a back seat to in-person hybrids. The virtual experience will eventually give way to metaverse experiences and that's going to take some time, but the physical hybrid is going to drive it. And metaverse is ultimately going to define the virtual experience because the virtual experience today is not great. Nobody likes virtual. And hybrid is going to become the business model. Today's pure virtual experience has to evolve, you know, theCUBE first delivered hybrid mid last decade, but nobody really wanted it. We did Mobile World Congress last summer in Barcelona in an amazing hybrid model, which we're showing in some of the pictures here. Alex, if you don't mind bringing that back up. And every physical event that we're we're doing now has a hybrid and virtual component, including the pre-records. You can see in our studios, you see that the green screen. I don't know. Erik, what do you think about, you know, the Zoom fatigue and all this. I know you host regular events with your round tables, but what are your thoughts? >> Well, first of all, I think you and your company here have just done an amazing job on this. So that's really your expertise. I spent 20 years of my career hosting intimate wall street idea dinners. So I'm better at navigating a wine list than I am navigating a conference floor. But I will say that, you know, the trend just goes along with what we saw. If 35% are going to be fully remote. If 70% are going to be hybrid, then our events are going to be as well. I used to host round table dinners on, you know, one or two nights a week. Now those have gone virtual. They're now panels. They're now one-on-one interviews. You know, we do chats. We do submitted questions. We do what we can, but there's no reason that this is going to change anytime soon. I think you're spot on here. >> Yeah. Great. All right. So there you have it, Erik and I, Listen, we always love the feedback. Love to know what you think. Thank you, Erik, for your partnership, your collaboration, and love doing these predictions with you. >> Yeah. I always enjoy them too. And I'm actually happy. Last year you made us do a baker's dozen, so thanks for keeping it to 10 this year. >> (laughs) We've got a lot to say. I know, you know, we cut out. We didn't do much on crypto. We didn't really talk about SaaS. I mean, I got some thoughts there. We didn't really do much on containers and AI. >> You want to keep going? I've got another 10 for you. >> RPA...All right, we'll have you back and then let's do that. All right. All right. Don't forget, these episodes are all available as podcasts, wherever you listen, all you can do is search Breaking Analysis podcast. Check out ETR's website at etr.plus, they've got a new website out. It's the best data in the industry, and we publish a full report every week on wikibon.com and siliconangle.com. You can always reach out on email, David.Vellante@siliconangle.com I'm @DVellante on Twitter. Comment on our LinkedIn posts. This is Dave Vellante for the Cube Insights powered by ETR. Have a great week, stay safe, be well. And we'll see you next time. (mellow music)

>>Hello and welcome back to the cube in person at an event AWS reinvent 2021. We're here live with two sets. Also virtual we've watched the cube on the site. Virtual sits a hybrid event. I'm John for your host of the cube. We're here for three days. Wall-to-wall covered chicken off day one. All about software. ISV is also the value of the cloud. We've got two great guests, John Grosse and senior vice president, chief revenue officer Prisma, cloud of Palo Alto networks. Welcome to the cube. >>Thank you for having me excited to be here. >>Three to Joseph's general manager technology partners from AWS. Thanks for coming on again. Good to see you. So obviously the story here at re-invent is Adam Lesley, new CEO taking over Andy Jassy, uh, tomorrow's a big keynote. We're expecting to hear that the cloud is kind of going next gen. The next gen cloud is here. It's about applications, modern applications and true infrastructure as code security is code data as code essentially, applications are now the number one priority. This is a big thing. This is part of the movement of the cloud. So I got to get your guys' perspectives. Where are we in that movement? What are customers doing as they migrate to the cloud? It's not just lift and shift. They're like, okay, I got to rearchitect my business. Big things are happening. What do you guys see? >>Well, I think there's a couple of big drivers at the highest level, right? Some customers are thinking about migrating their it estate to the cloud. They want to take cost out. They want to drive agility. They want to drive a better user experience and you have other customers that want to innovate, right? They want to drive innovation that leverage the cloud for innovation and increase their speed of execution. And as they look at that opportunity, they're having to rethink dev ops and which is making them also think more about DevSecOps and how are they going to accelerate that cloud application life cycle so they can take advantage of microservices. And in addition to that, as we look back on the last two years, as we were talking about before we came on the air and this unfortunate pandemic era that will maybe refer to it, as many customers have been thinking about their supply chains, you know, what am I going to do with my supply chain? How do I really take problems out of that supply chain? So I can continue to serve my customers in my markets. And it's also made them think about different ways to approach their customers. How do they reach their customers? And then how do they fulfill bill and continue to nurture those customer relationships? So I think it goes to the big drivers >>And the, and the security aspect is so huge. You guys have Palo Alto networks? No, that's just give us a perspective and reaction to that. As people digitize their business, you get security built in from day one. This is the number one thing we talk about on the cube bit, baking it in from day one, whether they say shifting left, whatever sure. It's your business, you're now digital. Yeah. >>What are the things that we think we bring to CEO's and CIS is into boards is really three different ways to get started with cloud native security. With Prisma cloud, you can start at the simplest of terms with posture management. I just want to inventory my assets and know what I have out there and make sure those are secure. I want to be compliant. We want to deliver on compliance and governance for my board, my leadership team, others are thinking about workload protection, Kubernetes, serverless containers. What am I going to do with those critical workloads that I'm now moving to the cloud? And then to your point, big push area is shifting security left. I've got to build security in right from the start of that application development life cycle change the way I think about CIC D and delivering those applications securely in the cloud and doing a fast now time to market on applications is critical for customers. And they've got to think about building security. And so they don't have to rework those apps and build security and later. >>So let's talk about what you guys have been doing with customers during the pandemic and how they're going to come out of it with a growth strategy. We had some great talks on our cube program around how the software development life cycle is changing, how modern applications are being built. And I'll see Amazon, you guys enable people to make money on top of Amazon because you make money too. But how are you guys helping customers? What's the big thing that come out of the pandemic. >>Yeah, so, well, the pandemic has been unfortunate for all of humanity, but through this, we have really seen customers accelerating their journey into AWS and security is top of mind for them as customers continue to digitize their software, they are really looking for solutions from Palo Alto networks on AWS. And what they're looking for is something very simple and cost-effective which Palo Alto has provided because of our long-term partnership. And as John mentioned, right due to the pandemic and many other factors around it, there have been many constraints placed on the supply chain, but the economies of scale with AWS has really helped partners and customers address many of these constraints. So we have seen a tremendous movement into AWS the last 20 months. >>And how, how has the partnership for Palo Alto networks been for you guys? Because I wrote in my article, I just posted last night around the preview of this event in my interview that has Leschi is that cloud is enabling the partners Amazon's cloud is enabling partners to do more than be a point