>> Live from San Francisco. It's the Cube. Covering Google Cloud Next '19. Brought to you by Google Cloud and its ecosystem partners. >> Hey welcome back, everyone, we're your live coverage with the Cube here in San Francisco for Google Cloud Next 2019. I'm John Furrier, my co-host Stu Miniman. I've got two great guests here from Google. Guemmy Kim, who's a group product manager for Google, Google Security Access and Christiaan Brand, Product Manager at Google. Talking about the security key, fallen as your security key and security in general. Thanks for joining us. >> Of course, thanks for having us. >> So, actually security's the hottest topic in Cloud and any world these days, but you guys have innovation and news, so first let's get the news out of the way. All the work, giz, mottos, all of the blogs have picked it up. >> [Christiaan Brand] Right. >> Security key, titan, tell us. >> [Christiaan Brand] Okay, sure. Uh, high votes on Christiaan. So uh, last year and next we introduced the Titan Security Key which is the strongest form of multifactor certification we offer at Google. Uh, this little kind of gizmo protects you against most of the common phishing threats online. We think that's the number one problem these days. About 81% of account breaches was as a result of phishing or bad passwords. So passwords are really becoming a problem. This old man stat uh making sure that not only do you enter your password, you also need to present this little thing at the point in time when you're logging in. But it does something more, this also makes sure that you're interacting with a legitimate website at the point in time when you're trying to log in. Easy for users to fool victim to phishing, because the site looks legitimate, you enter your username and password, bad guy gets all of it. Security key makes sure that you're interacting with a legitimate website and it will not give away it's secrets, without that assurance that you're not interacting with a phishing website. >> [Christiaan Brand] News this week though is saying that these things are really cool and we recommend users use them. Uh, especially if you're like a high-risk individual or maybe an enterprise user or acts sensitive data you know Google call admin. But what we're really doing this week is we are saying "okay this is cool" but the convenience aspect has been a bit lacking right? Uh, I have to carry this with me if I want to sign in. This week we are saying this mobile phone, now also does the exact same thing as the Security Key. Gives you that level of assurance, making sure you're not interacting with the phishing website and the way we do that is by establishing a local Bluetooth link between the device you're signing in on and the mobile phone. It works on any Android N so Android 7 and later devices this week. Uh and essentially all you need is a Google account and a device with Bluetooth capability to make that work. >> Alright, so, we come to a show like this and a lot of people we geek out as like okay what are the security places that we are going to button, the cloud, and all of these environments. We are actually going to talk about something that I think most people understand is okay I don't care what policies and software you put in place, but the actual person actually needs to be responsible and did you think about things? Explain a little bit what you do, and the security pieces that you know individuals need to be thinking about and how you help them and recommend for them that they can be more secure. >> In general, yeah, I think one of the things that we see from talking to real users and customers is that people tend to underestimate the risks that they are under. And so, we've talked to people like people in the admin space or people who are in the political space and other customers of Google cloud. And they are like, why do I even need to protect my account? And like, we actually had to go and do a lot of education to actually show them that they're actually in much higher risk than they think they are. One of the things that we've seen over time, is phishing obviously is one of the most effective ways that people's accounts get compromised and you have over 70% of organizations saying that they have been victims of phishing in the last year. Then the question is, how do we actually then reduce the phishing that's happening? Because at the end of the day, the humans that are in your organization are going to be your weakest link. And over time, I think that the phishers do recognize that and they'll employ very sophisticated techniques and to try to do that. And so what we tried to do on our end is what can we do on from an algorithmic and automatic and machine side to actually catch things that human eye can't catch and Security Key is definitely one of those things. Also employed with a bunch of other like anti-phishing, anti-spear phishing type things that we will do as well. >> This is important because one of the big cloud admin problems has been human misconfiguration. >> Yeah. >> And we've seen that a lot on Amazon S3 Buckets, and they now passed practices for that but this has become just a human problem. Talk about what you guys are doing to help solve that because if I got router, server access I can't, I don't want to be sharing passwords, that's kind of of a past practices but what other tech can I put in place? What are you guys offering to give me some confidence if I'm going to be using Google cloud. >> Yeah well, I think one of the things is that as much as you can educate your workforce to do the right things like do they recognize phishing emails? Do they recognize that uh, you know this email that is coming from somebody who claims is the CEO, isn't and some of these other techniques people are using. Uh again, like there's human fallacy, there's also things that are just impossible for humans to detect. But fortunately, especially with our Cloud Services, we have very advanced techniques that administrators can actually turn on and enforce for all of the users. And this includes everything from advanced, you know malware and phishing detection techniques to things like enforcing security keys across your organization. And so we're giving administrators that power to actually say, it's not actually up to individual users, I'm actually going to put on these much stronger controls and make it available to everybody at my organization. >> And you guys see a lot of data so you have a lot of collective intelligence across a lot of signals. I mean spear phishing is the worst, it's like phishing is hard to solve. >> [Christiaan Brand] If you think about we have a demo over here just a couple of steps to the right here uh, where we take users through kind of what phishing looks like. Uh, we say that over 99.99% of kind of those types of attack will never even make it through right? The problem is spear phishing as you said, when someone is targeting a specific individual at one company. At that point, we might have not seen those signals before uh that's really where something like a Security Key kind of comes in. >> That's totally right. >> [Christiaan Brand] At that very last line of defense and that's basically what we are targeting here that .1% of users. >> Spear phishing is the most effective because it's highly targeted, no patter recognition. >> Yeah >> So question, one