(bright upbeat music) >> Welcome back to theCube's coverage of HPE's Green Lake announcement. We've been following the caves of Green Lake's announcement for several quarters now, and even years. And we're going to look at cloud adoption and frameworks to help facilitate cloud adoptions. You know, in 2020, the world was on a forced march to digital and there was a lot that they didn't know. Big part of that was how to automate, how to reduce your reliance on physically, manually and plugging things in. And so, customers need an adoption framework to better understand and how to de-risk that journey to the cloud. And with me to talk about that are Alexia Clements, who's the Vice President at Worldwide go to market for GreenLake cloud services at HPE and Alexei Gerasimov who's the vice president of Hybrid Cloud Delivery advisory and professional services at Hewlett Packard Enterprise. Folks, welcome to theCube. >> Alexia: Thanks so much for having us. >> You're very welcome. So, Alexei, what is a cloud adoption framework? How does that all work? >> Gerasimov: Yeah, thanks Dave. So the framework is a structured approach to elevate the conversation, to help our customers get outcomes. So we've been helping customers adopt the benefits in the most of IT for a decade. And we've noticed that they basically focus on eight key areas as they transform to cloud-like capabilities. It's a strategy and governance, it's innovation, people, a dev ops applications, operations security, and data. So we've structured our framework around those core components to help our customers get value. Because end of the day, it's all about changing the way they operate. To get the advantage of all of it. >> Yes. So you can't just pave the cow path and kind of plug your existing process. There's a lot that's unknown, as I said up front. So, so Alexia, maybe you could talk a little bit more about some of the real problems that you're solving with customers that you see in the field. >> Alexey: Yeah, absolutely. So most customers are going through some form of digital transformation and these transformations are difficult and they need a structured approach to help them through that journey. I kind of like to think of it as a recipe to make a meal. So you need to know what ingredients to buy and what are the steps to perform to make that meal. >> Okay. So when you talk to customers, what do you, what do you tell them? That's in it for them after the, after you've actually successfully helped them deploy? What are they telling you? >> Yeah, well, they're telling they now have reached their business outcomes and they're, you know, they're a more agile organization. >> What's the experience look like when you, when you go through one of these journeys and you, you apply the adoption framework, can you sort of paint a picture for us? >> Yeah, absolutely. So every customer is in some sort of transformation, like Alexia said, that transformation implies you've got to know where you start and again, know where you're going. So the experience traditionally is customers need to understand what are my current hybrid cloud capabilities? What do I have, what am I missing? What's lacking and then determine where do you want to go? And in order to get from point A to point B, they have to get a prescriptive approach. So the framework sort of breaks down their path from where they are to their desired maturity. And it takes them in the very prescriptive path to get there. >> So you start with an assessment, you do a gap analysis based on their skill sets. I presume you identify what's possible, help them understand, you know, best practice, which they may not achieve, but this is kind of their north star. Right? And then do you help? How do you help them fill those gaps? Because are skills gaps. Everybody talks about that today. You guys presumably can provide additional services to do that, but so can you add a little bit color to that scope? >> Yeah, yeah, absolutely. And so to your point, the first is a maturity level. So once you figure out the maturity level, you understand what needs to be done. So if you look at our domain, the eight domains that I mentioned and the framework, people is a big one, right? Most of the folks are struggling with people's skills and organizational capabilities. And it's so because it's an operating model change, right? And people are the key component to this operating model change. So we help our customers figure out how do we achieve that optimal operating level and operating a model maturity. And that could be on-prem that could be on public cloud. That could be hybrid. That could be at the edge. And yeah, we, if we can HP, the framework, by the way is pretty, pretty open and pretty objective. If we can help our customers address and achieve their sales gaps great. If we can not directly, then we can have a partner that can help them, you know, plug in something that we don't have. >> Are you finding that, that in terms of the maturity that most people have some kind of experience with, with cloud, but they're struggling to bring that cloud experience to their on-premise state. They don't want to just shove everything into the cloud. Right. So, what does that kind of typical journey look like for folks? I know there's--it's a wide spectrum, or you've got people that are maybe more mature. Maybe some of the folks in financial services got more resources, but can you sort of give us a sense as to what the typical, the average. >> Oh yeah yeah yeah, absolutely. By the way. So that give you a customer example, perfect example of a large North American integrated energy company. They decided to go cloud fresh, like a lot of companies. that wants to do cloud first. And why? The reason was agility. So they started going to the cloud and they realized in order to get agility, you can't just go to you, pick your public CSP, you got to change the way to operate. So they brought us in and they asked, could you help me figure out how we can change the organization? So we actually operate on the proper level of maturity. So we brought our team in. We help them figure out what do we need to look at? We need to look at operations. We need to look at people. We need to look at applications, and we need to figure out what gives you the best value. So when all said and done, they realized that their initial desire of, you know, public first or cloud first, wasn't really public cloud first. It's a way to operate. So now the customer is in three different public CSPs. They're on-prem, there are at edge and everywhere. So that's the focus. Yeah. >> Is the scope predominantly the technical organization. How deep does it go into the, to the business? Is it obviously the application development team is involved, but how deep into the business does this go? The framework. >> Right, and it's absolutely not a technology focused, the whole concept areas, it's outcomes based, and it's a results based. So if you look at the framework, there's really not a single element of the framework that says tech, like storage or compute. No, it's its people, its data, it's business value, strategy and governance, because the goal for us is being objective is we're just trying to help them address the outcomes. Not necessarily to give them more tech. >> So Alexia, I like that answer because it's a wider scope as, I mean, if we just focused on the tech and that's the swim lane, it'd be a lot easier. But as we all know, it's the people in the process that are really the hard part. So that, that makes the challenge for customers greater. You're hurting more cats. So what are the, some of the obstacles that potentially you help customers before they dive in understand. >> Yeah. So we're giving them a roadmap on where they need to go. So we're like I mentioned that recipe, so we're really trying to identify what is their strategy and where do they, what are the outcomes that they're trying to drive and help them on a street, you know, with that path to meet those outcomes. So some of those, I mean, every customer's a little bit different. I mean, we had one customer, which was a, one of the largest hospitals in north America and they, they would needed to, they wanted to go to the cloud, but they realized they couldn't put all of their patient data on the cloud. So what we did was we helped them in changing their operating model and really look to see how does that, how do they need to what's that end game for them, and actually help redo their operating model to have some in the cloud and some on-prem and, and really identify, you know, where they needed to go for their roadmap. So that was an obstacle that they had, hey, we can't put all this stuff out there. How does that now need to work in this new world? >> I would think the data model is a big deal here. I mean, you just gave an example where there's a, there's a, there's a governance and compliance aspect to it. So thinking about that example, did they have to change the way in which they provided federated governance was that presumably identify whose whose responsibility that was to adjudicate, but also had to get the, the implementers to follow that's the, how does that all work? Is it just the deep conversations? And then you figure out how to codify it or. >> No. So what so we have, so through those eight domains that Alexia mentioned, we go through, step-by-step how they need to think about it. And within mind, what are their business outcomes and goals that they're trying to achieve? So really identifying how they need to change that operating model to meet those business outcomes. >> So what's the output, it's a plan, right. That's tailored to the customer. Is that, is that correct? And, and then sort of assistance in implementing downstream or what do they get? >> Yeah, yeah, absolutely. Just to piggyback to what Alexia said, the alignment, the early alignment, the strategy and governance, as you mentioned, this is probably the most important thing, because everybody says we want to be cloud first, but what does that mean? Cloud first means different things to everyone. So we said, give him a plan. The first we'll help with figure out is what does that mean for you? Because at the end of the day, you're not going to the cloud for the sake of cloud, or anywhere you go into the cloud to get some sort of value. So what's that alignment. So the plan is supposed to help you on your road to that value, right? So we'll help them figure out what I want to do, why, for what purpose, what's going to actually address my business value. So yes, they will get a plan as part of it. But more importantly, they get, they get a set of activities, communication plans, which by the way, another block that you got to address. >> Dave: Huge. >> Yeah. >> Yeah. I mean, a lot of executives tell me, look, if you don't change your operating model and go to the cloud, yeah. You're talking, you know, nickels and dimes. If you want to get telephone numbers, you know, big companies, you want to get into bees with billions, you have to change the operating model. And the problem that they tell me is a lot of times the corner offices, okay, we're doing this, but everybody in the fat middle says, what are we doing? >> Right. And now more than ever, I mean, customers need to look at that model like a more modern operating model to realize the benefits of cloud capabilities, whether that be at the edge, their data centers, their colos cloud. So they really need to look at that. And what we've seen is with our framework, we're really helping customers accelerate their business outcomes. De-risk their transformation, and really optimize that cloud operating model. >> It's that alignment you reducing friction within the organization, confusing confusion. When people don't know which direction they're going, they'll just going to go wherever they're pointed. Right. Right. >> And you back to the alignment. So you've got alignment and you mentioned communication. You have to communicate up and down and left and right across the organization because that's one of the most probably ignored elements of any transformation lots of people don't know. So you got to communicate. And then you have to actually measure and report on how they, you know, how the transformation is happening. So we can help in all three of those. >> Especially when everybody's remote. Yeah. Right. And then I said, hey, these digital transformations, there's so much, that's unknown. >> Alexia: Right. It's difficult. >> It's a lot of new. And so you also have to, I presume part of the plan is, Hey, you're not, it's not going to be a hundred percent perfect. So you have to have. >> Alexia: Right. And you're constantly iterating on that plan. >> What does this have to do with GreenLake? >> Alexia: Yeah. So, I mean, GreenLake is HPE's you know, cloud everywhere. And what we're really doing is this framework is helping customers with that path to get that cloud-like experience and as a service model. And so the framework is really helping clients understand where do they need to go and what GreenLake solutions can help them get there. >> So the fundamental assumption of not every cloud player necessarily bad, I would say most hyperscalers is, hey, ultimately, all the data and the workloads are going to go to the cloud, that's their operating premise. So they all have an operating framework to facilitate that. >> Alexia: Right. >> It's, it's tongue in cheek, but it's true. So, but everybody has one of these. How was yours different? >> Yeah. So like, like you said, there's lots of different, you know, frameworks out there, but what we're really focused on is meeting those business goals and outcomes for clients. So we didn't focus on the technology. Like we mentioned what we were really focusing around. I mean, we kind of learned early on that every customer has technical capabilities, applications, data in multiple clouds, on-prem in colos and at the edge. So we didn't focus on like just the technology. So it's really driving business outcomes and their goals and, and the tech, all those frameworks that we just mentioned, they're really specifically driving a particular technology tool or vendor implementing a particular technology or vendor. >> So we've talked about outcomes a lot, but I wonder if we could peel the onion on that. So, you know, the highest level outcome is I want to increase revenue, cut costs, drop to the bottom line, increase shareholder value, improve employee experiences and retention, make customers happier, grow my business. I mean, those are, I mean, I, I don't know a lot of businesses that don't... >> Alexia: Right. >> want to do that, So. Okay. That's cool. But then I'm imagining you really start to peel the layers and say, okay, this is how we're going to get there. And you get down to specific objectives as to the, how is that sort of how this works? >> Right, and that's due to echo at Alexia. So that's exactly why ours is different. We're not focusing on how to adopt Microsoft or AWS or Alibaba with focusing on how we can deliver the customer experience or a better revenue, you know, or, you know, increase the value for the consumer for whatever the company will help him. So the framework we'll look at that and figure out how do we actually address it, whether it's on public cloud, whether it's on prem, whether it's at the edge. >> You mentioned Alexia, that something, hey, if we don't have the skills, we can get a partner who does, a big company. You got a huge partner network. So for example, if you might not have necessarily a deep industry expertise, that's where you might lean on a partner or is that, is that a good example or is there a better one? >> Yes and we know. We're not going to just like you mentioned AWS or Microsoft, Alibaba thing that everything will go to public cloud. I don't believe so, but at the same time we know not everything will stay on-prem. So the combination of on-prem, the edge, you know, private cloud and public cloud is what the customers are after. So our partners could be either third party, system integrator that can help us implement something or even the public CSPs, because we know our customers have capabilities everywhere. So the question becomes, how can we holistically address their needs, whether it's on-prem, whether it's in public cloud. >> Great. Guys, thanks so much. >> Alexia: Thank you. Thanks for having us. Appreciate it. >> My pleasure and thank you for watching everybody's as theCube's continuous coverage of HPE's GreenLake announcement, keep it right there for more great content. (bright upbeat music)

(bright upbeat music) >> Hello, everyone. Welcome to SiliconANGLE News breaking story here. Amazon Web Services expanding their relationship with Hugging Face, breaking news here on SiliconANGLE. I'm John Furrier, SiliconANGLE reporter, founder, and also co-host of theCUBE. And I have with me, Swami, from Amazon Web Services, vice president of database, analytics, machine learning with AWS. Swami, great to have you on for this breaking news segment on AWS's big news. Thanks for coming on and taking the time. >> Hey, John, pleasure to be here. >> You know- >> Looking forward to it. >> We've had many conversations on theCUBE over the years, we've watched Amazon really move fast into the large data modeling, SageMaker became a very smashing success, obviously you've been on this for a while. Now with ChatGPT OpenAI, a lot of buzz going mainstream, takes it from behind the curtain inside the ropes, if you will, in the industry to a mainstream. And so this is a big moment, I think, in the industry, I want to get your perspective, because your news with Hugging Face, I think is another tell sign that we're about to tip over into a new accelerated growth around making AI now application aware, application centric, more programmable, more API access. What's the big news about, with AWS Hugging Face, you know, what's going on with this announcement? >> Yeah. First of all, they're very excited to announce our expanded collaboration with Hugging Face, because with this partnership, our goal, as you all know, I mean, Hugging Face, I consider them like the GitHub for machine learning. And with this partnership, Hugging Face and AWS, we'll be able to democratize AI for a broad range of developers, not just specific deep AI startups. And now with this, we can accelerate the training, fine tuning and deployment of these large language models, and vision models from Hugging Face in the cloud. And the broader context, when you step back and see what customer problem we are trying to solve with this announcement, essentially if you see these foundational models, are used to now create like a huge number of applications, suggest like tech summarization, question answering, or search image generation, creative, other things. And these are all stuff we are seeing in the likes of these ChatGPT style applications. But there is a broad range of enterprise use cases that we don't even talk about. And it's because these kind of transformative, generative AI capabilities and models are not available to, I mean, millions of developers. And because either training these elements from scratch can be very expensive or time consuming and need deep expertise, or more importantly, they don't need these generic models, they need them to be fine tuned for the specific use cases. And one of the biggest complaints we hear is that these models, when they try to use it for real production use cases, they are incredibly expensive to train and incredibly expensive to run inference on, to use it at a production scale. So, and unlike web search style applications, where the margins can be really huge, here in production use cases and enterprises, you want efficiency at scale. That's where Hugging Face and AWS share our mission. And by integrating with Trainium and Inferentia, we're able to handle the cost efficient training and inference at scale, I'll deep dive on it. And by teaming up on the SageMaker front, now the time it takes to build these models and fine tune them is also coming down. So that's what makes this partnership very unique as well. So I'm very excited. >> I want to get into the time savings and the cost savings as well on the training and inference, it's a huge issue, but before we get into that, just how long have you guys been working with Hugging Face? I know there's a previous relationship, this is an expansion of that relationship, can you comment on what's different about what's happened before and then now? >> Yeah. So, Hugging Face, we have had a great relationship in the past few years as well, where they have actually made their models available to run on AWS, you know, fashion. Even in fact, their Bloom Project was something many of our customers even used. Bloom Project, for context, is their open source project which builds a GPT-3 style model. And now with this expanded collaboration, now Hugging Face selected AWS for that next generation office generative AI model, building on their highly successful Bloom Project as well. And the nice thing is, now, by direct integration with Trainium and Inferentia, where you get cost savings in a really significant way, now, for instance, Trn1 can provide up to 50% cost to train savings, and Inferentia can deliver up to 60% better costs, and four x more higher throughput than (indistinct). Now, these models, especially as they train that next generation generative AI models, it is going to be, not only more accessible to all the developers, who use it in open, so it'll be a lot cheaper as well. And that's what makes this moment really exciting, because we can't democratize AI unless we make it broadly accessible and cost efficient and easy to program and use as well. >> Yeah. >> So very exciting. >> I'll get into the SageMaker and CodeWhisperer angle in a second, but you hit on some good points there. One, accessibility, which is, I call the democratization, which is getting this in the hands of developers, and/or AI to develop, we'll get into that in a second. So, access to coding and Git reasoning is a whole nother wave. But the three things I know you've been working on, I want to put in the buckets here and comment, one, I know you've, over the years, been working on saving time to train, that's a big point, you mentioned some of those stats, also cost, 'cause now cost is an equation on, you know, bundling whether you're uncoupling with hardware and software, that's a big issue. Where do I find the GPUs? Where's the horsepower cost? And then also sustainability. You've mentioned that in the past, is there a sustainability angle here? Can you talk about those three things, time, cost, and sustainability? >> Certainly. So if you look at it from the AWS perspective, we have been supporting customers doing machine learning for the past years. Just for broader context, Amazon has been doing ML the past two decades right from the early days of ML powered recommendation to actually also supporting all kinds of generative AI applications. If you look at even generative AI application within Amazon, Amazon search, when you go search for a product and so forth, we have a team called MFi within Amazon search that helps bring these large language models into creating highly accurate search results. And these are created with models, really large models with tens of billions of parameters, scales to thousands of training jobs every month and trained on large model of hardware. And this is an example of a really good large language foundation model application running at production scale, and also, of course, Alexa, which uses a large generator model as well. And they actually even had a research paper that showed that they are more, and do better in accuracy than other systems like GPT-3 and whatnot. So, and we also touched on things like CodeWhisperer, which uses generative AI to improve developer productivity, but in a responsible manner, because 40% of some of the studies show 40% of this generated code had serious security flaws in it. This is where we didn't just do generative AI, we combined with automated reasoning capabilities, which is a very, very useful technique to identify these issues and couple them so that it produces highly secure code as well. Now, all these learnings taught us few things, and which is what you put in these three buckets. And yeah, like more than 100,000 customers using ML and AI services, including leading startups in the generative AI space, like stability AI, AI21 Labs, or Hugging Face, or even Alexa, for that matter. They care about, I put them in three dimension, one is around cost, which we touched on with Trainium and Inferentia, where we actually, the Trainium, you provide to 50% better cost savings, but the other aspect is, Trainium is a lot more power efficient as well compared to traditional one. And Inferentia is also better in terms of throughput, when it comes to what it is capable of. Like it is able to deliver up to three x higher compute performance and four x higher throughput, compared to it's previous generation, and it is extremely cost efficient and power efficient as well. >> Well. >> Now, the second element that really is important is in a day, developers deeply value the time it takes to build these models, and they don't want to build models from scratch. And this is where SageMaker, which is, even going to Kaggle uses, this is what it is, number one, enterprise ML platform. What it did to traditional machine learning, where tens of thousands of customers use StageMaker today, including the ones I mentioned, is that what used to take like months to build these models have dropped down to now a matter of days, if not less. Now, a generative AI, the cost of building these models, if you look at the landscape, the model parameter size had jumped by more than thousand X in the past three years, thousand x. And that means the training is like a really big distributed systems problem. How do you actually scale these model training? How do you actually ensure that you utilize these efficiently? Because these machines are very expensive, let alone they consume a lot of power. So, this is where SageMaker capability to build, automatically train, tune, and deploy models really concern this, especially with this distributor training infrastructure, and those are some of the reasons why some of the leading generative AI startups are actually leveraging it, because they do not want a giant infrastructure team, which is constantly tuning and fine tuning, and keeping these clusters alive. >> It sounds like a lot like what startups are doing with the cloud early days, no data center, you move to the cloud. So, this is the trend we're seeing, right? You guys are making it easier for developers with Hugging Face, I get that. I love that GitHub for machine learning, large language models are complex and expensive to build, but not anymore, you got Trainium and Inferentia, developers can get faster time to value, but then you got the transformers data sets, token libraries, all that optimized for generator. This is a perfect storm for startups. Jon Turow, a former AWS person, who used to work, I think for you, is now a VC at Madrona Venture, he and I were talking about the generator AI landscape, it's exploding with startups. Every alpha entrepreneur out there is seeing this as the next frontier, that's the 20 mile stairs, next 10 years is going to be huge. What is the big thing that's happened? 'Cause some people were saying, the founder of Yquem said, "Oh, the start ups won't be real, because they don't all have AI experience." John Markoff, former New York Times writer told me that, AI, there's so much work done, this is going to explode, accelerate really fast, because it's almost like it's been waiting for this moment. What's your reaction? >> I actually think there is going to be an explosion of startups, not because they need to be AI startups, but now finally AI is really accessible or going to be accessible, so that they can create remarkable applications, either for enterprises or for disrupting actually how customer service is being done or how creative tools are being built. And I mean, this is going to change in many ways. When we think about generative AI, we always like to think of how it generates like school homework or arts or music or whatnot, but when you look at it on the practical side, generative AI is being actually used across various industries. I'll give an example of like Autodesk. Autodesk is a customer who runs an AWS and SageMaker. They already have an offering that enables generated design, where designers can generate many structural designs for products, whereby you give a specific set of constraints and they actually can generate a structure accordingly. And we see similar kind of trend across various industries, where it can be around creative media editing or various others. I have the strong sense that literally, in the next few years, just like now, conventional machine learning is embedded in every application, every mobile app that we see, it is pervasive, and we don't even think twice about it, same way, like almost all apps are built on cloud. Generative AI is going to be part of every startup, and they are going to create remarkable experiences without needing actually, these deep generative AI scientists. But you won't get that until you actually make these models accessible. And I also don't think one model is going to rule the world, then you want these developers to have access to broad range of models. Just like, go back to the early days of deep learning. Everybody thought it is going to be one framework that will rule the world, and it has been changing, from Caffe to TensorFlow to PyTorch to various other things. And I have a suspicion, we had to enable developers where they are, so. >> You know, Dave Vellante and I have been riffing on this concept called super cloud, and a lot of people have co-opted to be multicloud, but we really were getting at this whole next layer on top of say, AWS. You guys are the most comprehensive cloud, you guys are a super cloud, and even Adam and I are talking about ISVs evolving to ecosystem partners. I mean, your top customers have ecosystems building on top of it. This feels like a whole nother AWS. How are you guys leveraging the history of AWS, which by the way, had the same trajectory, startups came in, they didn't want to provision a data center, the heavy lifting, all the things that have made Amazon successful culturally. And day one thinking is, provide the heavy lifting, undifferentiated heavy lifting, and make it faster for developers to program code. AI's got the same thing. How are you guys taking this to the next level, because now, this is an opportunity for the competition to change the game and take it over? This is, I'm sure, a conversation, you guys have a lot of things going on in AWS that makes you unique. What's the internal and external positioning around how you take it to the next level? >> I mean, so I agree with you that generative AI has a very, very strong potential in terms of what it can enable in terms of next generation application. But this is where Amazon's experience and expertise in putting these foundation models to work internally really has helped us quite a bit. If you look at it, like amazon.com search is like a very, very important application in terms of what is the customer impact on number of customers who use that application openly, and the amount of dollar impact it does for an organization. And we have been doing it silently for a while now. And the same thing is true for like Alexa too, which actually not only uses it for natural language understanding other city, even national leverages is set for creating stories and various other examples. And now, our approach to it from AWS is we actually look at it as in terms of the same three tiers like we did in machine learning, because when you look at generative AI, we genuinely see three sets of customers. One is, like really deep technical expert practitioner startups. These are the startups that are creating the next generation models like the likes of stability AIs or Hugging Face with Bloom or AI21. And they generally want to build their own models, and they want the best price performance of their infrastructure for training and inference. That's where our investments in silicon and hardware and networking innovations, where Trainium and Inferentia really plays a big role. And we can nearly do that, and that is one. The second middle tier is where I do think developers don't want to spend time building their own models, let alone, they actually want the model to be useful to that data. They don't need their models to create like high school homeworks or various other things. What they generally want is, hey, I had this data from my enterprises that I want to fine tune and make it really work only for this, and make it work remarkable, can be for tech summarization, to generate a report, or it can be for better Q&A, and so forth. This is where we are. Our investments in the middle tier with SageMaker, and our partnership with Hugging Face and AI21 and co here are all going to very meaningful. And you'll see us investing, I mean, you already talked about CodeWhisperer, which is an open preview, but we are also partnering with a whole lot of top ISVs, and you'll see more on this front to enable the next wave of generated AI apps too, because this is an area where we do think lot of innovation is yet to be done. It's like day one for us in this space, and we want to enable that huge ecosystem to flourish. >> You know, one of the things Dave Vellante and I were talking about in our first podcast we just did on Friday, we're going to do weekly, is we highlighted the AI ChatGPT example as a horizontal use case, because everyone loves it, people are using it in all their different verticals, and horizontal scalable cloud plays perfectly into it. So I have to ask you, as you look at what AWS is going to bring to the table, a lot's changed over the past 13 years with AWS, a lot more services are available, how should someone rebuild or re-platform and refactor their application of business with AI, with AWS? What are some of the tools that you see and recommend? Is it Serverless, is it SageMaker, CodeWhisperer? What do you think's going to shine brightly within the AWS stack, if you will, or service list, that's going to be part of this? As you mentioned, CodeWhisperer and SageMaker, what else should people be looking at as they start tinkering and getting all these benefits, and scale up their ups? >> You know, if we were a startup, first, I would really work backwards from the customer problem I try to solve, and pick and choose, bar, I don't need to deal with the undifferentiated heavy lifting, so. And that's where the answer is going to change. If you look at it then, the answer is not going to be like a one size fits all, so you need a very strong, I mean, granted on the compute front, if you can actually completely accurate it, so unless, I will always recommend it, instead of running compute for running your ups, because it takes care of all the undifferentiated heavy lifting, but on the data, and that's where we provide a whole variety of databases, right from like relational data, or non-relational, or dynamo, and so forth. And of course, we also have a deep analytical stack, where data directly flows from our relational databases into data lakes and data virus. And you can get value along with partnership with various analytical providers. The area where I do think fundamentally things are changing on what people can do is like, with CodeWhisperer, I was literally trying to actually program a code on sending a message through Twilio, and I was going to pull up to read a documentation, and in my ID, I was actually saying like, let's try sending a message to Twilio, or let's actually update a Route 53 error code. All I had to do was type in just a comment, and it actually started generating the sub-routine. And it is going to be a huge time saver, if I were a developer. And the goal is for us not to actually do it just for AWS developers, and not to just generate the code, but make sure the code is actually highly secure and follows the best practices. So, it's not always about machine learning, it's augmenting with automated reasoning as well. And generative AI is going to be changing, and not just in how people write code, but also how it actually gets built and used as well. You'll see a lot more stuff coming on this front. >> Swami, thank you for your time. I know you're super busy. Thank you for sharing on the news and giving commentary. Again, I think this is a AWS moment and industry moment, heavy lifting, accelerated value, agility. AIOps is going to be probably redefined here. Thanks for sharing your commentary. And we'll see you next time, I'm looking forward to doing more follow up on this. It's going to be a big wave. Thanks. >> Okay. Thanks again, John, always a pleasure. >> Okay. This is SiliconANGLE's breaking news commentary. I'm John Furrier with SiliconANGLE News, as well as host of theCUBE. Swami, who's a leader in AWS, has been on theCUBE multiple times. We've been tracking the growth of how Amazon's journey has just been exploding past five years, in particular, past three. You heard the numbers, great performance, great reviews. This is a watershed moment, I think, for the industry, and it's going to be a lot of fun for the next 10 years. Thanks for watching. (bright music)