solution. And that we're talking about a platform, not tools. I mean, this tools tools are great, but this notion of super clouds are developing where partners are leveraging more than just hosting, right? >>What's your partnerships always start and end with customers. So one of the things we're most excited about from a first of a cloud perspective is we now have over 800 calmly customers that are utilizing Prisma cloud is secure workloads and to secure their security posture management and shift security left using Prisma cloud on AWS. And the other, a couple of big ingredients that we've had together is really multi-dimensional partnership that makes that all possible, right? We're an advanced technology partner. We have a number of programs that we run together, and we've also been a part of a handful of product launches and innovation launches that we're super excited about, like what we've done with guard duty, like what we've also done with auto provisioning using control tower. So multi-dimensional partnership, which is always the best we think starts with customers. And then from there, what we've done is we've taken a really intentional programmatic approach as we think about innovation programs and go to market together. Yeah. >>Follow up on the, you know, mind, you guys have been very successful at Palo Alto networks as your customer base, the more, more sophisticated and smarter around cloud, you got to add more value and be responsive. What is the big trend in your customer base? You see with cloud? Are they obviously keeping stuff on, on premises for certain things, obviously security reasons, but also data's got to open up. So now you have a more of a bigger data aperture. >>Absolutely. Absolutely. And what's happening is what should happen, which is customers are asking us to do more and innovate faster. And so, you know, we're really excited about our recent launch at Prisma cloud 3.0 where it really expanded the platform. Uh, we're now bringing an adoption adviser, which is going to simplify the experience for our mutual customers so that they can more readily adopt CSPs CWPP and extend their utilization of the platform. At the same time, we've made a number of announcements about adding more value into our infrastructure as code approach, you know, shifting security left. So very excited about that. And, and so I think that, you know, what we're finding is that we're needing to listen to customers and quickly build and deliver, uh, innovation in the cloud is they're all trying to your point new use cases and stretching their needs for cloud security. >>I got to say one of my observations of the past two and a half years, even coming into the pandemic was security clearly being baked in from the beginning, but the pandemic really exposed those who were ready for it. Yeah. And that, and that's a big point. And now it's like dev sec ops, no one argues about it anymore. Right. It is what it is. Right. That's a huge difference from just five years ago. >>Absolutely true. Absolutely true. And now, you know, as you're seeing, you know, partnering with AWS customers are delivering actually their end product in the cloud. Right. And that is the most critical relationship is their customer's customer. And they've got to make sure that it absolutely is a secure user experience because now we're talking about customers, identity payment information, we're talking about critical customer relationship management now all in the cloud. And it has to be secured end to end. So very exciting opportunities. >>I mean, uh, you're under a lot of pressure. Now you have a lot of these big partners doing big business. They have big customers. I know they do. Palo Alto has a lot of great customers. How do you support them? What are you guys doing to continue to nurture and support your customers? >>Yeah. Customers is the key word there, John. So we provide value to Palo Alto and other partners to a number of different ways. But one approach that we take is called a well-architected review. It's a process which looks at the software solutions through pillars of security, reliability, performance, cost optimization, and operational excellence. And the reason for that is we want to make sure that the foundation for customers is laid in the best way possible. Because once you have that foundation laid, you can really, really build and scale your business. And so that is one of the ways we continue to provide value and Palo Alto we've taken the well-architected review through all of their solutions, bought the ones existing and the ones in the future. >>I got to say, I've noticed you guys have been using the word primitives a lot. Now it's foundational services. Um, because what we're talking about here is foundation. And a lot of the trends we're seeing from your customers, both is they want to refactor their business value in the cloud, the modern application trend, isn't just apps is about business model innovation in the software itself. So it's asking the infrastructure to be code, ask you to be programmable security with automation, all that AI, this is a trend. Do you guys agree with that? Yeah, >>I absolutely. I do. And I think what you're seeing now from customer's point of view is they need to build security into that application lifecycle mental model. They have to have an end-to-end vision of how they're going to deliver those, those applications at speed and do it, you know, utilizing cloud native architecture so that they can have microservices that deliver value in they're more flexible. And that's part of the power. I think of AWS and Palo Alto networks. First of all, cloud is we're enabling customers to innovate at speed shift left with security, build security into those apps, take rework out, deliver applications faster, which obviously drives more value to them. >>Yeah. I'd love to get your thoughts on something, John, if you don't mind, while you're here, we were talking about for reinvented around major inflection points and every major inflection point in the history of the tech industry, whenever there's a change of how people develop applications, speed and performance was super important. Critical. How do you guys see that? Cause you guys are on the front lines with security performance matters. Now whether it's in the cloud or in transit, what's your >>Absolutely absolutely. You know, it was really interesting in customer conversations. Even some of the customer conversations I've had today, every customer now starts a conversation with some element of cloud security, security, posture management, workload protection, identity data, but they all are coming back now to shifting left with security. It's part of every single conversation. Yes. I was primarily leaders into posture management. Oh, by the way, absolutely got to dive into how I'm going to shift left and build security in. And so that speed of development now I think is going to be a key competitive differentiator for customers. They're going to have to become experts at delivering on that entire application pipeline. >>But your reaction to that speeds and feeds >>Well, it is, I believe it's really important. And um, we're trying to do everything that we can help partners like Palo Alto network with our processes. And most importantly, scaling the business, which I'm sure we'll talk about shortly, how we work together to really get those 800 customers >>Talking about that. Cause you have the advanced technology partnership program. Talk about what you guys do there. >>Yeah. So first of all, I want to thank John and the entire Palo Alto team for building such an excellent partnership across build co-sale and co-market. And as an advanced technology partner, Palo Alto is part of four different competencies, security containers, DevOps networking. And the reason why these competencies are so crucial is because you're able to list your validated solutions with public customer references by use case in each of these competencies, which I think John, you would agree enables them, asked to do focus, demand generation activities through dev days, blog posts, webinars, account mapping, which of course generates those opportunities together. And Palo Alto is also part of our ISB accelerate program. So our sales team is in incented in order to work with Palo Alto and help them close opportunities. And then also you are on AWS marketplace, which enables you to do free trials and enabling you to really scale across the globe. And then we are also helping Palo Alto across the globe with resources, including public sector to help them scale their business. >>The whole selling thing is interesting as the chief revenue officer, it's like, oh yeah, I love that. Um, this is a big deal. Talk about that further. I