of the things I like we are talking about here is we need to make it easier for users to stay secure. You see, too often, it's like we have all these policies in place and use the VPN and it's like uh forget it, I'm going to use my second phone or log in over here or let me take my files over here and work on them over here and oh my gosh I've just bypassed all of the policy we put in place because you know, how do you just fundamentally think about the product needs to be simple, and it needs to be what the user needs not just the corporate security mandate? >> Yeah, I mean that's a great question. At Google we actually try a nearly completely different way of like kind of access to organizational networks. Like, for example Google kind of deprecated the VPN. Right? So for our employees if we want to access data uh on the company network, we don't use VPNs anymore we have something called kind of BeyondCorp that's like more of a kind of overarching principle than a specific technology. Although we see a lot of companies, even at the show this year that doing kind of technology and product based on that principle of zero trust or BeyondCorp. That makes it really easy for users to interact with services wherever they are and it's all based on trust on the endpoint rather than trust on the network, right? What we've seen is data breaches and things happen you know? Malicious software crawls into a network and from that point it has access to all of the crown jewels. What we are trying to say is like nowhere in being at a privilege point in the network gives you any elevated access. The elevated access is in the context that your device has, the fact that is has a screen lock, the fact that it's maybe issued by your corporation, the fact that it's approved, I don't know, the fact that is has drive instruction turned on, uh you know it's coming from a certain you know location. Those are all kind of contextual signals that we use to make up this uh, you know, our installation of BeyondCorp. This is being offered to customers today, Security Keys again, plays a vital part in all of that. Uh, you know there's trust in the end point, but there's also trust in authentication. If the user is really who they say they are, uh and this kind of gives us that elevated level of trust. >> I think this is a modern approach, that I think is worth highlighting because the old days we had a parameter, access methods were simply, you know, access servers authenticated in and you're in. But you nailed, I think the key point which is: If you don't trust anything and you just say everything is not trustworthy, you need multi-factor authentication. Now, this is the big topic in the industry because architecturally you have to be set up for it, culturally you got to buy into it. So kind of two dimensions of complexity, plus you're going down a whole new road. So you guys must do a lot more than just two factor, three factor, you got to imbed it into the phone. It could be facial recognition, it could be your patterns. So talk about what MFA, Multi-factor Authentication, how's it evolving and how fast is MFA evolving? >> Well, I think the point that you brought up earlier, that it actually has to be usable. And when I look at usability, it has to work for both your end users as well as the idea administrators who are uh putting these on for the systems and we look at both. Uh, so that's actually why we are very excited about things like the built in security key that's on your phone that we launched because it actually is that step to saying how can you take the phone that you already have that users are already familiar using, and then put it into this technology that's like super secure and that most users weren't familiar with before. And so it's concepts like that were we try to merry. Uh, that being said, we've also developed other kind of second factors specific for enterprises in the last year. For example, we are looking at things like your employee ID, like how can an organization actually use that were an outside attacker doesn't have access to that kind of information and it helps to keep you secure. So we are constantly looking at, especially for enterprises, like how do we actually do more and more things that are tailored for usability for both support cause, for the IT organization, as well as the end users themselves. >> Maybe just to add to that, I think the technology, security keys, even in the way that it's being configured today which is built into your phone, that's going into the right direction, it's making things easier. But, I think we still think there's a lot that can be done uh to really bring this technology to the end consumer at some point. So, we kind of have our own interval roadmap, we are working towards in making it even easier. So hopefully, by the time we sit here next year, we can share some more innovations on how this has just become part of everyday life for most users, without them really realizing it. >> More aware of all brain waves, whatever. >> Full story. Yup, yup, yup. >> One of the things that really I think struck a cord with a lot of people in the Keynote was Google Cloud's policy on privacy. Talk about, you on your data, we don't uh you know, some might look and say well uh I'm familiar with some of the consumer you know, ads and search and things like that. And if I think about the discussion of security as a corporate employee is oh my gosh they're going to track everything I am doing, and monitoring everything I need to have my privacy but I still want to be secure. How do you strike that balance and product and working with customers to make sure that they're not living in some authoritarian state, where every second they're monitored? >> That's a good question. Kim if you want to take that, if not I'm happy to do. >> Go ahead. >> Alright, so that is a great question. And I think this year we've really try to emphasize that point and take it home. Google has a big advertising business as everyone knows. We are trying to make the point this year, to say that these two things are separate. If you bring your data to Google Cloud, it's your data, you put that in there. The only way that data would kind of be I guess used is with the terms of service that you signed up for. And those terms of service states: it's your data, it'll be access the way that you want it to be access. And we are going one step further with access transparency this year alright. We have known something where we say well even if a Google user or Googler or Google employee needs access to that data on your behalf, lets say you have a problem with storage buckets, right, something is corrupted. You call uh support and say hey please help me fix this. There will be a near real time log that you can look at which will tell you every single access and basically this is the technology uh we've had in production for quite some time internally at Google. If someone needs to look... >> Look at the data. >> Right, exactly right if I need to look at some you know customers data, because they followed the ticket and there's some problem. These things are stringently long, access is extremely oriented, it's not that someone can just go in and look at data anywhere and the same thing applies to Cloud. It has always applied to Cloud but this year we are exposing that to the user in these kind of