(upbeat music) (background crowd chatter) >> Hello, fantastic cloud community and welcome back to Las Vegas where we are live from the show floor at AWS re:Invent. My name is Savannah Peterson. Joined for the first time. >> Yeah, Doobie. >> VIP, I know. >> All right, let's do this. >> Thanks for having me Dave, I really appreciate it. >> I appreciate you doing all the hard work. >> Yeah. (laughs) >> You, know. >> I don't know about that. We wouldn't be here without you and all these wonderful stories that all the businesses have. >> Well, when I host with John it's hard for me to get a word in edgewise. I'm just kidding, John. (Savannah laughing) >> Shocking, I've never want that experience. >> We're like knocking each other, trying to, we're elbowing. No, it's my turn to speak, (Savannah laughing) so I'm sure we're going to work great together. I'm really looking forward to it. >> Me too Dave, I feel very lucky to be here and I feel very lucky to introduce our guest this afternoon, Clint Sharp, welcome to the show. You are with Cribl. Yeah, how does it feel to be on the show floor today? >> It's amazing to be back at any conference in person and this one is just electric, I mean, there's like a ton of people here love the booth. We're having like a lot of activity. It's been really, really exciting to be here. >> So you're a re:Ieinvent alumni? Have you been here before? You're a Cube alumni. We're going to have an OG conversation about observability, I'm looking forward to it. Just in case folks haven't been watching theCUBE for the last nine years that you've been on it. I know you've been with a few different companies during that time period. Love that you've been with us since 2013. Give us the elevator pitch for Cribl. >> Yeah, so Cribl is an observability company which we're going to talk about today. Our flagship product is a telemetry router. So it just really helps you get data into the right places. We're very specifically in the observability and security markets, so we sell to those buyers and we help them work with logs and metrics and open telemetry, lots of different types of data to get it into the right systems. >> Why did observability all of a sudden become such a hot thing? >> Savannah: Such a hot topic. >> Right, I mean it just came on the scene so quickly and now it's obviously a very crowded space. So why now, and how do you guys differentiate from the crowd? >> Yeah, sure, so I think it's really a post-digital transformation thing Dave, when I think about how I interact with organizations you know, 20 years ago when I started this business I called up American Airlines when things weren't working and now everything's all done digitally, right? I rarely ever interact with a human being and yet if I go on one of these apps and I get a bad experience, switching is just as easy as booking another airline or changing banks or changing telecommunications providers. So companies really need an ability to dive into this data at very high fidelity to understand what Dave's experience with their service or their applications are. And for the same reasons on the security side, we need very, very high fidelity data in order to understand whether malicious actors are working their way around inside of the enterprise. And so that's really changed the tooling that we had, which, in prior years, it was really hard to ask arbitrary questions of that data. You really had to deal with whatever the vendor gave you or you know, whatever the tool came with. And observability is really an evolution, allowing people to ask and answer questions of their data that they really weren't planning in advance. >> Dave: Like what kind of questions are people asking? >> Yeah sure so what is Dave's performance with this application? I see that a malicious actor has made their way on the inside of my network. Where did they go? What did they do? What files did they access? What network connections did they open? And the scale of machine data of this machine to machine communication is so much larger than what you tend to see with like human generated data, transactional data, that we really need different systems to deal with that type of data. >> And what would you say is your secret sauce? Like some people come at it, some search, some come at it from security. What's your sort of superpower as Lisa likes to say? >> Yeah, so we're a customer's first company. And so one of the things I think that we've done incredibly well is go look at the market and look for problems that are not being solved by other vendors. And so when we created this category of an observability pipeline, nobody was really marketing an observability pipeline at that time. And really the problem that customers had is they have data from a lot of different sources and they need to get it to a lot of different destinations. And a lot of that data is not particularly valuable. And in fact, one of the things that we like to say about this class of data is that it's really not valuable until it is, right? And so if I have a security breach, if I have an outage and I need to start pouring through this data suddenly the data is very, very valuable. And so customers need a lot of different places to store this data. I might want that data in a logging system. I might want that data in a metric system. I might want that data in a distributed tracing system. I might want that data in a data lake. In fact AWS just announced their security data lake product today. >> Big topic all day. >> Yeah, I mean like you can see that the industry is going in this way. People want to be able to store massively greater quantities of data than they can cost effectively do today. >> Let's talk about that just a little bit. The tension between data growth, like you said it's not valuable until it is or until it's providing context, whether that be good or bad. Let's talk about the tension between data growth and budget growth. How are you seeing that translate in your customers? >> Yeah, well so data's growing in a 25% CAGR per IDC which means we're going to have two and a half times the data in five years. And when you talk to CISOs and CIOs and you ask them, is your budget growing at a 25% CAGR, absolutely not, under no circumstances am I going to have, you know, that much more money. So what got us to 2022 is not going to get us to 2032. And so we really need different approaches for managing this data at scale. And that's where you're starting to see things like the AWS security data lake, Snowflake is moving into this space. You're seeing a lot of different people kind of moving into the database for security and observability type of data. You also have lots of other companies that are competing in broad spectrum observability, companies like Splunk or companies like Datadog. And these guys are all doing it from a data-first approach. I'm going to bring a lot of data into these platforms and give users the ability to work with that data to understand the performance and security of their applications. >> Okay, so carry that through, and you guys are different how? >> Yeah, so we are this pipeline that's sitting in the middle of all these solutions. We don't care whether your data was originally intended for some other tool. We're going to help you in a vendor-neutral way get that data wherever you need to get it. And that gives them the ability to control cost because they can put the right data in the right place. If it's data that's not going to be frequently accessed let's put it in a data lake, the cheapest place we can possibly put that data to rest. Or if I want to put it into my security tool maybe not all of the data that's coming from my vendor, my vendor has to put all the data in their records because who knows what it's going to be used for. But I only use half or a quarter of that information for security. And so what if I just put the paired down results in my more expensive storage but I kept full fidelity data somewhere else. >> Okay so you're observing the observability platforms basically, okay. >> Clint: We're routing that data. >> And then creating- >> It's meta observability. >> Right, observability pipeline. When I think a data pipeline, I think of highly specialized individuals, there's a data analyst, there's a data scientist, there's a quality engineer, you know, etc, et cetera. Do you have specific roles in your customer base that look at different parts of that pipeline and can you describe that? >> Yeah, absolutely, so one of the things I think that we do different is we sell very specifically to the security tooling vendors. And so in that case we are, or not to the vendors, but to the customers themselves. So generally they have a team inside of that organization which is managing their security tooling and their operational tooling. And so we're building tooling very specifically for them, for the types of data they work with for the volumes and scale of data that they work with. And that is giving, and no other vendor is really focusing on them. There's a lot of general purpose data people in the world and we're really the only ones that are focusing very specifically on observability and security data. >> So the announcement today, the security data lake that you were talking about, it's based on the Open Cybersecurity Framework, which I think AWS put forth, right? And said, okay, everybody come on. [Savannah] Yeah, yeah they did. >> So, right, all right. So what are your thoughts on that? You know, how does it fit with your strategy, you know. >> Yeah, so we are again a customer's first neutral company. So if OCSF gains traction, which we hope it does then we'll absolutely help customers get data into that format. But we're kind of this universal adapter so we can take data from other vendors, proprietary schemas, maybe you're coming from one of the other send vendors and you want to translate that to OCSF to use it with the security data lake. We can provide customers the ability to change and reshape that data to fit into any schema from any vendor so that we're really giving security data lake customers the ability to adapt the legacy, the stuff that they have that they can't get rid of 'cause they've had it for 10 years, 20 years and nothing inside of an enterprise ever goes away. That stuff stays forever. >> Legacy. >> Well legacy is working right? I mean somebody's actually, you know, making money on top of this thing. >> We never get rid of stuff. >> No, (laughing) we just added the toolkit. It's like all the old cell phones we have, it's everything. I mean we even do it as individual users and consumers. It's all a part of our little personal library. >> So what's happened in the field company momentum? >> Yeah let's talk trends too. >> Yeah so the company's growing crazily fast. We're north of 400 employees and we're only a hundred and something, you know, a year ago. So you can kind of see we're tripling you know, year over year. >> Savannah: Casual, especially right now in a lot of companies are feeling that scale back. >> Yeah so obviously we're keeping our eye closely on the macro conditions, but we see such a huge opportunity because we're a value player in this space that there's a real flight to value in enterprises right now. They're looking for projects that are going to pay themselves back and we've always had this value prop, we're going to come give you a lot of capabilities but we're probably going to save you money at the same time. And so that's just really resonating incredibly well with enterprises today and giving us an opportunity to continue to grow in the face of some challenging headwinds from a macro perspective. >> Well, so, okay, so people think okay, security is immune from the macro. It's not, I mean- >> Nothing, really. >> No segment is immune. CrowdStrike announced today the CrowdStrike rocket ship's still growing AR 50%, but you know, stocks down, I don't know, 20% right now after our- >> Logically doesn't make- >> Okay stuff happens, but still, you know, it's interesting, the macro, because it was like, to me it's like a slingshot, right? Everybody was like, wow, pandemic, shut down. All of a sudden, oh wow, need tech, boom. >> Savannah: Yeah, digitally transformed today. >> It's like, okay, tap the brakes. You know, when you're driving down the highway and you get that slingshotting effect and I feel like that's what's going on now. So, the premise is that the real leaders, those guys with the best tech that really understand the customers are going to, you know, get through this. What are your customers telling you in terms of, you know they're spending patterns, how they're trying to maybe consolidate vendors and how does that affect you guys? >> Yeah, for sure, I mean, I think, obviously, back to that flight to value, they're looking for vendors who are aligned with their interests. So, you know, as their budgets are getting pressure, what vendors are helping them provide the same capabilities they had to provide to the business before especially from a security perspective 'cause they're going to get cut along with everybody else. If a larger organization is trimming budgets across, security's going to get cut along with everybody else. So is IT operations. And so since they're being asked to do more with less that's you know, really where we're coming in and trying to provide them value. But certainly we're seeing a lot of pressure from IT departments, security departments all over in terms of being able to live and do more with less. >> Yeah, I mean, Celip's got a great quote today. "If you're looking to tighten your belt the cloud is the place to do it." I mean, it's probably true. >> Absolutely, elastic scalability in this, you know, our new search product is based off of AWS Lambda and it gives you truly elastic scalability. These changes in architectures are what's going to allow, it's not that cloud is cheaper, it's that cloud gives you on-demand scalability that allows you to truly control the compute that you're spending. And so as a customer of AWS, like this is giving us capabilities to offer products that are scalable and cost effective in ways that we just have not been able to do in the cloud. >> So what does that mean for the customer that you're using serverless using Lambda? What does that mean for them in terms of what they don't have to do that they maybe had to previously? >> It offers us the ability to try to charge them like a truly cloud native vendor. So in our cloud product we sell a credit model whereby which you deduct credits for usage. So if you're streaming data, you pay for gigabytes. If you're searching data then you're paying for CPU consumption, and so it allows us to charge them only for what they're consuming which means we don't have to manage a whole fleet of servers, and eventually, well we go to managing our own compute quite possibly as we start to get to scale at certain customers. But Lambda allowed us to not have to launch that way, not have to run a bunch of infrastructure. And we've been able to align our charging model with something that we think is the most customer friendly which is true consumption, pay for what you consume. >> So for example, you're saying you don't have to configure the EC2 Instance or figure out the memory sizing, you don't have to worry about any of that. You just basically say go, it figures that out and you can focus on upstream, is that right? >> Yep, and we're able to not only from a cost perspective also from a people perspective, it's allowed us velocity that we did not have before, which is we can go and prototype and build significantly faster because we're not having to worry, you know, in our mature products we use EC2 like everybody else does, right? And so as we're launching new products it's allowed us to iterate much faster and will we eventually go back to running our own compute, who knows, maybe, but it's allowed us a lot faster velocity than we were able to get before. >> I like what I've heard you discuss a lot is the agility and adaptability. We're going to be moving and evolving, choosing different providers. You're very outspoken about being vendor agnostic and I think that's actually a really unique and interesting play because we don't know what the future holds. So we're doing a new game on that note here on theCUBE, new game, new challenge, I suppose I would call it to think of this as your 30 second thought leadership highlight reel, a sizzle of the most important topic or conversation that's happening theme here at the show this year. >> Yeah, I mean, for me, as I think, as we're looking, especially like security data lake, et cetera, it's giving customers ownership of their data. And I think that once you, and I'm a big fan of this concept of open observability, and security should be the same way which is, I should not be locking you in as a vendor into my platform. Data should be stored in open formats that can be analyzed by multiple places. And you've seen this with AWS's announcement, data stored in open formats the same way other vendors store that. And so if you want to plug out AWS and you want to bring somebody else in to analyze your security lake, then great. And as we move into our analysis product, our search product, we'll be able to search data in the security data lake or data that's raw in S3. And we're really just trying to give customers back control over their future so that they don't have to maintain a relationship with a particular vendor. They're always getting the best. And that competition fuels really great product. And I'm really excited for the next 10 years of our industry as we're able to start competing on experiences and giving customers the best products, the customer wins. And I'm really excited about the customer winning. >> Yeah, so customer focused, I love it. What a great note to end on. That was very exciting, very customer focused. So, yo Clint, I have really enjoyed talking to you. Thanks. >> Thanks Clint. >> Thanks so much, it's been a pleasure being on. >> Thanks for enhancing our observability over here, I feel like I'll be looking at things a little bit differently after this conversation. And thank all of you for tuning in to our wonderful afternoon of continuous live coverage here at AWS re:Ieinvent in fabulous Las Vegas, Nevada with Dave Vellante. I'm Savannah Peterson. We're theCUBE, the leading source for high tech coverage. (bright music)

(upbeat music) >> Hello, everyone and welcome back to fabulous Las Vegas, Nevada, where we are here on the show floor at AWS re:Invent. We are theCUBE. I am Savannah Peterson, joined with John Furrier. John, afternoon, day two, we are in full swing. >> Yes. >> What's got you most excited? >> Just got lunch, got the food kicking in. No, we don't get coffee. (Savannah laughing) >> Way to bring the hype there, John. >> No, there's so many people here just in Amazon. We're back to 2019 levels of crowd. The interest levels are high. Next gen, cloud security, big part of the keynote. This next segment, I am super excited about. CUBE Alumni, going back to 2013, 10 years ago he was on theCUBE. Now, 10 years later we're at re:Invent, looking forward to this guest and it's about security, great topic. >> I don't want to delay us anymore, please welcome Mark. Mark, thank you so much for being here with us. Massive day for you and the team. I know you oversee three different units at Amazon, Inspector, Detective, and the most recently announced, Security Lake. Tell us about Amazon Security Lake. >> Well, thanks Savannah. Thanks John for having me. Well, Security Lake has been in the works for a little bit of time and it got announced today at the keynote as you heard from Adam. We're super excited because there's a couple components that are really unique and valuable to our customers within Security Lake. First and foremost, the foundation of Security Lake is an open source project we call OCFS, Open Cybersecurity Framework Schema. And what that allows is us to work with the vendor community at large in the security space and develop a language where we can all communicate around security data. And that's the language that we put into Security Data Lake. We have 60 vendors participating in developing that language and partnering within Security Lake. But it's a communal lake where customers can bring all of their security data in one place, whether it's generated in AWS, they're on-prem, or SaaS offerings or other clouds, all in one location in a language that allows analytics to take advantage of that analytics and give better outcomes for our customers. >> So Adams Selipsky big keynote, he spent all the bulk of his time on data and security. Obviously they go well together, we've talked about this in the past on theCUBE. Data is part of security, but this security's a little bit different in the sense that the global footprint of AWS makes it uniquely positioned to manage some security threats, EKS protection, a very interesting announcement, runtime layer, but looking inside and outside the containers, probably gives extra telemetry on some of those supply chains vulnerabilities. This is actually a very nuanced point. You got Guard Duty kind of taking its role. What does it mean for customers 'cause there's a lot of things in this announcement that he didn't have time to go into detail. Unpack all the specifics around what the security announcement means for customers. >> Yeah, so we announced four items in Adam's keynote today within my team. So I'll start with Guard Duty for EKS runtime. It's complimenting our existing capabilities for EKS support. So today Inspector does vulnerability assessment on EKS or container images in general. Guard Duty does detections of EKS workloads based on log data. Detective does investigation and analysis based on that log data as well. With the announcement today, we go inside the container workloads. We have more telemetry, more fine grain telemetry and ultimately we can provide better detections for our customers to analyze risks within their container workload. So we're super excited about that one. Additionally, we announced Inspector for Lambda. So Inspector, we released last year at re:Invent and we focused mostly on EKS container workloads and EC2 workloads. Single click automatically assess your environment, start generating assessments around vulnerabilities. We've added Lambda to that capability for our customers. The third announcement we made was Macy sampling. So Macy has been around for a while in delivering a lot of value for customers providing information around their sensitive data within S3 buckets. What we found is many customers want to go and characterize all of the data in their buckets, but some just want to know is there any sensitive data in my bucket? And the sampling feature allows the customer to find out their sensitive data in the bucket, but we don't have to go through and do all of the analysis to tell you exactly what's in there. >> Unstructured and structured data. Any data? >> Correct, yeah. >> And the fourth? >> The fourth, Security Data Lake? (John and Savannah laughing) Yes. >> Okay, ocean theme. data lake. >> Very complimentary to all of our services, but the unique value in the data lake is that we put the information in the customer's control. It's in their S3 bucket, they get to decide who gets access to it. We've heard from customers over the years that really have two options around gathering large scale data for security analysis. One is we roll our own and we're security engineers, we're not data engineers. It's really hard for them to build these distributed systems at scale. The second one is we can pick a vendor or a partner, but we're locked in and it's in their schemer and their format and we're there for a long period of time. With Security Data Lake, they get the best of both worlds. We run the infrastructure at scale for them, put the data in their control and they get to decide what use case, what partner, what tool gives them the most value on top of their data. >> Is that always a good thing to give the customers too much control? 'Cause you know the old expression, you give 'em a knife they play with and they they can cut themselves, I mean. But no, seriously, 'cause what's the provisions around that? Because control was big part of the governance, how do you manage the security? How does the customer worry about, if I have too much control, someone makes a mistake? >> Well, what we finding out today is that many customers have realized that some of their data has been replicated seven times, 10 times, not necessarily maliciously, but because they have multiple vendors that utilize that data to give them different use cases and outcomes. It becomes costly and unwieldy to figure out where all that data is. So by centralizing it, the control is really around who has access to the data. Now, ultimately customers want to make those decisions and we've made it simple to aggregate this data in a single place. They can develop a home region if they want, where all the data flows into one region, they can distribute it globally. >> They're in charge. >> They're in charge. But the controls are mostly in the hands of the data governance person in the company, not the security analyst. >> So I'm really curious, you mentioned there's 60 AWS partner companies that have collaborated on the Security lake. Can you tell us a little bit about the process? How long does it take? Are people self-selecting to contribute to these projects? Are you cherry picking? What does that look like? >> It's a great question. There's three levels of collaboration. One is around the open source project that we announced at Black Hat early in this year called OCSF. And that collaboration is we've asked the vendor community to work with us to build a schema that is universally acceptable to security practitioners, not vendor specific and we've asked. >> Savannah: I'm sorry to interrupt you, but is this a first of its kind? >> There's multiple schemes out there developed by multiple parties. They've been around for multiple years, but they've been built by a single vendor. >> Yeah, that's what I'm drill in on a little bit. It sounds like the first we had this level of collaboration. >> There's been collaborations around them, but in a handful of companies. We've really gone to a broad set of collaborators to really get it right. And they're focused around areas of expertise that they have knowledge in. So the EDR vendors, they're focused around the scheme around EDR. The firewall vendors are focused around that area. Certainly the cloud vendors are in their scope. So that's level one of collaboration and that gets us the level playing field and the language in which we'll communicate. >> Savannah: Which is so important. >> Super foundational. Then the second area is around producers and subscribers. So many companies generate valuable security data from the tools that they run. And we call those producers the publishers and they publish the data into Security Lake within that OCSF format. Some of them are in the form of findings, many of them in the form of raw telemetry. Then the second one is in the subscriber side and those are usually analytic vendors, SIM vendors, XDR vendors that take advantage of the logs in one place and generate analytic driven outcomes on top of that, use cases, if you will, that highlight security risks or issues for customers. >> Savannah: Yeah, cool. >> What's the big customer focus when you start looking at Security Lakes? How do you see that planning out? You said there's a collaboration, love the open source vibe on that piece, what data goes in there? What's sharing? 'Cause a big part of the keynote I heard today was, I heard clean rooms, I've cut my antenna up. I'd love to hear that. That means there's an implied sharing aspect. The security industry's been sharing data for a while. What kind of data's in that lake? Give us an example, take us through. >> Well, this a number of sources within AWS, as customers run their workloads in AWS. We've identified somewhere around 25 sources that will be natively single click into Amazon Security Lake. We were announcing nine of them. They're traditional network logs, BBC flow, cloud trail logs, firewall logs, findings that are generated across AWS, EKS audit logs, RDS data logs. So anything that customers run workloads on will be available in data lake. But that's not limited to AWS. Customers run their environments hybridly, they have SaaS applications, they use other clouds in some instances. So it's open to bring all that data in. Customers can vector it all into this one single location if they decide, we make it pretty simple for them to do that. Again, in the same format where outcomes can be generated quickly and easily. >> Can you use the data lake off on premise or it has to be in an S3 in Amazon Cloud? >> Today it's in S3 in Amazon. If we hear customers looking to do something different, as you guys know, we tend to focus on our customers and what they want us to do, but they've been pretty happy about what we've decided to do in this first iteration. >> So we got a story about Silicon Angle. Obviously the ingestion is a big part of it. The reporters are jumping in, but the 53rd party sources is a pretty big number. Is that coming from the OCSF or is that just in general? Who's involved? >> Yeah, OCSF is the big part of that and we have a list of probably 50 more that want to join in part of this. >> The other big names are there, Cisco, CrowdStrike, Peloton Networks, all the big dogs are in there. >> All big partners of AWS, anyway, so it was an easy conversation and in most cases when we started having the conversation, they were like, "Wow, this has really been needed for a long time." And given our breadth of partners and where we sit from our customers perspective in the center of their cloud journey that they've looked at us and said, "You guys, we applaud you for driving this." >> So Mark, take us through the conversations you're having with the customers at re:Inforce. We saw a lot of meetings happening. It was great to be back face to face. You guys have been doing a lot of customer conversation, security Data Lake came out of that. What was the driving force behind it? What were some of the key concerns? What were the challenges and what's now the opportunity that's different? >> We heard from our customers in general. One, it's too hard for us to get all the data we need in a single place, whether through AWS, the industry in general, it's just too hard. We don't have those resources to data wrangle that data. We don't know how to pick schema. There's multiple ones out there. Tell us how we would do that. So these three challenges came out front and center for every customer. And mostly what they said is our resources are limited and we want to focus those resources on security outcomes and we have security engines. We don't want to focus them on data wrangling and large scale distributed systems. Can you help us solve that problem? And it came out loud and clear from almost every customer conversation we had. And that's where we took the challenge. We said, "Okay, let's build this data layer." And then on top of that we have services like Detective and Guard Duty, we'll take advantage of it as well. But we also have a myriad of ISV third parties that will also sit on top of that data and render out. >> What's interesting, I want to get your reaction. I know we don't have much time left, but I want to get your thoughts. When I see Security Data Lake, which is awesome by the way, love the focus, love how you guys put that together. It makes me realize the big thing in re:Invent this year is this idea of specialized solutions. You got instances for this and that, use cases that require certain kind of performance. You got the data pillars that Adam laid out. Are we going to start seeing more specialized data lakes? I mean, we have a video data lake. Is there going to be a FinTech data lake? Is there going to be, I mean, you got the Great Lakes kind of going on here, what is going on with these lakes? I mean, is that a trend that Amazon sees or customers are aligning to? >> Yeah, we have a couple lakes already. We have a healthcare lake and a financial lake and now we have a security lake. Foundationally we have Lake Formation, which is the tool that anyone can build a lake. And most of our lakes run on top of Lake Foundation, but specialize. And the specialization is in the data aggregation, normalization, enridgement, that is unique for those use cases. And I think you'll see more and more. >> John: So that's a feature, not a bug. >> It's a feature, it's a big feature. The customers have ask for it. >> So they want roll their own specialized, purpose-built data thing, lake? They can do it. >> And customer don't want to combine healthcare information with security information. They have different use cases and segmentation of the information that they care about. So I think you'll see more. Now, I also think that you'll see where there are adjacencies that those lakes will expand into other use cases in some cases too. >> And that's where the right tools comes in, as he was talking about this ETL zero, ETL feature. >> It be like an 80, 20 rule. So if 80% of the data is shared for different use cases, you can see how those lakes would expand to fulfill multiple use cases. >> All right, you think he's ready for the challenge? Look, we were on the same page. >> Okay, we have a new challenge, go ahead. >> So think of it as an Instagram Reel, sort of your hot take, your thought leadership moment, the clip we're going to come back to and reference your brilliance 10 years down the road. I mean, you've been a CUBE veteran, now CUBE alumni for almost 10 years, in just a few weeks it'll be that. What do you think is, and I suspect, I think I might know your answer to this, so feel free to be robust in this. But what do you think is the biggest story, key takeaway from the show this year? >> We're democratizing security data within Security Data Lake for sure. >> Well said, you are our shortest answer so far on theCUBE and I absolutely love and respect that. Mark, it has been a pleasure chatting with you and congratulations, again, on the huge announcement. This is such an exciting day for you all. >> Thank you Savannah, thank you John, pleasure to be here. >> John: Thank you, great to have you. >> We look forward to 10 more years of having you. >> Well, maybe we don't have to wait 10 years. (laughs) >> Well, more years, in another time. >> I have a feeling it'll be a lot of security content this year. >> Yeah, pretty hot theme >> Very hot theme. >> Pretty odd theme for us. >> Of course, re:Inforce will be there this year again, coming up 2023. >> All the res. >> Yep, all the res. >> Love that. >> We look forward to see you there. >> All right, thanks, Mark. >> Speaking of res, you're the reason we are here. Thank you all for tuning in to today's live coverage from AWS re:Invent. We are in Las Vegas, Nevada with John Furrier. My name is Savannah Peterson. We are theCUBE and we are the leading source for high tech coverage. (upbeat music)

