Michael Ferranti, Teleport | KubeCon + CloudNativeCon Europe 2022
>> theCUBE presents KubeCon and CloudNativeCon Europe 2022, brought to you by Red Hat, the Cloud Native Computing Foundation and its ecosystem partners.
>> Welcome to Valencia, Spain, and KubeCon + CloudNativeCon Europe 2022. I'm Keith Townsend, along with Paul Gillin, senior editor, enterprise architecture at SiliconANGLE. We are talking to some incredible folks this week, continuing the conversation around enabling developers to do their work. Paul, you've said that this conference is about developers. What are you finding key as a theme running throughout the show?
>> That developers really need a whole set of special tools. You know, it's not the end user tools, the end user access controls, the authentication; developers need their own, to live in their own environment. They need their own workflow tools, their own collaboration and their own security. And that's where Teleport comes in.
>> So speaking of Teleport, we have Michael Ferranti, chief marketing officer at Teleport. New role for you. First, tell me, how long have you been at Teleport now?
>> Going on seven or eight months now.
>> Seven or eight months in this fast-moving market. I'm going to tell you a painful experience I've had in this new world. We've built applications, we've moved fast, audits come in. The auditors have come in and they said, you know what, who authorized this change to the cluster? And we'll go into the change ticket and say, this person authorized the changes in the change ticket. And then they'll ask for traceback. Okay, show me the change. What do you mean, show you the changes? It just happened.
>> Yeah. Check GitHub.
>> Yeah, check GitHub, see, we said we were gonna make the changes, the change happened. That's not enough. How are you helping customers solve this access control and audit problem?
>> Yeah, that's a great question. There are kind of two sides to the puzzle.
And actually I think that the intro hits it well. You've talked about kind of developer experience, needing tools to more efficiently do the job as a practitioner. And you're coming at it from kind of a security and compliance angle. And there's a tension between both of those teams. It's like, you know, there's a tension between dev and ops, before we created DevOps. There's also a tension between kind of security teams and developers, so we've created DevSecOps. What that means is you need an easy way for developers to get access to the resources they need to do their jobs. That's, you know, Linux hosts and databases and Kubernetes clusters and, you know, monitoring dashboards, and managing all of those credentials is quite cumbersome. If I need to access a dozen systems, then, you know, I'm using SSH keys to access this. I have admin credentials for my database. I'm going through a VPN to access an internal dashboard. Teleport consolidates all of that access into a single login via your identity provider, Okta, Active Directory, but then on the security and compliance side, we make it really easy for that compliance officer. When they say, show me that change, we have all of the audit logs that show exactly what changes Keith made when he logged into that system. And in fact, one of the booths behind here is talking about eBPF, a modern way to get that kind of kernel-level granularity. We build all of that observability into Teleport to make the security and compliance teams happy and the engineering teams a lot more productive.
>> Where do the access control tools like Okta, you mentioned, fall short? I mean, why is there a need for your level of control at the control plane?
>> Yeah. When you start to talk about authorization, authentication, audit at the infrastructure level, each of these technologies has its own way of managing what, kind of in the jargon, is authn and authz, right?
Authentication, authorization. So you have SSH for Linux. Kubernetes has its own way of doing authorization. All of the database providers have their own way, and it's quite complicated, right? It's much different. So, you know, if I'm gonna access Office 365 or I'm gonna access Salesforce, right, I'm really talking about the HTTP protocol. It's relatively trivial to implement single sign-on for web-based applications. But when we start talking about things that are happening at the Linux kernel level, or with Kubernetes, it's quite complicated to build those integrations. And that's where Teleport extends what you have with your IdP. So for instance, Okta, lots of our customers use Okta as their identity provider, but then Teleport takes those roles and applies them and enforces them at the actual infrastructure level.
>> So if I'm a lay developer, I'm looking at this thinking, you know, I have service mesh, I've implemented Linkerd, Istio or something to that level. And I also have Ansible, and Ansible has security, etcetera. What role, or how does that all integrate together from a big-picture perspective?