know the marketplace is where people are buying, but it's a joint sales, Amazon salespeople sell for you, right? >>Cosa, we call it co-sale whereby we can share opportunities with each other. And when we do share those opportunities, the sales teams are engaging together to understand, Hey, what's going on at the customer? What are the pain points? What are the use cases, value proposition, and then going in together to the customer to win the deal. And then continuing that relationship beyond to continue to grow net new revenue, >>Not too shabby, is it, oh yeah. Get more feet on the street. So to speak and virtual, >>There you go. It works on both dimensions and to all the points you made. I mean, we have some terrific mechanisms we use together, you know, like immersion days, dev days where we're able to work with customers, deliver well-architected visions for our customers together. And when we were both designed in, it's obviously a great, it's a great win for the customer enables us to scale. >>I think it's a cutting and not everyone gets these services to, you have to be a certain lay level to get the joint selling. >>That is correct. That's an advanced technology partner and also as part of ISB accelerate, which is our very focused Cosell program. Awesome. >>Well, thanks so much for coming on the cube. Really appreciate. Congratulations on a great partnership. Uh, two great brands. Congratulations, final minute. Just what's your expectation. As we come out of this pandemic, what do you see customers doing? What's the one thing that all customers are preparing for coming out of the pandemic? What do you guys see? >>Well, I think now customers are preparing for acceleration in all of their routes to market. Right now they're having to anticipate their return to some of the normal routes to market that they've for some time now have been trying to reinvent around and trying to drive primarily digital, go to market. Now I think we're going to see growth on every dimension with our customers, because they're going to need to return to some kind of normal with their supply chains, delivering through brick and mortar and their traditional delivery models on top of driving hyper growth that they're already enjoying through their digital go-to-market. >>That's great insight. So, you know, your, your thoughts on companies coming out of the pandemic, looking for a growth strategy, what's the, >>Well, I think they're going to prepare in order to address this pandemic in the future, Some calamity of some way. Right. But I do think that what I'm observing personally, especially segments that have been slower to adopt because they wanted evidence. The pandemic has really increased that whether that's vaccine research or treatment research, it has really accelerated that. So I agree with John B going to >>See it all across the board. I mean, one thing I'd say just support those two awesome insights is that the pandemic expose what works and what doesn't work. Right. You can't hide the ball anymore. You know, if, if software's being used, it's successful. If not, as self-aware right. You can't hide the ball cloud. If it's not working, you know what right away. Yeah. Thanks so much for coming on the Cape. Really appreciate it. Thank you very much. Okay. Cube coverage here at reinvent live 2021. I'm John for your host of the cube. Stay with us wall to wall coverage for the next four days here in the queue.

(upbeat music) >> Welcome back to theCUBE coverage of AWS re:Invent 2021. I'm John Furrier, your host for theCUBE. In this segment, we're going to be talking about Red Hat and the AWS evolving partnership. A great segment, really talking about how Hybrid and the Enterprise are evolving, certainly multicloud and the horizon. But a lot of benefits in the cloud, we've been covering on theCUBE and on SiliconANGLE with Red Hat for the past year. Very relevant. We've got Gunnar Hellekson, GM of Red Hat Enterprise Linux, And Joe Fernandes, VP and GM of the Hybrid Platforms, both of Red Hat. Gentlemen, thanks for coming on theCUBE. >> Yeah, thanks for having us. >> Thanks for having us John. >> So, you know, me, I'm a fan boy of Red Hat. So I always say, you guys made all the right investments, OpenShift, all these things that you guys made decisions years ago playing out beautifully. And I think, you know, with Amazon's re:Invent, you're seeing the themes all play out. Modern application stack, you're starting to see things at the top of the stack evolve, you've got 5G in the Edge, workloads being redefined and expanded on the cloud with Cloud Scale. So everything has been going down to Hybrid and Enterprise grade level discussions. This is in the Wheelhouse of Red Hat. So I want to congratulate you. But what's your reaction? What do you guys see this year at re:Invent? What's the top story? >> I can start. >> Who wants to start with first? >> Sure, I mean, clearly, AWS itself is huge. But as you mentioned, the world is Hybrid, right, so customers are running still in their data center, in the Amazon Public Cloud across multiple Public Clouds and out to the Edge and bring in more and more workloads. So it's not just the applications, analytics. It's AI, it's machine learning. And so, yeah, we can expect to see more discussion around that, more great examples of customer use cases. And as you mentioned, Red Hat has been right in the middle of this for some time John. >> You guys also had some success with the fully managed OpenShift service called ROSA, R-O-S-A, which is Red Hat OpenShift Service on AWS, another acronym, but really this is about what the customers are looking for. Can you take us through an update on OpenShift on AWS, because the combination of managed services in the cloud, refactoring applications, but working on-premises is a big deal. Take us through why that's so important. >> Yeah, so, we've had customers running OpenShift on AWS for a long time, right? So whether it's our software-based offerings where customers deploy OpenShift themselves, or our fully managed cloud service. We've had cloud services on AWS for over five years. What ROSA brings or Red Hat OpenShift on AWS is a jointly managed service, right? So we're working in partnership with Amazon, with AWS to make OpenShift available as a jointly-managed service offering. It's a native AWS service offering. You can get it right through the AWS console. You can leverage your AWS committed spend. But, most importantly, you know, it's something that we're working on together. Bringing new customers to the table for both Red Hat and AWS. And we're really excited about it because it's really helping customers accelerate their move to the public cloud and really helping them drive that Hybrid strategy that we talked about. >> Gunnar, you know what I want to get your thoughts on this, because one of the things that I love about this market right now is open-source continues to be amazing, continues to drive more value, and there's new migration of talent coming in. The numbers are just continuing to grow and grow. But the importance of Red Hat's history with AWS is pretty significant. I mean, Red Hat pioneered Open-source and it's been involved with AWS from the early days. Can you take us through a little bit of history for the folks that may not know Red Hat's partnership with AWS? >> Yeah. I mean, we've been collaborating with AWS since 2008. So for over a decade we've been working together, and what's made the partnership work is that we have a common interest in making sure that customers have a consistent approachable experience. Whether they're going on-premise or in the cloud. Nobody wants to have to go through an entire retraining and retooling exercise just to take advantage of all the great advantages of the cloud. And, so being able to use something like Red Hat Enterprise Linux as a consistent substrate on which you can build your application platforms is really attractive. So, that's where the partnership started. And since then we've had the ability to better integrate with native AWS services. And one thing I want to point out is that, a lot of these integrations are kind of technical. It's not just about technical consistency across these platforms, it's also about operational consistency and business concerns. And when you're moving into an Open Hybrid Cloud kind of a situation, that's what becomes important, right? You don't want to have two completely different tool sets on two completely different platforms. You want as much consistency as possible as you move from one to the other. And I think a lot of customers see value in that, both for the Red Hat Enterprise Linux side of the business, and also on the OpenShift side of the business. >> Well that's interesting. I'd love to