transparency reports making sure that the user is absolutely aware of who's accessing their data and for which reason. >> And that's a trust issue as well, it's not just using the check and giving them the benefit... >> [Christiaan Brand] Absolutely. >> But it's basically giving them a trust equation saying look they'll be no God handle access... >> Right, right, exactly. >> You heard with Uber and these other stories that are on the web, and that's huge for you guys. I mean internally just you guys are hardcore on this and you hear this all the time. >> Yeah uh >> Separate building, Sunnyvale... >> No, not separate building. But you know uh, so I've worked in privacy as well for a number of years and I'm actually very proud like as a company I feel like we actually have pushed the floor front on how privacy principles actually should be applied to the technology uh and for examples we have been working very collaboratively with regulators around the world, cause their interest is in protecting the businesses and the citizens kind of for their various countries. And uh we definitely have a commitment to make sure that you know, whether it's organization's or individuals like their privacy actually is protected, the data is secure, and certainly the whole process of how we develop products at Google like there's definitely privacy checkpoints in place so that we're doing the right thing with that data. >> Yeah, I can say I've been following Google for a long time. You guys sometimes got a bad rep because it's easy to attack Google and you guys to a great job with privacy. You pay attention to it and you have the technology, you don't just kind of talk about it. You actually implement it and you dog food it as to or you eat and drink your own champagne. I mean that's how bore became, started became Kubernetes you know? And Spanner was internal first and then became out here. This is the trend that Google, the same trend that you guys are doing with the phones, testing it out internally to see if it works. >> Yeah, yeah. >> Absolutely right, so Security Keys will start there like we uh Krebs published an article last year, just before the event saying we had zero incidents of possible phishers with Googlers since they deploying the technology. We had this inside Google for a long time, and it was kind of born out of necessity, right. We knew there was positive phishing was a problem, even Googlers fall for this kind of thing. It's impossible to train your users not to fall for this type of scam, it just is right. We can view any location all we want, but in the end like we need technology to better protect the user, even your employees. So that's were we started deploying this technology, then we said we want to go one step further. We want to kind of implement this on the mobile phone, so we've been testing this technology internally uh for quite a few months. Uh, kind of making sure that things are shaping out. We released this new beta this week uh so it's not a J product quite yet. Uh, you know as you know there is Bluetooth, there is Chrome, there is Android, there's quite a few things involved. Android Ecosystem is kind of a little bit fragmented, right, there is many OEMs. We want to make this technology available to everyone, everyone who has an Android phone, so we are kind of working on the last little things but we think the technology is in a pretty good place after doing this "drinking of champagne." >> So it's got to be bulletproof. So now, on the current news just to get back to the current news, the phone, the Android phone that has a security key is available or is it data that is available? >> [Christiaan Brand] So it's interesting. In on the Cloud side, the way that we normally launch products there is we do an alpha, which is kind of like a closed liked selection. The moment that we move and do beta, beta is open, anyone can deploy it but it has certain like terms of service limitation and other things. Which says hey don't rely on this as your sole way of accessing an account. For example, if you happening to try and sign in on a device that doesn't have Bluetooth the technology clearly will not work. So we're saying please make sure you have a backup, please keep a physical security key for the time being. But start using this technology, we think for the most popular platforms it should be well shaken out. But beta is more of a designation that we kind of reserve for saying we're starting... >> You're setting expectations. >> But also, one thing I want to clarify that just because it's in beta it doesn't mean it less secure. The worst thing that will happen is that you can be locked out of your account because you know, the Bluetooth could fail to communicate or other things like that. So I want to assure people, even though it's beta you can use it, your account is secure. >> Google has the beta kind of uh which means you either take it out to a select group of people or set expectations on terms of service. >> Right. >> Just to kind of keep an eye on it. But just to clarify, which phones again are available for the Android? >> [Christiaan Brand] Uh, we wanted to make sure that we cover as large a population as possible, so we kind of have to look at the trade offs, you know at which point in time we make this available going forward. Uh, we wanted to make sure that we cover more than 50% of the Android devices out there today. That level that we wanted to reach, kind of coincided with the Android 7, Android Nougat, is kind of the line that we've drawn. Anything Android 7 and above, it doesn't have to be a Pixel phone, it doesn't have to a Nexus phone, it doesn't have to a Samsung phone, any phone 7 and up should work with the technology. Uh and there's a little special treat for folks that have a Pixel 3 as you alluded to earlier we have the Titan M chip that we announced last year in Pixel. There we actually make use of this cryptographic chip but on other devices you have the same technology and you have the same assurance. >> Well certainly an exciting area both on from a device standpoint, everybody loves to geek out on the new phones as Google I know is coming up I'm sure it'll be a fun time to talk about that. But overall, on Cloud security is number one, access, human, errors, fixing those, automating, a very important area. So we're going to be keeping track of what's going on, thanks for coming on. >> Thanks. >> And sharing your insight, I appreciate it. >> Of course, thanks for having us. >> Okay, live Cube coverage here in San Francisco. More after this short break. Here Day 3 of 3 days of wall-to-wall coverage. I'm John Furrier and Stu Miniman, stay with us, we'll be back after this short break. (energetic music)

