>> Live from Las Vegas, it's theCUBE, covering AWS re:Invent 2018, brought to you by Amazon Web Services, Intel, and their ecosystem partners. >> And welcome back here to Las Vegas. We're in the Sands expo, we're in Hall D. If you happen to be at the show or dropping in just to watch, come on by and say hi to us. Love to see you here on theCUBE, as we continue our coverage, day two. And along with Justin Warren, I'm John Walls. And now we're joined by a couple of gents from HUB International, Seth Morrell, who's the vice president of enterprise, architecture and design. Seth, good morning to you. >> Good morning. >> And Jeremy Embalabala, who is the director of security architecture and engineering, also at HUB International. Good morning, Jeremy. >> Good morning. >> Seth, by the way, playing hurt, broken finger with a snowblower in Chicago on Monday. >> On Monday. >> Yeah, good luck though with the winter. >> Yeah, yeah, yeah, it started off well. >> Sorry to see that, but thanks for coming regardless. >> No problem. >> All right, tell us about HUB International a little bit, about primary mission and then the two of you, what you're doing for them primarily. >> Right, right, so HUB International is an insurance brokerage. Personal, commercial, we do employee benefits, retirement as well. We're based in the US in Chicago, operate in US and Canada. 500 plus locations, 12,000 employees. >> Okay, and then primary responsibilities between the two of you? >> Well, I'm the director of security architecture. I'm responsible for all things technical with regards to security, both on the architecture side, engineering and operations. >> All right, so yesterday we were talking about this early, you did a session, you're big Splunk guys, right? So let's talk about what you're doing with that, how that's working for you in general, if you would. >> Yeah, yeah, go ahead. >> Yeah, the reason Splunk Enterprise Security, the on-premise version we actually, people always ask me, are you using Splunk Cloud or Splunk On Prem? And I always joke, well we're using Splunk On Prem in the cloud in AWS. But for us, we're really focused on Splunk as a SIEM, to enable our security operations center to provide insights into our environment and help us detect and understand threats that are going on in the environment. So we have a manage partner that runs our security operations center for us. They also manage our Splunk environment. It helps us keep an eye on both our AWS environment that we have, our Azure environment, and our on-premise data center as well. >> A few people have sort of gotten wary of the idea of a SIEM. People have tried to use SIEMs and they haven't been very successful and they go, "Oh SIEM's a bit of a dirty word." But it sounds like SIEM's actually working for you really well. >> Yeah, I really view a SIEM as a cornerstone of security program. Specifically if you have a mature security operation center, it's really hard to operate that without a SIEM. SIEMs are tricky, they're tricky to implement, they're generally very costly and they require a lot of tuning, a lot of love, care, and feeding in order to be effective. Quite frankly, if you don't get that right, it can actually be detrimental to your security program. But if you put the proper care and feeding into a SIEM, it will be very beneficial to your organization. >> Okay, so what's some of the things that you've been able to do now that you've got Splunk in there and it's helping you manage the security? Because I saw some statistics earlier this morning, where security is basically the second biggest, most popular term here at AWS and at re:Invent. It's clearly front of mind for a lot of enterprises. So what is it that Splunk in helping you to achieve that you wouldn't have been able to go otherwise? >> The biggest thing for us is the aggregation of all of our logs, our data sources in AWS, data sources on prem, our Windows file servers, our network traffic flow data, all of that's aggregated into Splunk. And that allows us to do some correlation with third-party threat intelligence feeds. Take indicators of compromise that are streamed, that are observed out there in the real world, and apply those to data that we're seeing on our actual data sources in our environment. It allows us to detect threats that we wouldn't have been able to detect otherwise. >> Right, how does that translate through to what you're actually doing as a business? I mean, this is a very sort of technology-centric thing, but you're an insurance agent. So how does this investment in security translate into the business value? >> One, it just gives us visibility into the environment, and we can proactively identify potential threats and remediate them before they actually cause an impact to the business. Without these tools and without these capabilities, it'd be a much riskier endeavor. And so it's helped us throughout, and we've been good partners with Splunk, they're been good partners with us. And coupled with all the other things that we're doing in the security space and in the cloud space, we're able to build a nice secure environment for our customers and ourselves. >> We're also a very highly regulated industry, so we have regulations that we have to comply with for security. And our customers also care about security very, very deeply. So it allows us to be able to protect our customers' data and really assure our customers that their data is safe with us, whether that data is hosted on-prem or it's in the cloud. >> What about that battle? There's often a battle between private enterprise and regulation, just in general, right? It's making sure the policy makers understand capabilities and real threats as opposed to maybe perceptions or whatever. What do you see in terms of the federal regulatory environment and what you deal with in a Balkanized system where you're dealing with 50 states and Canada. So you've got your hands full, I assume. >> So at HUB, we view security and compliance a little differently. Instead of trying to build security programs and achieve compliance by abiding by all the regulations, we do the right thing from a security perspective. We make the right investments. We put the right controls into our environment. When those new regulations come out for provincial law in Canada or different states or GDPR in Europe, that we'll be 95% of the way there, by just building the right controls into our environment at a foundational level. Then we have to just spend our efforts just kind of aligning ourselves with the other 5% that vary from regulation to regulation. >> Was that a shift in management philosophy at all? Because quite often or maybe in the past, it's like, I'm only going to do something. I'm not saying HUB, but in general, when I have to. As opposed to you appear to be preemptive. Right, you're doing things because you should. So there's a different mindset there, right? >> It sounds like a much more strategic view of security rather than a tactical reactive kind of security. How long has that been the philosophy at HUB? >> So we really built out our a security program starting the beginning of last year. There's all new leadership that came in, Seth came in, myself came in, all new leadership across the organization. And that's really where that mindset came from. And the need and recognition to make an investment in security. We view security as a driver of business, not just a cost center. It's a way we can add to the bottom line and be able to generate revenue for the business by being able to show our customers that we really care about their data, and we're going to do our best to take of them. So with that mindset, we can actually help market, and use that as a marketing tool to be able to help drive business. >> So what are some of the things that you've seen here at the show that you're thinking about, well actually that will support my strategy? Some of the more longer term things. Is there anything that's sort of stuck out to you as sort of going, ooh, that's something that we should actually take back? >> Yeah, well, there's some tactical announcements that are very important to us. The announcement of Windows File Server support. File Server support is big deal for us. We're a heavy File Server organization. And having that native within AWS is very interesting. There's been some other announcements with SFTP. Other items that we're going to be trying to take advantage of in a fairly quick fashion. And we're excited about that. We've been on our journey to cloud since essentially the summer of 2017 through now. And we're kind of ready for the next steps, the next set of capabilities. And so, a conference like this and all these announcements, we're excited to take a look at the menu and start picking out what we want to eat. >> It's a great buffet. >> Yeah, yeah. >> In a city that's famous for it. >> That's true, that's true. >> All you can eat. >> Yeah. >> All right, so let's talk about the journey then. You said 2017, so