>> Yeah. So one of the kind of meta themes at Teleport is we like to say that we are fighting complexity, 'cause as we build new technologies, we tend to run the new tech on top of the old tech. Whereas, for instance, when you buy a new car, you typically don't, you know, hook the old car to the back and then pull it around with you, right? We replace old technology with new technology, but in infrastructure that doesn't happen as often. And so you end up with kind of layers of complexity, with one protocol sitting on top of another protocol on top of another protocol. And what Teleport does is, for the access control plane, we kind of replace the legacy ways of doing authentication, authorization and audit with a new, modern experience. But we allow you to continue to use the existing tools.
So we don't replace, for instance, you know, your configuration management system. You can keep using Ansible or Salt or Jenkins, but Teleport now is gonna give those scripts or those pipelines an identity that you can define: what should Ansible be able to do, right? 'Cause people are worried about supply chain attacks. If a vulnerable dependency gets introduced into your supply chain pipeline and your kind of Ansible playbook goes crazy and starts deploying that vulnerability everywhere, that's probably something you wanna limit. With Teleport, you can limit that with an identity, but you can still use the tools that you're used to.
>> So how do I guarantee something like an ex-employee doesn't come in and initiate an Ansible script that was sitting in the background, just waiting to happen until, you know, they left?
>> Yeah, great question. There's kind of the Great Resignation that's happening. We did a survey where actually we asked the question, kind of, you know, can you guarantee that ex-employees can no longer access your infrastructure? And shockingly, like 89% of companies could not guarantee that. It's like, wow, that should be a headline somewhere. And we actually just learned that on the dark web there are people that are targeting current employees of Netflix and Uber and trying to buy credentials of those employees to the infrastructure. So it's a big problem. With Teleport, we solve this in a really easy, transparent way for developers. Everything that we do is based on short-lived certificates. So unlike an SSH key, which exists until you decommission it, short-lived certificates by default expire. And if you don't reissue them based on a new login, based on the identity, then you can't do anything. So even a stolen credential, kind of, its value decreases dramatically over time.
>> So that statistic, four out of five companies can't guarantee ex-employees can't access infrastructure. Why is simply removing the employee from the, you know, from the LDAP or directory, decommissioning their login credentials, why is that not sufficient?
>> Well, it depends on if everything is integrated into your identity provider, and because of the complexities of accessing infrastructure, we know that developers are creative people. And kind of by definition, they're able to create systems to make their lives easier. So one thing that we see developers doing is kind of copying an SSH key to a local notepad on their computer. So they essentially can take that credential out of a vault. They can put it somewhere that's easier for them to access. And if you're not rotating that credential, then I can also, you know, copy it to a personal device as well. Same thing for shared admin credentials. So the issue is that those credentials are not completely managed in a unified way that enables the developer to not go around the system in order to make their lives easier, but rather to actually use the system. There's a market called privileged access management that a lot of enterprises are using to kind of manage credentials for their developers, but it's notoriously disruptive to developer workflows. And so developers kind of go around the system in order to make their jobs easier. What Teleport does is we obviate the need to go around the system, 'cause the simplest thing is just to come in in the morning, log in one time to my identity provider, and now I have access to all of my servers, all of my databases, all of my Kubernetes clusters with a short-lived certificate that's completely transparent.
>> And does this apply to both your local and your cloud accounts?
>> Yes. Yes, exactly.
>> So as a security company, what's driving the increase in security breaches? Is it the lack of developer hygiene?
Is it this ex-employee, Great Resignation bill? Is it external intruders? What's driving security breaches today?
>> Yes. It's, you know, it's all of those things. I think if I had to give you a one-word answer, I would say complexity. The systems that we are building are just massively complex, right? Look at how many vendors there are at this show in order to make Kubernetes easy to use, to do what it promises. We're building very complex systems. When you build complex systems, there's a lot of back doors; we call it kind of attack surface. And that's why for every new thing that we introduce, we also need to think about how do we remove old layers of the stack, so that we can simplify, so that we can consolidate and take advantage of the power of something like Kubernetes without introducing security vulnerabilities.
>> One of the problems or challenges with security solutions is, you know, there's this complexity versus flexibility knob that you need to be careful of. What's the deployment experience and integration experience for deploying Teleport?