get your both perspective on this whole Enterprise focus, because the Enterprise is, as you know, guys you've been there from the beginning, they have requirements. And there're sometimes, they're different by Enterprise. So as you see cloud, and I remember early days of Amazon, it's the 15th year of AWS, 10th year of re:Invent as a conference. I mean, that seems like a lifetime ago. But that's not, not too far ago where, you know, it was like, well, Amazon might not make it, its only for developers. Enterprisers do their own thing. Now it's like, it's all about the Enterprise. How are Enterprise customers evolving with you guys? Because they're all seeing the benefit of replatforming. But as they refactor, how has Red Hat evolved with that trend and how have you helped Amazon? >> Yeah, so as we mentioned, Enterprisers really across the globe are adopting a Hybrid Cloud Strategy. But, Hybrid actually isn't just about the infrastructure. So, its certainly the infrastructure where these Enterprisers are running these applications is increasingly becoming Hybrid as you move from data center to multiple public clouds and out to the Edge. But the Enterprisers application portfolios are also Hybrid, right? It's a Hybrid mix of very traditional monolithic and tier type applications. But also new cloud native services that have either been built from scratch, or as you mentioned, existing applications have been refactored. And then they're moving beyond the applications, as I mentioned to make better use of data. Also evolving their processes for how they build, deploy, and manage, leveraging, CI/CD and GitOps and so forth. So really for us it's, how do you help Enterprises bring all that together, right? Manage this Hybrid infrastructure that's supporting this Hybrid portfolio of applications that really help them evolve their processes. We've been working with Enterprises on these types of challenges for a long time. And we're now partnering with Amazon to do the same in terms of our joint product and service offerings. >> Talking about the RHEL evolution. I mean, because that's the bread and butter for Red Hat. It has been there for a long time. OpenShift again, making argument earlier, I mentioned the bets you guys made with Kubernetes, for instance, and it's all been made with all the right moves. So I love ROSA. You got me sold on that. RHEL though has been the tried and true steady workhorse. How has that evolved with workloads? >> Yeah, you know, it's interesting. I think when customers were at the stage, when they were wondering, if well, can I use AWS to solve my problem, or should I use AWS to solve my problem? Our focus was largely on kind of technical enablement. Can we keep up with the pace of new hardware that Amazon is rolling up? Can we ensure that consistency with the on-premise and off-premise? And I think now we're starting to shift focus into really differentiating RHEL on the AWS platform. Again, integrating natively with AWS services, making it easier to operate in AWS. And a good example of this is using tools like Red Hat Insights, which we announced, I guess, about a year ago. Which is now included in every Red Hat Enterprise Linux subscription. Using tools like Insights in order to give customers advice on maybe potential problems that are coming up, helping customer solve them. Can the customers identify problems before they happen? Helping them with performance problems. And again, having additional tools like that, additional cloud-based tools, makes RHEL as easy to use on the Cloud despite all the complexity of all the redeploying, refactoring, microservices, there is now a proliferation of infrastructure options, and to the extent that RHEL can be the thing that is consistent, solid, reliable, secure, just as customers are getting in, then we can make customer successful. >> You know, Joe, we talked about this last time we were chatting, I think Red Hat Summit or Ansible Fest, I forget which event it was, but we were talking about how modern application developers at the top of the stack just want to code. They want to write some code, and now they want the infrastructure's code, AKA DevOps, DevSecOps, but as this trend of moving up the stack continues to be a big theme at re:Invent, that requires automation. That requires a lot of stuff that happened under the covers. Red Hat is at the center of all this action from historical perspective, pre-existing Enterprises before Cloud now, during Cloud, and soon to be Cloud Scale, how do you see that evolving? Because how are customers shaping their architecture? Cause this is distributed computing in the cloud. It's essentially, we've seen this moving before, but now at such a scale where data, security, these are all new elements. How do you talk about that? >> Yeah, well, first of all, got to mention, Linux is a given right. Linux is going to be available in every environment, data center, Public Cloud, Edge. Linux combined with Linux containers and Kubernetes, that's the abstraction like abstracting the applications away from the infrastructure. And now it's all about how do you build on top of that to bring that automation that you mentioned. So, we're very focused on helping customers really build fully automated end to end deployment pipelines, so they can build their applications more efficiently. They can automate the continuous integration and deployment of those applications into whatever Cloud or Edge footprint they choose. And that they can promote across environments. Because again, it's not just about developing the applications, it's about moving them all the way through to production where their customers are relying on those services to do their work and so forth. And so that's what we're doing is, you know, obviously I think, Linux is a given, Linux, Containers, Kubernetes. Those decisions have been made and now it's a matter of how can we put that together with the automation that allows them to accelerate those deployments out to production so customers can take advantage of them? >> You know, Gunnar, we were joking in theCUBE. I was old enough to remember we used to install Linux on a server back in the day. Now a lot of these young developers never actually have to install the software and do some of those configurations 'cause it's all automated now. Again, the commoditization and automation trend, abstraction layers, some say, is a good thing. So how do you see the evolution of this DevOps movement with the partnership with AWS going forward? What types of things are you working on with Amazon Web Services and what kind of offerings can customers look forward to? >> Yeah, sure. So, I mean, it used to be that as you say, Linux was something that you managed with a mouse and keyboard. And I think it's been quite a few years since any significant amount of Linux has been managed with a mouse and a keyboard. A lot of it is scripts, automation tools, configuration management tools, things like this. And the investments we've made both in RHEL and in specifically RHEL on AWS is around enabling RHEL to be more manageable. And so, including things like something we call System Roles. So these are Ansible modules that kind of automate routine system's administration tasks. We've made investments in something called Image Builder. And so this is a tool that allows customers to kind of compose the operating system that they need, create a blueprint for it, and then kind of stamp out the same image, whether it's an ISO image, so you can install it on-premise or an AMI so we can deploy it in AWS. So again, the problem used to be helping customers package and manage dependencies and that kind of old world, three and a half-inch floppy disc kind of Linux problems. And now we've evolved towards making Linux easier to deploy and manage at a grand scale whether you're in AWS or whether you're On premise. >> Joe, take us through the Hybrid story. I know obviously success with OpenShifts Managed Service on AWS. What's the update there for you? What are customers expecting this re:Invent and what's the story for you guys? >> Yeah, so, you know, the OpenShift Managed Services business this is the fastest growing segment of our business. We're seeing lots of new customers. And again, bringing new customers, I think for both Red Hat and AWS through this service. So, we expected to hear from customers at re:Invent about what they're doing. Again, not only with OpenShift and our Red Hat solutions, but really with what they're building on top of those service offerings, of those solutions to sort of bring more value to their customers. To me, that's always the best part of re:Invent is really hearing from customers. And when we all start going there in person again, to actually be able to meet with them one-on-one, whether it's in person or virtual and so forth. So, looking forward to that. >> Well, great to have you guys on theCUBE. Congratulations on all success. The Enterprise continues to adopt more and more Cloud which benefits all the work you guys have done both on the RHEL side, and as you guys modernize with all these great services and managed services continues to be the center of all the action. Thanks for coming on. Appreciate it. >> Thanks John. >> Thank you. >> Okay, Red Hat's partnership with AWS evolving as Cloud scale Edge, all distributed computing, all happening at large scale. This is theCUBE with CUBE coverage of AWS re:Invent 2021. I'm John Furrier. Thanks for watching. (upbeat music)