it's been a year, year plus into that. And you're excited about what's coming, but what do you need? So I know you got this great buffet that you're looking at, but maybe you don't want the pork. Maybe you want the turkey. What do you need, what do you want the most, you think, to service your clients? >> Right, so, we spent most of our migration just essentially moving what we had over to the cloud. And so, what our next steps are, let's really understand our workloads, let's be smarter about how we're running them, let's take advantage of the appropriate technology, the menu items that are out there, per work load, just to be smarter. We're going to be spending much more time this year looking at more automation, orchestration, and basically maturing our cloud capabilities so that we're ready for the next big thing. And as we acquire another company or there's a new business need, we're working to be more proactive and being able to anticipate those needs with building a platform that we can really extend and build upon. >> I'm sorry, go ahead. >> I have a question on the choosing of workloads then. So are you going to be moving everything to the cloud? Or do you think that there'll be some things that will actually remain on-prem or is it going to be a hybrid cloud? >> Our goal is to go from a data center to a network closet. >> Right. >> So we have moved almost all of our application workloads out of our data center right now. We have a large VDI environment we're looking to move as well. Once that's done, we'll be down to our phone system and a couple other legacy applications that we're trying to determine what we actually want to do with strategically. >> Right, okay. That's a pretty common sort of story. There's a lot of people who are moving as much as they possibly can, and then there's a few little bits that just sort of sit there that you need to decide, do we rewrite this, do we actually need this at all, maybe we just turn it off. >> Right. >> Yeah. >> Are there any capabilities specific to your industry that you need or that you'd like to have refined? Something that would allow you to do your job, specifically in the insurance space, that would be unique to you? Anything floating out there that you say, if we had that, that'll fine-tune this to a better degree or a greater degree? >> So for us, it's all about flexibility. We grow very, very rapidly through our mergers and acquisitions. We bought 52 companies last year and we're on pace to do almost 70 companies this year. So for us, the cloud really enables us to be able to absorb those organizations that we acquire, bring them in much, much faster. Part of the story of our cloud migration, we were able to move the integration time for mergers and acquisitions from six months down to under 90 days. Because we're now able to move those workloads in much, much quicker with the clouds. For us that's really a key capability. >> Well you guys are used to writing checks, dinner's on them tonight, right? >> Definitely. >> Seth, Jeremy, thanks for being with us. >> Thank you. >> Glad to be here. >> We appreciate the time. Good luck with the winter, I think you might need it. >> Yeah, yeah, exactly. >> All right, we'll be back with more from AWS re:Invent. You're watching theCUBE from Las Vegas. (snappy techno music)

>>Well, hello everybody at John Wallace here on the Cube, and glad to have you along here for day two of our coverage here at AWS Reinvent 22. We're up in the global startup program, which is part of AWS's Startup Showcase, and I've got Kevin Farley with me. He is the director of Strategic Alliances with Maria Day db. And Kevin, good to see you this morning. Good to see you, John. Thanks for joining us. Thank >>You. >>Appreciate it. Yeah. First off, tell us about Maria db. Sure. Obviously data's your thing. Yep. But to share that with some folks at home who might not be familiar with your offering. >>Yeah. So Maria DB's been around as a corporate entity for 10 plus years, and we have a massive customer base. You know, there's a billion downloads from Docker Hub, 75% of the Fortune 500. We have an enormous sea of really happy users. But what we realize is that all of these users are really thinking about what do we, what does it mean to transform it? What does cloud modernization mean? And how do we build a strategy on something we really love to drive it into the cloud and take it to the future. So what we launched about two years ago, two and a half years ago, is Skye. It's our database as a service. It leverages all the best elements, what we provide on the enterprise platform. It marries to the AWS cloud, and it really provides the best of both worlds for our >>Customers. So in your thought then, what, what problem is that solving? >>I think what you see in the overall database market is that many people have been using what we would call legacy technology. There's been lots of sort of stratification and mixes of different database solutions. All of them come with some promise, and all of 'em come with a lot of compromise. So I think what the market is really looking for is something that can take what they know and love, can bring it to the cloud and can survive the port drive the performance and scale. That completely changes the landscape, especially as you think about what modern data needs look like, right? What people did 10 years ago with the exponential scale of data no longer works. And what they need is something that not only can really deliver against their core business values and their core business deliverables, but gets 'em to the future. How do we drive something new? How do we innovate? How do we change the game? And I think what we built with AWS really delivers what we call cloud scale. It's taking something that is the best technology, and I as a V can build, marrying it to, you know, Kubernetes layer, marrying it to global availability, thinking about having true global high availability across all of your environments and really delivering that to customers through an integrated partnership. >>Could we see this coming? I mean, because you know data, right? I mean, yeah, we, we, everybody talked about the tsunami of growth, you know, >>Back 10 >>Sure. 11 years ago. But, but maybe the headlights didn't go far enough or, or, but, but you could see that there was going to be crunch time. >>There's no doubt. And I think that this has been a, there's, there's been these sort of pocket solutions, right? So if you think at the entire no sequel world, right? People said, oh, I need scale, I can get it, but what do I have to give up asset compliance? So I have to change the way I think about what data is and how I, I can govern it. So there's been these things that deliver on half the promise, but there's never been something that comes together and really drives what we deliver through CIQ is something called expand. So distributed SQL really tied to the SQL Query language, having that asset data. So having everything you need without the compromise built on the cloud allows you to scale out and allows you to think about, I can actually do exponential layers of, of data, data modeling, data querying, complete read, write, driving that forward. And I think it gives us a whole nother dynamic that we can deliver on in a way that hasn't been before. And I think that's kind of the holy grail of what people are looking for is how am I building modern applications and how do I have a database in the cloud that's really gonna support >>It? You know, you talk about distributed, you know, sequel and, and I mean, there's a little mystery behind it, isn't there? Or at least maybe not mystery. There's a little, I guess, confusion or, or just misunderstanding. I mean, I, how, nail that down a little bit. I >>Would say the best way to say it, honestly, this is the great thing, is it people believe it's too good to be true. And I think what we see over and over >>Again, you know, what they say about that. >>But this is the great part is, you know, you know, we've just had two taste studies recently with aws, with HIT labs and Certified power, both on expand, both proof in the pudding. They did the POCs, they're like, oh my God, this works. If you watch the keynote yesterday, you know, Adam had a slide that was, you know, as big as the entire room and it highlighted Samsung and they said, you know, we're doing 80,000 requests per second. So the, you know, the story there is that AWS is able as, as an entity with their scale and their breadth to handle that kind of workload. But guess what that is? That's MariaDB expand underneath there driving all of that utilization. So it's already there, it's already married, it's already in the cloud, and now we're taking it to a completely different level with a fully managed database solution. Right? >>How impressive is that? Right? I mean, you would think that somebody out there who, I mean that that volume, that kind of capacity is, is mind blowing. >>I mean, to your kind of previous point, it's