>> Let me check. (uptempo orchestral music) (uptempo techno music) >> Live, from San Francisco, it's theCUBE! Covering Red Hat Summit 2018. Brought to you by Red Hat. >> Hey welcome back everyone, we are live here with theCUBE in San Francisco, Moscone West, for Red Hat Summit 2018. I'm John Furrier, co-host of theCUBE, with John Troyer co-host, analyst this week. the TechReckoning co-founder. Our next two guests are Ashesh Badani, vice president and general manager of OpenShift Platform and Alex Polvi, CEO of CoreOS, interview of the week because CoreOS now part of Red Hat. Congratulations, good to see you again. Thanks for coming on theCUBE. >> You're welcome. >> So obviously this is for us, we've been covering both of you guys pretty heavily and we've been commenting very positively around the acquisition of CoreOS. Two great companies that know open-source, pure open-source. You guys got the business model nailed down, these guys got great tech. You bring it together. So the first question is how's everyone doing? How's everyone feeling? And where's the overlap, if any and where's the fix? Explain the true fit of CoreOS. >> I'm going to start Alex, you want to jump in after. We're very excited right, so when we first had interactions with CoreOS, we knew this is going to be a great fit. The conversation we had earlier, both companies delivers in open-source, delivers in the mission center to take us forward regard to Kubernetes, as the container orchestration engine, and then being able to build out value for our customers around it. I think from our perspective, the work that both CoreOS did in advancing the community forward but also the work they've done around automation or their upgrades, management metering, charge back and so on. Being able to bring all those qualities into Red Hat is incredible. So I think the fits been good. It's been three months, I'll let Alex comment some more on that but we've been doing a lot of work from integration perspective around engineering, around product management. At Red Hat Summit this week, we reveal details around some of the converged road maps, which I can talk about some more as well. So we're feeling pretty good about it. >> Alex, your reaction. >> Yes, it's been three months. If you've studied CoreOS at all, you know everything that we do really centers around this concept of automated operations. And so by being part of Red Hat, we're starting to bring that to market in a much bigger and faster way of really accelerating it. The way the acquisition are really successful is either mutually beneficial to both companies and they accelerate the adoption of technology and that's definitely happening. We had the announcement yesterday with Red Hat CoreOS around the Linux distribution. Last week, we did the operator framework. It was very central to the work that we've been doing as part of CoreOS, and then as companies in a lot of ways is being part of Red Hat for three months now. This is what our company would have looked like if we ever just another 10 years along or whatever very similar, we're like a mini Red Hat, and now we're leaped ahead in a big way. >> And you guys done a good work. We've documented on theCUBE many times, and we were in Copenhagen last week. Now covering the operating framework but I want to get your reaction. You guys did a lot of great work on the tech side obviously, you can go into more detail but we've always been saying on theCUBE. If you try to force monetization in these emerging markets, you're optimizing behavior. And this was something that's gone on, we've seen containers. It's been well documented obviously what's happened. It's certainly a beautiful thing. Got Kubernetes now on top working together with that. If as an entrepreneur out there that are building companies. If you try to force the monetization too early, you really thinking differently. You guys stay true to it. Now we've got a good home with Red Hat. Talk about that dynamic because that was something that I know you guys faced at CoreOS and you've managed through it. Tempted probably many times to do something. Talk about the mission that you had, staying true to that and just that dynamic. It's challenging. >> Yeah, as we set out to build a company in general, there are really three operating principles. There is build a great technology to solve our mission which is to secure the internet through automated operations, build a great place to spend their days which is really about the people and the culture and so on. Why are we doing this, and the third was to make it sustainable and by that I mean to build their own money fountains, building out of the middle of our campus. And so by joining Red Hat it's we have a money fountain sitting there. (laughing) It's spewing off a ton of cash flow every single quarter that allows us to continue to do those first two things in perpetuity, and that third one is something every company needs in order to continue to execute towards the mission. And the thing that's so awesome about working with Red Hat is we're very much aligned and compatible. Red Hat's mission isn't exactly the same thing we are working but it's definitely compatible. It's like Apache and GPL are compatible. It's like that type of compatible. >> You both believe in open-source in a big way. Talk about the Red Hat perspectives. Now you got like a kid in a candy store. Openshift made a big bed with Kubernetes. You see now, you have the CoreOS, how has it changed in Red Hat internally? Things moving around actually accelerates the game a bit for you guys, and you're seeing new life being pumped into OpenStack. You're seeing clear line of sight with Kubernetes on the app side. We were just at KubeCon. A lot of people are pretty excited. There's clear lines of sight on what's defacto. What people are going to build around, and also differentiate. >> Right, so I'll start off by saying I really hope our CEO, Jim Whitehurst doesn't see this interview but if it goes off in terms of money factor. I'm currently make budget request. I think I know what's going on. >> Balance sheet, cashless now. It's in the public filings. If I see a fountain of money spewing off the thing, >> The ability to reinvest. >> This is a really good fit. (laughing) The way to say this, they have a great business model. >> Yeah, yeah. >> Some of us will make money, some of us will spend the money. Some of us will spend the money, it will work out well. (laughing) >> It's a great win. It's a great win. It obviously accelerates the plans. The commercialization is already there with Red Hat. This is just a good thing for everybody but the impact of you guys accelerating, just seeing OpenShift. You can boil it down to the impact of Red Hat. What is the impact? >> So in all seriousness, I think the focus for us really has been about there is so much complimentary work that's been going on with the CoreOS team that we're bringing into OpenShift, and to Red Hat in general that accelerates everything that you're seeing. You saw some amazing announcements happen this week with regard to our partnership with Microsoft and getting OpenShift out and Azure, and joint support offering. The work we're doing with IBM to get IBM middleware as well as IBM Cloud Private support integrated with OpenShift. The work that Alex referred to around automation, being able to bring that to our customers. We see all the excitement around that front as well so we want to take all Techtonic work that has been going on at CoreOS, then move that to OpenShift. Carry forward the community that CoreOS built around Container Linux, and actually inject a lot those ideas into that Linux, our flagship technology. Bring that passion and energy to bear as well, and then carry forward a lot of the other projects that they have. For example, the Quake Container Registry, that's extremely popular. Carry that forward, support our customers to use that both stand alone integrated with the OpenShift platform. Other projects like FCB that Alex has