(upbeat music) >> Welcome to the Q3 "AWS Startup Showcase", I'm Lisa Martin. We're going to be talking about new breakthroughs in DevOps, Data Analytics and Cloud Management Tools, with WhiteSource Software, at least for the DevOps track. I'm excited to welcome Susan StClair, Director of Product at WhiteSource software to the program. Susan, it's great to see you! >> Oh, very excited to be here, Lisa, thank you. >> We've got a lot of stuff to talk about today, but ultimately, the theme that Susan's going to talk to us about us is, winning developer's trust is key to scaling-up open source security for the enterprise. We're going to unpack that. You talk about, that winning that trust is key, shifting left won't work without developers buy-in. Susan, help us understand this. >> Yeah, sure, so- on some of the topics we have later but you look at the rate of applications of being the pool of how fast that is, and you look at development teams of hundreds and you have the OpSec teams of five or ten, and they just can't do it all, so, really, you need to leverage everybody who's part of the application to really be able to make sure that you're developing and deploying and releasing a secure application. So, that's the Shifting Left. Unfortunately, I think what's happened is, because application security is overwhelmed and because they're like, "Oh, we have all of these developer teams over here, and it's their code, and they should fix it." And they just kind of dumped application security on them and the poor development teams are like, "but that's not what I do, I don't have any expertise in there." So if you really, truly, want a Shift Left to work, you do need to build that buy-in, you do need to build the trust with your extended team, for lack of a better word. And, really start to look at things that are important to them. So automated tools, making sure that they work with their tools sets and their processes. Looking at automation, not just in terms of scanning but also remediation. You just really need to start to work with them and think about application releases in a different mindset. >> And your recommendation here is also to build that trust gradually, and to let developers control the pace- >> Absolutely >> And the level of automation. Talk to me about why it's important to give the developers that control? >> Yeah, sure. Again, I think nobody likes to be told what to do, I certainly don't, don't tell me how to do my job. So, I think, that because historically application security and development have really been at odds. It has been somewhat of a confrontational relationship, so, I think as you're starting to build that trust, you do need to go slow. Where does it make sense to add in auto-remediation solution like WhiteSource, right? Where does it make sense? We don't want to do it everywhere, we don't want to overwhelm development teams with this. So, really start to look, let them control the pace, build that trust, build that. This is a good thing for everybody. And, again, I think with tools like WhiteSource, the solution software, you can pick and choose, it's not an all or nothing. We're going full automation, full remediation, one-stop-shopping, I mean you can kind of control the pace as you start to build that trust between the various teams. >> Is that differentiator for WhiteSource the ability for this auto-remediation tool to let them control that? >> Yeah, it definitely is, and I know it just rolls off the tongue, doesn't it? Just rolls off the tongue. >> It really does. (both laughing) >> Say it ten times fast >> I'm afraid to. >> Exactly, exactly. So, no, it actually, absolutely is a differentiator for us. And again when we look at, looking at our customer base and enterprise and we look at, even maybe smaller teams that trust is really made us successful and the key to that trust is really that controlling the pace with auto-remediation. And, some of the other automation pieces to the solution. >> And speaking of customers, you guys have 23% of the Fortune 100 as customers, give me an example of one of your favorite customers that you think really shows the value that WhiteSource is giving to those developers by giving them that control. >> Yeah, sure. So I feel like we're like the big company or bigger company that nobody has heard of outside of this space. But, not naming names, but large financial customers and really shifting application security, open-source application security, to the hands of the development teams. So they've actually, again, small application team, they've really pushed it out to the development teams as part of a repo-integration for scanning, for ticket creation, for auto-remediation, and that's really, let them scale beyond, just one or two teams to thousands of repos, for example. I mean, that is, in my opinion, a huge use case or huge validation of that this works. This isn't just somebody talking about how cool their software is and it's not based in reality. >> A stat that I read about WhiteSource offer that I wanted to get your feedback on, is that, "WhiteSource goes beyond traditional detection, providing dependency and trace analysis and that this helps organizations eliminate upto 85% of security alerts." That's a big number. Talk to me about how you guys do that and the advantages that delivers. >> Yeah, sure, so I think like the one of the challenges with, historically, with open-source solutions, is that they scan and they get this result, and you could have hundreds and thousands of insecure libraries and you're like, "Holy moly, where do I even start?" It's just completely overwhelming. And then you dig into little deeper and again starting to build that trust with development teams, and the development teams comes back to you and says, "Well, hey, guess what? Yeah I know that library is insecure, but I'm not using that part of that library." So, it's really kind of a false-positive. So, what this dependency tracing does and how it helps with prioritization, is it says, "Okay, we see this particular library, this vulnerable open-source library, and it is in your execution path, we can see that you're using it." So then, you're able to say, "Okay, I should definitely fix this, because we're using it, or maybe not." Maybe, again, it's part my backlog yes, we should always keep up-to-date, and be completely secure. But having that ability to prioritize where to start and having the alerts based on that really reduces the noise. And again, it builds the trust between the teams. >> So, we talked from the beginning about shifting left isn't going to work without developers buy-in, the idea of using auto-remediation tools to let developers control that pace, the OpSec folks, the Dev folks, we also have for, I believe, it's the fifth consecutive year now, a huge gap in cybersecurity skills. I think I've seen some reports estimating that there needs to be another three million professionals in the next five years to help fill that gap and at the same time we're seeing the security landscape changing dramatically. Talk to me about how the cybersecurity skills gap is affecting developers, OpSec folks, and what your seeing as a tool that can help remediate some of that. >> Sure, yeah, no, that's, I mean that is the challenge. And I would even say that there seems to those skills gap on the development side too. But, I think that in terms of some of the challenges with that, so you have to look at ways, how can we be smarter about things. So, we don't have people, large teams where they know everything about application security and open-source security that we can really rely on to drive remediation, but, also to use these tools that all of us bought that do different things, that aren't correlated but to kind of provide that glue. So, where WhiteSource, I think is trying to address this is, again, if I don't have the people, and I don't have the skillsets, first of all automation, right? So, the more that we can automate, the better. But, not just again, automating on the scanning