like one of those things, do I see what's coming and it's here, right? You know, it's, is it actually ever gonna be possible? And now we're showing that it really is on a daily basis for some of the biggest brands in the world. We're also seeing companies moving off not only transitioning from, you know, MariaDB or myse, but all of the big licensed, you know, conversions as well. So you think about Oracle DBS Bank is one of our biggest customers, one of the largest Oracle conversions in the world onto MariaDB. And now thinking about what is the promise of connecting that to the cloud? How do you take things that you're currently doing, OnPrem delivering a hybrid model that also then starts to say, Hey, here's my path to cloud modernization. Skye gives me that bridge. And then you take it one layer farther and you think about multi-cloud, right? That's one of the things that's critical that ISVs can really only deliver in a meaningful way, is how can we have a solution for a customer that we can take to any availability zone. We can have performance, proximity, cost, proximity. We're always able to have that total data dexterity across any environment we need and we can build on that for the future. >>So if, if we're talking about cloud database and there's so many good things going forward here. You're talking about easy use and scalability and all that. But as with ever have you talked about this, there's some push and there's some pull. Yeah. So, so what's the, what's the other side that's still, you know, you that you think has to be >>Addressed? And I think that's a great question. So there's, we see that there's poll, right? We've seen these deals, this pipeline growth, this, there's great adoption. But what I think we're still not at the point of massive hockey stick adoption is that customers still don't fully understand the capabilities distributed SQL and the power they can actually deliver. So the more we drive case studies, the more we drive POCs, the more we prove the model, I think you're gonna see just a massive adoption scale. And I also think customers are tired of doing lots of different things in lots of different pockets. So neither one of the key elements of Sky SQL is we can do both transactional and analytical data out of the same database driven by the same proxy. So what, instead of having DBAs and developers try to figure out, okay, I'm gonna pull from this database here. >>Yeah. That there, it's, it's this big spaghetti wire concept that is super expensive and super time intensive. So the ability to write modern applications and pull data from both pockets and really be able to have that as a seamless entity and deliver that to customers is massive. I mean, another part of the keynote yesterday was a new deliverable, like kind of no etl. Adam talked about Aurora and Redshift and the massive complexity of what used to exist for getting data back and forth. You also have to pay for two different databases. It's super expensive. So I think the idea that you can take the real focus of AWS and US is customer value. How do you deliver that next thing that changes the game? Always utilizes AWS delivers on that promise, but then takes a net new technology that really starts to think about how do we bring things together? How do we make it more simple? How do we make it more powerful? And how do we deliver more customer value as we go forward? >>But you know, if, if I'm, I'm still an on-prim guy, just pretend I'm not saying I am. Just pretend I just for the sake of the discussion here, it's like I just can't let it go. Yeah. Right. I, I still, you know, there's control, there's the known versus the unknown. The uncertain. Yeah. So twist my arm just a little bit more and get me over the hum. >>Well, first of all, you don't have to, right? And there's gonna be some industries and some verticals that will always have elements of their business that will be OnPrem. Guess what? We make the best based in the world. It can be MariaDB, but there's those that then say, these, these elements of our business are gonna be far more effective moving to the cloud. So we give you Skye, there's a natural symbiotic bridge between everything we do and how we deliver it. Where you can be hybrid and it's great. You can adopt the cloud as your business needs grow. And you can have multi-cloud. This is that, that idea that you can, can have your cake and eat it too, right? You can literally have all these elements of your business met without these big pressure to say, you gotta throw that away. You gotta move to this. It's really, how do you kind of gracefully adopt the cloud in a way that makes sense for your business? Where are you trying to drive your business? Is it time to value, right? Is it governance? Is it is there's different elements of what matters the most to individual businesses. You know, we wanna address those and we can address >>Those. So you're saying you don't have to dive >>In, you don't have to dive >>In. You, you can, you can go ankle deep, knee deep, whatever you wanna >>Do. Absolutely. And you know, some of the largest MariaDB users still have massive, massive on-prem implementations. And that's okay. But there's elements that are starting to fall behind. There's cost savings, there's things that they need to do in the cloud that they can't do. OnPrem. And that's where expand Skye really says, okay, here is your platform. Grow as you want to, migrate as you want to. And we're there every step along the way. We, we also provide a whole Sky DBA team. Some guys just say, I wanna get outta the database world at all. This is, this is expensive, it's costly and it's difficult to be an expert. So you can bring in our DBA team and they'll man and run, they'll, they'll run your entire environment. They'll optimize it, you know, they'll troubleshoot it, they'll bug fix, they'll do everything for you. So you can just say, I just wanna focus on building phenomenal applications for my customers. And the database game as we knew it is not something that I know I want to invest in anymore. Right. I wanna make that transition >>That makes that really, yeah. You know, I mean really attractive to a lot of people because you are, you talk about a lot of headache there. Yeah. So let's talk about AWS before Sure. I let you go just about that relationship. Okay. You've talked about the platform that it provides you and, and obviously the benefits, but just talk about how you've worked with AWS over the years Yep. And, and how you see that relationship allowing you to expand your services, no pun intended. >>For sure. So, I mean, I would start with the way we even contemplated architecture. You know, we worked with the satisfactory team. We made sure that the things that we built were optimized in their environment. You know, I think it was a lot of collaboration on how does this combined entity really make the most value for our customers? How does it make the most sense for our developers as we build it out? Then we work in the, in the global startup team. So the strategic element of who we are, not all startups are created equal, right? We have, right, we have 75% of the Fortune 100, we've got over a billion downloads. So, you know, we come in with promise. And the reason this partnership is so valuable and the reason there's so much investment going forward is cuz what really, what do the cloud guys care about? >>The very, very most, they want all of these mission critical, big workloads that are on prem to land in their cloud. What do we have a massive, massive TAM sitting out there, these customers that could go to aws. So we both see, like if we can deliver incredible value to that customer base, these big workloads will end up in aws. They'll use other AWS services. And as we scale and grow, you know, we have that platform that's already built for it. So I think that when you go back to like the tenants, the core principles of aws, the one that always stands out, the one that we always kind of lean back on is, are we delivering customer value? Is this the best thing for the customer? Because we do have some competition just like many other, other partners do, right? So there is Aurora and there is rds and there is times when that's a great service for a customer. But when people are really thinking about where do I need my database to go? Where do I really need to be set for the future growth? Where am I gonna get the kind of ROI I need going forward? That's where you can go, Hey, sky sql, expand distributed sql. This is the best game in town. It's built on aws and collectively, you know, we're gonna present that to a customer. I'm >>Sold. Done. >>I love it. Right? >>Maria db, check 'em out, they're on the show floor. Great traffic. I know at at the, at the booth. They're here at AWS Reinvent. So check 'em out. Maria db. Thanks >>Kevin. Hey, thanks John. Appreciate your >>Time. Appreciate Great. That was great. Right back with more, you're watching the cube, the leader in high tech coverage.