been talking about which is the underpinnings of Kubernetes plus running worldwide. So all of those things, we can bring forward, and then all the advancements that were made in place by CoreOS as they're working towards their money fountain, just plug that right into it. >> And just as a point of reference, Brendan Burns flew in yesterday. Microsoft Build is going up so he left their own conference to come down here. >> As did Scar Guthrie, right? >> That's a great testament. This is the testament. They're coming down, really laying down support. This is a real big deal. This is not a fake deal, it's real. >> And so I want to talk a little bit about specifics of the timeline, the road maps. Sometimes with these mergers or acquisitions, it's well the technology will be incorporated at some point, and then it goes away to die and you never see it again. And then the people all leave, and then you ask what was going on. But here, you actually have, I was great. You were talking to me. You have some specific timelines and we'll start to see some of the Techtonics Stack in OpenShift fairly soon. >> Yes, absolutely so the acquisition was announced three months ago and we said at that time that by Red Hat Summit, we'll lay out for you a road map and so we're now starting to do that. We put out release of some materials around some details with regard to how that's coming out. We have detailed sessions going on at Red Hat Summit around the integration plans between Red Hat, OpenShift and CoreOS with a few specific areas with regard to OpenShift. You'll start seeing the earliest versions if you will of the work that's being done. This summer, we'll deliver the full road map to you there by the end of this calendar year. With regard to, for example pieces like the Quake Container Registry that's being made available and being sold now as we speak. Customers can go get that, and we want to make sure no customer is left behind. Right, that's a principle we put out. And with regard to supporting any existing customers on Techtonic or the Container Linux space, we're doing that as we're working to integrate them into the Red Hat portfolio. Can you talk a little bit about the decision for Red Hat's atomic coast and Container Linux? Now re-named again, CoreOS. That was one of the seminal inventions that you all made as you started the company. I think it had some brilliant ideas again about security and the operational aspects but can you talk about some of those technologies and the decisions made there? >> Yeah, like I said, the acquisition of CoreOS Red Hat was about saying look what can we take that CoreOS has been doing to accelerate both work and community but also what could be doing to deliver this technology to customers. So the goal was we'll take all the atomic and the word that's been going on there have that be superseded by the work that's coming out of CoreOS Container Linux carry the community forward. Release a version of that called Red Hat CoreOS and in its initial form make that actually an underlying environment to run OpenShift in. Okay so for customers who want the automation that Alex talked about earlier. They made that available both at the underlying platform. Make it available in OpenShift platform itself via the work that's come from Techtonic, and then ultimately, Alex will talk about this some more through operators. So trusted operations from ISP or third party software that would run on the platform. All right so now if you will, we'll have full stack automation all the way through. OpenShift also support Red Hat Linux, a traditional environment for the thousands of customers that we have globally. Over a period of time, you should expect to see much of the work that's going on Red Hat CoreOS find its way into it as well. So I think this just benefits all around for us both in the near term as well as long. >> And Red Hat Container certification, where does that fit into all this? >> Yeah, a great question, so what we announced maybe was, actually was two years ago was a Container certification program. Last year, we spent some time talking about the health of those containers, and being able to provide that to customers. And this year, we're talking about trusted operations around those containers. That carries forward, we've got hundreds of ISPs that have built certified containers around it, and now with the operator framework, we've had, I think it's four ISPs demonstrating previews of their operators working with our platform as well as 60 more that are committed to building ISP operators that will be certified again. >> So people are certified in general, pretty much. I think we're very excited. The fact that we went to KubeCon last week, announced that the operating framework have been based on the ideas that the CoreOS team has been working on for at least two years. Making that available to the community and then saying for the ISPs that want a path to market. Going back to the money fountain again for the ISP that want to pass through market which is pretty much all of them. We also have the ability to do that so give them an opportunity to make sure that as wide as possible some adoption of the software at the same time help with commercialization. >> Can you guys share your definition of operator because I saw the announcement but we we're on a broader definition when we see the DevOps movement going the next level. It's all about automation and security, you mentioned that admin roles are being automated in a way to see more of an operator function within enterprise and emerging service providers. So the role operator now takes on two meanings. It's a software developer. It also is a network operator, it's also a service, so what is that, how do you guys view that role because if this continues, you're going to have automation. More administrator is going to be self healing, all this stuff is going to go on. Potentially operations is now the developers and IT all blurring together. How do you guys define the word operator in the future state? >> Well I know the scenario of great interest to you. >> So operator is the term for the piece of software that implements the automated operations. And so automated operations, what is that? Well that's what sets apart, the way I think about it is what sets apart a cloud provider verses a hosting provider. It's a set of software that really runs the thing for you and so if we're going to get into specific Kubernetes lingo, it would be an application specific controller. That's a piece of software that's implements the automated operations. And automated operation is a software that gives you that simplicity of cloud. It's at the core of a database as a service. It's both hosting but also automated operations. Those two things together make up a cloud service and that software piece is what we're decoupling from the hosting providers for the first time and allowing any open-source project or ISP brings the simplicity of cloud but in any environment. And that's what the operator is a piece of software that actually goes and implements that. >> So a microservices framework, this fits in pretty nicely. How do you see obviously? >> Microservices, there's all these terms. Microservice is more of an architecture than anything but it's saying look, there's these basic things that every operations team has to go and do. You