>>Hey everyone. Welcome back to Las Vegas. The cube is live at the Venetian Expo Center for AWS Reinvent 2022. There are thousands and thousands and thousands of people here joining myself, Lisa Martin at Dave Valante. David, it's great to see the energy of day one alone. People are back, they're ready to be back. They're ready to hear from AWS and what it's gonna announce to. >>Yeah, all through the pandemic. Of course, we've talked about digital transformation, but the conversation is evolving beyond that to business transformation now, deeper integration of the cloud to really transform fundamental business operations and And that's a new era. >>It is a new era. It's exciting. We've got a couple of guests that we're gonna unpack that with. Anan. Beji joins us, the President Digital Business Services at HCL Tech and Prar, SVP and Global head of AWS business unit. Also from HCL Tech. Guys, welcome. Thank >>You. Thank you, >>Thank you. >>Let's talk about some of the latest trends anon. We'll start with you. What are some of the latest trends in digitalization, especially as it relates to cloud adoption? What are you hearing out in the marketplace? >>Yeah, I think you said it right. The post pandemic, every industry, every enterprise and every industry realize that for resilience, for their ability to change and adapt change and their ability to increase, you know, velocity of change so that they can move fast and keep up the expectations of their consumers, their partners, their employees, they need to have composability at the core and resilience at the core. And so, digital transformation became all about the ability to change, an ability to pivot faster. Now, it's easier said than done, right? Larger enterprises, especially as you move into complex regulated industries, you know, oil and gas, manufacturing, life sciences, healthcare, utilities, these are industries that are not easy to change. They're not adaptable to change, and yet they had to really become more adaptable. And they saw cloud as an enabler to, to all of that, right? So they started looking at every area of their business, business processes that make up their value chains and really look at how can they increase the adaptability and the ability to change these value chains so that they can engage with their customers better, their partners, better their employees better, and also build some of the composability. >>And what might mean that is that just kind of like Lego blocks, they don't have to make changes that are sweeping and big that are difficult to make, but make them in parts so that they can make them again and again. So velocity of change becomes important. Clouds become an enabler to all of this. And so if I look at the last four years, every industry, whether regulated or not b2c, B2B to C, B2B is adopting cloud for digital acceleration. >>I'm curious to what you're seeing on the front lines, given the macro headwinds. You mentioned business resilience and during the pandemic, it was a lot of CIOs told us, wow, we were, we were kind of focused on disaster recovery, but our business wasn't resilient. We were really optimizing for efficiency. And then they started to okay, build in that business resilience. But now you got the economic headwinds. Yes. People are tapping their brakes a little bit. There's some uncertainty, a longer sales cycle, even the cloud's not immune. Yeah. Even though it's still growing at 30% plus per year. What are you guys seeing in the field with the AWS partnership? How are customers, you know, dealing with some of those more strategic transformation projects? Yeah, >>Yeah. So you know, first off, one thing that's changed and is different is every industry realizes that there is no choice. They don't have a choice to not be resilient. They don't have a choice to not be adaptable. The pandemic has taught them that the markets and the macros are increasingly changing supply chains. It's changing customer behavior for their own industries. It's changing their pricing and their cost models. And for all of that, they need to continue on their digital journeys. Now, what's different though is they wanna prioritize. They wanna prioritize and do more with less. They want to adapt faster, but also make sure that they don't, they don't just try to do everything together. And so there's a lot of focus on what do we prioritize? How do we leverage cloud to move faster, you know, and cheaper in terms of our change. >>And also to decide where do we consume and where do we compose? We'll talk a little bit more about that. There are certain things that you don't want to invent yourself. You can consume from cloud providers, whether it's business features, whether it is cloud capabilities. And so it's, there is a shift from adopting cloud just for cost takeout and just for resilience, but also for composability, which means let's consume what I can consume from the cloud and really build those features faster. So squeeze the go to market time, squeeze the time to market and squeeze the price to market, right? So that's the >>Change and really driving those business outcomes. As we talked about Absolut ard, talk to us about how hcl tech and AWS are working together. How are you enabling customers to achieve what an was talking about? >>Oh, absolutely. I mean, our partnership has started almost 10 years back, but over the last one year, we have created what we call as AWS dedicated business unit to look at end to end stock from an AWS perspective. So what we see in the market as a explained is more drive from clients for optimization, driving, app modernization, driving consolidation, looking at the cost, sustainability angles, looking at the IOT angle, manufacturing platforms, the industry adoption. All this is actually igniting the way the industry would look at AWS and as well as the partnership. So from an HCL tech and AWS partnership, we're actually accelerating most of these conversations by building bespoke accelerated industry solutions. So what I mean is, for example, there is an issue with a manufacturing plant and take Covid situation, people can't get into a a manufacturing plant. So how can AWS help put it in the cloud, accelerate those conversations. So we are building those industry specific solutions so that it can be everybody from a manufacturing sector can adopt and actually go to market. As well as you can access all this applications once it is in the cloud from anywhere, any device with a scalable options. That's where our partnership is actually igniting lot of cloud conversations and playing conversations in the market. So we see a lot of traction there. Lisa, on >>That, incredibly important during the last couple of years alone. >>Absolutely. I mean, last couple of years have been groundbreaking, right? Especially with the covid, for example, Amazon Connect, we use, we used Amazon Connect to roll out, you know, call center at the cloud, right? So you don't have to walk into an office, for example. People are working in the banking sector, especially in the trading platform. They were, they were not able to get there. So, but they need to make calls. How do you do the customer service? So Amazon Connect came right at the junction, so call center in the cloud and you can access, dial the number so the customer don't feel the pain of, you know, somebody not answering. It's accessible. That's where the partnership or the HCL tech partnership and AWS comes into play because we bring the scale, the skill set capability with the services of, you know, aws, Amazon, and that forms a concrete story for the client, right? That's one such example. And you know, many such examples are in the market that we are accelerating in the, in the discussions. >>And connect is a good example. Lisa, we were talking earlier about Amazon doubling down on the primitives, but also moving up up market as well, up chain up the value chain. And it needs partners like HCL to be able to go into various industries and apply that effectively. Absolutely. And that's where business transformation comes >>In. Absolutely. Absolutely. I think some of the aspects that we are looking at is, you know, while we do most of this cloud transformation initiatives from an tech perspective, what we are doing is we are encompassing them into a story, which we call it as cloud smart, right? So we are calling it as cloud smart, which is a go-to market offering from Atcl Tech, where the client doesn't have to look at each of these services from various vendors. So it's a one stop shop, right? From strategy consulting, look, implementation, underpinned by app modernization, consolidation, and the operational. So we do that as end to end service with our offerings, which is why helping us actually accelerate conversations on the crowd. What happen is the clients are also building these capabilities more and more often. You see a lot of new services are being added to aws, so not many clients are aware of it. So it is the responsibility of system integrator like us to make them aware and bring it into a shape where the client can consume in a low cost option, in an optimized way. That's where I think it's, it's, it's working out very well for us. With the partnership of, so >>You curate those services that you know will fit the customer's business. You, you know, the ingredients that you could put together, the, the dinner. >>Absolutely. You're preparing a dish, right? So you're preparing a dish, you know where the ingredients are. So the ingredients are supplied by aws. So you need to prepare a pasta dish, right? So you, you how spicy you want to make it howland, you want to make it, you know what source you want to use. How do you bring all those elements together? That's what, you know, tech has been focusing on. >>And you use the word curation, right? Curation is really industry process down, depending on your industry, every industry, every enterprise, there are things that are differentiating them. There's a business processes that differentiate you and there are business processes that don't necessarily differentiate you but are core to you. For example, if you're a retailer, you know, you're retailing, you're merchandising, how you price your products, how you market your products, your supply chains, those differentiate you. How you run your general ledger, your accounting, your payables. HR is core to your business but doesn't differentiate you. And the choices you make in the cloud for each of these areas are different. What differentiates you? You compose what doesn't differentiate you consume because you don't want to try and compose what >>Telco Exactly. Oh my gosh. >>Our biggest examples are in Telco, right? Right. Their omnichannel marketing, you know, how they connect with their consumers, how they do their billing systems, how they do their pricing systems. Those are their differentiations and things that don't they want to consume. And that's where cloud adoption needs to come with really a curation framework. We call it the Phoenix framework, which defines what differentiates you versus not. And based on that, what are the architectural choices you make at the applications layer, the integration layer, the data layer, and the infrastructure layer all from aws and how do you make those choices? >>Talk about a customer example anon that really articulates that value. >>Yeah, I'll give you an example that sort of, everybody can relate to a very large tools company that manufactures tools that we all use at home for, you know, remodeling our houses, building stuff, building furniture. Their business post pandemic dramatically shifted in every way possible. Nobody was going anymore to Home Depot and Lowe's to buy their tools, their online business surge by 200%. Their supply chains were changing because their manufacturers originally were in China and Malaysia. They were shifting a lot of that base to Taiwan and Germany and Latin America. Their pricing model was changing. Their last mile deliveries were changing cuz they were not used to delivering you and me last mile deliveries. So every aspect of their business was changing. They hadn't thought of their business in the same way, but guess what? That business was growing, but the needs were changing and they needed to rethink every value chain in their business. >>And so they had to adopt cloud. They leverage AWS at their core to rethink every part of their business. Rebuilding their supply chain applications, modernizing their warehouse management systems, modernizing their pricing systems, modernizing their sales and marketing platforms, every aspect you can think of and all of that within 24 months. Cuz otherwise they would lose market share, you know, in any given market. And all of this, while they were, you know, delivering their day to day business, they were manufacturing the goods and they were shipping products. So that was quite a lot to achieve in 24 months. And that's not just one example is across industries, examples like that that we have. That's >>One of the best business transformation examples I think I've heard. >>Absolutely. Absolutely. And so cloud does need to start with a business transformation objective. And that's what's happening to the cloud. It's changing away from an infrastructure consolidation discussion to business task. >>Because I know you guys have a theater session tomorrow on, on continuous modern, it was experiencing cloud transformation and continuous modernization. That's the theme. Pre-cloud. It was just a, you'd, you'd live, you'd rip and replace your infrastructure and it was a big application portfolio assessment and rationalization. It was just, it just became this years long, you know, like an SAP installation. Yes. How has cloud changed that and what's, tell us more about that session and that continuous modernization. Yeah, >>So, so we are doing a John session with a client on how HCL Tech helped the client in terms of transforming the landscape and adopting cloud much faster, you know, into the ecosystem. So what we are currently doing is, so it's a continuous process. So when we talk about cloud adoption transformation, it doesn't stop there. So it, it needs to keep evolving. So what we came up with a framework for the all such clients who are on the cloud transformation part need to look at which we call it a smart waste cloud, cloud smart. Where once it is in the clouds, smart waste to cloud for cloud and in the cloud. So what happens is, when it is to cloud, what do you do? What are the accelerators? What are the frameworks? Smart waste for clouds? How do you look at the governance of it? >>Okay? Consolidation activities of it, once it is in the cloud, how do we optimize, what do you look at? Security aspects, et cetera. So the client doesn't have to go to multiple ecosystem partners to look at it. So he is looking at one such service provider who can actually encompass and give all this onto the plate in a much more granular fashion with accelerated approach. So we build accelerated solutions frameworks, which helps the client to actually pick and choose in a much lower cost, I think. And it has to be a continuous modernization for the client. So why we are calling it as a continuous modernization is we are also also creating what we call cloud foundries and factories. What happens is the client can look at not only in a transformation journey, but also futuristic when there are new services are adapted, how this transformation and factories helping them in a lower cost option and driving that a acceleration story. So we are addressing it in multiple ways. One on the transformation front, one on the TCO front, one on the AX accelerated front, one on the operational front. So all this combined into one single framework, which is what is a continuous modernization of clouded option from xgl tech. >>When you apply this framework with customers, how do you deal with technical debt? Can you avoid technical debt? Can you hide technical debt? Or is it like debt and taxes? We're always gonna have technical debt because Amazon, you know, they'll talk about, they don't ever deprecate anything. Yeah. You know, are they gonna, are we gonna see Amazon take on tech? How do you avoid that? Or at least shield the customer for that technical debt. >>So every cio, right? Key ambitions are digital cloud, TCO optimization, sustainability. So we have a framework for that. So every CIO will look at, okay, I wanna spend, but I want to be optimized. My TCO should not go up. So that's where a system integrator like us comes. We have AOP story where, which does the complete financial analysis of your cloud adoption as to what estate and what technical client already has. How can we optimize that and how can we, how can we overlay on top of that our own services to make it much more optimized solution for the client? And there are several frameworks that we have defined for the CIO organizations where the CIO can actually look at some of these elements and adopt it internally within the system. You wanna pick it from there? >>Yeah, I think, I think it's, it's, it's a great question. First of all, there's a generational shift in the last three years where nobody's doing lift and shift of traditional applications or traditional data systems to the cloud. As you said, nobody's taking their technical debt to the cloud anymore. >>Business value's not there. >>There's no business value, right? The value is really being cloud native, which means you want to continuously modernize your value chains, which means your applications, your integration, your data to leverage the cloud and continuously modernize. Now you will still make priority decisions, right? Things that really differentiate you. You will modernize them through composition things that don't, you'll rather consume them, but in both factors, you're modernizing, I use the word surround and drown enterprises are surrounding their traditional, you know, environments and drowning them over a period of time. So over the next five years, you'll see more and more irrelevant legacy because the relevance is being built in the cloud, cloud for the future. That's the way I see it. >>Speaking of, take us out here, speaking of business value and on, we're almost outta time here. If there's a billboard on 1 0 1 in Palo Alto regarding HCL tech, what's the value prop? What does it say? >>It's a simple billboard. We say we are super charging our customers, our partners, our employees. We are super charging progress. And we believe that the strength that we bring from learnings of over 200,000 professionals that work at hcl working with over half of, you know, 500 of the, the largest Fortune thousands in the world is, is really bringing those learnings that we continuously look at every day that we live with, every day across all kind of regulations, all kind of industries, in adopting new technologies, in modernizing their business strategies and achieving their business transformation goals with the velocity they want. That's kind of the supercharging progress mantra, >>Super charging progress. Love it. Guys, thank you so much for joining. David, me on the program talking about, thank you for having a conversation. Our pleasure. What's going on with HCL Tech, aws, the value that you're delivering for customers. Thank you so much for your time. Thank >>You. Thank you. Thanks. Have a great time. >>Take care for our guests. I'm Lisa Martin, he's Dave Valante. You're watching The Cube, the leader in live enterprise and emerging tech coverage.

(reveal music) >> We're kicking off with Deepak Rangaraj who's PowerEdge Security Product Manager at Dell Technologies. Deepak. Great to have you on the program. Thank you. >> Thank you for having me. >> So we're going through the infrastructure stack and in part one of this series, we looked at the landscape overall and how cyber has changed and specifically how Dell thinks about data protection in and security in a manner that both secures infrastructure and minimizes organizational friction. We also hit on the storage part of the portfolio. So now we want to dig into servers. So my first question is what are the critical aspects of securing server infrastructure that our audience should be aware of? >> Sure. So if you look at computing in general, right? It has rapidly evolved over the past couple of years especially with trends towards software defined data centers and with also organizations having to deal with hybrid environments, where they have private clouds public cloud, extra locations, remote offices and also remote workers. So on top of this, there's also an increase in the complexity of the supply chain itself, right? There are companies who are dealing with hundreds of suppliers as part of their supply chain. So all of this complexity provides a lot of opportunity for attackers because it's expanding the threat surface of what can be attacked. And attacks are becoming more frequent, more severe and more sophisticated. And this has also triggered around, in the regulatory and mandates around the security needs. And these regulations are not just in the government sector, right? So it extends to critical infrastructure. And eventually it will also get into the private sector. In addition to this organizations are also looking at their own internal compliance mandates and this could be based on the industry in which they're operating in or it could be their own security questions. And this is the landscape in which servers are operating in today. And given that servers are the foundational blocks of the data center it becomes extremely important to protect them, and given how complex the modern server platforms are, it's also extremely difficult and it takes a lot of effort. And this means protecting everything from the supply chain, to the manufacturing, and then eventually the assuring the hardware and software integrity of the platforms and also the operations. And there are very few companies that go to the lengths that Dell does in order to secure the server. We truly believe in the notion and the security mentality that, you know security should enable our customers to go focus on their business and proactively innovate on their business. And it should not be a burden to them. And we heavily invest to make that possible for our customers. >> So, this is really important because the premise that I set up at the beginning of this was really that I, as a security pro, I'm not a security pro, but if I were I wouldn't want to be doing all this infrastructure stuff because I now have all these new things I got to deal with. I want a company like Dell who has the resources to build that security in, to deal with the supply chain, to ensure the Providence et cetera. So I'm glad you hit on that but so given what you just said, what does cybersecurity resilience mean from a server perspective? For example, are there specific principles that Dell adheres to that are non-negotiable, let's say. How does Dell ensure that its customers can trust your server infrastructure? >> Yeah. Like when, when it comes to security at Dell, right it's ingrained in our product DNA. So that's the best way to put it. And security is non-negotiable, right? It's never an after thought where you come up with a design and then later on figure out how to go make it secure, right? With our security development life cycle, the products are being designed to counter these threats right from the beginning. And in addition to that, we are also testing and evaluating these products continuously to identify vulnerabilities. We also have external third party audits which supplement this process. And in addition to this Dell makes the commitment that we will rapidly respond to any mitigations and any vulnerabilities and exposures found out in the field and provide mitigations and patches for those in a timely manner. So this security principle is also built into our server life cycle, right? Every phase of it. So we want our products to provide cutting edge capabilities when it comes to security. So as part of that, we are constantly evaluating what our security model has done. We are building on it and continuously improving it. So till a few years ago, our model was primarily based on the NEST Framework of protect, detect, and regular. And it's still aligns really well to that framework. But over the past couple of years, we have seen how computers evolved, how the threats have evolved. And we have also seen the regulatory trends and we recognize the fact that the best security strategy for the modern world is a Zero Trust approach. And so now when we are building our infrastructure and tools and offerings for customers, first and foremost, they're cyber resilient, right? What we mean by that is they're capable of anticipating threats, withstanding attacks and rapidly recurring from attacks, and also adapting to the adverse conditions in which they're deployed. The process of designing these capabilities and identifying these capabilities, however is done through the Zero Trust Framework. And that's very important because now we are also anticipating how our customers will end up using these capabilities at their end to enable their own Zero Trust IT Environments and IT Zero Risk Deployments. We have completely adapted our security approach to make it easier for customers to work with us no matter where they are in their journey towards zero trust adoption. >> So thank you for that. You mentioned the NEST framework. You talked about Zero Trust. When I think about NEST I think as well about layered approaches. And when I think about Zero Trust, I think about if you don't have access to it, you're not getting access. You got to earn that access and you've got layers. And then you still assume that bad guys are going to get in. So you've got to detect that and you've got to response. So server infrastructure security is so fundamental. So my question is what is Dell providing specifically to for example, detect anomalies and breaches from unauthorized activity? How do you enable fast and easy or facile recovery from malicious incidents? >> Right, what that is, is exactly right. Breaches are bound to happen. Given how complex our current environment is it's extremely distributed and extremely connected, right? Data and users are no longer contained within offices where we can set up a parameter firewall and say, yeah, everything within that is good. We can trust everything within it. That's no longer true. The best approach to protect data and infrastructure in the current world is to use a Zero Trust approach which uses the principles, nothing is ever trusted, right? Nothing is trusted implicitly. You're constantly verifying every single user, every single device and every single access in your system at every single level of your IT environment. And this is the principle that we use on PowerEdge, right? But with an increased focus on providing granular controls and checks based on the principles of these privileged access. So the idea is that service first and foremost need to make sure that the threats never enter and they're rejected at the point of entry but we recognize breaches are going to occur. And if they do, they need to be minimized such that this fear of damage cost by attacker is minimized. So they're not able to move from one part of the network to something else, laterally or escalate their privileges and cause more damage, right? So the impact radius for instance, has to be reduced. And this is done through features like automated detection capabilities and automation, automated mediation capabilities. So some examples are, as part of our end to end boot resilience process we have what we call a system lockdown, right? We can lock down the configuration of the system and lock down the document versions and all changes to the system. And we have capabilities which automatically detect any drift from that lockdown configuration. And we can figure out if the drift was caused to do authorized changes or unauthorized changes. And if it is an unauthorized change can log it, generate security alerts. And we even have capabilities to automatically draw the firmware and roll those versions back to a known good version, and also the configurations, right? And this becomes extremely important because as part of Zero Trust, we need to respond to these things at machine speed, and we cannot do it at a human speed. And having these automated capabilities is a big deal when achieving that Zero Trust strategy. And in addition to this, we also have chassis intrusion detection where if the chassis, the box, the server box is opened up, it logs alerts and you can figure out, even later if there's an AC power cycle, you can go look at the logs to see that the boxes opened up and figure out if there was a, like an known authorized access or some malicious actor opening and changing something in your system. >> Great. Thank you for that. Lot of detail and appreciate that. I want to go somewhere else now because Dell has a renowned supply chain reputation. So what about securing the the supply chain and the server bill of materials? What does Dell specifically do to track the Providence of components it uses in its systems so that when the systems arrive a customer can be a hundred percent certain that that system hasn't been compromised. >> Right? And we talked about how complex the modern supply chain is, right? And that's no different for service. We have hundreds of components on the server and a lot of these require from where in order to be configured and run and these firmware competence could be coming from third party suppliers. So now the complexity that we are dealing with require the end to end approach. And that's where Dell pays a lot of attention into assuring the security of our supply chain. And it starts all the way from sourcing components, right? And then through the design and then even the manufacturing process where we are vetting the personal manufacturers and vetting the factories itself and the factories also have physical controls physical security controls built into them and even shipping, right? We have GPS tagging of packages. So all of this is built to ensure supply chain security but a critical aspect of this is also making sure that the systems which are built in the factories are delivered to the customers without any changes or any tamper. And we have a feature called the secure component verification, which is capable of doing this. What the feature does is when the system gets built in the factory, it generates an inventory of all the components in the system and it creates a cryptographic certificate based on the signatures presented to this by the competence. And this certificate is stored separately and sent to the customers separately from the system itself. So once the customers receive the system at their end they can run out to, it generates an inventory of the competence on the system at their end and then compare it to the golden certificate to make sure nothing was changed. And if any changes are detected we can figure out if there's an authorized change or an unauthorized change. Again authorized changes could be like, you know upgrades to the drives or memory and unauthorized changes could be any sort of tamper. So that's the supply chain aspect of it. And bill of materials is also an important aspect to guaranteeing security, right? And we provide a software bill of materials which is basically a list of ingredients of all the software pieces in the platform. So what it allows our customers to do is quickly take a look at all the different pieces and compare it to the vulnerability database and see if any of the vulnerable pieces which have been discovered out in the wild affect their platforms. So that's a quick way of figuring out if the platform has any known vulnerabilities and it has not been patched. >> Excellent. That's really good. My last question is, I wonder if you could, you know give us the sort of summary from your perspective. What are the key strengths of Dell server portfolio from a security standpoint? I'm really interested in, you know, the uniqueness and the strong suit that Dell brings to the table. >> Right? Yeah. We have talked enough about the complexity of the environment and how Zero Trust is necessary for the modern IT environment, right? And this is integral to Dell PowerEdge service. And as part of that, like, you know security stats with the supply chain, we have already talked about the second component verification which is a unique feature that Dell platforms have. And on top of it we also have a Silicon based platform mode of trust. So this is a key, which is programmed into the Silicon on the black server during manufacturing and can never be changed after. And this immutable key is what forms the anchor for creating the chain of trust. That is used to verify everything in the platform from the hardware and software integrity to the boot, all pieces of it. Right? In addition to that, we also have a host of data protection features, whether it is protecting data across in news or inflight, we have self encrypting drives which provides scalable and flexible encryption options. And this coupled with external key management provides really good protection for your data address. External key management is important because, you know somebody could physically steal the server, walk away but then the keys are not stored on the server. It's stored separately. So that provides your action layer security. And we also have dual layer encryption where we can compliment the hardware encryption on the secure encrypted drives with software encryption. In addition to this, we have identity and access management features like multifactor authentication, single sign on roles, scope, and time based access controls. All of which are critical to enable that granular control and checks for Zero Trust approach. So I would say like, you know, if you look at the Dell feature set, it's pretty comprehensive. And we also have the flexibility built in to meet the needs of all customers, no matter where they fall in the spectrum of, you know risk tolerance and security sensitivity. And we also have the capabilities to meet all the regulatory requirements and compliance requirements. So in a nutshell, I would say that, you know Dell PowerEdge service is cyber resilient infrastructure helps accelerate Zero Trust option for customers. >> Got it. So you've really thought this through, all the various things that you would do to sort of make sure that your server infrastructure is secure, not compromised, that your supply chain is secure, so that your customers can focus on some of the other things that they have to worry about, which are numerous. Thanks, Deepak, appreciate you coming on "The Cube" and participating in the program. >> Thank you for having me. >> You're welcome. In a moment, I'll be back to dig into the networking portion of the infrastructure. Stay with us for more coverage of a blueprint for trusted infrastructure and collaboration with Dell technologies on "The Cube". Your leader in enterprise and emerging tech coverage. (outro music)