>>Good afternoon, brilliant humans, and welcome back to the Cube. We're live in Detroit, Michigan at Cub Con, and I'm joined by John Furrier. John three exciting days buzzing. How you doing? >>That's great. I mean, we're coming down to the third day. We're keeping the energy going, but this segment's gonna be awesome. The CD foundation's doing amazing work. Developers are gonna be running businesses and workflows are changing. Productivity's the top conversation, and you're gonna start to see a coalescing of the communities who are continuous delivery, and it's gonna be awesome. >>And, and our next guess is an outstanding person to talk about this. We are joined by Stephen Chin, the chair of the CD Foundation. Steven, thanks so much for being here. >>No, no, my pleasure. I mean, this has been an amazing week quote that CubeCon with all of the announcements, all of the people who came out here to Detroit and, you know, fantastic. Like just walking around, you bump into all the right people here. Plus we held a CD summit zero day events, and had a lot of really exciting announcements this week. >>Gotta love the shirt. I gotta say, it's one of my favorites. Love the logos. Love the love the branding. That project got traction. What's the news in the CD foundation? I tried to sneak in the back. I got a little laid into your co-located event. It was packed. Everyone's engaged. It was really looked, look really cool. Give us the update. >>What's the news? Yeah, I know. So we, we had a really, really powerful event. All the key practitioners, the open source leads and folks were there. And one of, one of the things which I think we've done a really good job in the past six months with the CD foundation is getting back to the roots and focusing on technical innovation, right? This is what drives foundations, having strong projects, having people who are building innovation, and also bringing in a new innovation. So one of the projects which we added to the CD foundation this week is called Persia. So it's a, it's a decentralized package repository for getting open source libraries. And it solves a lot of the problems which you get when you have centralized infrastructure. You don't have the right security certificates, you don't have the right verification libraries. And these, these are all things which large companies provision and build out inside of their infrastructure. But the open source communities don't have the benefit of the same sort of really, really strong architecture. A lot of, a lot of the systems we depend upon. It's >>A good point, yeah. >>Yeah. I mean, if you think about the systems that developers depend upon, we depend upon, you know, npm, ruby Gems, Mayn Central, and these systems been around for a while. Like they serve the community well, right? They're, they're well supported by the companies and it's, it's, it's really a great contribution that they give us. But every time there's an outage or there's a security issue, guess, guess how many security issues that our, our research team found at npm? Just ballpark. >>74. >>So there're >>It's gotta be thousands. I mean, it's gotta be a lot of tons >>Of Yeah, >>They, they're currently up to 60,000 >>Whoa. >>Vulnerable, malicious packages in NPM and >>Oh my gosh. So that's a super, that's a jar number even. I know it was gonna be huge, but Holy mo. >>Yeah. So that's a software supply chain in actually right there. So that's, that's open source. Everything's out there. What's, how do, how does, how do you guys fix that? >>Yeah, so per peria kind of shifts the whole model. So when, when you think about a system that can be sustained, it has to be something which, which is not just one company. It has to be a, a, a set of companies, be vendor neutral and be decentralized. So that's why we donated it to the Continuous Delivery Foundation. So that can be that governance body, which, which makes sure it's not a single company, it is to use modern technologies. So you, you, you just need something which is immutable, so it can't be changed. So you can rely on it. It has to have a strong transaction ledger so you can see all of the history of it. You can build up your software, build materials off of it, and it, it has to have a strong peer-to-peer architecture, so it can be sustained long term. >>Steven, you mentioned something I want to just get back to. You mentioned outages and disruption. I, you didn't, you didn't say just the outages, but this whole disruption angle is interesting if something happens. Talk about the impact of the developer. They stalled, inefficiencies create basically disruption. >>No, I mean, if, if, so, so if you think about most DevOps teams in big companies, they support hundreds or thousands of teams and an hour of outage. All those developers, they, they can't program, they can't work. And that's, that's a huge loss of productivity for the company. Now, if you, if you take that up a level when MPM goes down for an hour, how many millions of man hours are wasted by not being able to get your builds working by not being able to get your codes to compile. Like it's, it's >>Like, yeah, I mean, it's almost hard to fathom. I mean, everyone's, It's stopped. Exactly. It's literally like having the plug pulled >>Exactly on whenever you're working on, That's, that's the fundamental problem we're trying to solve. Is it, it needs to be on a, like a well supported, well architected peer to peer network with some strong backing from big companies. So the company is working on Persia, include J Frog, which who I work for, Docker, Oracle. We have Deploy hub, Huawei, a whole bunch of other folks who are also helping out. And when you look at all of those folks, they all have different interests, but it's designed in a way where no single party has control over the network. So really it's, it's a system system. You, you're not relying upon one company or one logo. You're relying upon a well-architected open source implementation that everyone can rely >>On. That's shared software, but it's kind of a fault tolerant feature too. It's like, okay, if something happens here, you have a distributed piece of it, decentralized, you're not gonna go down. You can remediate. All right, so where's this go next? I mean, cuz we've been talking about the role of developer. This needs to be a modern, I won't say modern upgrade, but like a modern workflow or value chain. What's your vision? How do you see that? Cuz you're the center of the CD foundation coming together. People are gonna be coalescing multiple groups. Yeah. >>What's the, No, I think this is a good point. So there, there's a, a lot of different continuous delivery, continuous integration technologies. We're actually, from a Linux Foundation standpoint, we're coalescing all the continued delivery events into one big conference >>Next. You just made an announcement about this earlier this week. Tell us about CD events. What's going on, what's in, what's in the cooker? >>Yeah, and I think one of the big announcements we had was the 0.1 release of CD events. And CD events allows you to take all these systems and connect them in an event scalable, event oriented architecture. The first integration is between Tecton and Capin. So now you can get CD events flowing cleanly between your, your continuous delivery and your observability. And this extends through your entire DevOps pipeline. We all, we all need a standards based framework Yep. For how we get all the disparate continuous integration, continuous delivery, observability systems to, to work together. That's also high performance. It scales with our needs and it, it kind of gives you a future architecture to build on top of. So a lot of the companies I was talking with at the CD summit Yeah. They were very excited about not only using this with the projects we announced, but using this internally as an architecture to build their own DevOps pipelines on. >>I bet that feels good to hear. >>Yeah, absolutely. Yeah. >>Yeah. You mentioned Teton, they just graduated. I saw how many projects have graduated? >>So we have two graduated projects right now. We have Jenkins, which is the first graduated project. Now Tecton is also graduated. And I think this shows that for Tecton it was, it was time, the very mature project, great support, getting a lot of users and having them join the set of graduated projects. And the continuous delivery foundation is a really strong portfolio. And we have a bunch of other projects which also are on their way towards graduation. >>Feels like a moment of social proof I bet. >>For you all. Yeah, yeah. Yeah. No, it's really good. Yeah. >>How long has the CD Foundation been around? >>The CD foundation has been around for, i, I won't wanna say the exact number of years, a few years now. >>Okay. >>But I, I think that it, it was formed because what we wanted is we wanted a foundation which was purpose built. So CNCF is a great foundation. It has a very large umbrella of projects and it takes kind of that big umbrella approach where a lot of different efforts are joining it, a lot of things are happening and you can get good traction, but it produces its own bottlenecks in process. Having a foundation which is just about continuous delivery caters to more of a DevOps, professional DevOps audience. I think this, this gives a good platform for best practices. We're working on a new CDF best practices Yeah. Guide. We're working when use cases with all the member companies. And it, it gives that thought leadership platform for continuous delivery, which you need to be an expert in that area >>And the best practices too. And to identify the