side, I think that's certainly a part of it, but again, looking at how we can help development teams that are maybe not security experts, and keeping them up-to-date and giving them, again, automatic remediation so that they can fix things without having a really depth that you would expect in a cybersecurity professional. >> I'm sure they appreciate that, not having to have that depth, because there really isn't, in terms of developers, there isn't the time. Speed is always of the essence there. One of the things too that I know, is there's lot of tools being used, you mentioned that. How can WhiteSource Software help the developers to better utilize some of the tools that they have or not just be buying tools to check boxes? >> Yeah, sure. So, yeah it's sad fact, I think, within our industry, probably more than just our hours, but really a lot of decisions, purchasing decision are based on the, "Well, I need to scan because somebody told me to and I that I had to, and I'm going to check the box. I'm not really interested in fixing anything, I just need to check that box." And, I think, historically, when it comes to tool selection, again, because application security is really focused on that check-the-box because they need to do that for a compliance or governance reason, they really haven't taken into heart the teams that would actually be using them and having to make the magic happen. So, they would prioritize things that, again, maybe OpDev wouldn't, so, again does it work with my tools? As a developer, I live in my IDE, I live in my code-repo, I live in my ticketing system, security doesn't typically care anything about that. So, I think with WhiteSource, again, providing the tools that the OpSec team needs. So again, the compliance reports and the policies and all this stuff we love. Also providing, again, the way to easily fit into developer workflows, that's how we're helping to move beyond, okay, we're checking the box but we do want to actually fix something and we want to move the target along. So we're really, I think, helping address that need as well. >> I know you guys did a DevSec Ops Insights Report recently, unpack that a little bit with some of the key findings that have come out of that. >> Yeah, no, that's great, so it's very interesting. First of all I think we in the industry we talk a lot about DevSecOps and that security is part of the DevOps process and everything is good. But when you actually talk to people, I think, two things, one, it's very much a work in progress, absolutely, and a lot of that is part of the tooling. I think, too, like what we've found as a part of this survey, is that the developers, are often, they feel forced to, okay, I'm shifting left, you're telling me I own security, but you're also telling me that I need to get this application out the door. I need this to compete. So, they're really being forced into hard choices of which one to prioritize, and that really comes down to a culture thing. What is more important to you. Being secure or being competitive? And how do you weigh that? So, I thought that was actually very interesting, I think that we tend to give OpDev teams a bad rap but they're really doing the best they can and they need clear guidance and there needs to be a security culture for them to operate in. >> Right, that's a really big one that you just hit on, that cultural impact. It's hard to change. In the last 18 months, we've all been through so much change, personally and professionally. We've seen this massive acceleration in digital transformation, so probably more pressure on developers who need to be able to be productive from work, from anywhere environments, that that cultural change, is really critical. I'm curious if you have some feedback from customers that have done it successfully or are in the process of doing it successfully that you can share? >> Yeah, change is hard, no matter where it's at. Absolutely. So, I think, like where we've seen the most successful of our customers, around this specifically, it truly is both a top-down and bottom-up approach. From a top-down, you can't just give lip-service that application security is important. You can't just say, "Oh, again from a compliance check-the-box, point-of-view, we scan, and we're looking, and, oh look, we have these statistics. You have to really have to live it. And what I mean by that is, when you're developing new applications it's just as important as the feature list. Security bugs are just as important as any other type of bugs. So again, it goes into the workflow of the application development teams and you don't make them make these hard trade-offs all the time between security and release. And then, from the bottom-up, again, you need to be where your teams are at. You can't ask them to go into another tool, or another thing, or another this and that. They have things to do. You have to be where they are. And you, have to give targeted, actionable, not things they have to go research, a guidance, and automate as much as you can. Again, both on the scanning as well as on the remediation side. >> Meet them where they are and facilitate that automation. Susan, thank you so much for joining me today, talking about- >> My pleasure. >> How WhiteSource Software is helping that, and also for the challenge of saying auto-remediation 10 times in a row, fast. (Susan laughing) I might practice that later. But it's been great talking to you. >> That will be my home work. Likewise. >> Exactly! Thank you so much for joining me. >> My pleasure. >> This has been our coverage of the "AWS Startup Showcase", New Breakthroughs in DevOps, Data Analytics and Cloud Management tools. For Susan StClair, I'm Lisa Martin. Thanks for watching. (gentle music)

>> Narrator: From theCUBE Studios in Palo Alto in Boston, connecting with thought leaders around the globe, these are Cloud Native Insights. >> Hi, I'm Stu Miniman the host of cloud native insights. And when we started this weekly program, we look at Cloud Native and you know, what does that mean? And of course, one of the most important topics in IT coming into 2020 was security. And once the global pandemic hit, security went from the top issue to oh my gosh, it's even more important. I've said a few times on the program while most people are working from home, it did not mean that the bad actors went home, we've actually seen an increase in the need for security. So really happy to be able to dig in and talk about what is Cloud Native security, and what should that mean to users? And to help me dig into this important topic, happy to welcome back to the program one of our CUBE alumni Dan Hubbard, he is the CEO of Lacework. Dan thanks so much for joining us. >> Thanks Stu. Happy to be here. >> Alright, so we don't want to argue too much on the Cloud Native term, I agree with you and your team. It's a term that like cloud before, it doesn't necessarily have a lot of meaning. But when we talk about modernization, we talked about customers leveraging the opportunity in innovation and cloud security of course is super important. You know most of us probably remember back, you go back a few years and it's like, "Oh well I adopt cloud. "It's secure, right? "I mean, it should just be built into my platform. "And I should have to think about that." Well, I don't think there's anybody out there at least hopefully there's not anybody out there that thinks that anything that I go to will just be inherently fully secure. So give us a little bit if you would, you know where you see us here in 2020 security's a complex landscape. What are you seeing? >> Yeah, so you know a lot of people as you said, used to talk about what's called the shared responsibility model, which was the cloud provider is responsible for a bunch of things. Like the physical access to the data center, the network, the hypervisor and you know that the core file system and operating system and then you're responsible for everything else that you could configure. But there's something that's not talked about as much. And that's kind of the shared irresponsibility model that's happening within companies where developers are saying they're not responsible for security saying that they're moving too fast. And so what we are seeing is that you know, as people migrate to the cloud or of course are born in the cloud, this notion of DevSecOps, or you know SecDevOps whatever you want to call it, is really about the architecture and the organization. It's not just about technology, and it's not just about people. And it's more about layer seven and eight, than it is about layer one to three. And so there's a bunch of trends that we're seeing in successful companies and customers and prospects will be seeing the market around how do