Okay. We're back at AWS reinforced 2022. My name is Dave Vellante, and this is the cube we're here in Boston, home of lobster and CDA. And we're here, the convention center where the cube got started in 2010, Shariq Qureshi is here the senior manager at Deloitte and two LL P and merit bear is back on the cube. Good to see >>You guys can't keep me away, >>Right? No. Well, we love having you on the cube shark set up your role at, at Deloitte and toosh what do you actually, what's your swim lane, if you will. >>Yeah, sure. You know, I spend, I wear a lot of hats. I spend a lot of time in the assurance, the controls advisory audit type of role. So I spend our time, a lot of time working with our clients to understand, you know, regulatory requirements, compliance requirements, and then controls that they need to have in place in order to address risks, technology risks, and ultimately business risks. >>So I like to put forth premise, you know, when I walk around a show like this and come up with some observations and then I like to share 'em and then people like me. Well, you know, maybe so help me course correct. My epiphany at this event is the cloud is becoming the first line of defense. The CISO at your customers is now the second line of defense. I think audit is maybe the th third line of defense. Do, do you buy that the sort of organizational layered approach? >>No, because in fact, what we're here to talk about today is audit manager, which is integrated, right? Like if you're doing so the whole notion of cloud is that we are taking those bottom layers of the stack, right? So the concrete floors up through layer for the hypervisor, the, the racks and stacks and HVAC and guards and gates up through the hypervisor, right? Our, our proprietary hardware nitro ecosystem, which has security inheritance is okay upon that. We are then virtualized. Right? And so what we're really talking about is the ways that audit looks different today, that you can reason about what you're doing. So you're doing infrastructure as code. You can do securities code, you can do compliances code, and that's the beauty of it. So like for better, or in your case for worse in your analogy, you know, these are integrated, these are woven together and they are an API call >>Seamless. >>It, it is like easy to describe, right? I mean, like you can command line knowledge about your resources. You can also reason about it. So like, this is something that's embedded, for example, an inspector you can do network reachability know whether you have an internet facing endpoint, which is a PCI, you know, requirement, but that'll be dashboarded in your security hub. So there's the cloud is all the stuff we take away that you don't have to deal with. And also all the stuff that we manage on top of it that then you can reason about and augment and, and take action on. >>Okay. So at the same time you can't automate the audit entirely. Right? So, but, but talk about the challenges of, of, of, of automating and auditing cloud environment. >>Yeah. I mean, when I look at cloud, you know, organizations move to take advantage of cloud characteristics and cloud capabilities, right? So elasticity, scalability is one of them. And, you know, for market conditions, business, business outcomes, you know, resources expand and contract. And one of the questions that we often get as an auditor is how do you maintain a control environment for resources that weren't there yesterday, but are there today, or that are, that are no longer there and that are there today. So how do you maintain controls and how do you maintain security consistently uniformly throughout an audit environment? It's not there. So that's a challenge auditors, you know, historically when you look at the on-prem environment, you have servers that are there, it's a physical, it's a physical box. You can touch it and see it. And if it goes down, then, you know, it's still there. You can hug >>It if you're some people >>It's still there. So, but you know, with, you know, with cloud things get torn down that you don't see. So how do you maintain controls? That's, you know, it, one challenges, it >>Sounds like you're describing a CMDB for audit. >>I mean, that's a, that's an outcome of having, you know, getting good controls of having a CMDB to keep track and have an inventory of your assets. >>But the problem with CMDB is they're out of date, like so, so quickly, is it different in the cloud world? >>Yeah, exactly. I mean, yes. And yes, they are outta date. Cuz like anything static will be manual and imprecise, like it's gonna be, did John go calculate, like go count how many servers we have. That's why I was joking about server huggers versus like virtualizing it. So you put out a call and you know, not just whether it exists, but whether it's been patched, whether it's, you know, like there are ways that we can reason about what we've done, permissioning pruning, you know, like, and these, by the way, correspond to audit and compliance requirements. And so yes, we are not like there, it's not a click of a, whatever, a snap of the fingers, right. It takes work to translate between auditors and us. And it also takes work to have customers understand how they can augment the way that they think about compliance. But a lot of this is just the good stuff that they already need to be doing, right? Knowing internet facing endpoints or whatever, you know, like pruning permissioning. And there's a lot of ways that, you know, access analyzer, for example, these are automated reasoning tools that come from our formal reasoning group, automated reason group that's in identity. Like they, computers can reason about things in ways that are more complex, as long as it can be resolved. It's like EEU utility in mathematics. You don't go out and try to count every prime number. We accept the infinitude of primes to be true. If you believe in math, then we can reason about it. >>Okay. So hearing that there's a changing landscape yeah. In compliance shift from a lot of manual work to one that's much more highly automated, maybe not completely integrated and seamless. Right. But, but working in that direction, right. Yeah. Is that right? And maybe you could describe that in a little bit more detail, how that, you know, journey has progressed. >>I mean, just the fact alone that you have, you know, a lot of services, a lot of companies that are out there that are trying to remove the manual component and to automate things, to make things more efficient. So then, you know, developers can develop and we can be more agile and to do the things that, you know, really what the core competencies are of the business to remove those manual, you know, components to take out the human element and there's a growing need for it. You know, like we always look at security as, you know, like a second class citizen, we don't take advantage of, you know, the, you know, the opportunities that we need to, to do to maintain controls. So, you know, there's an opportunity here for us to look at and, and automate compliance, to automate controls and, and to make things, you know, seamless >>As a fun side benefit, you will actually hopefully have improved your actual security and also retain your workforce because people don't wanna be doing manual processes. You know, they wanna be doing stuff that humans are designed for, which is creative thinking, innovation, you know, creating ways to make new pathways instead of just like re walking these roads that a computer can analyze, >>You mentioned audit manager, what is that? I mean, let's give a plug for the product or the service. What's that all about what problems does it solve? Let's get >>Into that. Yeah. I mean, audit manager is a first of its kind service. You're not gonna find this offered through any other hyperscaler it's specifically geared and tailored towards the second line, which is security and compliance and a third line function, which is internal audit. So what is it looking to do and what is it looking to address some of those challenges working in a cloud space working, and if you have a cloud footprint. So for example, you know, most organizations operate in a multi account strategy, right? You don't just have one account, but how do you maintain consistency of controls across all your accounts? Auto manager is a service that can give, you know, kind of that single pane of view that to see across your entire landscape, just like a cartographer has a map to see, you know, the entire view of what he's designing auto managers does the same thing only from a cloud perspective. So there's also other, you know, features and capabilities that auto managers trying to integrate, you know, that presents challenges for those in compliance those in the audit space. So, you know, most companies, organizations they have, you know, not just one framework like SOC two or GDPR, high trust, HIPAA PCI, you know, you can select an industry accepted framework and evaluate your cloud consumption against, you know, an industry accepted framework to see where you stand in terms of your control posture, your security hygiene, >>And that's exclusive to AWS. Is that what you're saying? You won't find that on any other hyper scale >>And you'll find similarities in other products, but you won't find something that's specifically geared towards the second line and third line. There's also other features and capabilities to collect evidence, which is, I don't see that in the marketplace. >>Well, the only reason I ask that is because, you know, you, everybody has multiple clouds and I would love, I would love a, you know, an audit manager that's, that's span that transcends, you know, one cloud, is that possible? Or is that something that is just not feasible because of the, the, the deltas between clouds? >>I mean, anything's possible with the APIs right now, the way that, you know, you have to ingrain in, right. There's, you know, a, a feature that was introduced recently for audit manager was the ability to pull in APIs from third party sources. So now you're not just looking, looking exclusively at one cloud provider, you're looking at your entire digital ecosystem of services, your tools, your SA solutions that you're consuming to get a full, comprehensive picture of your environment. >>So compliance, risk, audit security, they're like cousins that are all sort of hanging out on the same holiday, but, but they're different. Like what help us understand and squint through those different disciplines. >>Yeah. I mean, each of them have, you know, a different role and a hat to wear. So internal audit is more of your independent arm of management working or reporting directly towards, you know, to the audit committee or to the board to give an independent view on company control and posture security and compliance works with management to help design the, that there that are intended to prevent, detect, or even correct, you know, controls, breakdowns, you know, those action, those action verb items that you wanna prevent unauthorized access, or you wanna restrict changes from making its way into production unless it's approved and, and documented and tracked and so on and so forth. So each, you know, these roles they're very similar, but they're also different in terms of what their function is. >>How are customers dealing with regional differences? You mentioned GDPR, different regulations, data sovereignty, what are the global nuances and complexities that, that, that cloud brings. And how are you addressing those? >>Yeah. Merit, I don't know if you had any thoughts on that one. >>I mean, I think that a lot of what, and this will build off of your response to the sort of Venn diagrams of security and risk and compliance and audit. I think, you know, what we're seeing is that folks care about the same stuff. They care about privacy. They care about security. They care about incentivizing best practices. The form that that takes when it's a compliance framework is by definition a little bit static over time. Whereas security tends to be more quickly evolving with standards that are like industry standards. And so I think one of the things that, you know, all these compliance frameworks have in, in mind is to go after those best practices, the forms that they take may take different forms. You know what I mean? And so I, I see them as hopeful in the motivation sense that we are helping entities get the wherewithal, they need to grow up or mature or get even more security minded. I think there are times that they feel a little clunky, but you know, that's just Frank. Yeah. >>It, it, it can audit manager sort of help me solve that problem. Is that the intent? And I see what you're saying, merit, that there security is at a different pace than, than, you know, GDPR, a privacy, you know, person, >>Right. I mean, like security says, we want this outcome. We want to have, you know, data be protected. The compliance may say, it must be this particular encryption standard. You know what I mean? Like the form I see things taking over time will evolve and, and feels dynamic. Whereas I think that sometimes when we think about compliance and it's exactly why we need stuff like audit manager is to like help manage exactly what articulation of that are we getting in this place at this time for this regulated industry? And like almost every customer I have is regulated. If you're doing business, you're probably in PCI, right. >>And there's never just one silver bullet. So security is, is a number of things that you're gonna do, the number of tools that you're gonna have. And it's often the culture in, in what you develop in your people, your process and technology. So auto manager is one of the components of robust strategy on how to address security. >>But it's also one of those things where like, there are very few entities, maybe Deloitte is one that are like built to do compliance. They're built to do manufacturing, automotive hospitality. Yeah. You know, like they're doing some other industry as their industry. Right. And we wanna let them have less lag time as they make sure that they can do that core business. And the point is to enable them to move our, I mean like sure. I think that folks should move to the pod because of security, but you don't have to, you should move because it enables your business. And this is one of the ways in which it just like minimizes, you know, like whatever our tailwinds lagging or push it anyway, it pushes you. Right. I mean, like it minimizes the lag >>Definitely tailwind. So are you suggesting merit that you can inject that industry knowledge and specificity into things like audit manager and, and actually begin to automate that as, and of course Deloitte has, you know, industry expertise char, but, but, but how should we think about that? >>I mean, you're gonna, you're gonna look at your controls comprehensively a across the board. So if you operate in an industry, you're gonna look to see like, what's, what's important for you. What do you have to, you know, be mindful of? So if you have data residency concerns, you wanna make sure that you've tailored your controls based on the risks that you're addressing. So if there's a framework >>And remember that you can go in the console and choose what region you're, you know, like we never remove your data from your region that you have chosen, you know, like this is, there's an intentionality and an ability to do this with a click of a mouse or with an API call that's, you know, or with a cloud formation template. That's like, there is a deliberateness there. There's not just like best wishes. >>You know, >>ESG is in scope. I presume, you know, helping the CISO become more green, more diverse. Increasingly you're seeing ESG reports come out from major organizations. I presume that's part of the compliance, but maybe not, maybe it hasn't seeped in yet. Are you seeing >>For that? I think it's still a new service auto manager. It's still, you know, being developed, but, you know, continuous feedback to make sure that, you know, we're covering a, a broad range of services and, and, and those considerations are definitely in the scope. Yeah. >>I mean, are you hearing more of that from >>Clients? So, I mean, we have an internal commitment to sustainability, right. That has been very publicly announced and that I'm passionate about. We also have some other native tools that probably, you know, are worth mentioning here, like security hub that does, you know, CIS benchmarking and other things like that are traffic lighted in their dashboard. You know, like there are ways a lot of this is going to be the ways that we can take what might have been like an ugly ETL process and instead take the managed ness on top of it and, and consume that and allow your CISO to make high velocity decision, high velocity, high quality decisions. >>What's the relationship between your two firms? How do you work >>To I'm like we just met. >>Yeah. I sense that, so is it, is it, how do you integrate, I guess is >>A question. Yeah. I mean, I mean, from the audit perspective, our perspective, working with clients and understanding, you know, their requirements and then bringing the service audit manager from the technical aspect and how we can work together. So we have a few use cases, one we've working with the tech company who wanted to evaluate, you know, production workload that had content, you know, critical client information, client data. So they needed to create custom controls. We were working with them to create custom controls, which auto manager would evaluate their environment, which would, you know, there's a reporting aspect of it, which was used to, you know, to present to senior leadership. So we were working together with AWS and on helping craft what those custom controls were in implement at the customer. >>Yeah. I mean, among other things, delight can help augment workforce. It can help folks interpret their results when they get outputs and act upon them and understand industry standards for responsiveness there. I mean, mean like it's a way to augment your approach by, you know, bringing in someone who's done this before. >>Yeah. Cool, cool. Collaboration on a topic that's generally considered, sorry. Don't, don't hate me for saying this boring, but really important. And the fact that you're automating again makes it a lot more interesting guys. Excellent. Thanks for your sharp first time on the cube. Thank you. Absolutely on, appreciate it. Rapidly. Becoming a VIP. Thanks. Coming on. Hey, I'll take it. All right. Keep it right there. Thank you. This is Dave ante for the cube. You're watching our coverage of AWS reinforce 2022 from Boston. We'll be right back.

>> Announcer: "theCUBE" presents HPE Discover 2022. Brought to you by HPE. >> Welcome back to HPE Discover 2022. You're watching "theCUBE's" coverage. This is Day 2, Dave Vellante with John Furrier. Sheila Rohra is here. She's the Senior Vice President and GM of the Data Infrastructure Business at Hewlett Packard Enterprise, and of course, the storage division. And Omer Asad. Welcome back to "theCUBE", Omer. Senior Vice President and General Manager for Cloud Data Services, Hewlett Packard Enterprise storage. Guys, thanks for coming on. Good to see you. >> Thank you. Always a pleasure, man. >> Thank you. >> So Sheila, I'll start with you. Explain the difference. The Data Infrastructure Business and then Omer's Cloud Data Services. You first. >> Okay. So Data Infrastructure Business. So I'm responsible for the primary secondary storage. Basically, what you physically store, the data in a box, I actually own that. So I'm going to have Omer explain his business because he can explain it better than me. (laughing) Go ahead. >> So 100% right. So first, data infrastructure platforms, primary secondary storage. And then what I do from a cloud perspective is wrap up those things into offerings, block storage offerings, data protection offerings, and then put them on top of the GreenLake platform, which is the platform that Antonio and Fidelma talked about on main Keynote stage yesterday. That includes multi-tenancy, customer subscription management, sign on management, and then on top of that we build services. Services are cloud-like services, storage services or block service, data protection service, disaster recovery services. Those services are then launched on top of the platform. Some services like data protection services are software only. Some services are software plus hardware. And the hardware on the platform comes along from the primary storage business and we run the control plane for that block service on the GreenLake platform and that's the cloud service. >> So, I just want to clarify. So what we maybe used to know as 3PAR and Nimble and StoreOnce. Those are the products that you're responsible for? >> That is the primary storage part, right? And just to kind of show that, he and I, we do indeed work together. Right. So if you think about the 3PAR, the primary... Sorry, the Primera, the Alletras, the Nimble, right? All that, right? That's the technology that, you know, my team builds. And what Omer does with his magic is that he turns it into HPE GreenLake for storage, right? And to deliver as a service, right? And basically to create a self-service agility for the customer and also to get a very Cloud operational experience for them. >> So if I'm a customer, just so I get this right, if I'm a customer and I want Hybrid, that's what you're delivering as a Cloud service? >> Yes. >> And I don't care where the data is on-premises, in storage, or on Cloud. >> 100%. >> Is that right? >> So the way that would work is, as a customer, you would come along with the partner, because we're 100% partner-led. You'll come to the GreenLake Console. On the GreenLake Console, you will pick one of our services. Could be a data protection service, could be the block storage service. All services are hybrid in nature. Public Cloud is 100% participant in the ecosystem. You'll choose a service. Once you choose a service, you like the rate card for that service. That rate card is just like a hyperscaler rate card. IOPS, Commitment, MINCOMMIT's, whatever. Once you procure that at the price that you like with a partner, you buy the subscription. Then you go to console.greenLake.com, activate your subscription. Once the subscription is activated, if it's a service like block storage, which we talked about yesterday, service will be activated, and our supply chain will send you our platform gear, and that will get activated in your site. Two things, network cable, power cable, dial into the cloud, service gets activated, and you have a cloud control plane. The key difference to remember is that it is cloud-consumption model and cloud-operation model built in together. It is not your traditional as a service, which is just like hardware leasing. >> Yeah, yeah, yeah. >> That's a thing of the past. >> But this answers a question that I had, is how do you transfer or transform from a company that is, you know, selling boxes, of course, most of you are engineers are software engineers, I get that, to one that is selling services. And it sounds like the answer is you've organized, I know it's inside baseball here, but you organize so that you still have, you can build best of breed products and then you can package them into services. >> Omer: 100%. 100%. >> It's separate but complementary organization. >> So the simplest way to look at it would be, we have a platform side at the house that builds the persistence layers, the innovation, the file systems, the speeds and feeds, and then building on top of that, really, really resilient storage services. Then how the customer consumes those storage services, we've got tremendous feedback from our customers, is that the cloud-operational model has won. It's just a very, very simple way to operate it, right? So from a customer's perspective, we have completely abstracted away out hardware, which is in the back. It could be at their own data center, it could be at an MSP, or they could be using a public cloud region. But from an operational perspective, the customer gets a single pane of glass through our service console, whether they're operating stuff on-prem, or they're operating stuff in the public cloud. >> So they get storage no matter what? They want it in the cloud, they got it that way, and if they want it as a service, it just gets shipped. >> 100%. >> They plug it in and it auto configures. >> Omer: It's ready to go. >> That's right. And the key thing is simplicity. We want to take the headache away from our customers, we want our customers to focus on their business outcomes, and their projects, and we're simplifying it through analytics and through this unified cloud platform, right? On like how their data is managed, how they're stored, how they're secured, that's all taken care of in this operational model. >> Okay, so I have a question. So just now the edge, like take me through this. Say I'm a customer, okay I got the data saved on-premise action, cloud, love that. Great, sir. That's a value proposition. Come to HPE because we provide this easily. Yeah. But now at the edge, I want to deploy it out to some edge node. Could be a tower with Telecom, 5G or whatever, I want to box this out there, I want storage. What happens there? Just ship it out there and connects up? Does it work the same way? >> 100%. So from our infrastructure team, you'll consume one or two platforms. You'll consume either the Hyperconverged form factor, SimpliVity, or you might convert, the Converged form factor, which is proliant servers powered by Alletras. Alletra 6Ks. Either of those... But it's very different the way you would procure it. What you would procure from us is an edge service. That edge service will come configured with certain amount of compute, certain amount of storage, and a certain amount of data protection. Once you buy that on a dollars per gig per month basis, whichever rate card you prefer, storage rate card or a VMware rate card, that's all you buy. From that point on, the platform team automatically configures the back-end hardware from that attribute-based ordering and that is shipped out to your edge. Dial in the network cable, dial in the power cable, GreenLake cloud discovers it, and then you start running the- >> Self-service, configure it, it just shows up, plug it in, done. >> Omer: Self-service but partner-led. >> Yeah. >> Because we have preferred pricing for our partners. Our partners would come in, they will configure the subscriptions, and then we activate those customers, and then send out the hardware. So it's like a hyperscaler on-prem at-scale kind of a model. >> Yeah, I like it a lot. >> So you guys are in the data business. You run the data portion of Hewlett Packard Enterprise. I used to call it storage, even if we still call it storage but really, it's evolving into data. So what's your vision for the data business and your customer's data vision, if you will? How are you supporting that? >> Well, I want to kick it off, and then I'm going to have my friend, Omer, chime in. But the key thing is that what the first step is is that we have to create a unified platform, and in this case we're creating a unified cloud platform, right? Where there's a single pane of glass to manage all that data, right? And also leveraging lots of analytics and telemetry data that actually comes from our infosite, right? We use all that, we make it easy for the customer, and all they have to say, and they're basically given the answers to the test. "Hey, you know, you may want to increase your capacity. You may want to tweak your performance here." And all the customers are like, "Yes. No. Yes, no." Basically it, right? Accept and not accept, right? That's actually the easiest way. And again, as I said earlier, this frees up the bandwidth for the IT teams so then they actually focus more on the business side of the house, rather than figuring out how to actually manage every single step of the way of the data. >> Got it. >> So it's exactly what Sheila described, right? The way this strategy manifests itself across an operational roadmap for us is the ability to change from a storage vendor to a data services vendor, right? >> Sheila: Right. >> And then once we start monetizing these data services to our customers through the GreenLake platform, which gives us cloud consumption model and a cloud operational model, and then certain data services come with the platform layer, certain data services are software only. But all the services, all the data services that we provide are hybrid in nature, where we say, when you provision storage, you could provision it on-prem, or you can provision it in a hyperscaler environment. The challenge that most of our customers have come back and told us, is like, data center control planes are getting fragmented. On-premises, I mean there's no secrecy about it, right? VMware is the predominant hypervisor, and as a result of that, vCenter is the predominant configuration layer. Then there is the public cloud side, which is through either Ajour, or GCP, or AWS, being one of the largest ones out there. But when the customer is dealing with data assets, the persistence layer could be anywhere, it could be in AWS region, it could be your own data center, or it could be your MSP. But what this does is it creates an immense amount of fragmentation in the context in which the customers understand the data. Essentially, John, the customers are just trying to answer three questions: What is it that I store? How much of it do I store? Should I even be storing it in the first place? And surprisingly, those three questions just haven't been answered. And we've gotten more and more fragmented. So what we are trying to produce for our customers, is a context to ware data view, which allows the customer to understand structured and unstructured data, and the lineage of how it is stored in the organization. And essentially, the vision is around simplification and context to ware data management. One of the key things that makes that possible, is again, the age old infosite capability that we have continued to hone and develop over time, which is now up to the stage of like 12 trillion data points that are coming into the system that are not corroborated to give that back. >> And of course cost-optimizing it as well. We're up against the clock, but take us through the announcements, what's new from when we sort of last talked? I guess it was in September. >> Omer: Right. >> Right. What's new that's being announced here and, or, you know, GA? >> Right. So three major announcements that came out, because to keep on establishing the context when we were with you last time. So last time we announced GreenLake backup and recovery service. >> John: Right. >> That was VMware backup and recovery as a complete cloud, sort of SaaS control plane. No backup target management, no BDS server management, no catalog management, it's completely a SaaS service. Provide your vCenter address, boom, off you go. We do the backups, agentless, 100% dedup enabled. We have extended that into the public cloud domain. So now, we can back up AWS, EC2, and EBS instances within the same constructs. So a single catalog, single backup policy, single protection framework that protects you both in the cloud and on-prem, no fragmentation, no multiple solutions to deploy. And the second one is we've extended our Hyperconverged service to now be what we call the Hybrid Cloud On-Demand. So basically, you go to GreenLake Console control plane, and from there, you basically just start configuring virtual machines. It supports VMware and AWS at the same time. So you can provision a virtual machine on-prem, or you can provision a virtual machine in the public cloud. >> Got it. >> And, it's the same framework, the same catalog, the same inventory management system across the board. And then, lastly, we extended our block storage service to also become hybrid in nature. >> Got it. >> So you can manage on-prem and AWS, EBS assets as well. >> And Sheila, do you still make product announcements, or does Antonio not allow that? (Omer laughing) >> Well, we make product announcements, and you're going to see our product announcements actually done through the HPE GreenLake for block storage. >> Dave: Oh, okay. >> So our announcements will be coming through that, because we do want to make it as a service. Again, we want to take all of that headache of "What configuration should I buy? How do I actually deploy it? How do I...?" We really want to take that headache away. So you're going to see more feature announcements that's going to come through this. >> So feature acceleration through GreenLake will be exposed? >> Absolutely. >> This is some cool stuff going on behind the scenes. >> Oh, there's a lot good stuff. >> Hardware still matters, you know. >> Hardware still matters. >> Does it still matter? Does hardware matter? >> Hardware still matters, but what matters more is the experience, and that's actually what we want to bring to the customer. (laughing) >> John: That's good. >> Good answer. >> Omer: 100%. (laughing) >> Guys, thanks so much- >> John: Hardware matters. >> For coming on "theCUBE". Good to see you again. >> John: We got it. >> Thanks. >> And hope the experience was good for you Sheila. >> I know, I know. Thank you. >> Omer: Pleasure as always. >> All right, keep it right there. Dave Vellante and John Furrier will be back from HPE Discover 2022. You're watching "theCUBE". (soft music)