>> Yeah, we built it to be cloud native, to feel like any other kind of cloud native or Kubernetes-like solution. So basically, you deploy it using a Helm chart, you deploy it using containers, and we take care of all of the auto-configuration and auto-update. So that it's just part of your stack, and you manage it using the same automation that you use to manage everything else. That's a big kind of installation and developer experience part of it. If it's complex to use, then not only are developers not gonna use it, operations teams are not gonna want to have to deal with it. And then you're left with doing things the old way, which is very unsatisfactory for everybody.
>> How does Kubernetes change the security equation? Are there vulnerabilities it introduces to the stack that maybe companies aren't aware of?
>> Almost by definition, yes.
Kind of any new technology is gonna introduce new security vulnerabilities. That is the result of the complexity, which is, there are things that you just don't know when you introduce new components. I think kind of all of the supply chain vulnerabilities are one way of looking at that, which is, you know, Kubernetes is itself built on a lot of dependencies. Those dependencies themselves could have security vulnerabilities. You might have a package that's maintained by one kind of hobbyist developer, but that's actually deployed across hundreds of thousands of applications across the internet. So again, it's about, one, understanding that that complexity exists, and then saying, is there a way that we can kind of layer on a solution that provides a common layer to let us kind of avoid that complexity and say, okay, every critical action needs to be authorized with an identity? That way, if it's automated or if it's human, I have that level of assurance that a hacked Ansible pipeline is not going to be able to introduce vulnerabilities across my entire infrastructure.
>> So one of the challenges for CIOs and CTOs is the lack of developer resources, and another resulting pain point that compounds that issue is rework due to security audits. Is Teleport a source of truth, that when an auditor comes in to audit a CI/CD pipeline, the developer or operations team can just say, hey, here's self-service, get what you need and come back to us with any questions? Or is there a second set of tools we have to use to get that audit and compliance reporting?
>> Yeah, Teleport can be that single source of truth. We can also integrate with your other systems, so you can export all of the, what we call access logs. So every behavior that took place, every query that was run on a database, every, you know, curl command that was run on a Linux host, Teleport is creating a log of that.
And so you can go in and you can filter and you can view those actions within Teleport. But we also integrate with other systems that people are using, whether it's Splunk or Datadog or whatever other toolchain. It's really important that we integrate, but you can also use Teleport as that single source.
>> So you can work with the observability suites that are now being installed.
>> Yeah, the wonderful thing about kind of an ecosystem like Kubernetes is there's a lot of standardization. You can pick your preferred tool, but under the hood, the protocols for taking a log and putting it in another system are standardized. And so we can integrate with any of the tools that developers are already using.
>> So how big is Teleport? I'm thinking about it from a couple of things: big as in what's the footprint, and then from a developer operations team overhead, is this kind of a set-it-and-forget-it? How much care, feeding and maintenance does it need?
>> So it's very lightweight. We basically have kind of two components. There's the access proxy that sits in front of your infrastructure, and that's what enables us to, you know, regardless of the complexity that sits across your multi-data-center footprint, your traditional applications running on Windows, your modern applications running on, you know, Linux and Kubernetes, we provide seamless access to all of that. And then there's an agent that runs on all of your hosts. And this is the part that can be deployed using Helm or any other kind of cloud native deployment methodology, that enables us to do the granular application-level audit. For instance, what queries are actually being run on CockroachDB or on Postgres, you know, what syscalls are running on the Linux kernel. Very lightweight; automation can be used to install, manage, upgrade all of it.
And so from an operations perspective, kind of bringing in Teleport shouldn't be any more complicated than running any application in a container. That's the design goal and what we built for our customers.
>> If I'm in a hybrid environment, I'm transitioning, I'm making the migration to Teleport. Is this a solution that sits only on the Kubernetes, cloud native side? Or is this something that I can transition to initially, and then migrate all of my applications to as I transition to cloud native?