they get to that level of cooperation between the security and the developers in the operation teams? >> Yeah Dan, first of all fully agree with what you're saying. I know when I go to like serverless.com they've got everybody chanting that security is everyone's responsibility. You know I think back to DevOps as a trend, when I read the Phoenix project it was, oh hey, the security is not something that you do bolt on, we're looking at after it's something that you need to shift into everyone thinking about it. Security is just going to be baked in along the process all the way. So the DevOps fail us when it comes to security, why do we need DevSecOps? You know why are you know as you say seven and eight the you know, political and organizational challenges still so much of an issue you know, decades into this discussion? >> Yeah. You know I think there's a few moving parts here and kind of post COVID is even more interesting is that companies have incredibly strategic initiatives to build applications that are core to their business. And in post COVID it's almost existential to their business. If you think of you know, markets like retail and hospitality and restaurants you know, they have to figure out how to digitize and how to deliver their business without potentially physical you know, access to two locations. So as that speed has happened, some of the safety has been left behind. And it's easy to say you have to kind of you know, one of our mantras is to run with speed and safety. But it's kind of hard to run with scissors you know, and be safe at the same time. So some of it is just speed. And the other is that unfortunately, the security people in many ways and the security products and a lot of the security solutions that are out there, the incumbents if you will, are trying to deliver their current solution in a cloud way. So they're doing sometimes it's called Cloud built or you know what I call Cloud washing and they're delivering a system that's not applicable to the modern infrastructure in the modern way that developers are building. So then you have a clash between the teams of like, "Hey I want to do this." And then I'd be like, "No you can't do that get out of our way. "This is strategic to the business." So a lot of it has just been you know, kind of combination of all those factors. >> Alright so Dan, we'll go back to Cloud Native security, you talked about sometimes people are Cloud washing, or they're just taking what they had putting it in the cloud. Sometimes it's just, oh hey we've got a SaaS model on this. Other times I hear cloud native security, and it just means hey I've got some hooks into Containers or Kubernetes. What does modern security look like? Help us understand a little bit. You mentioned some of the you know, legacy vendors what they're doing. I see lots of new security startups, some in you know specifically in that, you know, Kubernetes space. There's already been some acquisitions there. So you know, what do you see out there? You know what's good, what's bad in the trends that you're seeing? >> Yeah so I think the one thing that we really believe is that this is such a large problem that you have to be 100% focused on it. You know if you're doing this, you know, securing your infrastructure and securing your modern applications, and doing other parts of the business whether it's you know securing the endpoints of the laptops of the company and the firewall and authentication and all kinds of other things you have competing interests. So focus is pretty key. And it's obviously a very large addressable problem. What the market is telling us is a few things. The first one is that automation is critical. They may not have as many people to solve the problem. And the problem set is moving at such a scale that it's very, very hard to keep up. So a lot of people ask me you know, what do I worry about? You know, how do I stay awake at night? Or how do I get to sleep? And really the things I'm worried most about in the way where I spend most of my time on the product side is about how fast are builders building? Not necessarily about the bad guys. Now the bad guys are coming and they're doing all kinds of innovative and interesting things. But usually it starts off with the good guys and how they're deploying and how they're building. And you know, the cloud providers literally are releasing API's and new acronyms almost weekly it seems. So like new technology is being created such a scale. So automation the ability to adapt to that is one key message that we hear from the customers. The other is that it has to solve or go across multiple categories. So although things like Kubernetes and Containers are very popular today. The cloud security tackle and challenges is much more complex than that. You've got infrastructure as code, you've got server lists, you've got kind of fragmented workloads, whether some are Containers, some are VMs, maybe some are armies and then some are Kubernetes. So you've got a very fragmented world out there, and all of it needs to be secured. And then the last one is probably the most consistent theme we're hearing is that as DevOps becomes involved, because they know the application and the stack much better than security, it has to fit into your modern workflow of DevOps. So that means you know, deep integrations into Jira and Slack and PagerDuty and New Relic and Datadog are a lot more important in integrating to your you know, Palo Alto firewall and your Cisco IDs system and your endpoint you know antivirus. So those are the real key trends that we're seeing from the customers. >> Yeah Dan, you bring up a really important point, leveraging automation. I'm wondering what you're hearing from customers, because there definitely is a little bit of concern, especially if you take something like security and say, okay well, automation. Is that something that I'm just going to let the system do it? Or is it giving me to getting me to a certain point that then a human makes the final decision and enacts what's going to happen there? Where are we along that journey? >> Yeah, so I think of automation in two lenses. The first lens is efficacy, which is you know do I have to write rules? And do I have to tune train and alter the system over time? Or can it do that on my behalf? Or is there a combination of both? So the notion of people writing rules and building rules is very, very hard in this world because things are moving so quickly. You know, what is the KMS you know threat surface? The threat attacks are just changing. And typically what happens when you write rules is they're either too narrow and you messed up or they're too broad you just get way too much noise. So there's automating the efficacy of the system. That's one that's really critical. The other one that is becoming more important is in the past it was called enforcement. And this is how do I automate a response to your efficacy. And in this scenario it were very, very early days. Some vendors have come out and said you know, we can do full remediation and blocking. And typically what happens is the DevOps team kind of gives the Heisman to the security team it says, "No, you're not doing that." You know this is my production servers, and my infrastructure that's you know running our business, you can't block anything without us knowing about it. So I think we're really early. I believe that you know we're going to move to a world that's more about orchestration and automation, where there's a set of parameters where you can orchestrate certain things or maybe an ops assist mode. You know for example, we have some customers that will send our alerts to Slack, then they have a Slack bot and they say, "Okay, is it okay that Bob just opened "an S3 bucket in this region, yes or no?" No, and then it runs a serverless function and closes it. So there's kind of a what we call driver assist mode versus you know full you know, no one behind the steering wheel today. But I think it's going to mature over time. >> Yeah, Dan one of the other big challenges customer has is that their environments are even more fragmented than they would in the past. So often they're leveraging multiple cloud providers, multiple SaaS providers then they have their hosting providers. And security is something that I need to have holistically across these environments but not have to worry about okay, do I have the skill set and understanding between those environments? Hopefully you know that's something you see out there and want to understand, you know how the security industry in general and maybe Lacework specifically is helping customers, get their arms a little bit more around that multi cloud challenge if you will? >> Yeah. So I totally agree things are you