(upbeat music) >> Good afternoon, everyone. Welcome back to theCUBE's live coverage of Snowflake Summit 22, the fourth annual Snowflake Summit. Lisa Martin here with Dave Vellante, We're live in Vegas, as I mentioned. We've got a couple of guests here with us. We're going to be unpacking some more great information that has come out of the show news today. Please welcome Chris Child back to theCUBE, Senior Director of Product Management at Snowflake, and Lisa Cramer is here, Head of Embedded Products at LiveRamp, guys welcome. >> Thank you. >> Hi. >> Tell us a little bit about LiveRamp, what you guys do, what your differentiators are and a little bit about the Snowflake partnership? >> Sure, well, LiveRamp makes it safe and easy to connect data. And we're powered by core identity resolution capabilities, which enable our clients to resolve their data, and connect it with other data sets. And so we've brought these identity infrastructure capabilities to Snowflake, and built into the Native Application Framework. We focused on two initial products around device resolution, which enables our clients to connect customer data from the digital ecosystem. This powers things like, measurement use cases, and understanding campaign effectiveness and ROI. And the second capability we built into the Native Application Framework is called transcoding. And this enables a translation layer between identifiers, so that parties can safely and effectively share data at a person-based view. >> Chris, talk to us about, Snowflake just announced a lot of news this morning, just announced, the new Snowflake Native Application Framework. You alluded to this, Lisa, talk to us about that. What does it mean for customers, what does it do? Give us all the backstory. >> Yeah, so we had seen a bunch of cases for our customers where they wanted to be able to take application logic, and have other people use it. So LiveRamp, as an example of that, they've built a bunch of complicated logic to help you figure out who is the same person in different systems. But the problem was always that, that application had to run outside of the Data Cloud. And that required you to take your data outside of Snowflake, entrust your data to a third party. And so every time that companies have to go, become a vendor, they have to go through a security review, and go through a long onerous process, to be able to be allowed to process the really sensitive data that these customers have. So with the Native Applications Framework, you can take your application code, all of the logic, and the data that's needed to build it together, and actually push that through secure data sharing into a customer's account, where it runs, and is able to access their data, join it with data from the provider, all without actually having to give that provider access to your core data assets themselves. >> Is it proper to think of the Native Application Framework as a PaaS layer within the Data Cloud? >> That's a great way to think about it. And so, this is where we've integrated with the marketplace as well. So providers like LiveRamp will be able to publish these applications. They'll run entirely on effectively a PaaS layer that's powered by Snowflake, and be able to deliver those to any region, any cloud, any place that Snowflake runs. >> So, we get a lot of grief for this term, but we've coined a term called "supercloud". Okay, and the supercloud is an abstraction layer that hovers above the hyperscale infrastructure. Companies like yours, build on top of that. So you don't have to worry about the underlying complexities. And we've said that, in order to make that a reality, you have to have a super PaaS. So is that essentially what you're doing? You're building your product on top of that? You're not worrying about, okay, now I'm going to go to Azure, I'm going to go to AWS, or I'm going to go to, wherever, is that a right way to think about it? >> That's exactly right. And I think, Snowflake has really helped us, kind of shift the paradigm in how we work with our customers, and enabled us to bring our capabilities to where their data lives, right? And enabled them to, kind of run the analytics, and run the identity resolution where their data sits. And so that's really exciting. And I think, specifically with the Native Application Framework, Snowflake delivered on the promise of minimizing data movement, right? The application is installed. You don't have to move your data at all. And so for us, that was a really compelling reason to build into it. And we love when our customers can maintain control of their data. >> So the difference between what you are doing as partners, and a SaaS, is that, you're not worrying about all the capabilities, there in the data, all the governance, and the security components. You're relying on the Data Cloud for that, is that right? Or is it a SaaS? >> Yeah, I think there's components, like certainly parts of our business still run in the SaaS model. But I think the ability to rely on some of the infrastructure that Snowflake provides, and honestly kind of the connectivity, and the verticalized solutions that Snowflake brings to bear with data providers, and technology providers, that matter most to that vertical, really enable us to kind of rely on some of that to ensure that we can serve our customers as they want us to. >> So you're extending your SaaS platform and bringing new capabilities, as opposed to building, or are you building new apps in the Data Cloud? This is, I'm sorry to be so pedantic, but I'm trying to understand from your perspective. >> Oh yeah, so we built new capabilities within the Data Cloud. It's based on our core identity infrastructure capabilities, but we wanted to build into the Native Application Framework, so that data doesn't have to move and we can serve our customers, and they can maintain control over their data in their environment. So we built new capabilities, but it's all based on our core identity infrastructure. >> So safe sharing reminds me of like when procurement says, do we have an MSA? Yes, okay, go. You know, it's just frictionless. Versus no, okay, send some paper, go back and forth and it just takes forever. >> That's one of the big goals that we see. And to your point on, is it a PaaS, is it a SaaS? We honestly think of it as something a little bit different, in a similar way to where, at Snowflake we saw a whole generation of SaaS business models, and as a utility, and a consumption-based model, we think of ourselves as different from a SaaS business model. We're now trying to enable application providers, like LiveRamp, to take the core technology in IP that they've built over many, many years, but deliver it in a completely new different way that wasn't possible. And so part of this is extending what they're doing, and making it a little easier to deploy, and not having to go through the MSA process in the same way. But also we do think that this will allow entirely new capabilities to be brought that wouldn't be possible, unless they could be deployed and run inside the Data Cloud. >> Is LiveRamp a consumption pricing model, or is it a subscription, or a combo? >> We are actually a subscription, but with some usage capabilities. >> It's an hybrid. >> Chris, talk a little bit about the framework that you guys have both discussed. How is it part of the overall Snowflake vision of delivering secure and governed, powerful analytics, and data sharing to customers, and ecosystem partners? >> So this, for us we view this as kind of the next evolution of Snowflake. So Snowflake was all built on helping people consolidate their data, bring all your data into one place and then run all of your different workloads on it. And what we've seen over the years is, there are still a lot of different use cases, where you need to take your data out of the Data Cloud, in order to do certain different things. So we made a bunch of announcements today around machine learning, so that you don't have to take your data out to train models. And native applications is built on the idea of don't bring your data to the applications you need. Whether they're machine learning models, whether they're identity resolution, whether they're really even just analytics. Instead, take the application logic and bring that into the Data Cloud, and run it right on your data where it is. And so the big benefit of that is, I don't need copies of my data that are getting out of sync, and getting out of date. I don't need to give a copy of my data to anyone else. I get to keep it, I get to govern it. I get to secure it. I know exactly what's going on. But now, we can open this up to workloads, not just ones that Snowflake's building, but workloads that partners like LiveRamp, or anyone else is building. All those workloads can then run in a single copy of your data, in a single secure environment. >> And when you say in one place, Chris, people can get confused by that, 'cause it's really not in one place. it's the global thing that Benoit stressed this morning >> And that right, and so these, once you write a native app once, so the native app that they've written is one piece of code, one application, that now can be deployed by customers in any region, or on any cloud that they're running on without any changes at all. So to your point on the PaaS, that's where it gets very PaaS-like, because they write once to the Snowflake APIs, and now it can run literally anywhere the Snowflake runs. >> But the premise that we've put forth in supercloud is that, this is a new era. It's not multicloud. And it's consistent with a digital business, right? You're building, you've got a digital business, and this is a new value layer of a digital business. If I've got capabilities, I want to bring them to the cloud. I want to bring them to, every company's a software company, software's eating the world, data's eating software. I mean, I could go on and on and on, but it's not like 10 years ago. This is a whole new life cycle that we're just starting. Is that valid? I mean do you feel that way about LiveRamp? >> Definitely, I mean, I think it's really exciting to see all of the data connectivity that is happening. At the same time, I think the challenges still remain, right? So there are still challenges around being able to resolve your data, and being able to connect your data to a person-based view in a privacy safe way, to be able to partner with others in a data collaboration model, right? And to be able to do all of that without sharing anything from a sensitive identifier standpoint, or not having a resolved data set. And so I think you're absolutely right. There's a lot of really cool, awesome innovation happening, but the customer challenges, kind of still exist. And so that's why it's exciting to build these applications that can now solve those problems, where that data is. >> It's the cloud benefit, the heavy lifting thing, for data? 'Cause you don't have to worry about all that. You can focus on campaign ROI, or whatever new innovation that you want to bring out. >> And think about it from the end customer's perspective. They now, can come into their single environment where they have all their data, they can say, I need to match the identity, and they can pull in LiveRamp with a few clicks, and then they can say, I'm ready to take some actions on this. And they can pull in action tools with just a few more clicks. And they haven't made current marketing stack that you see. There's 20 different tools and you're schlepping data back and forth between each of them, and LiveRamp's just one stop on your journey to get this data out to where I'm actually sending emails or targeting ads. Our vision is that, all that happens on one copy of the data, each of these different tools are grabbing the parts they need, again in a secure well-governed, well-controlled way, enriching in ways that they need, taking actions that they need, pulling in other data sets that they need. But the end consumer maintains control over the data, and over the process, the entire way through. >> So one copy data. So you sometimes might make a copy, right? But you'd make as many copies as you need to, but no more, kind of thing, to paraphrase Einstein, or is that right? >> There's literally one copy of the data. So one of the nice things with Snowflake, with data sharing, and with native applications, the data is stored once in one file on disc and S3, which eventually is a disc somewhere. >> Yeah, yeah, right. >> But what can happen is, I'm really just granting permission to these different applications, to read and write from that single copy of the data. So as soon as a new customer touches my website, that immediately shows up in my data. LiveRamp gets access to that instantly. They enrich it. Before I've even noticed that that new customer signed up, the data's already been enriched, the identity's been matched, and they're already put into a bucket about what campaign I should run against them. >> So the data stays where it is. You bring the ISO compute, but the application. And then you take the results, right? And then I can read them back? >> You bring the next application, right to that same copy of the data. So what'll happen is you'll have a view that LiveRamp is accessing and reading and making changes on, LiveRamp is exposing its own view, I have another application reading from the LiveRamp view, exposing its own view. And ultimately someone's taking an action based on that. But there's one copy of the data all the way through. That's the really powerful thing. >> Okay, so yeah, so you're not moving the data. So you're not dealing with latency problems, but I can, if I'm in Australia and I'm running on US West, it's not a problem? >> Yes, so there, if you do want to run across different clouds, we will copy the data in that case, we've found it's much faster. >> Okay, great, I thought I was losing my mind. >> No, but as long as you're staying within a single region, there will be no copies of the data. >> Yeah, okay, totally makes sense, great. >> One of the efficiency there in speed to be able to get the insights. That's what it's all about, being able to turn the volume up on the data from a value perspective. Thanks so much guys for joining us on the program today talking about what LiveRamp and Snowflake are doing together and breaking down the Snowflake Native Application Framework. We appreciate your insights and your time, And thanks for joining us. >> Thank you both. >> Thank you guys. >> Thank you. >> For our guests, and Dave Vellante, I'm Lisa Martin. You're watching theCUBE Live from Snowflake Summit 22 from Las Vegas. We'll be right back with our next guest. (upbeat music)

(upbeat music) >> Hello everyone, my name is Dave Vellante, and we're digging into the many facets of the software supply chain and how to better manage digital risk. I'd like to introduce Kirsten Newcomer, who is the Director of Cloud and DevSecOps Strategy at Red Hat. Hello Kirsten, welcome. >> Hello Dave, great to be here with you today. >> Let's dive right in. What technologies and practices should we be thinking about that can help improve the security posture within the software supply chain? >> So I think the most important thing for folks to think about really is adopting DevSecOps. And while organizations talk about DevSecOps, and many folks have adopted DevOps, they tend to forget the security part of DevSecOps. And so for me, DevSecOps is both DevSec, how do I shift security left into my supply chain, and SecOps which is a better understood and more common piece of the puzzle, but then closing that loop between what issues are discovered in production and feeding that back to the development team to ensure that we're really addressing that supply chain. >> Yeah I heard a stat. I don't know what the source is, I don't know if it's true, but it probably is that around 50% of the organizations in North America, don't even have a SecOps team. Now of course that probably includes a lot of smaller organizations, but the SecOps team, they're not doing DevSecOps, but so what are organizations doing for supply chain security today? >> Yeah, I think the most common practice, that people have adopted is vulnerability scanning. And so they will do that as part of their development process. They might do it at one particular point, they might do it at more than one point. But one of the challenges that, we see first of all, is that, that's the only security gate that they've integrated into their supply chain, into their pipeline. So they may be scanning code that they get externally, they may be scanning their own code. But the second challenge is that the results take so much work to triage. This is static vulnerability scanning. You get information that is not in full context, because you don't know whether a vulnerability is truly exploitable, unless you know how exposed that particular part of the code is to the internet, for example, or to other aspects. And so it's just a real challenge for organizations, who are only looking at static vulnerability data, to figure out what the right steps to take are to manage those. And there's no way we're going to wind up with zero vulnerabilities, in the code that we're all working with today. Things just move too quickly. >> Is that idea of vulnerability scanning, is it almost like sampling where you may or may not find the weakest link? >> I would say that it's more comprehensive than that. The vulnerability scanners that are available, are generally pretty strong, but they are, again, if it's a static environment, a lot of them rely on NVD database, which typically it's going to give you the worst case scenario, and by nature can't account for things like, was the software that you're scanning built with controls, mitigations built in. It's just going to tell you, this is the package, and this is the known vulnerabilities associated with that package. It's not going to tell you whether there were compiler time flags, that may be mitigated that vulnerability. And so it's almost overwhelming for organizations, to prioritize that information, and really understand it in context. And so when I think about the closed loop feedback, you really want not just that static scan, but also analysis that takes into account, the configuration of the application, and the runtime environment and any mitigations that might be present there. >> I see, thank you for that. So, given that this digital risk and software supply chains are now front and center, we read about them all the time now, how do you think organizations are responding? What's the future of software supply chain going to look like? >> That's a great one. So I think organizations are scrambling. We've certainly at Red Hat, We've seen an increase in questions, about Red Hat's own supply chain security, and we've got lots of information that we can share and make available. But I think also we're starting to see, this strong increased interest, in security bill of materials. So I actually started working with, automation and standards around security bill of materials, a number of years ago. I participated in The Linux Foundation, SPDX project. There are other projects like CycloneDX. But I think all organizations are going to need to, those of us who deliver software, we're going to need to provide S-bombs and consumers of our software should be looking for S-bombs, to help them understand, to build transparency across the projects. And to facilitate that automation, you can leverage the data, in a software package list, to get a quick view of vulnerabilities. Again, you don't have that runtime context yet, but it saves you that step, perhaps of having to do the initial scanning. And then there are additional things that folks are looking at. Attested pipelines is going to be key, for building your custom software. As you pull the code in and your developers build their solutions, their applications, being able to vet the steps in your pipeline, and attest that nothing has happened in that pipeline, is really going to be key. >> So the software bill of materials is going to give you, a granular picture of your software, and then what the chain of, providence if you will or? >> Well, an S-bomb depending on the format, an S-bomb absolutely can provide a chain of providence. But another thing when we think about it, from the security angles, so there's the providence, where did this come from? Who provided it to me? But also with that bill of materials, that list of packages, you can leverage tooling, that will give you information about vulnerability information about those packages. At Red Hat we don't think that vulnerability info should be included in the S-bomb, because vulnerability data changes everyday. But, it saves you a step potentially. Then you don't necessarily have to be so concerned about doing the scan, you can pull data about known vulnerabilities for those packages without a scan. Similarly the attestation in the pipeline, that's about things like ensuring that, the code that you pull into your pipeline is signed. Signatures are in many ways of more important piece for defining providence and getting trust. >> Got it. So I was talking to Asiso the other day, and was asking her okay, what are your main challenges, kind of the standard analyst questions, if you will. She said look, I got great people, but I just don't have enough depth of talent, to handle, the challenges I'm always sort of playing catch up. That leads one to the conclusion, okay, automation is potentially an answer to address that problem, but the same time, people have said to me, sometimes we put too much faith in automation. some say okay, hey Kirsten help me square the circle. I want to automate because I lack the talent, but it's not, it's not sufficient. What are your thoughts on automation? >> So I think in the world we're in today, especially with cloud native applications, you can't manage without automation, because things are moving too quickly. So I think the way that you assess whether automation is meeting your goals becomes critical. And so looking for external guidance, such as the NIST's Secure Software Development Framework, that can help. But again, when we come back, I think, look for an opinionated position from the vendors, from the folks you're working with, from your advisors, on what are the appropriate set of gates. And we've talked about vulnerability scanning, but analyzing the configed data for your apps it's just as important. And so I think we have to work together as an industry, to figure out what are the key security gates, how do we audit the automation, so that I can validate that automation and be comfortable, that it is actually meeting the needs. But I don't see how we move forward without automation. >> Excellent. Thank you. We were forced into digital, without a lot of thought. Some folks, it's a spectrum, some organizations are better shape than others, but many had to just dive right in without a lot of strategy. And now people have sat back and said, okay, let's be more planful, more thoughtful. So as you, and then of course, you've got, the supply chain hacks, et cetera. How do you think the whole narrative and the strategy is going to change? How should it change the way in which we create, maintain, consume softwares as both organizations and individuals? >> Yeah. So again, I think there's going to be, and there's already, need request for more transparency, from software vendors. This is a place where S-bombs play a role, but there's also a lot of conversation out there about zero trust. So what does that mean in, you have to have a relationship with your vendor, that provides transparency, so that you can assess the level of trust. You also have to, in your organization, determine to your point earlier about people with skills and automation. How do you trust, but verify? This is not just with your vendor, but also with your internal supply chain. So trust and verify remains key. That's been a concept that's been around for a while. Cloud native doesn't change that, but it may change the tools that we use. And we may also decide what are our trust boundaries. Are they where are we comfortable trusting? Where do we think that zero trust is more applicable place, a more applicable frame to apply? But I do think back to the automation piece, and again, it is hard for everybody to keep up. I think we have to break down silos, we have to ensure that teams are talking across those silos, so that we can leverage each other's skills. And we need to think about managing everything as code. What I like about the everything is code including security, is it does create auditability in new ways. If you're managing your infrastructure, and get Ops like approach your security policies, with a get Ops like approach, it provides visibility and auditability, and it enables your dev team to participate in new ways. >> So when you're talking about zero trust I think, okay, I can't trust users, I got to trust the verified users, machines, employees, my software, my partners. >> Yap >> Every possible connection point. >> Absolutely. And this is where both attestation and identity become key. So being able to, I mean, the SolarWinds team has done a really interesting set of things with their supply chain, after they were, in response to the hack they were dealing with. They're now using Tekton CD chains, to ensure that they have, attested every step in their supply chain process, and that they can replicate that with automation. So they're doing a combination of, yep. We've got humans who need to interact with the chain, and then we can validate every step in that chain. And then workload identity, is a key thing for us to think about too. So how do we assert identity for the workloads that are being deployed to the cloud and verify whether that's with SPIFFE SPIRE, or related projects verify, that the workload is the one that we meant to deploy and also runtime behavioral analysis. I know we've been talking about supply chain, but again, I think we have to do this closed loop. You can't just think about shifting security left. And I know you mentioned earlier, a lot of teams don't have SecOps, but there are solutions available, that help assess the behavior and runtime, and that information can be fed back to the app dev team, to help them adjust and verify and validate. Where do I need to tighten my security? >> Am glad you brought up the SolarWinds to Kirsten what they're doing. And as I remember after 911, everyone was afraid to fly, but it was probably the safest time in history to fly. And so same analogy here. SolarWinds probably has learned more about this and its reputation took a huge hit. But if you had to compare, what SolarWinds has learned and applied, at the speed at which they've done it with maybe, some other software suppliers, you might find that they've actually done a better job. It's just, unfortunately, that something hit that we never saw before. To me it was Stuxnet, like we'd never seen anything like this before, and then boom, we've entered a whole new era. I'll give you the last word Kirsten. >> No just to agree with you. And I think, again, as an industry, it's pushed us all to think harder and more carefully about where do we need to improve? What tools do we need to build to help ourselves? Again, S-bombs have been around, for a good 10 years or so, but they are enjoying a resurgence of importance signing, image signing, manifest signing. That's been around for ages, but we haven't made it easy to integrate that into the supply chain, and that's work that's happening today. Similarly that attestation of a supply chain, of a pipeline that's happening. So I think as a industry, we've all recognized, that we need to step up, and there's a lot of creative energy going into improving in this space. >> Excellent Kirsten Newcomer, thanks so much for your perspectives. Excellent conversation. >> My pleasure, thanks so much. >> You're welcome. And you're watching theCUBE, the leader in tech coverage. (soft music)

(upbeat music) >> Hello everyone, my name is Dave Vellante, and we're digging into the many facets of the software supply chain and how to better manage digital risk. I'd like to introduce Kirsten Newcomer, who is the Director of Cloud and DevSecOps Strategy at Red Hat. Hello Kirsten, welcome. >> Hello Dave, great to be here with you today. >> Let's dive right in. What technologies and practices should we be thinking about that can help improve the security posture within the software supply chain? >> So I think the most important thing for folks to think about really is adopting DevSecOps. And while organizations talk about DevSecOps, and many folks have adopted DevOps, they tend to forget the security part of DevSecOps. And so for me, DevSecOps is both DevSec, how do I shift security left into my supply chain, and SecOps which is a better understood and more common piece of the puzzle, but then closing that loop between what issues are discovered in production and feeding that back to the development team to ensure that we're really addressing that supply chain. >> Yeah I heard a stat. I don't know what the source is, I don't know if it's true, but it probably is that around 50% of the organizations in North America, don't even have a SecOps team. Now of course that probably includes a lot of smaller organizations, but the SecOps team, they're not doing DevSecOps, but so what are organizations doing for supply chain security today? >> Yeah, I think the most common practice, that people have adopted is vulnerability scanning. And so they will do that as part of their development process. They might do it at one particular point, they might do it at more than one point. But one of the challenges that, we see first of all, is that, that's the only security gate that they've integrated into their supply chain, into their pipeline. So they may be scanning code that they get externally, they may be scanning their own code. But the second challenge is that the results take so much work to triage. This is static vulnerability scanning. You get information that is not in full context, because you don't know whether a vulnerability is truly exploitable, unless you know how exposed that particular part of the code is to the internet, for example, or to other aspects. And so it's just a real challenge for organizations, who are only looking at static vulnerability data, to figure out what the right steps to take are to manage those. And there's no way we're going to wind up with zero vulnerabilities, in the code that we're all working with today. Things just move too quickly. >> Is that idea of vulnerability scanning, is it almost like sampling where you may or may not find the weakest link? >> I would say that it's more comprehensive than that. The vulnerability scanners that are available, are generally pretty strong, but they are, again, if it's a static environment, a lot of them rely on NVD database, which typically it's going to give you the worst case scenario, and by nature can't account for things like, was the software that you're scanning built with controls, mitigations built in. It's just going to tell you, this is the package, and this is the known vulnerabilities associated with that package. It's not going to tell you whether there were compiler time flags, that may be mitigated that vulnerability. And so it's almost overwhelming for organizations, to prioritize that information, and really understand it in context. And so when I think about the closed loop feedback, you really want not just that static scan, but also analysis that takes into account, the configuration of the application, and the runtime environment and any mitigations that might be present there. >> I see, thank you for that. So, given that this digital risk and software supply chains are now front and center, we read about them all the time now, how do you think organizations are responding? What's the future of software supply chain going to look like? >> That's a great one. So I think organizations are scrambling. We've certainly at Red Hat, We've seen an increase in questions, about Red Hat's own supply chain security, and we've got lots of information that we can share and make available. But I think also we're starting to see, this strong increased interest, in security bill of materials. So I actually started working with, automation and standards around security bill of materials, a number of years ago. I participated in The Linux Foundation, SPDX project. There are other projects like CycloneDX. But I think all organizations are going to need to, those of us who deliver software, we're going to need to provide S-bombs and consumers of our software should be looking for S-bombs, to help them understand, to build transparency across the projects. And to facilitate that automation, you can leverage the data, in a software package list, to get a quick view of vulnerabilities. Again, you don't have that runtime context yet, but it saves you that step, perhaps of having to do the initial scanning. And then there are additional things that folks are looking at. Attested pipelines is going to be key, for building your custom software. As you pull the code in and your developers build their solutions, their applications, being able to vet the steps in your pipeline, and attest that nothing has happened in that pipeline, is really going to be key. >> So the software bill of materials is going to give you, a granular picture of your software, and then what the chain of, providence if you will or? >> Well, an S-bomb depending on the format, an S-bomb absolutely can provide a chain of providence. But another thing when we think about it, from the security angles, so there's the providence, where did this come from? Who provided it to me? But also with that bill of materials, that list of packages, you can leverage tooling, that will give you information about vulnerability information about those packages. At Red Hat we don't think that vulnerability info should be included in the S-bomb, because vulnerability data changes everyday. But, it saves you a step potentially. Then you don't necessarily have to be so concerned about doing the scan, you can pull data about known vulnerabilities for those packages without a scan. Similarly the attestation in the pipeline, that's about things like ensuring that, the code that you pull into your pipeline is signed. Signatures are in many ways of more important piece for defining providence and getting trust. >> Got it. So I was talking to Asiso the other day, and was asking her okay, what are your main challenges, kind of the standard analyst questions, if you will. She said look, I got great people, but I just don't have enough depth of talent, to handle, the challenges I'm always sort of playing catch up. That leads one to the conclusion, okay, automation is potentially an answer to address that problem, but the same time, people have said to me, sometimes we put too much faith in automation. some say okay, hey Kirsten help me square the circle. I want to automate because I lack the talent, but it's not, it's not sufficient. What are your thoughts on automation? >> So I think in the world we're in today, especially with cloud native applications, you can't manage without automation, because things are moving too quickly. So I think the way that you assess whether automation is meeting your goals becomes critical. And so looking for external guidance, such as the NIST's Secure Software Development Framework, that can help. But again, when we come back, I think, look for an opinionated position from the vendors, from the folks you're working with, from your advisors, on what are the appropriate set of gates. And we've talked about vulnerability scanning, but analyzing the configed data for your apps it's just as important. And so I think we have to work together as an industry, to figure out what are the key security gates, how do we audit the automation, so that I can validate that automation and be comfortable, that it is actually meeting the needs. But I don't see how we move forward without automation. >> Excellent. Thank you. We were forced into digital, without a lot of thought. Some folks, it's a spectrum, some organizations are better shape than others, but many had to just dive right in without a lot of strategy. And now people have sat back and said, okay, let's be more planful, more thoughtful. So as you, and then of course, you've got, the supply chain hacks, et cetera. How do you think the whole narrative and the strategy is going to change? How should it change the way in which we create, maintain, consume softwares as both organizations and individuals? >> Yeah. So again, I think there's going to be, and there's already, need request for more transparency, from software vendors. This is a place where S-bombs play a role, but there's also a lot of conversation out there about zero trust. So what does that mean in, you have to have a relationship with your vendor, that provides transparency, so that you can assess the level of trust. You also have to, in your organization, determine to your point earlier about people with skills and automation. How do you trust, but verify? This is not just with your vendor, but also with your internal supply chain. So trust and verify remains key. That's been a concept that's been around for a while. Cloud native doesn't change that, but it may change the tools that we use. And we may also decide what are our trust boundaries. Are they where are we comfortable trusting? Where do we think that zero trust is more applicable place, a more applicable frame to apply? But I do think back to the automation piece, and again, it is hard for everybody to keep up. I think we have to break down silos, we have to ensure that teams are talking across those silos, so that we can leverage each other's skills. And we need to think about managing everything as code. What I like about the everything is code including security, is it does create auditability in new ways. If you're managing your infrastructure, and get Ops like approach your security policies, with a get Ops like approach, it provides visibility and auditability, and it enables your dev team to participate in new ways. >> So when you're talking about zero trust I think, okay, I can't trust users, I got to trust the verified users, machines, employees, my software, my partners. >> Yap >> Every possible connection point. >> Absolutely. And this is where both attestation and identity become key. So being able to, I mean, the SolarWinds team has done a really interesting set of things with their supply chain, after they were, in response to the hack they were dealing with. They're now using Tekton CD chains, to ensure that they have, attested every step in their supply chain process, and that they can replicate that with automation. So they're doing a combination of, yep. We've got humans who need to interact with the chain, and then we can validate every step in that chain. And then workload identity, is a key thing for us to think about too. So how do we assert identity for the workloads that are being deployed to the cloud and verify whether that's with SPIFFE SPIRE, or related projects verify, that the workload is the one that we meant to deploy and also runtime behavioral analysis. I know we've been talking about supply chain, but again, I think we have to do this closed loop. You can't just think about shifting security left. And I know you mentioned earlier, a lot of teams don't have SecOps, but there are solutions available, that help assess the behavior and runtime, and that information can be fed back to the app dev team, to help them adjust and verify and validate. Where do I need to tighten my security? >> Am glad you brought up the SolarWinds to Kirsten what they're doing. And as I remember after 911, everyone was afraid to fly, but it was probably the safest time in history to fly. And so same analogy here. SolarWinds probably has learned more about this and its reputation took a huge hit. But if you had to compare, what SolarWinds has learned and applied, at the speed at which they've done it with maybe, some other software suppliers, you might find that they've actually done a better job. It's just, unfortunately, that something hit that we never saw before. To me it was Stuxnet, like we'd never seen anything like this before, and then boom, we've entered a whole new era. I'll give you the last word Kirsten. >> No just to agree with you. And I think, again, as an industry, it's pushed us all to think harder and more carefully about where do we need to improve? What tools do we need to build to help ourselves? Again, S-bombs have been around, for a good 10 years or so, but they are enjoying a resurgence of importance signing, image signing, manifest signing. That's been around for ages, but we haven't made it easy to integrate that into the supply chain, and that's work that's happening today. Similarly that attestation of a supply chain, of a pipeline that's happening. So I think as a industry, we've all recognized, that we need to step up, and there's a lot of creative energy going into improving in this space. >> Excellent Kirsten Newcomer, thanks so much for your perspectives. Excellent conversation. >> My pleasure, thanks so much. >> You're welcome. And you're watching theCUBE, the leader in tech coverage. (soft music)