have to go and install something, you have to upgrade it, you have to back it up, when it crashes in the middle of the night, get it going again. A lot of these things, the best practices for how you do them are all common. There's no ingenuity in it. And for those things, we can now because of Kubernetes write software that just automates it, and this was not possible five years ago. You couldn't write those software. There were things like configuration management systems and stuff like that that would allow companies to build their own custom versions of this. But to build a generic piece of software that knows how to run application like Prometheus or a database or so on. It wasn't possible to write that and that's what the first four or five years of CoreOS was is making it possible, that's why you saw all these mat and new open-source projects being built. But once it was possible it was like let's start leveraging that. You saw the first operator come out about a year ago, and I think it was our ATD operator was the first one, and we started talking about this as a concept. And now we're releasing operator framework which is from all the learnings of building the first couple. We now made a generic, so anybody can go and do it, and as part of Red Hat, we're now bringing it to the whole ISP ecosystem. So the whole plan to make automated operations ubiquitous is still well underway. >> I'd love to extend that conversation though to the operator, the person. >> Right. I think you and your team brought the perspective of the operational excellence right to the table. A lot of cloud has been driven by the role of developer and DevOps but I've always felt like well wait a minute operators the people who use to be known as IT insisted they had a lot to bring to the table too about security and about keeping things running, and about compliance and about all that good stuff. So can you talk a little bit as you see the community emerging, and as you see all these folks here. How do you talk to people who want to understand what their role is going to be with all this automation in keeping the clouds running? >> Computers use to be people too. (laughing) But we're not going to completely automate away everything because there's still parts of this wildly complex system that justifies whole conferences of thousands of people that require a whole lot of human ingenuity. What we're doing is saying let's not like do the part that is the fire drill in the middle of the might that keeps you from making forward progress. The typical role of an operations person today is just fighting fires of mundane things that don't actually add a lot of value to the business. In fact, this guy is difficult because you only get brought up when things are on fire. You never get an praise when things are going well. And so what we want to do is help the operations folks put out those fires like the security updates. Let's just roll those out automatically. The way you do those across all organizations does not need to be special and unique but they're really critical to do right. >> Well it's just automate that stuff away and let the operations team focus on moving the business forward. The parts that require the human spirit to actually go and do, and if we get to a point where a CEO of a company is like, wow, I can not come up with a new vision for this imitative 'cause my operations team are just so fast at influencing them. Then we have to start worrying about operations people's job but I don't see that happening for a very long time. >> And no one is going to be sitting around twiddling their thumbs either. >> Let me just extend that point a little bit. The whole point of operators is to encapsulate human knowledge that ISPs have and bring that in the platform and automate it. So the challenge that we've had is an operations person is required to know a lot about a lot. So the question then really is how can we at least take some of what's already known by people and be able to replicate that and that allows for every one to move forward. I think that's just forward-- >> Well, there's a bigger picture beyond that, so I agree but there is also scale. With cloud, you have scale issues. So with scale automation is a beautiful thing 'cause the fire has also grown exponentially too so you can't be operating like this. Scale matters, super. >> The reason that this stuff was invented at Google initially was not because of Google's high career per second. Is that they were, to build the application they're building required so many servers that you couldn't hire enough operations people without writing software to automate it. So they were forced to custom design the system because they had so many servers to run to build the software that they wanted to build. And other companies are just now getting to that point because every company is going through a digital transformation. They have to have thousands of servers just to run their applications. There's no way you're just going to hire the operations staff to go and do it all by hand. You have to write software to turn the operations people into mech warriors of running servers. You need to wrap them in automation in order to scale that. >> At KubeCon, she made a comment that all those operations folks at Google are software developers. >> Brand engineers. >> Brand engineering, so they're not Ops guys just pushing buttons and provisioning gear and what not. They're actually writing code. You bring up the Google piece, the other piece that we heard at KubeCon. We hear this consistently that this is now a new way to do software development. So when a former Googler went to work for another company, left Google. She went in and she said, "Oh my God, you guys don't do. "You don't use board?" To her, she's like how do you write software? So she was like young and went out in the real world and was like wait a minute, you don't do this? So this is a new model in software development at scale with these new capabilities. >> I think so and I think what's really important is the work we're doing with regards to an ecosystem perspective to help folks. So one of the top things I hear from customers all the time is this sounds fantastic. Everyone's talking about DevOps or microservices or wanting to run Kubernetes at scale. Do I have the skills? Can I keep up with the change that's in place and how do I continue going forward around that? So we announced at Red Hat Summit Managed offerings from let's say Atos and DXC where you've got goals to integrate us helping folks, or companies like Extension T systems. The CEO came and spoke today about the work we're doing with them to help connected cars, and those applications be rolled out quick and fast. I think it's going to take a village to get us to where we want to because the rate of change is so fast around all of these areas and it's not slowing down that we'll have to ensure there's more automation and then there's more enablement that's going on for our customers. >> So some clarity, can you guys comment on your reaction to obviously we've seen OpenStack has done over the years and now with well Containers, now Kubernetes. You seeing at least two ecosystems clearly identified. Application developers, cloud native and then I would call under the hood infrastructure, you got OpenStack. Almost it clarifies where people can