know, I think we have this Silicon Valley, West Coast bias that the world is all you know, great. And it says to utopia Kubernetes, modern infrastructure, everything runs up and down, and it's all you know super easy. The reality is much different. Even in the most sophisticated sets of infrastructure in the most sophisticated customers are very fragmented and diverse. The other challenge that security runs into is security in the past a lot of traditional security mindsets are all about point in time. And they're really all about inventory. So you know, I know used to be able to ask, you know a security person, how many servers do you have? Where are they? What are they doing this? They say, "Oh, you know we have 10 racks with 42 servers in each rack. "And here's our IP addresses." Nowadays, the answer is kind of like, "I don't know what time is it you know, "how busy is a service?" It's very ephemeral. So you have to have a system which can adapt with the ephemeral nature of everything. So you know in the past it was really difficult to spin up, say 10,000 servers in a Asia data center for four hours to do research you know. Security probably know if that's happening, you know they would know through a number of different ways could make big change control window would be really hard they have to ship the units, they bake them in you know, et cetera. Nowadays that's like three lines of code. So the security people have to know and get visibility into the changes and have an engine which can determine those changes and what the risk profile of those in near real time. >> Yeah it's the what we've seen is the monitoring companies out there now talking all about observability. Its real time, it's streamings. You know it reminds me of you know my physics. So you know Heisenberg's uncertainty principle when you try to measure something, you already can't because it's already changed. So what does that mean-- >> Dan: Yeah. >> You know what does security look like in my you know, real time serverless ever changing world? You know, how is it that we are going to be able to stay secure? >> Yeah, so I think there are some really positive trends. The first one is that this is kind of a reboot. So this is kind of a restart. You know there are things we've learned in the past that we can bring forward but it's also an opportunity to kind of clean the slate and think about how we can rebuild the infrastructure. The first kind of key one is that over time security in the traditional data center started understanding less and less about the application over time, what they did was they built this big fortress around it, some called it defense in depth you know, the Security Onion whatever you want to call it you know, the M&M'S. But they were really lacking in the understanding of the application. So now security really has to understand the application because that's the core of what's important. And that allows them to be smarter about what are the changes in their environment, and if those are good, bad or indifferent. The other thing that I think is interesting is that compliance was kind of a dirty word that no one really wanted to talk about. It was kind of this boring thing or auditors would show up once every six months go through a very complex checklist and say you're okay. Now compliance is actually very sophisticated. And the ability to look at your configuration in near real time and understand if you are compliant or following best practices is real. And we do that for our customers all the time. You know we can tell them how they're doing against the compliance standard within a you know, a minute timeframe. And we can tell that they're drifting in and out of that. And the last one and the one that I think most are excited about is really the journey towards least privileges and minimizing the scope of your attack surface within your developers and their access in your infrastructure. Now it's... We're pretty far from there, it's an easy thing to say it's a pretty hard thing to do. But getting towards and driving towards that journey of least privilege I think is where most people are looking to go. >> Alright Dan, I want to go back to something that we talked about early in the conversation, that relationship with the cloud providers themselves, so you know talking AWS, Azure, Google Cloud and the like. How should customers be thinking about how they manage security, dealing with them dealing with companies like Lacework and the ecosystem you mentioned in companies like Datadog and the New Relic? You know how do they sort through and manage how they can maintain those relationships? >> So there's kind of the layer eight relationships, of course which are starting you know in particular with the cloud providers, it's a lot more about bottoms up relationships and very technical understanding of product and features, than it is about being on the golf course, and you know eating steak dinners. And that's very different you know, security and buying IT infrastructure was very relationship driven in the past. Now you really especially with SaaS and subscriptions, you're really proving out your technology every day. You know I say kind of trust is built on consistent positive results over time. So you really have to have trust within your solution and within that service and that trust is built on obviously a lot of that go to market business side. But more often than not it's now being built on the ability for that solution to get better over time because it's a subscription. You know how do you deliver more features and increase value to the customer as you do more things over time? So that's really, really important. The other one is like, how do I integrate the technology together? And I believe it's more important for us to integrate our stack with the cloud provider with the adjacent spaces like APM and metrics and monitoring and with open source, because open source really is a core component to this. So how do we have the API's and integrations and the hooks and the visibility into all of those is really, really important for our customers in the market? >> Well Dan as I said at the beginning, security is such an important topic to everyone out there. You know we've seen from practitioners we talked to for the last few years not only is it a top issue it's a board level discussion for pretty much every company out there. So I want to give you the final word as to in today's you know modern era, what advice do you give to users out there to make sure that they are staying as secure as possible? >> Yeah so you know first and foremost, people often say, "Hey you know, when we build our business, "you know, it'd be a good problem to start have to worry "about customers and you know, "all kinds of people using the service. "And you know, we'll worry about security then." And it's easy lip service to say start it as early as possible. The reality is sometimes it's hard to do that. You've got all kinds of competing interests, you're trying to build a business and an application and everything else depending obviously, the maturity of your organization. I would say that this is a great time to kind of crawl, walk, run. And you don't have to think about it. If you're building in the cloud you don't have to think of the end game you know right away, you can kind of stair step into that. So you know my suggestion to people that are moving into the cloud is really think about compliance and configuration best practices first and visibility, and then start thinking of the more complex things like triage alerts and how does that fit into my workflow? How do I look at breaches down the line? Now for the more mature orgs that are taking, you know an application or a new application or Stack and just dropping it in, those are the ones that should really think about how do I fit security into this new world order? And how do I make it as part of the design process? And it's not about how do I take my existing security stack and move it over? That's like taking, you know a centralized application moving to the cloud and calling it cloud. You know if you're going to build in the cloud, you have to secure it the same way that you're building it in a modern way. So really think about you know, modern, you know new generation vendors and solutions and a combination of kind of your provider, maybe some open source and then a service, of course like Lacework. >> Alright well Dan Hubbard, thank you so much for helping us dig into this important topic Cloud Native security, pleasure talking with you. >> Thank you. Have a great day. >> And I'm Stu Miniman your hosts for Cloud Native Insights and looking forward to hearing more of your Cloud Native Insights in the future. (upbeat music)