(upbeat music) >> Hello everyone, my name is Dave Vellante, and we're digging into the many facets of the software supply chain and how to better manage digital risk. I'd like to introduce Kirsten Newcomer, who is the Director of Cloud and DevSecOps Strategy at Red Hat. Hello Kirsten, welcome. >> Hello Dave, great to be here with you today. >> Let's dive right in. What technologies and practices should we be thinking about that can help improve the security posture within the software supply chain? >> So I think the most important thing for folks to think about really is adopting DevSecOps. And while organizations talk about DevSecOps, and many folks have adopted DevOps, they tend to forget the security part of DevSecOps. And so for me, DevSecOps is both DevSec, how do I shift security left into my supply chain, and SecOps which is a better understood and more common piece of the puzzle, but then closing that loop between what issues are discovered in production and feeding that back to the development team to ensure that we're really addressing that supply chain. >> Yeah I heard a stat. I don't know what the source is, I don't know if it's true, but it probably is that around 50% of the organizations in North America, don't even have a SecOps team. Now of course that probably includes a lot of smaller organizations, but the SecOps team, they're not doing DevSecOps, but so what are organizations doing for supply chain security today? >> Yeah, I think the most common practice, that people have adopted is vulnerability scanning. And so they will do that as part of their development process. They might do it at one particular point, they might do it at more than one point. But one of the challenges that, we see first of all, is that, that's the only security gate that they've integrated into their supply chain, into their pipeline. So they may be scanning code that they get externally, they may be scanning their own code. But the second challenge is that the results take so much work to triage. This is static vulnerability scanning. You get information that is not in full context, because you don't know whether a vulnerability is truly exploitable, unless you know how exposed that particular part of the code is to the internet, for example, or to other aspects. And so it's just a real challenge for organizations, who are only looking at static vulnerability data, to figure out what the right steps to take are to manage those. And there's no way we're going to wind up with zero vulnerabilities, in the code that we're all working with today. Things just move too quickly. >> Is that idea of vulnerability scanning, is it almost like sampling where you may or may not find the weakest link? >> I would say that it's more comprehensive than that. The vulnerability scanners that are available, are generally pretty strong, but they are, again, if it's a static environment, a lot of them rely on NVD database, which typically it's going to give you the worst case scenario, and by nature can't account for things like, was the software that you're scanning built with controls, mitigations built in. It's just going to tell you, this is the package, and this is the known vulnerabilities associated with that package. It's not going to tell you whether there were compiler time flags, that may be mitigated that vulnerability. And so it's almost overwhelming for organizations, to prioritize that information, and really understand it in context. And so when I think about the closed loop feedback, you really want not just that static scan, but also analysis that takes into account, the configuration of the application, and the runtime environment and any mitigations that might be present there. >> I see, thank you for that. So, given that this digital risk and software supply chains are now front and center, we read about them all the time now, how do you think organizations are responding? What's the future of software supply chain going to look like? >> That's a great one. So I think organizations are scrambling. We've certainly at Red Hat, We've seen an increase in questions, about Red Hat's own supply chain security, and we've got lots of information that we can share and make available. But I think also we're starting to see, this strong increased interest, in security bill of materials. So I actually started working with, automation and standards around security bill of materials, a number of years ago. I participated in The Linux Foundation, SPDX project. There are other projects like CycloneDX. But I think all organizations are going to need to, those of us who deliver software, we're going to need to provide S-bombs and consumers of our software should be looking for S-bombs, to help them understand, to build transparency across the projects. And to facilitate that automation, you can leverage the data, in a software package list, to get a quick view of vulnerabilities. Again, you don't have that runtime context yet, but it saves you that step, perhaps of having to do the initial scanning. And then there are additional things that folks are looking at. Attested pipelines is going to be key, for building your custom software. As you pull the code in and your developers build their solutions, their applications, being able to vet the steps in your pipeline, and attest that nothing has happened in that pipeline, is really going to be key. >> So the software bill of materials is going to give you, a granular picture of your software, and then what the chain of, providence if you will or? >> Well, an S-bomb depending on the format, an S-bomb absolutely can provide a chain of providence. But another thing when we think about it, from the security angles, so there's the providence, where did this come from? Who provided it to me? But also with that bill of materials, that list of packages, you can leverage tooling, that will give you information about vulnerability information about those packages. At Red Hat we don't think that vulnerability info should be included in the S-bomb, because vulnerability data changes everyday. But, it saves you a step potentially. Then you don't necessarily have to be so concerned about doing the scan, you can pull data about known vulnerabilities for those packages without a scan. Similarly the attestation in the pipeline, that's about things like ensuring that, the code that you pull into your pipeline is signed. Signatures are in many ways of more important piece for defining providence and getting trust. >> Got it. So I was talking to Asiso the other day, and was asking her okay, what are your main challenges, kind of the standard analyst questions, if you will. She said look, I got great people, but I just don't have enough depth of talent, to handle, the challenges I'm always sort of playing catch up. That leads one to the conclusion, okay, automation is potentially an answer to address that problem, but the same time, people have said to me, sometimes we put too much faith in automation. some say okay, hey Kirsten help me square the circle. I want to automate because I lack the talent, but it's not, it's not sufficient. What are your thoughts on automation? >> So I think in the world we're in today, especially with cloud native applications, you can't manage without automation, because things are moving too quickly. So I think the way that you assess whether automation is meeting your goals becomes critical. And so looking for external guidance, such as the NIST's Secure Software Development Framework, that can help. But again, when we come back, I think, look for an opinionated position from the vendors, from the folks you're working with, from your advisors, on what are the appropriate set of gates. And we've talked about vulnerability scanning, but analyzing the configed data for your apps it's just as important. And so I think we have to work together as an industry, to figure out what are the key security gates, how do we audit the automation, so that I can validate that automation and be comfortable, that it is actually meeting the needs. But I don't see how we move forward without automation. >> Excellent. Thank you. We were forced into digital, without a lot of thought. Some folks, it's a spectrum, some organizations are better shape than others, but many had to just dive right in without a lot of strategy. And now people have sat back and said, okay, let's be more planful, more thoughtful. So as you, and then of course, you've got, the supply chain hacks, et cetera. How do you think the whole narrative and the strategy is going to change? How should it change the way in which we create, maintain, consume softwares as both organizations and individuals? >> Yeah. So again, I think there's going to be, and there's already, need request for more transparency, from software vendors. This is a place where S-bombs play a role, but there's also a lot of conversation out there about zero trust. So what does that mean in, you have to have a relationship with your vendor, that provides transparency, so that you can assess the level of trust. You also have to, in your organization, determine to your point earlier about people with skills and automation. How do you trust, but verify? This is not just with your vendor, but also with your internal supply chain. So trust and verify remains key. That's been a concept that's been around for a while. Cloud native doesn't change that, but it may change the tools that we use. And we may also decide what are our trust boundaries. Are they where are we comfortable trusting? Where do we think that zero trust is more applicable place, a more applicable frame to apply? But I do think back to the automation piece, and again, it is hard for everybody to keep up. I think we have to break down silos, we have to ensure that teams are talking across those silos, so that we can leverage each other's skills. And we need to think about managing everything as code. What I like about the everything is code including security, is it does create auditability in new ways. If you're managing your infrastructure, and get Ops like approach your security policies, with a get Ops like approach, it provides visibility and auditability, and it enables your dev team to participate in new ways. >> So when you're talking about zero trust I think, okay, I can't trust users, I got to trust the verified users, machines, employees, my software, my partners. >> Yap >> Every possible connection point. >> Absolutely. And this is where both attestation and identity become key. So being able to, I mean, the SolarWinds team has done a really interesting set of things with their supply chain, after they were, in response to the hack they were dealing with. They're now using Tekton CD chains, to ensure that they have, attested every step in their supply chain process, and that they can replicate that with automation. So they're doing a combination of, yep. We've got humans who need to interact with the chain, and then we can validate every step in that chain. And then workload identity, is a key thing for us to think about too. So how do we assert identity for the workloads that are being deployed to the cloud and verify whether that's with SPIFFE SPIRE, or related projects verify, that the workload is the one that we meant to deploy and also runtime behavioral analysis. I know we've been talking about supply chain, but again, I think we have to do this closed loop. You can't just think about shifting security left. And I know you mentioned earlier, a lot of teams don't have SecOps, but there are solutions available, that help assess the behavior and runtime, and that information can be fed back to the app dev team, to help them adjust and verify and validate. Where do I need to tighten my security? >> Am glad you brought up the SolarWinds to Kirsten what they're doing. And as I remember after 911, everyone was afraid to fly, but it was probably the safest time in history to fly. And so same analogy here. SolarWinds probably has learned more about this and its reputation took a huge hit. But if you had to compare, what SolarWinds has learned and applied, at the speed at which they've done it with maybe, some other software suppliers, you might find that they've actually done a better job. It's just, unfortunately, that something hit that we never saw before. To me it was Stuxnet, like we'd never seen anything like this before, and then boom, we've entered a whole new era. I'll give you the last word Kirsten. >> No just to agree with you. And I think, again, as an industry, it's pushed us all to think harder and more carefully about where do we need to improve? What tools do we need to build to help ourselves? Again, S-bombs have been around, for a good 10 years or so, but they are enjoying a resurgence of importance signing, image signing, manifest signing. That's been around for ages, but we haven't made it easy to integrate that into the supply chain, and that's work that's happening today. Similarly that attestation of a supply chain, of a pipeline that's happening. So I think as a industry, we've all recognized, that we need to step up, and there's a lot of creative energy going into improving in this space. >> Excellent Kirsten Newcomer, thanks so much for your perspectives. Excellent conversation. >> My pleasure, thanks so much. >> You're welcome. And you're watching theCUBE, the leader in tech coverage. (soft music)

>>welcome back everyone to the cube con cloud, David Kahn coverage. I'm john for a host of the cube, we're here in person, 2020 20 a real event, it's a hybrid event, we're streaming live to you with all the great coverage and guests coming on next three days. Clayton Coleman's chief Hybrid cloud architect for Red Hat is joining me here to go over viewers talk but also talk about hybrid cloud. Multi cloud where it's all going road red hats doing great to see you thanks coming on. It's a pleasure to be >>back. It's a pleasure to be back in cuba con. >>Uh it's an honor to have you on as a chief architect at Red Hat on hybrid cloud. It is the hottest area in the market right now. The biggest story we were back in person. That's the biggest story here. The second biggest story, that's the most important story is hybrid cloud. And what does it mean for multi cloud, this is a key trend. You just gave a talk here. What's your take on it? You >>know, I, I like to summarize hybrid cloud as the answer to. It's really the summarization of yes please more of everything, which is, we don't have one of anything. Nobody has got any kind of real footprint is single cloud. They're not single framework, they're not single language, they're not single application server, they're not single container platform, they're not single VM technology. And so, um, and then, you know, looking around here in this, uh, partner space where eight years into kubernetes and there is an enormous ecosystem of tools, technologies, capabilities, add ons, plug ins components that make our applications better. Um the modern application landscape is so huge that I think that's what hybrid really is is it's we've got all these places to run stuff more than ever and we've got all this stuff to run more than ever and it doesn't slow down. So how do we bring sanity to that? How do we understand it? Bring it together and companies has been a big part of that, like it unlocked some of that. What's the next step? >>Yeah, that's a great, great commentary. I want to take into the kubernetes piece but you know, as we've been reporting the digital transformation at all time, high speed is the number one request. People want to go faster, not just speeds and feeds, but like ship code fast to build apps faster. Make it all run faster and secure. Okay, check, get that. Look what we were 15, 15 years ago, 10 years ago, five years ago, 2016. The first coupe con in Seattle we were there for small events kubernetes, we gotta sell it, figure it out. Right convince people >>that it's a it's worth >>it. Yeah. So what's your take on that? Well, I mean, it's mature, it's kind of de facto standard at this point. What's missing. Where is it? >>So I think Kubernetes has succeeded at the core mission which is helping us stop worrying about all the problems that we spent endless amounts of time arguing about, how do I deploy software, How do I roll it out? But in the meantime we've added more types of software. You know, the rise of ai ml um you know, the whole the whole ecosystem around training software models like what is a what is an Ai model? Is it look like an application, does it look like a job? It's part batch, part service. Um It's spread out to the edge. We've added mobile devices. The explosion in mobile computing over the last 10 years has co evolved. And so kubernetes succeeded at that kind of set a floor for what everybody thought was an application. And in the meantime we've added all these other parts of the application. >>It's funny, you know, David Anthony, we're talking about what's to minimum and networks at red hat will be on later. Back in the first two cubicles were like, you know, this is like a TCP I P moment, the Os I model that was a killer part of the stack. Now it was all standardized below TCP I. P. Company feels like a similar kind of construct where it's unifying, is creating some enablement, It's enabling some innovation and it kind of brought everyone together at the same time everyone realized that that's real, >>the whole >>cloud native is real. And now we're in an era now where people are talking about doing things that are completely different. You mentioned as a batch job house ai new software paradigm development paradigms, not to suffer during the lifecycle, but just like software development in general is impacted. >>Absolutely. And you know, the components like, you know, we spent a lot of time talking about how to test and build application, but those are things that we all kind of internalized now we we have seen the processes is critical because it's going to be in lots of places, people are looking to standardize. But sometimes the new technology comes up alongside the side, the thing we're trying to standardize, we're like, well let's just use the new technology instead function as a service is kind of uh it came up, you know, kubernetes group K Native. And then you see, you know, the proliferation of functions as a service choices, what do people use? So there's a lot of choice and we're all building on those common layers, but everybody kind of has their own opinions, everybody's doing something subtly different. >>Let me ask you your opinion on on more under the Hood kind of complexity challenge. There's general consensus in the industry that does a lot of complexity. Okay, you don't mean debate that, but that's in a way, a good thing in the sense if you solve that, that's where innovation comes in. So the goal is to solve complexity, abstract out of the heavy lifting under heavy living in Sandy Jackson. And I would say, or abstract away complexity make things easier to use >>Well and an open source and this ecosystem is an amazing um it's one of the most effective methods we've ever found for trying every possible solution and keeping the five or six most successful and that's a little bit like developers, developers flow downhill, developers are going to do, it's easy if it's easier to put a credit card in and go to the public cloud, you're gonna do it if you can take control away from the teams at your organization that are there to protect you, but maybe aren't as responsive as you like. People will, people will go around those. And so I think a little bit of what we're trying to do is what are the commonalities that we could pick out of this ecosystem that everybody agrees on and make those the downhill path that people follow, not putting a credit card into a cloud, but offering a way for you not to think about what clouds are on until you need to write, because you want to go to the fridge is a developer, you wanna go the fridge, pull out your favorite brand of soda, that favorite band Isoda might have an AWS label also >>talk about the open shift and the Kubernetes relationship, you guys push the boundaries. Um Den is being controlled playing and nodes, these are things that you talked about in your talk, talk about because you guys made some good bets on open shift, we've been covering that, how's that playing out now? It's a relationship now >>is interesting coming into kubernetes, we came in from the platform as a service angle, right, Platform as a service was the first iteration of trying to make the lowest cost path for developers to flow to business value um and so we added things on top of kubernetes, we knew that we were going to complex, so we built in a little bit um in our structure and our way of thinking about cube that it was never going to be just that basic bare bones package that you're gonna have to make choices for people that made sense. Ah obviously as the ecosystems grown, we've tried to grow with it, we've tried to be a layer above kubernetes, we've tried to be a layer in between kubernetes, we've tried to be a layer underneath kubernetes and all of these are valid places to be. Um I think that next step is we're all kind of asking, you know, we've got all this stuff, are there any ways that we can be more efficient? So I like to think about practical benefits, what is a practical benefit That a little bit of opinion nation could bring to this ecosystem and I think it's around applications, it's being application centric, it's what is a team, 90% of the time need to be successful, they need a way to get their code out, they need to get it to the places that they wanted to be, and that place is everywhere. It's not one cloud or on premises or a data center, it's the edge, it's running as a lambda. It's running inside devices that might be being designed in this very room today. >>It's interesting. You know, you're an architect, but also the computer science industry is the people who were trained in the area are learning. It's pretty fascinating and almost intoxicating right now in this this market because you have an operating system, dynamic systems kind of programming model with distributed cloud, edge on fire, that's only gonna get more complicated with 5G and high density data applications. Um and then you've got this changing modal mode of operations were programming with bots and Ai and machine learning to new things, but it's kind of the same distributed computing paradigm. Yeah. What's your reaction to that? >>Well, and it's it's interesting. I was kind of described like layers. We've gone from Lenox replaced proprietary UNIX or mainframe to virtualization, which, and then we had a lot of Lennox, we had some windows too. And then we moved to public cloud and private cloud. We brought config management and moved to kubernetes, um we still got that. Os at the heart of what we do. We've got, uh application libraries and we've shared services and common services. I think it's interesting like to learn from Lennox's lesson, which is we want to build an open expansive ecosystem, You're kind of like kind of like what's going on. We want to pick enough opinion nation that it just works because I think just works is what, let's be honest, like we could come up with all the great theories of what the right way computers should be done, but it's gonna be what's easy, what gets people help them get their jobs done, trying to time to take that from where people are today on cube in cloud, on multiple clouds, give them just a little bit more consolidation. And I think it's a trick people or convince people by showing them how much easier it could be. >>You know, what's interesting around um, what you guys have done a red hat is that you guys have real customers are demanding, you have enterprise customers. So you have your eye on the front edge of the, of the bleeding edge, making things easier. And I think that's good enough is a good angle, but let's, let's face it, people are just lifting and shifting to the cloud now. They haven't yet re factored and re factoring is a concept of taking what you're doing in the cloud of taking advantage of new services to change the operating dynamic and value proposition of say the application. So the smart money is all going there, seeing the funding come into applications that are leveraging the new platform? Re platform and then re factoring what's your take on that because you got the edge, you have other things happening. >>There are so many more types of applications today. And it's interesting because almost all of them start with real practical problems that enterprises or growing tech companies or companies that aren't tech companies but have a very strong tech component. Right? That's the biggest transformation the last 15 years is that you can be a tech company without ever calling yourself a tech company because you have a website and you have an upset and your entire business model flows like that. So there is, I think pragmatically people are, they're okay with their footprint where it is. They're looking to consolidate their very interested in taking advantage of the scale that modern cloud offers them and they're trying to figure out how to bring all the advantages that they have in these modern technologies to these new footprints and these new form factors that they're trying to fit into, whether that's an application running on the edge next to their load bouncer in a gateway, in telco five Gs happening right now. Red hat's been really heavily involved in a telco ecosystem and it's kubernetes through and through its building on those kinds of principles. What are the concepts that help make a hybrid application, an application that spans the data flowing from a device back to the cloud, out to a Gateway processed by a big data system in a private region, someplace where computers cheap can't >>be asylum? No, absolutely not has to be distributed non siloed based >>and how do we do that and keep security? How do we help you track where your data is and who's talking to whom? Um there's a lot of, there's a lot of people here today who are helping people connect. I think that next step that contact connectivity, the knowing who's talking and how they're connecting, that'll be a fundamental part of what emerges as >>that's why I think the observe ability to me is the data is really about a data funding a new data sector of the market that's going to be addressable. I think data address ability is critical. Clayton really appreciate you coming on. And giving a perspective an expert in the field. I gotta ask you, you know, I gotta say from a personal standpoint how open source has truly been a real enabler. You look at how fast new things could come in and be adopted and vetted and things get kicked around people try stuff that fails, but it's they they build on each other. Right? So a I for example, it's just a great example of look at what machine learning and AI is going on, how fast that's been adopted. Absolutely. I don't think that would be done in open source. I have to ask you guys at red hat as you continue your mission and with IBM with that partnership, how do you see people participating with you guys? You're here, you're part of the ecosystem, big player, how you guys continue to work with the community? Take a minute to share what you're working on. >>So uh first off, it's impossible to get anything done I think in this ecosystem without being open first. Um and that's something the red at and IBM are both committed to. A lot of what I try to do is I try to map from the very complex problems that people bring to us because every problem in applications is complex at some later and you've got to have the expertise but there's so much expertise. So you got to be able to blend the experts in a particular technology, the experts in a particular problem domain like the folks who consult or contract or helped design some of these architectures or have that experience at large companies and then move on to advise others and how to proceed. And then you have to be able to take those lessons put them in technology and the technology has to go back and take that feedback. I would say my primary goal is to come to these sorts of events and to share what everyone is facing because if we as a group aren't all working at some level, there won't be the ability of those organizations to react because none of us know the whole stack, none of us know the whole set of details >>And this text changing too. I mean you got to get a reference to a side while it's more than 80s metaphor. But you know, but that changed the game on proprietary and that was like >>getting it allows us to think and to separate. You know, you want to have nice thin layers that the world on top doesn't worry about below except when you need to and below program you can make things more efficient and public cloud, open source kubernetes and the proliferation of applications on top That's happening today. I >>mean Palmer gets used to talk about the hardened top when he was the VM ware Ceo Back in 2010. Remember him saying that he says she predicted >>the whole, we >>call it the mainframe in the cloud at the time because it was a funny thing to say, but it was really a computer. I mean essentially distributed nature of the cloud. It happened. Absolutely. Clayton, thanks for coming on the Cuban sharing your insights appreciate. It was a pleasure. Thank you. Right click here on the Cuban john furry. You're here live in L A for coupon cloud native in person. It's a hybrid event was streaming Also going to the cube platform as well. Check us out there all the interviews. Three days of coverage, we'll be right back Yeah. Mm mm mm I have