actually focus on real problems that the Kubernetes needs. So how has the Container, maturation of Containers with Kubernetes clarified the role of the community? If this continues with automation, you can almost argue that the clarity happens everywhere. Can you comment on how you see that happening? Is it happening or is it just observation that's misguided? >> I think we're getting better with regard to fit for a purpose or fit for use case. All right, so if you start thinking about the earliest days of OpenStack. OpenStack is going to be AWS in a box, and then you realize well that's not a practical way of thinking about what a community can do a build at scale. And so when you start thinking about a Word appropriate use case for this. Now you start betting if you will, a set of scales, you set expectations around how to make that successful. I think we'll go through the same if we haven't already or even going through it with regard to Kubernetes. So not every company in the world can run Managed World call. DYI Kubernetes, don't many companies will start with that. And so the question is how do we get to the point where there's balance around it and then be able to take advantage of the work? For example, companies like Red Hat work for us was doing to help accelerate that path 'cause to the point Alex was trying to make is the value for them being able to keep up with the core release of Kubernetes? And every time a bug shows up to go off and be able to fix and patch it, and watch that or is the value building the next set of applications set on top of platforms. >> That's great, well congratulations guys. Thanks for coming on theCUBE. Appreciate the insight. Congratulations on the three months into Red Hat. Good fit, and enjoy the rest of the show. Thanks for coming on, I appreciate it. >> Thanks. >> Live from Red Hat Summit, it's theCUBE's coverage here of Red Hat and all the innovation going on out in the open. We're here in the middle of, we open the floor with Moscone West with live coverage. Stay with us for more after this short break. (uptempo techno music)

(electronic music) >> Announcer: Live from Orlando Florida, it's the Cube, covering Grace Hopper Celebration of Women in Computing, brought to you by SiliconANGLE Media. >> Welcome back to the Cube's coverage of the Grace Hopper conference here in Orlando, Florida. I'm your host, Rebecca Knight. We're joined by LaFawn Davis, she is the global head of culture and inclusion at Twilio. Thanks so much for joining us. >> Thank you for having me. >> So let's start by telling our viewers what you do at Twilio. What does the global head of culture and inclusion do? >> That's a great question, it's kind of a newer title, so the culture piece is around our environment, our workspace, how employees feel, and it also incorporates employee experience, so we want to make sure that all the great talent we get in, we actually keep and develop and grow, and then there's the inclusion piece, the D&I piece, and that's the piece that people typically understand, so that is attracting, recruiting, retaining and developing top talent, it's making sure that we're looking at all of the diverse workforce that we want to have in the company, that we're serving our employees in the right way, and so it's nice that it's going to have both sides of that so it's not just purely about recruiting, it's not purely about numbers. It really is about how employees feel and it's whether or not they feel included, but also belong. >> So how do you do that? I mean, that's what every company wants, is to make employees feel happy about coming to work every morning. How do you do it? >> You have to ask. So it's really important that we have values that we can stand upon, every day. So we have what we call Nine Things, and they really are values, things like draw the owl, which is like you have to start somewhere. >> Rebecca: Draw the owl? >> Draw the owl. It's from an old internet meme that's around the way you draw an owl is you start with two circles, and then you draw the rest of the owl. You have to start somewhere. We have another one that's be humble. No shenanigans, that one you hear a lot, like if you're in a meeting and people are kind of ... thinking of doing things a different way? >> There are a few tech companies that maybe could have benefited from those shenanigans, but yeah. >> We'll call each other out, I mean, you'll hear it around the office. >> Rebecca: Do they, though? >> Oh no, absolutely. They absolutely will, they'll say, "That sounds a little shenanigan-y." or, you know, "We're not supposed to be doing "shenanigans here, so let's really "figure out how to do the right thing." And I think when you have values that are that specific, you can stand on them, you can count on them, and you can call each other out. >> Shenanigan-y? I love it, okay. >> (laughs) So it's like, let's be honest, and let's do what's right. >> But at the same time, I mean, it is, I understand how that can become the sort of safe word, and it's almost funny to say, "Hey, what are you doing here?" But how do you make those employees feel empowered enough to be able to call someone out, particularly if that person is a manager or a white guy that just has more bluster. >> Yeah, it starts from the top down. But even before I got to Twilio, I've only been at Twilio for six months but I did in the space for well over a decade, and what Twilio has is a top down and a bottoms up, so they were doing diversity inclusion and had employee resource groups before I got there. Three years before I got there, and the CEO is fantastic, and it really starts from that, messaging, you can tell the CEO he's being shenanigan-y. He expects you to, so we're hiring in people that espouse our values, we're looking for that, we're making sure that people come in with that understanding of, we don't want shenanigans here, we want you to be humble here, we want you to draw the owl, we want you to really acquire knowledge and thirst after it. Those are the things we look for, and so if you keep hiring people like that that already lend to your values, you're going to have, continue to have that culture. And it's not really about, oh I don't want to say this in front of, like, a C-Suite executive or in front of a leader, it's expected of you that you live those values no matter who you are. >> So as you've said, you've been in this space for a while, you worked for PayPal, Google, Yahoo. What have been the biggest changes you've seen over the course of your career? >> Yeah, so it's really a journey, right? I think the diversity journey especially ten years ago started with diversity, numbers, demographics, and it was really just gender globally and ethnicity U.S., and that's it and that's what people talked about, and those were the efforts that people made. It was really about recruiting, and now it's gone into more of the inclusion space and making sure people feel like they have a voice that can be heard, or they have a seat at the table, but honestly right now where we're at is the belonging space, right? Inclusion is really about making sure other people feel included and that you're hearing other perspectives. Belonging is a personal feeling. I feel like I belong here, and I'll tell you a funny story. When I first started Twilio, probably about two weeks in, I sit on the people team, which