>> Yeah. There are no cloud native dependencies for Teleport. Meaning if you're a hundred percent Windows shop, then we support, for instance, RDP. That's the way in which Windows handles remote access. If you have some applications that are running on Linux, we can support that as well. If you've got kind of, you know, the complete opposite end of the spectrum, you're doing everything cloud native, containers, Kubernetes, everything, we also support that.
>> Well, Michael, I really appreciate you stopping by and sharing the Teleport story. Security is becoming an obvious pain point for cloud native and container management, and Teleport has a really good story around ensuring compliance and security. From Valencia, Spain, I'm Keith Townsend, along with Paul Gillin, and you're watching theCUBE, the leader in high-tech coverage.
Ashish Palekar, Amazon Web Services | AWS Storage Day 2019
>> This is Dave Vellante. We're here at AWS with theCUBE, talking about storage. Ashish Palekar is here, the director of product management for EBS, Elastic Block Store. Welcome. Good to see you again.
>> Nice to see you.
>> So, let's talk about EBS. You know, it all started with S3, and of course customers demand more. What do we need to know about EBS? Like, what are the options that you provide? Give us the latest lowdown.
>> Yeah. So the way to think about block storage in the AWS context is there are really two kinds of offerings. One is around instance storage, which is a form of block storage. And then you have a block storage service, which is EBS. And sort of the key thing there, from a customer standpoint, the differentiation between the two is: if you want your storage lifecycle to be coincident with your instance lifecycle, then you use instance storage. That's why we see a lot of our customers using instance storage, because they want that experience. If, on the other hand, you want a storage lifecycle that's different from your instance lifecycle, so the ability to change instances, the ability to grow sizes, the ability to take backups, then you want to choose the EBS experience. And there we have a series of volume types that customers can consume, be it gp2, we have io1, we have our HDD volumes, which are st1 and sc1.
>> So Ashish, when you talk to customers of block storage, what do they tell you that they most care about?
>> Yeah, it is a lot around performance. It is a lot around availability, a lot around durability, ease of use. Those are the core characteristics that customers care about. Earlier this year, as an example, one of the things that we launched for customers was the ability to encrypt their volumes by default, and you'd say, well, why is that important? So security becomes a big concern for customers today as they think about their environment, and with encryption by default,
we just made it simple. With a single setting, you can now, at an account level, ensure that all your EBS volumes created from that point on are fully encrypted.
>> Okay, let's talk about snapshots. So how are snapshots in the cloud different? And how are your customers using snapshots?
>> Yeah, that's a great segue into a common conversation. Customers who are coming from an on-premises environment are used to snapshots as being sort of this copy-on-write type thing attached to volumes. The way to think about AWS snapshots, EBS snapshots in particular, is really to think of them as backups. And so that is the one sort of key thing that I always tell customers, is to think of what we call snapshots really as backups, especially if you're coming from an on-premises environment.
>> Okay, how about things you're doing to really improve EBS snapshots? I mean, is it more performance? Is it making it simpler? Or expanding use cases?
>> Yeah. Let's talk about the use case scenarios that snapshots get used in. Snapshots are really the underlying storage for what are called Amazon Machine Images, or AMIs. That is how our instances boot. That is also the way that customers create EBS volumes from, so you can create an EBS volume from a snapshot. So on that particular use case, one of the things that we're now launching is a capability we're calling Fast Snapshot Restore. So you can now take an EBS snapshot and then, within an Availability Zone, make it such that you can now launch volumes from it without encountering any latency. And that, we think, is a tremendously powerful capability for customers, because it takes all the undifferentiated heavy lifting that they had to do in order to load the data from the snapshot into the volume completely out of the picture, and allows them to focus on getting their data to their applications.
>> That's right.
>> All right, we'll give you the last word. Final thoughts on the innovations that you had. Congratulations on all the hard work.
>> No, actually, the team has done a tremendous amount of work on our launches. Couldn't be happier to see this in the hands of customers. We look forward to seeing what they build from the things that we've provided them, so excited to see that happen.
>> That's actually quite amazing. It all started very simple with S3, and now we've seen services just become more granular, higher performance, really meeting customer demands. Ashish, thanks so much.
>> Thank you so much.
>> All right. Thanks for watching. We'll be back right after this short break.