(soft music) >> There are many constants in the storage business, relentlessly declining cost per bit, innovations that perpetually battled the laws of physics, a seemingly endless flow of venture capital, despite the intense competition. And there's one other constant in the storage business, Eric Hertzog, and he joins us today in this CUBE video exclusive to talk about IBM's recent storage announcements. Eric, welcome back to theCUBE. >> Great, Dave, thanks very much, we love being on theCUBE and you guys do a great job of informing the industry about what's going on in storage and IT in general. >> Well, thank you for that. >> Great job. >> We're going to cover a lot of ground today. IBM Storage, made a number of announcements the past month around data resilience, a new as-a-service model, which a lot of folks are doing in the industry, you've made performance enhancements. Can you give us the top line summary of the hard news, Eric? >> Sure, the top line summary is of course cyber security is on top of mind for everybody in the recent Fortune 500 list that came out, you probably saw, there was a survey of CEOs of Fortune 500 companies, they named cybersecurity as their number one concern, not war, not pandemic, but cybersecurity. So we've got an announcement around data resilience and cyber resiliency built on our FlashSystem family with our new offering, Safeguarded Copy. And the second thing is the move to a new method of storage consumption. Storage-as-a-Service, a pay-as-you-go model, cloud-like the way people buy cloud storage, that's what you can do now from IBM Storage with our Storage-as-a-Service. Those are the key, two takeaways, Dave. >> Yeah and I want to stay on the trends that we're seeing in cyber for a moment, the work from home pivot in the hybrid work approach has really created a new exposures, people aren't as secure outside of the walled garden of the offices and we've seen a dramatic escalation in the adversaries capabilities and techniques, another least of which is island hopping, in other words, putting code fragments in the digital supply chain, they reform once they're inside the company and it's almost like this organic creepy thing that occurs. They're also living as you know, stealthily for many, many months, sometimes years, exfiltrating data, and then just waiting and then when companies respond, the incidents response trigger a ransomware incident. So they escalate the cyber crime and it's just a really, really bad situation for victims. What are you seeing in that regard and the trends? >> Well, one of the key things we see as everyone is very concerned about cybersecurity. The Biden administration has issued (indistinct) not only to the government sector, but to the private sector, cyber security is a big issue. Other governments across the world have done the same thing. So at IBM Storage, what we see is taking a comprehensive view. Many people think that cybersecurity is moat with the alligators, the castle wall and then of course the sheriff of Nottingham to catch the bad guys. And we know the sheriff of Nottingham doesn't do a good job of catching Robin Hood. So it takes a while as you just pointed out, sitting there for months or even longer. So one of the key things you need to do in an overall cybersecurity strategy is don't forget storage. Now our announcement around Safeguarded Copy is very much about rapid recovery after an attack for malware or ransomware. We have a much broader set of cyber security technology inside of IBM Storage. For example, with our FlashSystem family, we can encrypt data at rest with no performance penalty. So if someone steals that data, guess what? It's encrypted. We can do anomalous pattern detection with our backup product, Spectrum Protect Plus, why would you care? Well, if theCUBE's backup was taking two hours on particular datasets and all of a sudden it was taking four hours, Hmm maybe someone is encrypting those backup data sets. And so we notify. So what we believe at IBM is that an overarching cybersecurity strategy has to keep the bad guys out, threat detection, anomalous pattern behavior on the network, on the servers, on the storage and all of that, chasing the bad guy down once they breach the wall, 'cause that does happen, but if you don't have cyber and data resilience built into your storage technology, you are leaving a gap that the bad guys can explain, whether that be the malware ransomware guys oh by the way, Dave, there still is internal IT theft that there was a case about 10 years ago now where 10 IT guys stole $175 million. I kid you not, $175 million from a bunch of large banks across the country, and that was an internal IT theft. So between the internal IT issues that could approach you malware and ransomware, a comprehensive cybersecurity strategy, must include storage. >> So I want to ask you about come back to Safeguarded Copy and you mentioned some features and capabilities, encrypting data at rest, your anomalous pattern recognition inferring, you're taking a holistic approach, but of course you've got a storage centricity, what's different about your cyber solution? What's your unique value probability to your (indistinct) . >> Well, when you look at Safeguarded Copy, what it does is it creates immutable copies that are logically air-gapped, but logically air-gapped locally. So what that means is if you have a malware or ransomware attack and you need to do a recovery, whether it be a surgical recovery or a full-on recovery, because they attacked everything, then we can do recovery in a couple hours versus a couple of days or a couple of weeks. Now, in addition to the logical local air-gapping with Safeguarded Copy, you also could do remote logical air-gapping by snapping out to the cloud, which we also have on our FlashSystem products and you also of course, could take our FlashSystem products and back up to tape, giving you a physical air gap. In short, we give our customers three different ways to help with malware and ransomware. >> Let me ask you- >> Are air-gapped locally. >> Yeah, please continue, I'm sorry. >> So our air-gapping locally for rapid recovery, air-gapping remotely, which again, then puts it on the cloud provider network, so hopefully they can't breach that. And then clearly a physical air gap going out to tape all three and on the mainframe, we have Safeguarded Copy already, Dave and several of our mainframe customers actually do two of those things, they'll do Safeguarded Copy or rapid recovery locally, but they'll also take that Safeguarded Copy and either put it out to tape or put it out to a cloud provider with a remote logical air-gap using a snapshot. >> I want to ask you a question about management 'cause when you ask CSOs, what's your number one challenge, they'll say lack of talent, We've got all these tools and all this lack of skills to really do all this stuff. Can't hire people fast enough and they don't have the skills. So when you think about it, and so what you do is you bring a lot of automation into the orchestration and management. My question is this, when you set up air gaps, do you recommend, or what do you see in terms of not, of logically and physically not only physically separating the data, but also the management and orchestration and automation does that have to be logically air-gapped as well or can you use the same management system? What's best practice there? >> Ah, so what we do is we work with our copy management software, which will manage regular copies as well, but Safeguarded Copies are immutable. You can't write to them, you can't get rid of them and they're logically air-gapped from the local hosts. So the hosts, for the Safeguarded Copies that immutable copy, you just made, the hosts don't even know that it's there. So you manage that with our copy management software, which by the way, we'll manage regular snapshots and replicas as well, but what that allows you to do is allows you to automate, for example, you can automate recovery across multiple FlashSystem arrays, the copy services manager will allow you to set different parameters for different Safeguarded Copies. So a certain Safeguarded Copy, you could say, make me a copy every four hours. And then on another volume on a different data set, you could say, make me a copy every 12 hours. Once you set all that stuff update, it's completely automated, completely automated. >> So, I want to come back to something you mentioned about anomalous pattern recognition and how you help with threat detection. So a couple of a couple of quick multi-part question here. First of all, the backup corpus is an obvious target. So that's an area that you have to protect. And so can, and you're saying, you've used the example if your backups taking too long, but so how do you do that? What's the technology behind that? And then can you go beyond, should you go beyond just the backup corpus, with primary data or copies on-prem, et cetera? Two part questions. >> So when we look at it, the anomalous pattern detection is part of our backup software, say Spectrum Protect and what it does it uses AI-based technology, it recognizes a pattern. So it knows that the backup dataset for the queue takes two hours and it recognizes that, and it sees that as the normal state of events. So if all of a sudden that backup that theCUBE was doing used to take two hours and starts taking four, what it does is that's an anomalous pattern, it's not a normal pattern. It'll send a note to the backup admin, the storage admin, whoever you designate it to and say the backup data set for theCUBE that used to take two hours, it's taken four hours, you probably ought to check that. So when we view cyber resiliency from a storage perspective, it's broad. We just talked about anomalous pattern detection in Spectrum Protect. We were talking most of the conversation about our Safeguarded Copy, which is available on the mainframe for several years and is now available on FlashSystems, making immutable local air-gap copies, that can be rapidly recovered and are immutable and can help you recover for a malware or ransomware attack. Our data at rest encryption happens to be with no performance penalty. So when you look at it, you need to create an overarching strategy for cybersecurity and then when you look at your storage estate, you need to look at your secondary storage, backup, replicas, snaps, archive, and have a strategy there to protect that and then you need a strategy to protect your primary storage, which would be things like Safeguarded Copy and encryption. So then you put it all together and in fact, Dave, one of the things we offer is a free cyber resilience assessment. It's not only for IBM Storage, but it happens to be a cyber resilience assessment that conforms to the NIST Framework and it's heterogeneous. So if you're a big company, you've got IBM EMC and HP Storage, guess what? It's all about the data sets not about the storage. So we say, you said these 10 data sets are critical, why are you not encrypting them? These data sets are XYZ, why are you not air-gapping them? So we come up based on the NIST Framework, a set of recommendations that are not IBM specific, but they are storage specific. Here's how you make your storage more resilient, both your secondary storage and your primary storage. That's how we see the big thing and Safeguarded Copy of course fits in on the primary storage side, A on the mainframe, which we've had for several years now and B in the Linux world, the Unix world and the Windows Server world on our FlashSystem portfolio with the announcement we did on July 20th. >> Great, thank you for painting that picture. Eric, are you seeing any use case patterns emerge in this space? >> Well, we see a couple of things. First of all, is A most resellers and most end-users, don't see storage an overarching part of the cybersecurity strategy, and that's starting to change. Second thing we're seeing is more and more storage companies are trying to get into this bailiwick of offering cyber and data resilience. The value IBM brings of course is much longer experience to that and we even integrate with other products. So for example, IBM offers a product called QRadar from the security divisions not a storage product, a security product, and it helps you with early data breach recognition. So it looks at servers, network access, it looks at the storage and it actually integrates now with our Safeguarded Copy. So, part of the value that we bring is this overarching strategy of a comprehensive data and cyber resilience across our whole portfolio, including Safeguarded Copy our July 20th announcement. But also integration beyond storage now with our QRadar product from IBM security division. And there will be future announcements coming in both Q4 and Q1 of additional integration with other security technologies, so you can see how storage can be a vital COD in the corporate cybersecurity strategy. >> Got it, thank you. Let's pivot to the, as-a-service it's, cloud obviously is brought in that as-a-service. Now, it seems like everybody has one now. You guys have announced obviously HPE, Dell, Lenovo, Cisco, Pure, everybody's gotten out there as-a-service model, what do we need to know about your as-a-service solution and why is it different from the others? >> Sure. Well, one of the big differences is we actually go on actual storage, not effective. So when you look at effective storage, which most of them do that includes creating the (indistinct) data sets and other things, so you're basically paying for that. Second thing we do is we have a bigger margin. So for example, if theCUBE says we want SLA-3 and we sell it by the SLA, Dave, SLA-1, two and three. So let's say theCUBE needs SLA-3 and the minimum capacity is a 100 terabytes, but let's say you think you need 300 terabytes. No problem. You also have a variable. One of the key differences is unlike many of our competitors, the rate for the base and the rate for the variable are identical. Several of our competitors, when you're in the base, you pay a certain amount, when you go into the variable, they charge you a premium. The other key differentiator is around data reduction. Some of our competitors and all storage companies have data reduction technology. Block-level D do thin provisioning, compression, we all offer those features. The difference is with IBM's pay-as-you-grow, Storage-as-a-Service model, if you have certain data sets that are not very deducible, not very compressible, we absorbed that with our competitors, most of them, if the dataset is not easily deducible, compressible, and they don't see the value, they actually charge you a premium for that. So that is a huge difference. And then the last big difference is our a 100% availability guarantee. We have that on our FlashSystem product line, we're the only one offering 100% availability guarantee. We also against many of the competitors offer a better base nines, as you know, availability characteristics. We offer six nines of availability, which is five minutes and 26 seconds of downtime and a 100% availability of offering. Some of our competitors only offer four nines of availability and if you want five or six, they charge you extra. We give you six nines base in which has only five minutes and change of downtime in a year. So those are the key difference between us and the other as-a-service models out there. >> So, the basic concept I think, is if you commit to more and buy more, you pay less per. I mean, that's the basic philosophy of these things, right? So, if- >> Yes. >> I commit to you X, let's say, I want to just sort of start small and I commit to you to X and great. I'm in now in, maybe I sign up for a multi-year term, I commit this much, whatever, a 100 terabytes or whatever the minimum is. And then I can say, Hey, you know what? This is working for me. The CFO likes it and the IT guys can provision more seamlessly, we got our chargeback or showback model goes, I want to now make a bigger commitment and I can, and I want to sort of, can I break my three-year term and come back and then renegotiate, kind of like reserved instances, maybe bigger and pay less? How do you approach that? >> Well, what you do is we do a couple of things. First of all, you could always add additional capacity, and you just call up. We assign a technical account manager to every account. So in addition to what you get from the regular sales team and what you get from our value business partners, by the way, we did factor in the business partners, Dave, into this, so business partners will have a great pay-as-you-go Storage-as-a-Service solution, that includes partners and their ability to leverage. In fact, several of our partners that do have both MSP and MHP businesses are working right now to leverage our Storage-as-a-Service, and then add on their own value with their own MSP and MHP capability. >> And they can white label that? Is that right or? >> Well, you'd still have Storage-as-a-Service from IBM. They would resell that to theCUBE and then they'd add in their own MHP or MSP. >> Got it. >> That said partners interested in doing a white label, we would certainly entertain that capability. >> Got it. I interrupted you, carry on please. >> Yeah, you can go ahead and add more capacity, not a problem. You also can change the SLA. So theCUBE, one of the leading an industry analyst firms, you bought every analyst firm in the world, and you're using IBM Storage-as-a-Service, pay-as-you-go cloud-like model. So what you do is you call up the technical account manager and say, Eric, we bought all these other companies they're using on-prem storage, we'd like to move to Storage-as-a-Service for all the companies we acquire. We can do that, so that would up your capacity. And then you could say, now we've been at SLA-2, but because we're adding all these new applications of workloads from our acquired companies, we want some of it to be at SLA-1. So we can have some of your workloads on SLA-2, others on SLA-1, you could switch everything to SLA-1, and you just call your technical account manager and they'll make that happen for you or your business partner, obviously, if you bought through the channel. >> I get it, the hard question is what if all those other companies theCUBE acquired are also IBM Storage-as-a-Service customers? Can I, what's that discussion like? Hey, can I consolidate those and get a better deal? >> Yeah, there are all Storage-as-a-Service customers and Dave I love that thought, we would just figure out a way to consolidate the agreement. The agreements are one through five years. What I think also that's very unique is let's say for whatever reason, and we all love finance people. Let's say the IT guys have called the finance and say, we did a one-year contract, we now like to do a three-year contract. The one year is coming up and guess what? Finance's delayed for whatever reason, the PO doesn't go through. So the ITI calls up the technical account manager, we love your service, it's delayed in finance. We will let them stay on their Storage-as-a-Service, even though they don't have a contract. Now, of course they've told us they want to do one, but if they exceed the contract by a quarter or two, because they can't get the finance guys are messing with the IT guys, that's fine. What the key differentiators? Exactly the same price. Several of our competitors will also extend without a contract, but until you do a contract, they charge you a premium, we do not, whatever, if you're an SLA-3, you're SLA-3, we'll extend you and no big deal. And then you do your contract, when the finance guys get their act together and you're ready to go. So that is something we can do and we'll do on a continual basis. >> Last question. Let's go way out. So, we're not doing any time, near-term forecasts, I'm trying to understand how popular you think as-a-service is going to be. I mean, if you think about the end of the decade, let's think industry total, IBM specific, how popular do you think as-a-service models will be? Do you think it will be the majority of the transacted business or it's kind of more of a, just one of many? >> So I think there will be many, some people will still have bare metal on-premises. Some people will still do virtualization on-premises or in a hybrid cloud configuration. What I do think though is Storage-as-a-Service will be over 50% by the end. Remember, we're sitting at 2021. So we're talking now 2029. >> Right. >> So I think Storage-as-a-Service will be over 50%. I think most of that Storage-as-a-Service will be in a hybrid cloud model. I think the days of a 100% cloud, which is the way it started. I think a lot of people realize that a 100% cloud actually is more expensive than a hybrid cloud or fully on-prem. I was at a major university in New York, they are in the healthcare space and I know their CIO from one of my past lives. I was talking to him, they did a full on analysis of all the cloud providers going a 100% cloud. And their analysis showed that a 100% cloud, particularly for highly transactional workloads was 50% more expensive than buying it, paying the maintenance and paying their employees. So we did an all in view. So what I think it's going to be is Storage-as-a-Service will be over 50%. I think most of that Storage-as-a-Service will be in a hybrid cloud configuration with storage on-prem or in a colo, like what our IBM pay-as-you-go service will do and then it will be accessed and available through a hybrid cloud configuration with IBM Cloud, Google, Amazon as or whoever the cloud provider is. So I do think that you're looking at over 50% of the storage being as-a-service, but I do think the bulk of that as-a-service will be as-a-service through someone like IBM or our competitors and then part of it will be from the cloud providers. But I do think you're going to see a mix because right now the expense of going a 100% cloud cloud storage is dramatically understated and when someone does an analysis like that major university in New York did, they had a guy from finance, help them do the analysis and it was 50% more expensive than doing on-premise either on-prem or on-prem as-a-service, both were way cheaper. >> But you own the asset, right? >> Yes. >> As-a-service model. >> We, right, we own the asset. >> And I would bet, >> I would bet that over the lifetime value of the spend and it as-a-service model, just like the cloud, if you do this with IBM or any of your competitors, I would bet that overall you're going to spend more just like you've seen in the cloud, but you get the benefit is the flexibility that you get. >> Yeah, yeah. If you compare it to the, so obviously the number one model would be to buy. That's probably going to be the least expensive. >> Right. >> But it's also the least flexible. Then you also have leasing, more flexibility, but leasing usually is more expensive. Just like when you lease your car, if you add up all the lease payments and then you, at the end, pay that balloon payment to buy, it's cheaper to buy the car up front than it is to lease a car. Same thing with any IT asset, now storage network servers, all are available on leasing, the net is at the bottom line, that's more than buying it upfront. And then Storage-as-a-Service will also be more expensive than buying it, my friend, but ultimate capability, altering SLAs, adding new capacity, being able to handle an app very quickly. We can provision the storage, as you mentioned, the IT guys can easily provision. We provision, the storage in 10 minutes, if you bought from IBM Storage or any competitor you bought and you need more storage, A you got to put a PO through your system and if you're not theCUBE, but you're a giant global Fortune 500, sometimes it takes weeks to get the PO done. Then the PO has to go to the business partner, the business partner has got to give a PO to the distributor and a PO to IBM. So it can take you weeks to actually get the additional storage that you need. With Storage-as-a-Service from IBM with our pay-as-you-go, cloud-like model, all you have to do is provision and you're done. And by the way, we provide a 50% overage for free. So if they end up needing more storage, that 50% is actually sitting on-prem already and if they get to 75% utilization of the total amount of storage, we then call them up, the technical account manager would call them up and their business partner and say, Dave, do you know that you guys are at 75% full? We'd like to come add some additional storage to get you back down to a 50% margin. And by the way, most of our competitors only do a 25% margin. So again, another differentiator for IBM Storage-as-a-Service. >> What about, I said, last question, but I have another question. What about day one? Like how long does it take, if I want to start fresh with as-a-service? >> Get it. >> How long does it take to get up and running? >> Basically you put the PO through, whatever it takes on your side or through your business partner, we then we'll sign the technical account manager, will call you up because you need to tell us, do you want to, in a colo facility that you're working with or do you want to put it on on-prem? And then once we do that, we just schedule a time for your IT guys do the install. So, probably two weeks. >> Yeah. >> It all depends because you've got to call back and say, Eric, we'd like it at our colo partner, our colo partners, ABC, we got to call ABC and then get back to you or on-prem , we're going to have guys in the office, a good day when it's not going to be too busy. Could you come two weeks from Thursday? Which now would be three weeks for sake of argument. But that would be, we interface with the customer, with the technical account manager to do it on your schedule on your time, whether you do it in your own facility or use a colo provider. >> Yeah, but once you tell, once I tell you, once we get through all that stuff, it's two weeks from when that's all agreed. >> Yeah. >> It's like the Xerox copier salesman, (Dave chuckles) Where are you going to put it? Once you decide where you're going to put it, then it's a couple of weeks. It's not a month or two months or yeah. >> Yeah, it's not. And we need additional capacity, remember there's a 50% margin sitting there. So if you need to go into the variable and use it, and when we hit a 75%, we actually track it with our storage insights pro. So we'll call you up and say, Dave, you're at 76%. We'd like to add more storage to give you better margin of extra storage and you would say, great, when can we do it? So, yeah, we're proactive about that to make sure that you stay at that 50% margin. Again, our competitors, all do only have 25% margin. So we're giving you that better margin, a larger margin in case you really have a high capacity demand for that quarter and we proactively will call you up, if we think you need more based on monitoring your storage usage. >> Great. Eric got to go, thank you so much for taking us through that great detail, I really appreciate it. Always good to see you. >> Great, thanks Dave, really appreciate it. >> Alright, thank you for watching this CUBE conversation, this is Dave Vellante and we'll see you next time. (soft music)

(bright music) >> Welcome back to HPE Discover 2021. My name is Dave Vellante and you're watching theCUBE's virtual coverage of Discover. We're going to dig into the most pressing topic, not only for IT, but entire organizations. And that's cyber security. With me is Sunil James, senior director of security engineering at Hewlett Packard Enterprise. Sunil, welcome to theCUBE. Come on in. >> Dave, thank you for having me. I appreciate it. >> Hey, you talked about project Aurora today. Tell us about project Aurora, what is that? >> So I'm glad you asked. Project Aurora is a new framework that we're working on that attempts to provide the underpinnings for Zero Trust architectures inside of everything that we build at HPE. Zero Trust is a way of providing a mechanism for enterprises to allow for everything in their enterprise, whether it's a server, a human, or anything in between, to be verified and attested to before they're allowed to access or transact in certain ways. That's what we announced today. >> Well, so in response to a spate of damaging cyber attacks last month, President Biden issued an executive order designed to improve the United States' security posture. And in that order, he essentially issued a Zero Trust mandate. You know, it's interesting, Sunil. Zero Trust has gone from a buzzword to a critical part of a security strategy. So in thinking about a Zero Trust architecture, how do you think about that, and how does project Aurora fit in? >> Yeah, so Zero Trust architecture, as a concept, has been around for quite some time now. And over the last few years, we've seen many a company attempting to provide technologies that they purport to be Zero Trust. Zero Trust is a framework. It's not one technology, it's not one tool, it's not one product. It is an entire framework of thinking and applying cybersecurity principles to everything that we just talked about beforehand. Project Aurora, as I said beforehand, is designed to provide a way for ourselves and our customers to be able to measure, attest, and verify every single piece of technology that we sell to them. Whether it's a server or everything else in between. Now, we've got a long way to go before we're able to cover everything that HPE sells. But for us, these capabilities are the root of Zero Trust architectures. You need to be able to, at any given moment's notice, verify, measure, and attest, and this is what we're doing with project Aurora. >> So you founded a company called Scytale and sold that to HPE last year. And my understanding is you were really the driving force behind the secure production identity framework, but you said Zero Trust is really a framework. That's an open source project. Maybe you can explain what that is. I mean, people talk about the NIST Framework for cybersecurity. How does that relate? Why is this important and how does Aurora fit into it? >> Yeah, so that's a good question. The NIST Framework is a broader framework for cybersecurity that couples and covers many aspects of thinking about the security posture of an enterprise, whether it's network security, host based intrusion detection capabilities, incident response, things of that sort. SPIFFE, which you're referring to, Secure Production Identity Framework For Everyone, is an open source framework and technology base that we did work on when I was the CEO of Scytale, that was designed to provide a platform agnostic way to assign identity to anything that runs in a network. And so think about yourself or myself. We have identities in our back pocket, driver's license, passports, things of that sort. They provide a unique assertion of who we are, and what we're allowed to do. That does not exist in the world of software. And what SPIFFE does is it provides that mechanism so that you can actually use frameworks like project Aurora that can verify the underpinning infrastructure on top of which software workloads run to be able to verify those SPIFFE identities even better than before. >> Is the intent to productize this capability, you know, within this framework? How do you approach this from HPE's standpoint? >> So SPIFFE and SPIRE will and always will be, as far as I'm concerned, remain an open source project held by the Cloud Native Computing Foundation. It's for the world, all right. And we want that to be the case because we think that more of our Enterprise customers are not living in the world of one vendor or two vendors. They have multiple vendors. And so we need to give them the tools and the flexibility to be able to allow for open source capabilities like SPIFFE and SPIRE to provide a way for them to assign these identities and assign policies and control, regardless of the infrastructure choices they make today or tomorrow. HPE recognizes that this is a key differentiating capability for our customers. And our goal is to be able to look at our offerings that power the next generation of workloads. Kubernetes instances, containers, serverless, and anything that comes after that. And our responsibility is to say, "How can we actually take what we have and be able to provide those kinds of assertions, those underpinnings for Zero Trust that are going to be necessary to distribute those identities to those workloads, and to do so in a scalable, effective, and automated manner?" Which is one of the most important things that project Aurora does. >> So a lot of companies, Sunil, will set up a security division. But is the HPE strategy to essentially embed security across its entire portfolio? How should we think about HPE strategy in cyber? >> Yeah, so it's a great question. HPE has a long history in security and other domains, networking, and servers, and storage, and beyond. The way we think about what we're building with project Aurora, this is plumbing. This is plumbing that must be in everything we build. Customers don't buy one product from us and they think it's one company, and something else from us, and they think it's another company. They're buying HPE products. And our goal with project Aurora is to ensure that this plumbing is widely and uniformly distributed and made available. So whether you're buying an Aruba device, a Primera storage device, or a ProLiant server, project Aurora's capabilities are going to provide a consistent way to do the things that I've mentioned beforehand to allow for those Zero Trust architectures to become real. >> So, as I alluded to President Biden's executive order previously. I mean, you're a security practitioner, you're an expert in this area. It just seems as though, and I'd love to get your comments on this. I mean, the adversaries are well-funded, you know, they're either organized crime, they're nation states. They're extracting a lot of very valuable information, they're monetizing that. You've seen things like ransomware as a service now. So any knucklehead can be in the ransomware business. So it's just this endless escalation game. How do you see the industry approaching this? What needs to happen? So obviously I like what you're saying about the plumbing. You're not trying to attack this with a bunch of point tools, which is part of the problem. How do you see the industry coming together to solve this problem? >> Yeah. If you operate in the world of security, you have to operate from the standpoint of humility. And the reason why you have to operate from a standpoint of humility is because the attack landscape is constantly changing. The things, and tools, and investments, and techniques that you thought were going to thwart an attacker today, they're quickly outdated within a week, a month, a quarter, whatever it might be. And so you have to be able to consistently and continuously evolve and adapt towards what customers are facing on any given moment's notice. I think to be able to, as an industry, tackle these issues more and moreso, you need to be able to have all of us start to abide, not abide, but start to adopt these open-source patterns. We recognize that every company, HPE included, is here to serve customers and to make money for its shareholders as well. But in order for us to do that, we have to also recognize that they've got other technologies in their infrastructure as well. And so it's our belief, it's my belief, that allowing for us to support open standards with SPIFFE and SPIRE, and perhaps with some of the aspects of what we're doing with project Aurora, I think allows for other people to be able to kind of deliver the same underpinning capabilities, the plumbing, if you will, regardless of whether it's an HPE product or something else along those lines as well. We need more of that generally across our industry, and I think we're far from it. >> I mean, this sounds like a war. I mean, it's more than a battle, it's a war that actually is never going to end. And I don't think there is an end in sight. And you hear CESOs talk about the shortage of talent, they're getting inundated with point products and tools, and then that just creates more technical debt. It's been interesting to watch. Interesting maybe is not the right word. But the pivot to Zero Trust, endpoint security, cloud security, and the exposure that we've now seen as a result of the pandemic was sort of rushed. And then of course, we've seen, you know, the adversaries really take advantage of that. So, I mean what you're describing is this ongoing never-ending battle, isn't it? >> Yeah, yeah, no, it's going to be ongoing. And by the way, Zero Trust is not the end state, right? I mean, there was things that we called the final nail in the coffin five years ago, 10 years ago, and yet the attackers persevered. And that's because there's a lot of innovation out there. There's a lot of infrastructure moving to dynamic architectures like cloud and others that are going to be poorly configured, and are going to not have necessarily the best and brightest providing security around them. So we have to remain vigilant. We have to work as hard as we can to help customers deploy Zero Trust architectures. But we have to be thinking about what's next. We have to be watching, studying, and evolving to be able to prepare ourselves, to be able to go after whatever the next capabilities are. >> What I like about what you're saying is, you're right. You have to have humility. I don't want to say, I mean, it's hard because I do feel like a lot of times the vendor community says, "Okay, we have the answer," to your point. "Okay, we have a Zero Trust solution." Or, "We have a solution." And there is no silver bullet in this game. And I think what I'm hearing from you is, look we're providing infrastructure, plumbing, the substrate, but it's an open system. It's got to evolve. And the thing you didn't say, but I'd love your thoughts on this is we've got to collaborate with somebody you might think is your competitor. 'Cause they're the good guys. >> Yeah. Our customers don't care that we're competitors with anybody. They care that we're helping them solve their problems for their business. So our responsibility is to figure out what we need to do to work together to provide the basic capabilities that allow for our customers to remain in business, right? If cybersecurity issues plague any of our customers that doesn't affect just HPE, that affects all of the companies that are serving that customer. And so, I think we have a shared responsibility to be able to protect our customers. >> And you've been in cyber for much, if not most of your career, right? >> Correct. >> So I got to ask you, did you have a superhero when you were a kid? Did you have a sort of a, you know, save the world thing going? >> Did I have a, you know, I didn't have a save the world thing going, but I had, I had two parents that cared for the world in many, many ways. They were both in the world of healthcare. And so everyday I saw them taking care of other people. And I think that probably rubbed off in some of the decisions that I make too. >> Well it's awesome. You're doing great work, really appreciate you coming on theCUBE, and thank you so much for your insights. >> I appreciate that, thanks. >> And thank you for being with us for our ongoing coverage of HPE Discover 21. This is Dave Vellante. You're watching theCUBE. The leader in digital tech coverage. We'll be right back. (bright music)