is next to the legal team, and the legal team's having this discussion and I'm like, wait a minute, oh my gosh, are you all conspiracy theorists? And they're like yeah! And I go, oh! Oh, you're my people! (Rebecca laughs) 'Cause I'm the one with the whiteboard and the red string and the tinfoil hat, and I immediately felt a sense of, you're my people, I feel like I'm supposed to be here. Everyone wants that feeling, and so the belonging space is really where companies are starting to focus, it's not just about having a seat at the table. Do you want to be here, do teams work well together? Are we working on something that's important to you? Do we have a vision that's inspiring to you? And that's more around belonging. I think the next step in this journey is equality, and we are a long way from that. >> And what do you make of that? I mean, you have been in this space for a while now, at some of the biggest, most respected tech names in the industry, and some of their names have been dragged through the mud around these issues, so I mean, are you discouraged, are you hopeful, what's your feeling now? >> I'm hopeful. I don't think I would still be doing it this long if I wasn't hopeful, and yes, I get tired. (laughs) >> Yeah, that we're still talking about it. >> Definitely get fatigued, but I'm very passionate about it, and that's how I ended up in this career. I started off in operations when I was at Google, and I was one of the founding members of the Black Googler Network, which is an employee's resource group, and I just got really passionate about being strategic. It wasn't just about building a sense of community. It was, no, let's figure out how to attract, recruit, retain and develop talent. Let's figure out like what the company needs and how we can plug in, and not just ... I mean, it lit a fire in me, and so I took lots of different roles within the D&I space and every time I think I'm going to step out, I get sucked back in. (they laugh) And so I think there's so much work to do. I think people inherently want to do the right thing. There's some bad apples that have been dragged through the mud lately, absolutely, but I think for the most part, people are coming from a good place. They may not know what to do, I think we have to change the conversation, because if we continue to do the same things over and over again, and they're not working, that should say something, right? >> So these, in terms of your past companies, Yahoo, Google, PayPal, they are much bigger than Twilio, Twilio is ... >> Less than a thousand employees. >> Less than a thousand people. How would you describe the biggest differences in terms of trying to affect change? >> Yeah, so I think the nice thing is, this is the first company where I don't fee like I have to talk about the business case for diversity. >> Rebecca: They already get it. >> They already get it, it's already got. My CEO will tell the story that when he started this company, he's like, I'm trying to build a company, and people were like, diversity, diversity, he's like, I'm trying to build a company. And then he really thought about it, and said, "Well, when is the right time to think about diversity? Is it when I have a thousand white male engineers?" Right, at that point you're fixing a problem as opposed to just starting with it and hiring people around that, and so it's the first company where I feel like that was already there, which is wonderful because now I can focus on the things that make the greatest impact, instead of starting from scratch, and so a smaller company, especially with more of a startup mentality, they just went public last year, I think it's almost easier in a way to make more progress because of that. >> And just in terms of what your CEO said about having to fix the problem, how do you think Twilio's products, how can you, how would a customer be able to tell that this was made by a diverse group of people, and it wasn't just a bunch of white guys in a room wearing hoodies, developing the Twilio suite? >> Platform. >> Rebecca: Yeah. >> The whole goal of the Twilio platform is to power up communication, right? That's the entire goal, and so I think as we're out and about, I mean we have this really cool role and it made this all tour, I just don't know it, and they're called developer evangelists, which I would love to be if I actually coded a little bit more, and they actually are the kind of, the middle of coding and evangelizing kind of what Twilio does, but a little bit of sales too, and so they're actually touching the community. We have community developers, we have, so it's not just people sitting at a desk in a room talking about what's best for people. It's we get out into the community, we understand what developers need, and we're constantly trying to figure out how do we create more doers, that's what we call people who create things. How do we create more doers? We have twilio.org, which is our foundation working with nonprofits, and there are social justice apps built on the platform. There are life-saving apps built on the platform. And we're funding these organizations so they can continue to build more and more on our platforms and change people's lives, and so I think that, and those examples, actually help people understand it's not just 400 white guys sitting in a room creating something for them. We're actually getting out and understanding what people need. >> And the research around diversity shows that diverse teams, it may take them a little slower to get the work done but the work is better, because it has taken in multiple perspectives, it has there's been more sort of fighting, and I don't mean to say fighting in the pejorative sense, but just getting to the ... >> LaFawn: Debating. >> The right answer, yeah, debate, exactly. (LaFawn laughs) To get to the right answer. I mean, would you say that's the experience? And I know you're not on the technical side, but what are you hearing from your ... >> I challenge that. >> Rebecca: Okay, all right. >> Every employee is encouraged to build something on the Twilio platform when they start, no matter what role they're in, and I am not in a technical role, but I know a little bit of coding now. But yes, absolutely, healthy debate is absolutely encouraged. How else are you going to build something for other people? It's really easy to just say, "I think we need to do this feature," right, but if that's not what people need, or you're not getting other perspectives, then you're building an inferior product. And so absolutely, you have to have that healthy debate, it's encouraged, and I see it (laughs) but it's not in a disrespectful way. So I have, being a part of the tech industry for a long time, I have seen some conversations that weren't so great, and people not treating each other well, thinking that that's how you have-- >> A little shenanigan-y. >> That's very shenanigan-y, right? Or calling each other names because they think that's how you get your point across. And I just don't feel that way at Twilio. It's much more respectful. I'm not saying that they don't get into it because I think you have to in order to really innovate. >> Well, LaFawn, thank you so much for joining us. It's been really a lot of fun talking to you. >> Thank you so much, you too. >> We will have more from Grace Hopper just after this. (electronic music)