issues. Because at the end of the day, with the big thing that's coming out of this is velocity and more developers coming on board. I mean, this is the big thing. More people doing more. Yeah. Well yeah, I mean you take this open source continuous thunder away, you have more developers coming in, they be more productive and then people are gonna even either on the DevOps side or on the straight AP upside. And this is gonna be a huge issue. And the other thing that comes out that I wanna get your thoughts on is the supply chain issue you talked about is hot verifications and certifications of code is such big issue. Can you share your thoughts on that? Because Yeah, this is become, I won't say a business model for some companies, but it's also becoming critical for security that codes verified. >>Yeah. Okay. So I, I think one of, one of the things which we're specifically doing with the Peria project, which is unique, is rather than distributing, for example, libraries that you developed on your laptop and compiled there, or maybe they were built on, you know, a runner somewhere like Travis CI or GitHub actions, all the libraries being distributed on Persia are built by the authorized nodes in the network. And then they're, they're verified across all of the authorized nodes. So you nice, you have a, a gar, the basic guarantee we're giving you is when you download something from the Peria network, you'll get exactly the same binary as if you built it yourself from source. >>So there's a lot of trust >>And, and transparency. Yeah, exactly. And if you remember back to like kind of the seminal project, which kicked off this whole supply chain security like, like whirlwind it was SolarWinds. Yeah. Yeah. And the exact problem they hit was the build ran, it produced a result, they modified the code of the bill of the resulting binary and then they signed it. So if you built with the same source and then you went through that same process a second time, you would've gotten a different result, which was a malicious pre right. Yeah. And it's very hard to risk take, to take a binary file Yep. And determine if there's malicious code in it. Cuz it's not like source code. You can't inspect it, you can't do a code audit. It's totally different. So I think we're solving a key part of this with Persia, where you're freeing open source projects from the possibility of having their binaries, their packages, their end reduces, tampered with. And also upstream from this, you do want to have verification of prs, people doing code reviews, making sure that they're looking at the source code. And I think there's a lot of good efforts going on in the open source security foundation. So I'm also on the governing board of Open ssf >>To Do you sleep? You have three jobs you've said on camera? No, I can't even imagine. Yeah. Didn't >>You just spin that out from this open source security? Is that the new one they >>Spun out? Yeah, So the Open Source Security foundation is one of the new Linux Foundation projects. They, they have been around for a couple years, but they did a big reboot last year around this time. And I think what they really did a good job of now is bringing all the industry players to the table, having dialogue with government agencies, figuring out like, what do we need to do to support open source projects? Is it more investment in memory, safe languages? Do we need to have more investment in, in code audits or like security reviews of opensource projects. Lot of things. And all of those things require money investments. And that's what all the companies, including Jay Frogger doing to advance open source supply chain security. I >>Mean, it's, it's really kind of interesting to watch some different demographics of the developers and the vendors and the customers. On one hand, if you're a hardware person company, you have, you talk zero trust your software, your top trust, so your trusted code, and you got zero trust. It's interesting, depending on where you're coming from, they're all trying to achieve the same thing. It means zero trust. Makes sense. But then also I got code, I I want trust. Trust and verified. So security is in everything now. So code. So how do you see that traversing over? Is it just semantics or what's your view on that? >>The, the right way of looking at security is from the standpoint of the hacker, because they're always looking for >>Well said, very well said, New >>Loop, hope, new loopholes, new exploits. And they're, they're very, very smart people. And I think when you, when you look some >>Of the smartest >>Yeah, yeah, yeah. I, I, I work with, well former hackers now, security researchers, >>They converted, they're >>Recruited. But when you look at them, there's like two main classes of like, like types of exploits. So some, some attacker groups. What they're looking for is they're looking for pulse zero days, CVEs, like existing vulnerabilities that they can exploit to break into systems. But there's an increasing number of attackers who are now on the opposite end of the spectrum. And what they're doing is they're creating their own exploits. So, oh, they're for example, putting malicious code into open source projects. Little >>Trojan horse status. Yeah. >>They're they're getting their little Trojan horses in. Yeah. Or they're finding supply chain attacks by maybe uploading a malicious library to NPM or to pii. And by creating these attacks, especially ones that start at the top of the supply chain, you have such a large reach. >>I was just gonna say, it could be a whole, almost gives me chills as we're talking about it, the systemic, So this is this >>Gnarly nation state attackers, like people who wanted serious >>Damages. Engineered hack just said they're high, highly funded. Highly skilled. Exactly. Highly agile, highly focused. >>Yes. >>Teams, team. Not in the teams. >>Yeah. And so, so one, one example of this, which actually netted quite a lot of money for the, for the hacker who exposed it was, you guys probably heard about this, but it was a, an attack where they uploaded a malicious library to npm with the same exact namespace as a corporate library and clever, >>Creepy. >>It's called a dependency injection attack. And what happens is if you, if you don't have the right sort of security package management guidelines inside your company, and it's just looking for the latest version of merging multiple repositories as like a, like a single view. A lot of companies were accidentally picking up the latest version, which was out in npm uploaded by Alex Spearson was the one who did the, the attack. And he simultaneously reported bug bounties on like a dozen different companies and netted 130 k. Wow. So like these sort of attacks that they're real Yep. They're exploitable. And the, the hackers >>Complex >>Are finding these sort of attacks now in our supply chain are the ones who really are the most dangerous. That's the biggest threat to us. >>Yeah. And we have stacker ones out there. You got a bunch of other services, the white hat hackers get the bounties. That's really important. All right. What's next? What's your vision of this show as we end Coan? What's the most important story coming outta Coan in your opinion? And what are you guys doing next? >>Well, I, I actually think this is, this is probably not what most hooks would say is the most exciting story to con, but I find this personally the best is >>I can't wait for this now. >>So, on, on Sunday, the CNCF ran the first kids' day. >>Oh. >>And so they had a, a free kids workshop for, you know, underprivileged kids for >>About, That's >>Detroit area. It was, it was taught by some of the folks from the CNCF community. So Arro, Eric hen my, my older daughter, Cassandra's also an instructor. So she also was teaching a raspberry pie workshop. >>Amazing. And she's >>Here and Yeah, Yeah. She's also here at the show. And when you think about it, you know, there's always, there's, there's, you know, hundreds of announcements this week, A lot of exciting technologies, some of which we've talked about. Yeah. But it's, it's really what matters is the community. >>It this is a community first event >>And the people, and like, if we're giving back to the community and helping Detroit's kids to get better at technology, to get educated, I think that it's a worthwhile for all of us to be here. >>What a beautiful way to close it. That is such, I'm so glad you brought that up and brought that to our attention. I wasn't aware of that. Did you know that was >>Happening, John? No, I know about that. Yeah. No, that was, And that's next generation too. And what we need, we need to get down into the elementary schools. We gotta get to the kids. They're all doing robotics club anyway in high school. Computer science is now, now a >>Sport, in my opinion. Well, I think that if you're in a privileged community, though, I don't think that every school's doing robotics. And >>That's why Well, Cal Poly, Cal Poly and the universities are stepping up and I think CNCF leadership is amazing here. And we need more of it. I mean, I'm, I'm bullish on this. I love it. And I think that's a really great story. No, >>I, I am. Absolutely. And, and it just goes to show how committed CNF is to community, Putting community first and Detroit. There has been such a celebration of Detroit this whole week. Stephen, thank you so much for joining us on the show. Best Wishes with the CD Foundation. John, thanks for the banter as always. And thank you for tuning in to us here live on the cube in Detroit, Michigan. I'm Savannah Peterson and we are having the best day. I hope you are too.