(upbeat music) >> Welcome to this CUBE Conversation, I'm Lisa Martin. I've got two guests from Fortinet with me next talking about an very interesting topic that's something that always piques my interest, cybersecurity, and some of the things going on with respect to that. Sandra Wheatley joins us the SVP of marketing, threat intelligence and influencer communications at Fortinet. Sandra, it's great to see you again. >> Thank you, Lisa. I'm delighted to be here today. >> Lisa: Good and Rob Rashotte is here as well, vice-president, global training and technical field enablement at Fortinet. Rob welcome to the program. >> Hi, great to meet you Lisa. Nice to be here. >> Likewise. So since I last saw Fortinet we've had such a challenging year as we all know, that's an understatement, but one of the things that happened so quickly was the distribution of the workforce. And there were already preexisting gaps in IT Visibility and teams being siloed, security teams being siloed as well exacerbated distinct cybersecurity skills gap. So Sandra I want to start with you. Talk to us about what's going on with the cybersecurity skills gap and how it's impacting organizations today. >> Thank you, Lisa. While the cybersecurity skills gap continues to be one of the biggest challenges facing security organizations today, as you know, the cybersecurity space is very dynamic. It's constantly changing and we saw this even through COVID with more people working from home or being educated from home. Cyber adversaries are using remote workers as a way into the enterprise network. And so security organizations today are facing a lot of complexity. They deal with billions of alerts that come in every day and a lot of these have to be managed manually and they just don't have the professionals to keep up with that. So it continues to be a big issue facing organizations. We have seen some progress about a year ago. It was estimated that we would need 4 million professionals come into the industry to close the gap. We are now at probably a little bit over 3 million. So there is progress being made but we still have a long way to go. >> Yeah, good progress there. But what I mean, one of the things that we saw so quickly was with the distribution center was suddenly, there were tons of trusted devices that were off the network perimeter where all these keep going, "Use your own device at home until we can get you something provisioned on the network." So huge challenge that was almost like a light switch for people in any industry. Rob, talk to me from your perspective the ongoing cybersecurity skills gap. What are some of the things that you were seeing through your lens? >> Yeah, well, I mean it has certainly changed our focus over the last year with the pandemic and the change in workforce and so on. And I think as a cybersecurity vendor, a lot of the times when we talk about training and the skills gap we often tend to think pretty quickly about engineers and technical training and like this has really opened up our eyes too. We need to really broaden our scope when we're talking about training and closing the skills gap, because it's a lot more than just engineers. So we've had to really focus more on really anyone sitting in front of a computer screen and ensure that programs are available for people that are working from home that need to understand, the fact that security is just as big an issue if you're working from home or working from the office. So it's really broadened our scope in terms of who we're delivering training to and within a number of our programs, actually, that has happened. When we're dealing with we have a lot of academic partners that we deliver training with them. And one thing that's happened there is we we've traditionally dealt with engineering schools within our academic partners but now we're starting to see a lot of business schools coming and talking to us about delivering training within MBA programs and so on. So that business leaders can start understand, the need to be addressing cybersecurity in the boardroom for example, not just within the it department. So it's I guess the one thing I would say is it's really broadened our scope in terms of who the audience is for cybersecurity and the skills gap is a, you know it impacts a lot of different areas in the organization. >> Yeah, you brought up a great point there that elevation of security to the board level is critical. As we saw like big spikes and things like Ransomware last year. Ransomware getting much more sophisticated kind of playing on people's concerns for buzzwords like COVID-19 for example, and I talked to a lot of organizations where security is at the board level but the talent gap is another challenge. Sandra talk to us about what Fortinet is doing from a partnership perspective to help shrink that gap. >> Well, it's interesting because if you were to do a survey of people about where the responsibility lies to train more professionals for the industry, you'll see a split about 40% of people feel like academia should be providing the training and the curriculum to bring more professionals into the industry. And then others feel like it's a mix between corporate private public partnerships. And that's something that Fortinet believes in. We are tackling this issue on multiple fronts. We recently launched our TAA initiative or our Training Advancement Agenda, and a lot of the pro programs that Rob manages are part of that agenda like our free NSE training, our security academies, but we're also working with a lot of global partners, corporate partners like Salesforce, and IBM. We're also working with the World Economic Forum on this initiative because we really believe it's a joint effort to really make a difference. And so, for example, with Salesforce we provide some of our curriculum and training for free on their training platform, the same with IBM. And we'll continue to scale these partnerships because with these partners, we can reach more people and accelerate the impact that we can have overall. >> Absolutely that ability to expand it especially as we saw such a change in the cyber threat landscape last year as you said, Sandra you've made great progress needing, you know, a deficit of 4 million folks down to 3 million, but also looking at the opportunity to try to find more folks leveraging partners and to rubs point elevating the conversation or expanding that scope. This isn't just a problem for IT and security folks. This is a challenge across the organization that the board needs to be focused on because we've seen in this rapidly changing last year organizations and enough peril in trying to pivot their businesses. And then you add on some of the cyber threats. Rob can you talk a little bit more about the TAA initiative? I know that about your Network Security Expert program NSE program, you guys also do FortiVet program. Tell us a little bit about some of those programs and maybe some of the things that you've done to broaden the scope during the last year. >> Yeah, it certainly can. I mean, there's a number of programs that make up the agenda and you know we've widened the scope in terms of the audiences that we're looking at. But also as Sandra mentioned, trying to expand our reach as ordinary, obviously we have a reach into our partners and our ecosystem, but the ecosystem of the IBM's and the world economic forums and so on go far beyond our reach. But one of the things that we were able to do as a company almost exactly a year ago, we made the conscious decision that the training curriculum that we've built, we wanted to make it available to as many people as we possibly could. So we we've made approximately 400 hours worth of cybersecurity training available to anyone that wants to sign up and take the training in self-paced format, where they want to take it, when they want to take it. So that was a big commitment on our part and that training continues to be free today and we'll keep it free until we start to see the skills gap closed but that that has resulted I guess it was about a month or two ago when we were tracking numbers that we've exceeded over a million registrations for that training, which really was validation to us that the demand for this training is massive. So that's helped us expand our reach but that training as well we're making it available for free, but we have all sorts of different types of partners who are taking that training and making it three free through their learning portals as well. So it's really expanded the reach in that way. You know, another area that we've really focused on is partnering with nonprofits who are representing underrepresented groups. So you mentioned the veterans program that's been a program we've had for quite a while now, but we've looked at that program and thought, well, you know, we can definitely replicate our efforts there and look at other groups as well and start to see how we can partner with different NGOs to really address the diversity and inclusion, within the cybersecurity industry. 'Cause, you know, I think one thing that's interesting here is because of the skill shortage, a lot of hiring managers have had to start to look at recruiting through non traditional streams. And that that can be, you know, looking at if we have policies that say, we must hire people with four year degrees. Well, maybe we want to take a look at that and see well is that really necessary for all the jobs that we're looking at? Maybe we could look at shorter programs even high school students but then also looking at underrepresented groups it is a great way for us to take a look at this skills gap in cybersecurity and align it with our diversity and inclusion initiatives, internally within our organizations and see how we can bring that to bear on problem and really start to have the same time, create a much more diverse workforce within cybersecurity while we're trying to close that skills gap. >> I love that what a great opportunity to expand upon that. I wanted to ask you just really quickly, Rob she said 400 hours of free cyber training available over a million registrations so far. You're right, that definitely shows the demand. I'm curious when we think of backgrounds we think are these, you know need to be IT folks. Is that curriculum broad enough so that somebody with a marketing degree or somebody that doesn't have a degree could kind of get in on level one and start learning their way up the security stack? >> Yeah, it is a very broad scope. When we look at the catalog, it is multiple levels. And in fact our network security expert program it's an eight level program. And the first couple of levels of that program are applicable to anyone that needs an awareness of cybersecurity and the issues. So, yeah, it's perfect. And `in fact the level one of that program is something that we've integrated into a new service offering which is our Cybersecurity Awareness Program that companies can implement internally to provide that base level of cybersecurity awareness to all of their employees. And then as you go up to level two, three, four and five, and so on, it gets more and more technical right up to the NSE level or we're talking about, you know, architects engineers are developing very large critical cyber security infrastructures. >> Lisa, you bring up a very important point that I'd like to make a comment on. There's this misconception that you need a degree in Computer Science or some other technical degree to be in cyber security. And that's absolutely not the case. In fact, half the people in cybersecurity don't have a degree in any Computer Science program, et cetera, but you know there's a lot of skillsets and backgrounds that really map well to cybersecurity. And it's a very broad industry. There was new roles coming all of the time. So I would encourage people to not let that be a barrier to getting into this industry. And in fact our Veteran's program has been extremely successful because people coming out of the defense forces have a lot of the skills that match very well to cyber security like attention to detail, situational awareness, the ability to work under pressure. So it's definitely a misconception that the industry needs to correct. >> I couldn't agree more, especially as the daughter of a Vietnam Combat Veteran and I love what you guys are doing with veterans but you're right. There's so many other skills that people have that are so transportable and transferable that, and it's such an exciting industry. I mean, we all have a million devices scattered around. I think with those new Apple tags that if I put one on my dog's collar, my dog's going to be a connected device. There's so many opportunities to learn but there's also more exposure. The more people that have different backgrounds I think just that with that thought diversity alone, organizations in any industry can benefit. Sandra talk to us about how partners are taking some of these programs and rolling them into their own to help kind of open that door wider as you say, to make sure that barrier isn't there and also get more folks aware of what they can learn. >> Yeah, the encouraging thing is I just see a lot more creativity around this issue. If you think about it, the lack of diversity in IT has been a challenge for everyone that the issue in cybersecurity is just a manifestation of that. And one of the reasons is that it's particularly cybersecurity. A lot of people don't understand how to get into the industry, or they have a lack of awareness about the different types of roles. And we see this in particular with women and young females as well as underserved minority groups. In fact, the veterans program is one way to bring more of that diversity into the industry. And if you think about it today, women make up about 24%. I think it's single digits for underrepresented groups. So we have a huge opportunity there. And I think somehow working with our partners we're doing a lot of different things. Not only are we providing our curriculum and our training and the technical support, but we're also done a lot of work around mapping roles and the steps you need to take to, to achieve those roles. So we've created that for different roles, and we've shared that with some of our training partners and they provide that information on their training platforms. We also regularly have done a lot of different podcasts and interviews with women and minorities have gone through the industry and been very successful talking about how they did that and how they got there. We're working with lots of nonprofits like Women in Cybersecurity speaking to people out there providing them the support. So it's a multi-phase approach. And I do think that private industry need to be doing things like creating entry level kinds of roles to bring more people in the industry and recruit differently. But the good news is there's a huge amount of awareness around this, and you definitely see companies doing a lot more, as well as our partners. >> Well if I could just touch on something there, well Sandra is talking about the different career roles and so on. The industry can get pretty complicated pretty quickly when we're talking about different roles. And there's a lot of buzzwords. And you know when people are looking at this and say, well, how do I even get into this industry? It sounds very technical complicated. And, you know, there are a number of different career patching tools that you can find out there around cyber security but when there's too many of those that even gets confusing. So the career paths that we've developed, we've done that in conjunction with NICE and there's an initiative called the NICE Framework which stands for National Initiative for Cyber Security Education. And so the pathways that we've developed map to that. So, you know, that's one thing I'd like to encourage other organizations to make sure that we're all following that framework so that as we're providing these career paths to people we're using the same terminology. We're using the same titles and career paths and so on. So it just makes it a little bit more understandable for people to pick a path that they want and then start their journey. >> I also think exposing students earlier in their education about cyber security is really important. In fact, we're just released a book called "Cyber Safe" and it's targeting elementary school children and their parents and making them more aware of cybersecurity, the risks, how they should behave online. It talks about cyber bullying and it also helps has guidance in there for parents. And this is a book that we're making freely available to underserved schools and it can easily be accessed online. We've had great reviews, but it's all part of our TAA efforts to educate and make people more aware about the opportunities on the industry overall. >> I love that, Sandra our SVP of marketing. Is there a URL that you can give our audience where they can find that free resource? >> Yes, you can find that I believe on our NSE training page. You can just go to fortinet.com NSE and or TAA and you will find information about how to get the book. >> Excellent so fortinet.com search TAA or NSE you'll find that information. I'm going to check that out myself 'cause maybe you know, for adult children of parents who also need some cybersecurity help I think I might check that out for myself. >> You can (indistinct) copy Lisa. >> Thank you, excellent. It's been great talking to you guys. This is such an interesting topic. I love the efforts that Fortinet is doing to close those gaps and also what you're doing to bridge that with the diversity and inclusion efforts brought out. That's a great effort, Sandra, Rob thank you for joining me today. >> Thank you, Lisa. >> Thank you, Lisa >> For Sandra Wheatley and Rob Rashotte. I'm Lisa Martin. You're watching this CUBE conversation with Fortinet. (gentle music)

>>Welcome everyone to a day in the life of data with HPE as well. Data fabric, the session is being recorded and will be available for replay at a later time. When you want to come back and view it again, feel free to add any questions that you have into the chat. And Chad and I joined stark. We'll, we'll be more than willing to answer your questions. And now let me turn it over to Jimmy Bates. >>Thanks. Uh, let me go ahead and share my screen here and we'll get started. >>Hey everyone. Uh, once again, my name is Jimmy Bates. I'm a director of solutions architecture here for HPS Merle in the Americas. Uh, today I'd like to walk you through a journey on how our everyday life is evolving, how everything about our world continues to grow more connected about, and about how here at HPE, how we support the data that represents that digital evolution for our customers, with the HPE as rural data fabric to start with, let's define that term data. The concept of that data can be simplified to a record of life's events. No matter if it's personal professional or mechanical in nature, data is just records that represent and describe what has happened, what is happening or what we think will happen. And it turns out the more complete record we have of these events, the easier it is to figure out what comes next. >>Um, I like to refer to that as the omnipotence protocol. Um, let's look at this from a personal perspective of two very different people. Um, let me introduce you to James. He's a native citizen of the digital world. He's, he's been, he's been a citizen of this, uh, an a career professional in the it world for years. He's always on always connected. He loves to get all the information he needs on a smartphone. He works constantly with analytics. He predicts what his customers need, what they want, where they are, uh, and how best to reach them. Um, he's fully embraced the use of data in his life. This is Sue SCA. She's, she's a bit of a, um, of an opposite to James. She's not yet immigrated to our digital world. She's been dealing with the changes that are prevalent in our times. And she started a new business that allows her customers, the option of, um, of expressing their personalities and the mask that they wear. She wants to make sure her customers can upload images, logos, and designs in order to deliver that customized mask, uh, to brighten their interactions with others while being safe as they go about their day. But she needs a crash course in digital and the digital journey. She's recently as, as most of us have as transitioned from an office culture to a work from home culture, and she wants to continue to grow that revenue venture on the side >>At the core of these personalities is a journey that is, that is representative common challenge that we're all facing today. Our world has been steadily shrinking as our ability to reach out to one another has steadily increased. We're all on that journey together to know more about what is happening to be connected to what our business is doing to be instantly responsive to our customer needs and to deliver that personalized service to every individual. And it as moral, we see this across every industry, the challenge of providing tailored experiences to potential customers in a connected world to provide constant information on deliveries that we requested or provide an easier commute to our destination to, to change the inventories, um, to the just-in-time arrival for our fabrications to identify quality issues in real time to alter the production of each product. So it's tailored to the request of the end user to deliver energy in, in smarter, more efficient ways, uh, without injury w while protecting the environment and to identify those, those, uh, medical emerging threats, and to deliver those personalized treatments safely. >>And at the core of all of these changes, all of these different industries is data. Um, if you look at the major technology trends, um, they've been evolving down this path for some time now, we're we're well into our cloud journey. The mobile platform world is, is now just part of our core strategies. IOT is feeding constant streams of data often over those mobile, uh, platforms. And the edge is increasingly just part of our core, all of this combined with the massive amounts of data that's becoming, becoming available through it is driving autonomous solutions with machine learning and AI. Uh, this is, this is just one aspect of this, this data journey that we're on, but for success, it's got, uh, sorry for success. It's got to be paired. Um, it's gotta be paired with action. >>Um, >>Well, when you look at the, uh, um, if we take a look at James and Cisco, right, we can start to see, um, with the investments in those actions, um, how their travel they're realizing >>Their goals, >>Services, efforts, you know, uh, focused, deliver new data-driven applications are done in new ways that are smaller in nature and kind of rapidly iterate, um, to respond to the digital needs of, of our new world, um, containerization to deploy and manage those apps anywhere in our connected world, they need to be secure we'll time streaming architecture, um, from, from the, from the beginning to allow for continual interactions with our changing customer demands and all of this, especially in our current environment, while running cost reduction initiatives. This is just the current world that, that our solutions must live in. Um, with that framework in mind, um, I'd like to take the remainder of our time and kind of walk through some of the use cases where, where we at HPE helped organizations through this journey with, with, with the ASML data fabrics, >>Let's >>Start with what's happening in the mobile world. In fact, the HPE as moral data fabric is being used by a number of companies to provide infinitely personalized experiences. In this case, it could be James could be sushi. It could be anyone that opens up their smartphone in the morning, uh, quickly checking what's transpiring in the world with a selection of curated, relative relevant articles, images, and videos provided by data-driven algorithm workloads, all that data, the logs, the recommendations, and the delivery of those recommendations are done through a variety of companies using HP as rural software, um, that provides a very personalized experience for our users. In addition, other companies monitor the service quality of those mobile devices to ensure optimize connectivity as they move throughout their day. The same is true for digital communication for that video communication, what we're doing right now, especially in these days where it's our primary method of connecting as we deal with limited physical engagements. Um, there's been a clear spike in the usage of these types of services. HPE, as Merle is helping a number of these companies deliver on real time telemetry analysis, predicting demand, latency, monitoring, user experience, and analyzing in real time, responding with autonomous adjustments to maintain pleasant experiences for all participants involved. >>Um, >>Another area, um, we're eight or HBS ML data fabric is playing a crucial role in the daily experience inside our automobiles. We invest a lot of ourselves in our cars. We expect tailored experiences that help us stay safe and connected as we move from one destination to another, in the areas of autonomous driving connected car, a number of major car companies in the world are using our data fabric to take autonomous driving to the next level where it should be effectively collecting all data from sensors and cameras, and then feeding that back into a global data fabric. So that engineers that develop cars can train next generation, future driving algorithms that make our driving experience safer and more autonomy going forward. >>Now let's take a look at a different mode of travel. Uh, the airline industry is being impaired. Varied is being impacted very differently today from, from the car companies, with our software, uh, we help airlines travel agencies, and even us as consumers deal with pricing, calculations and challenges, uh, with, um, air traffic services. We, we deal with, um, um, uh, delivering services around route predictions on time arrivals, weather patterns, and tagging and tracking luggage. We help people with flight connections and finding out what the figuring out what the best options are for your, for your travel. Uh, we collect mountains of data, secure it in a global data fabric, so it can provide, be provided back in an analyzed form with it. The stressed industry can contain some very interesting insights, provide competitive offerings and better services to us as travelers. >>This is also true for powering biometrics. At scale, we work with the biggest biometrics databases in the world, providing the back end for their enormous biometric authentication pursuit. Just to kind of give you a rough idea. A biometric authentication is done with a number of different data points from fingerprints. I re scans numerous facial features. All of these data points are captured for every individual and uploaded into the database, such that when the user is requesting services, their biometric metrics can be pooled and validated in seconds. From a scale perspective, they're onboarding 1 million people a day more than 200 million a year with a hundred percent business continuity and the options do multi-master and a global data fabric as needed ensuring that users will have no issues in securely accessing their pension payouts medical services or what other types of services. They may be guaranteed >>Pivoting >>To a very different industry. Even agriculture was being impacted in digital ways. Using HPE as well, data fabric, we help farmers become more digital. We help them predict weather patterns, optimize sea production. We even helped see producers create custom seed for very specific weather and ground conditions. We combine all of these things to help optimize production and ensure we can feed future generations. In some cases, all of these data sources collected at the edge can be provided back to insurance companies to help farmers issue claims when micro patterns affect farmers in negative ways, we all benefit from optimized farming and the HBS Modena fabric is there to assist in that journey. We provide the framework and the workload guidance to collect relevant data, analyze it and optimize food production. Our customers demonstrate the agricultural industry is most definitely my immigrating to our digital world. >>Now >>That we've got the food, we need to ship it along with everything else, all over the world, as well as offer can be found in action in many of the largest logistics companies in the world. I mean, just tracking things with greater efficiency can lead to astounding insights. What flights and ships did the package take? What Hans held it along its journey, what weather conditions did it encounter? What, what customs office did it go through and, and how much of it's requested and being delivered this along with hundreds of other telemetry points can be used to provide very accurate trade and economic predictions around what's going on with trade in the world. These data sets are being used very intensively to understand economy conditions and plan for future event consequences. We also help answer, uh, questions for shipping containers that are, that are more basic. Uh, like where is my container located at is my container still on the correct ship? Uh, surprisingly, uh, this helps cut down on those pesky little events like lost containers. >>Um, it's astounding the amount of data that's in DNA, and it's not just the pairs. It's, it's the never ending patterns found with other patterns that none of it can be fully understood unless the micro is maintained in context to the macro. You can't really understand these small patterns unless you maintain that overall understanding of the entire DNA structure to help the HVS mold data fabric can be found across every aspect of the medical field. Most recently was there providing the software framework to collect genomic sequencing, landing it in the data fabric, empowering connected availability for analysis to predict and find patterns of significance to shorten the effort it takes to identify those potential triggers and make things like vaccines become becoming available. In record time. >>Data is about people at HPE asthma. We keep people connected all around the world. We do this in a variety of ways. We we've already looked at several of the ways that that happens. We help you find data. You need, we help you get from point a to point B. We help make sure those birthday gifts show up on time. Some other interesting ways we connect people via recipes, through social platforms and online services. We help people connect to that new recipe that is unexpected, but may just be the kind of thing you need for dinner tonight at HPDs where we provide our customers with the power to deliver services that are tailored to the individual from edge to core, from containers to cloud. Many of the services you encounter everyday are delivered to you through an HV as oral global data fabric. You may not see it, but we're there in the morning in the morning when you get up and we're there in the evening. Um, when you wind down, um, at HPE as role, we make data globally available across everywhere that your business needs to go. Um, I'd like to thank everyone, uh, for the time that you've given us today. And I'd like to turn it back over and open up the floor for questions at this time, >>Jimmy, here's a question. What are the ways consumers can get started with HPS >>The fabric? Well, um, uh, there's several ways to get started, right? We, we, uh, first off we have software available that you can download that there's extensive documentation and use cases posted on our website. Um, uh, we have services that we offer, like, um, assessment services that can come in and help you assess the, the data challenges that you're having, whether you're, you're just dealing with a scale issue, a security issue, or trying to migrate to a more containerized approach. We have a services to help you come in, assess that aspect. Um, we have a getting started bundles, um, and we have, um, so there's all kinds of services that, that help you get started on your journey. So what >>Does a typical first deployment look like? >>Well, that's, that's a very, very interesting question. Um, a typical first deployment, it really kind of varies depending on where you're at in the material. Are you James? Are you, um, um, Cisco, right? It really depends on, on where you're at in your journey. Um, but a typical deployment, um, is, is, is involved. Uh, we, we like to come in, we we'd like to do workshops, really understand your specific challenges and problems so that we can determine what solutions are best for you. Um, that to take a look at when we kind of settle on that we, we, um, the first deployment, uh, is, um, there's typically, um, a deployment of, uh, a, uh, a service offering, um, w with a software to kind of get you started along the way we kind of bundle that aspect. Um, as you move forward, if you're more mature and you already have existing container solutions, you already have existing, large scale data aspects of it. Um, it's really about the specific use case of your current problem that you're dealing with. Um, every solution, um, is tailored towards the individual challenges and problems that, that each one of us are facing. >>I break, they mentioned as part of the asthma family. So how does data fabric pair with the other solutions within Israel? >>Well, so I like to say there's, um, there, there's, there's three main areas, um, from a software standpoint, um, for when you count some of our, um, offerings with the GreenLake solution, but there are, so there are really four main areas with ESMO. There's the data fabric offering, which is really focused on, on, on, on delivering that data at scale for AI ML workloads for big data workloads for containerized workloads. There is the ESMO container platform, which really solves a lot of, um, some of the same problems, but really focus more on a compute delivery, uh, and a hundred percent Kubernetes environment. We also have security offerings, um, which, which help you take in this containerized world, uh, that help you take the different aspects of, um, securing those applications. Um, so that when the application, the containerized applications move from one framework or one infrastructure from one to the other, it really helps those, the security go with those applications so that they can operate in a zero trust environment. And of course, all of this, uh, options of being available to you, where everything has a service, including the hardware through some of our GreenLake offerings. So those are kind of the areas that, uh, um, that pair with the HPE, um, data fabric, uh, when you look at the entire ESMO pro portfolio. >>Well, thanks, Jimmy really appreciate it. That's all the questions we have right now. So is there anything that you'd like to close with? >>Uh, you know, the, um, I I'm, I find it I'm very, uh, I'm honored to be here at HPE. Um, I, I really find it, it's amazing. Uh, as we work with our customers solving some really challenging problems that are core to their business, um, it's, it's always an interesting, um, interesting, um, day in the office because, uh, every problem is different because every problem is tailored to the specific challenges that our customers face. Um, while they're all will well, we will, what we went over today is a lot of the general areas and the general concepts that we're all on together in a journey, but the devil's always in the details. It's about understanding the specific challenges in the organization and, and as moral software is designed to help adapt, um, and, and empower your growth in your, in your company. So that you're focused on your business, in the complexity of delivering services across this connected world. That's what as will takes off your plate so that you don't have to worry about that. It just works, and you can focus on the things that impact your business more directly. >>Okay. Well, we really thank everyone for coming today and hope you learned, uh, an idea about how data fabric can begin to help your business with it. All of a sudden analytics, thank you for coming. Thanks.