(soft music) >> Good morning from Detroit, Michigan. theCUBE is live on our second day of coverage of KubeCon + CloudNativeCon North America 2022. Lisa Martin here with John Furrier. John, great to be back with you. The buzz is here, no doubt. We've been talking a lot about the developers. And one of the biggest bottlenecks that they face in software delivery, is when they're stuck waiting for access to environments. >> Yeah, this next segment's going to be very interesting. It's a company that's making DevOps more productive, but recognizing the reality of how people are working remotely, but also company to company developers. People are collaborating in all kinds of forms, so this is really going to be a great segment. >> Exactly. Two new guests to theCUBE who know theCUBE, but are first time on theCUBE from Release Hub, Tommy McClung, it's CEO and Matt Carter, it's CMO. Guys, great to have you on the program. >> Thank you. >> Thanks for having us here. >> So we want to dig into Release Hub, so the audience really gets an understanding. But Tommy, I want to get an understanding of your background. >> Sure. >> You've been at Release Hub for what, three years? >> Yep, I'm the co-founder. >> Before that you were at TrueCar? >> I was, yeah, I was the CTO at TrueCar. And prior to that, I've been a software engineer my entire career. I've started a couple of companies before this. Software engineer at heart. I've been working on systems management and making developers productive since 2000, long time. So it's fun to be working on developer productivity stuff. And this is our home and this is where I feel the most comfortable. >> Lisa: Yeah. And Matt, you're brand new to the company as it's chief marketing officer. >> Matt: Yeah, so I just joined earlier this month, so really excited to be here. I came over from Docker, so it's great to be able to keep working with developers and helping them, not only get their jobs done better and faster, but just get more delight out of what they do every day, that's a super important privilege to me and it's exciting to go and work on this at Release here. >> Well, they're lucky to have you. And we work together, Matt, at Docker, in the past. Developer productivity's always been a key, but communities are now more important. We've been seeing on theCUBE that developers are going to decide the standards, they're going to vote with their axes and their code. And what they decide to work on, it has to be the best. And that's going to be the new defacto standard. You guys have a great solution that I like. And I love the roots from the software engineering background because that's the hardest thing right now, is how do you scale the software, making things simpler and easier. And when things happen, you don't want to disrupt the tool chains, you want to make sure the code is right, you guys have a unique solution. Can you take a minute to explain what it is and why it's so important? >> Tommy: Yeah, I'll use a little bit of my experience to explain it. I was the CTO of a company that had 300 engineers, and sharing a handful of environments, really slowed everybody down, you bottleneck there. So in order to unlock the productivity of that team, developers need environments for development, they need it for testing, they need it for staging, you run your environments in production. So the environment is the key building block in every software development process. And like my last company, there were very few of them, one or two, everybody sharing them. And so the idea at Release is to make environments available on demand, so if a developer needs one for anything, they can spin one up. So if they want to write their code in a environment based in the cloud, they can do that, if they want to test on a poll request, an environment will automatically spin up. And the environments are full stack, include all the services, data, settings, configuration that runs the app. So developers literally get an isolated copy of the application, so they can develop knowing they're not stepping on other developers' toes. >> John: Can you give an example of what that looks like? Do they have to pre-configure the environment, or how does that work? Can you give an example? >> Yeah, sure. You have to, just like infrastructure is code, we call this environments is code. So you need to define your environment, which we have a lot of tools that help you do that. Analyze your repositories, help you define that environment. Now that you have the template for that, you can easily use that template to derive multiple environments out of it. A key part of this is everybody wants to make sure their development and data is secure. It runs within the AWS account of our customer. So we're the control plane that orchestrates it and the data and applications run within the context of their AWS account, so it's- >> John: What's the benefit? >> Tommy: Well, bottlenecking, increased developer productivity, developer happiness is a big one. Matt talks about this all the time, keeping developers in flow, so that they're focused on the job and not being distracted with, "Hey DevOps team, I need you to go spin up an environment." And a lot of times in larger organizations, not just the environments, but the process to get access to resources is a big issue. And so DevOps was designed to let developers take control of their own development process, but were still bottlenecking, waiting for environments, waiting for resources from the DevOps team, so this allows that self-service capability to really be there for the developer. >> Lisa: Matt, talk about... Target audience is the developer, talk about though... Distill that down into the business value. What am I, if I'm a financial services organization, or a hospital, or a retailer in e-commerce, what is my business value going to be with using technology like this and delighting those developers? >> Matt: I think there's three things that really matter to the developers and to the financial leader in the organization, A, developers are super expensive and they have a lot of opportunities. So if a developer's not happy and finding joy and productivity in what they're doing, they're going to look elsewhere. So that's the first thing, the second thing is that when you're running a business, productivity is one measure, but also, are you shipping something confidently the first time, or do you have to go back and fix things? And by having the environment spun up with all of your name space established, your tendencies are managed, all of your data being brought in, you're testing against a very high fidelity version of your application when you check in code. And so by doing that, you're testing things more quickly, and they talk a lot about shifting left, but it's making that environment as fully functional and featured as possible. So you're looking at something as it will appear in production, not a subset of that. And then the last thing, and this is one where the value of Figma is very important, a lot of times, you'll spin up an environment on AWS and you may forget about it and might just keep running and chewing up resources. Knowing that when you're done it goes away, means that you're not spending money on things just sitting there on your AWS instance, which is very important for competitors. >> Lisa: So I hear retention of developers, you're learning that developers, obviously business impact their speed to value as well. >> Tommy: Yep. >> And trust, you're enabling your customers to instill trust in their developers with them. >> Tommy: That's right, yeah. >> Matt: And trust and delight, they can be across purposes, a developer wants to move fast and they're rewarded for being creative, whereas your IT team, they're rewarded for predictability and consistency, and those can be opposing forces. And by giving developers a way to move quickly and the artifact that they're creating is something that the IT team understands and works within their processes, allows you to let both teams do what they care about and not create a friction there. >> John: What about the environment as a service? I love that 'cause it makes it sound like it's scaling in the cloud, which you have mentioned you do that. Is it for companies that are working together? So I don't want to spin up an environment, say we're a businesses, "Hey, let's do a deal. "I'm going to integrate my solution into yours. "I got to get my developers to maybe test it out, "so I'm spinning up an environment with you guys," then what do I do? >> Tommy: Well as far as if you're a customer of ours, is that the way you're asking? Well, a lot of times, it's being used a lot in internal development. So that's the first use case, is I'm a developer, you have cross collaboration amongst teams, so a developer tools. And what you're talking about is more, I'm using an environment for a demo environment, or I'm creating a new feature that I want to share with a customer, That's also possible. So if I'm a developer and I'm building a feature and it's for a specific customer of mine, I can build that feature and preview it with the customer before it actually goes into production. So it's a sandbox product development area for the developers to be actually integrating with their customers very, very quickly before it actually makes its way to all of the end users. >> A demo? >> It could be a demo. >> It's like a collaboration feature? >> Sandbox environment. We have customers- >> Kind of like we're seeing more of this collaboration with developers. This becomes a well- >> Tommy: And it's not even just collaboration with internal teams, it's now you're collaborating with your customer while you're building your software, which is actually really difficult to do if you only have one environment, you can't have- >> John: Yeah, I think that's a killer right there, that's the killer app right there. >> Matt: Instead of sending a Figma to a customer, this is what's going to look like, it's two dimensions, this is the app. That is a massive, powerful difference. >> Absolutely. In terms of customer delay, customer retention, employee engagement, those are all inextricably linked. Can you share, Matt, the voice of the customer? I just saw the release with TripActions, I've been a TripActions user myself, but give us this sense, I know that you're brand new, but the voice of the customer, what is it? What is it reflecting? How is it reinforcing your value prop? >> Matt: I think the voice that comes through consistently is instead of spending time building the system that is hard to do and complicated and takes our engineering cycles, our engineers can focus on whether it's platform engineering, new features and whatnot, it's more valuable to the company to build features, it's more exciting for a developer to build features and to not have to keep going back and doing things manually, which you're doing a... This is what we do all day long. To do it as a sideline is hard. And the customers are excited 'cause they get to move onto higher value activities with their time. >> Lisa: And everybody wants that, everybody wants to be able to contribute high value projects, programs for their organization rather than doing the boring stuff. >> Tommy: Yeah. I think with TripActions specifically, a lot of platform engineering teams are trying to build something like this in house, and it's a lot of toil, it's work that isn't value added, it enables developers to get their job done, but it's not really helping the business deliver a feature to the user. And so this whole movement of platform engineering, this is what those groups are doing and we're a big enabler to those teams, to get that to market faster. >> John: You're targeting businesses, enterprises, developers. >> That's right. >> Mainly, right, developers? >> Yeah. >> What's the business model? How are you guys making money? What's the strategy there? >> Yeah, I mean we really like to align with the value that we deliver. So if a user creates an environment, we get paid when that happens. So it's an on-demand, if you use the environment, you pay us, if you don't, you don't. >> John: Typical cloud-based pricing. >> Yeah. >> Pay as you go. >> Tommy: Usage based pricing. >> Is there a trigger on certain of how it gets cost? Is it more of the environment size, or what's the- >> Yeah, I mean there's a different tier for if you have really large, complicated environments. And that's the trend, that distributed applications aren't simple anymore, so if you have a small little rails app, it's going to be cheaper than if you have a massive distributed system. But manageable, the idea here is that this should help you save money over investing deeply into a deep platform engineering team. So it's got to be cost effective and we're really cognizant of that. >> So you got a simple approach, which is great. Talk about the alternative. What does it look like for a customer that you want to target? What's their environment? What does it look like, so that if I'm a customer, I would know I need to call you guys at Relief Hub. Is it sprawl? Is it multiple tool chains? Chaos, mayhem? What does it look like? >> Tommy: Yeah, let's have Matty, Matt could do this one. >> When you look at the systems right now, I think complexity is the word that keeps coming up, which is that, whether you're talking about multi-cloud or actually doing it, that's a huge thing. Microservices proliferation are happening over and over again, different languages. What I'm excited about with Release, is not dissimilar from what we saw in the Docker movement, which is that there's all this great stuff out there, but there's that common interface there, so you can actually run it locally on your machine, do your dev and test, and know that it's going to operate with, am I using Couchbase or Postgres or whatever, I don't care, it's going to work this way. Similar with Release, people are having to build a lot of these bespoke solutions that are purpose built for one thing and they're not designed to the platform. And the platform for platform engineering gives us a way to take that complexity out the equation, so you're not limited to what you can do, or, "Oh crud, I want to move to something else, "I have to start over again," that process is going to be consistent no matter what you're doing. So you're not worried about evolution and success and growth, you know that you've got a foundation that's going to grow. Doing it on your own, you have to build things in that very bespoke, specific manner, and that just creates a lot more toil than you'd want to get if you were using a platform and focusing on the value after your company. >> Matt Klein was just on here. He was with Lyft, he was the one who open source Envoy, which became very popular. We asked him what he thought about the future and he's like, it's too hard to work with all this stuff. He was mentioning Yamo code, but he got triggered a little bit, but his point was there's a lot to pull together. And it sounds like you guys have this solution, back in the old days, spin up some EC2, compute, similar way, right? "Hey, I don't want to person a server, I person a server, rack and stack, top of rack switch, I'm going to go to the cloud, use EC2. >> Tommy: Yeah, I mean just think about if- >> You're an environment version of that. Why wait for it to be built? >> Yeah. >> Is that what I'm getting- >> Yeah, I mean, and an application today isn't just the EC2 instances, it's all of your data, it's your configuration. Building it one time is actually complicated to get your app to work it, doing it lots of times to make your developers productive with copies of that, is incredibly difficult. >> John: So you saw the problem of developers waiting around for someone to provision an environment. >> Tommy: That's right. >> So they can do whatever they want to do. >> Tommy: That's right. >> Test, ship, do, play around, test the customer. Whatever that project scope is, they're waiting around versus spinning up an environment. >> Yeah, absolutely, 100%. >> And that's the service. >> That's what it is. >> Take time, reduce the steps it takes, make it more productive. >> And build an amazing developer experience that you know your developers are going to love. If you're at Facebook or Google, they have thousands of DevOps people building platforms. If you're a company that doesn't have that resource, you have a choice of go build this yourself, which is a distraction, or invest in something like us and focus on your core. >> John: You got Matt on board, got a new CMO, you got enterprise class features and I saw the press release. Talk about the origination story, why you developed it, and then take a minute to give a plug for the company, on what you're looking for, I'm sure you're hiring, what's going on? >> Tommy: Yeah, I've been an entrepreneur for 20 years. My last experience at TrueCar, I saw this problem firsthand. And as the CTO of that company, I looked into the market for a solution to this, 'cause we had this problem of 300 developers, environments needed for everything. So we ended up building it ourselves and it costs multiple millions of dollars to build it. And so as the buyer at the time, I was like, man, I would've spent to solve this, and I just couldn't. So as a software engineer at heart, having seen this problem my entire career, it was just a natural thing to go work on. So yeah, I mean, for anybody that wants to create unlimited environments for their team, just go to releasehub.com. It's pretty self-explanatory, how to give it a shot and try it out. >> Environments is a service, from someone who had the problem, fixed it, built it- >> That's right. >> For other people. What are you guys hiring, looking for some people? >> Yeah, we have engineering hires, sales hires, Matt's got a few marketing hires coming, >> Matt: I was going to say, got some marketing coming. >> Selfishly he has that. (John laughs) The team's growing and it's a really great place to work. We're 100% remote. Part of this helps that, we build this product and we use it every day, so you get to work on what you build and dog food, it's pretty cool. >> Great solution. >> We love remote development environments. Being here and watching that process where building a product and a feature for the team to work better, wow, we should share this with customers. And the agility to deliver that was really impressive, and definitely reinforced how excited I am to be here 'cause we're building stuff for ourselves, which is- >> Matt: Well we're psyched that you're here in theCUBE. Matt, what's your vision for marketing? You got a hiring plan, you got a vision, I'm sure you got some things to do. What's your goals? What's your objective? >> My goal is... The statement people say, you can't market to developers. And I don't want to market to developers, I want to make sure developers are made aware of how they can learn new things in a really efficient way, so their capabilities grow. If we get people more and more successful with what they're doing, give them joy, reduce their toil and create that flow, we help them do things that make you excited, more creative. And that's to me, the reward of this. You teach people how to do that. And wow, these customers, they're building the greatest innovations in the world, I get to be part of that, which is awesome. >> Lisa: Yeah. Delighted developers has so many positive business outcomes that I'm sure organizations in any industry are going to be able to achieve. So exciting stuff, guys. Thank you so much for joining John and me on the program. Good luck with the growth and congrats on what you've enabled so far in just a few short years. >> Thank you, appreciate it. >> Thanks you so much. >> Thank you for having us on. >> Appreciate it. >> Pleasure. >> Thank you. >> For our guests and for John Furrier, I'm Lisa Martin. You're watching theCUBE, live in Detroit, at KubeCon + CloudNativeCon '22. We're back after a short break. (soft music)

(upbeat music) >> Hey guys, welcome back to the show floor of KubeCon + CloudNativeCon '22 North America from Detroit, Michigan. Lisa Martin here with John Furrier. This is day one, John at theCUBE's coverage. >> CUBE's coverage. >> theCUBE's coverage of KubeCon. Try saying that five times fast. Day one, we have three wall-to-wall days. We've been talking about Kubernetes, containers, adoption, cloud adoption, app modernization all morning. We can't talk about those things without addressing security. >> Yeah, this segment we're going to hear container and Kubernetes security for modern application 'cause the enterprise are moving there. And this segment with Red Hat's going to be important because they are the leader in the enterprise when it comes to open source in Linux. So this is going to be a very fun segment. >> Very fun segment. Two guests from Red Hat join us. Please welcome Doron Caspin, Senior Principal Product Manager at Red Hat. Michael Foster joins us as well, Principal Product Marketing Manager and StackRox Community Lead at Red Hat. Guys, great to have you on the program. >> Thanks for having us. >> Thank you for having us. >> It's awesome. So Michael StackRox acquisition's been about a year. You got some news? >> Yeah, 18 months. >> Unpack that for us. >> It's been 18 months, yeah. So StackRox in 2017, originally we shifted to be the Kubernetes-native security platform. That was our goal, that was our vision. Red Hat obviously saw a lot of powerful, let's say, mission statement in that, and they bought us in 2021. Pre-acquisition we were looking to create a cloud service. Originally we ran on Kubernetes platforms, we had an operator and things like that. Now we are looking to basically bring customers in into our service preview for ACS as a cloud service. That's very exciting. Security conversation is top notch right now. It's an all time high. You can't go with anywhere without talking about security. And specifically in the code, we were talking before we came on camera, the software supply chain is real. It's not just about verification. Where do you guys see the challenges right now? Containers having, even scanning them is not good enough. First of all, you got to scan them and that may not be good enough. Where's the security challenges and where's the opportunity? >> I think a little bit of it is a new way of thinking. The speed of security is actually does make you secure. We want to keep our images up and fresh and updated and we also want to make sure that we're keeping the open source and the different images that we're bringing in secure. Doron, I know you have some things to say about that too. He's been working tirelessly on the cloud service. >> Yeah, I think that one thing, you need to trust your sources. Even if in the open source world, you don't want to copy paste libraries from the web. And most of our customers using third party vendors and getting images from different location, we need to trust our sources and we have a really good, even if you have really good scanning solution, you not always can trust it. You need to have a good solution for that. >> And you guys are having news, you're announcing the Red Hat Advanced Cluster Security Cloud Service. >> Yes. >> What is that? >> So we took StackRox and we took the opportunity to make it as a cloud services so customer can consume the product as a cloud services as a start offering and customer can buy it through for Amazon Marketplace and in the future Azure Marketplace. So customer can use it for the AKS and EKS and AKS and also of course OpenShift. So we are not specifically for OpenShift. We're not just OpenShift. We also provide support for EKS and AKS. So we provided the capability to secure the whole cloud posture. We know customer are not only OpenShift or not only EKS. We have both. We have free cloud or full cloud. So we have open. >> So it's not just OpenShift, it's Kubernetes, environments, all together. >> Doron: All together, yeah. >> Lisa: Meeting customers where they are. >> Yeah, exactly. And we focus on, we are not trying to boil the ocean or solve the whole cloud security posture. We try to solve the Kubernetes security cluster. It's very unique and very need unique solution for that. It's not just added value in our cloud security solution. We think it's something special for Kubernetes and this is what Red that is aiming to. To solve this issue. >> And the ACS platform really doesn't change at all. It's just how they're consuming it. It's a lot quicker in the cloud. Time to value is right there. As soon as you start up a Kubernetes cluster, you can get started with ACS cloud service and get going really quickly. >> I'm going to ask you guys a very simple question, but I heard it in the bar in the lobby last night. Practitioners talking and they were excited about the Red Hat opportunity. They actually asked a question, where do I go and get some free Red Hat to test some Kubernetes out and run helm or whatever. They want to play around. And do you guys have a program for someone to get start for free? >> Yeah, so the cloud service specifically, we're going to service preview. So if people sign up, they'll be able to test it out and give us feedback. That's what we're looking for. >> John: Is that a Sandbox or is that going to be in the cloud? >> They can run it in their own environment. So they can sign up. >> John: Free. >> Doron: Yeah, free. >> For the service preview. All we're asking for is for customer feedback. And I know it's actually getting busy there. It's starting December. So the quicker people are, the better. >> So my friend at the lobby I was talking to, I told you it was free. I gave you the sandbox, but check out your cloud too. >> And we also have the open source version so you can download it and use it. >> Yeah, people want to know how to get involved. I'm getting a lot more folks coming to Red Hat from the open source side that want to get their feet wet. That's been a lot of people rarely interested. That's a real testament to the product leadership. Congratulations. >> Yeah, thank you. >> So what are the key challenges that you have on your roadmap right now? You got the products out there, what's the current stake? Can you scope the adoption? Can you share where we're at? What people are doing specifically and the real challenges? >> I think one of the biggest challenges is talking with customers with a slightly, I don't want to say outdated, but an older approach to security. You hear things like malware pop up and it's like, well, really what we should be doing is keeping things into low and medium vulnerabilities, looking at the configuration, managing risk accordingly. Having disparate security tools or different teams doing various things, it's really hard to get a security picture of what's going on in the cluster. That's some of the biggest challenges that we talk with customers about. >> And in terms of resolving those challenges, you mentioned malware, we talk about ransomware. It's a household word these days. It's no longer, are we going to get hit? It's when? It's what's the severity? It's how often? How are you guys helping customers to dial down some of the risk that's inherent and only growing these days? >> Yeah, risk, it's a tough word to generalize, but our whole goal is to give you as much security information in a way that's consumable so that you can evaluate your risk, set policies, and then enforce them early on in the cluster or early on in the development pipeline so that your developers get the security information they need, hopefully asynchronously. That's the best way to do it. It's nice and quick, but yeah. I don't know if Doron you want to add to that? >> Yeah, so I think, yeah, we know that ransomware, again, it's a big world for everyone and we understand the area of the boundaries where we want to, what we want to protect. And we think it's about policies and where we enforce it. So, and if you can enforce it on, we know that as we discussed before that you can scan the image, but we never know what is in it until you really run it. So one of the thing that we we provide is runtime scanning. So you can scan and you can have policy in runtime. So enforce things in runtime. But even if one image got in a way and get to your cluster and run on somewhere, we can stop it in runtime. >> Yeah. And even with the runtime enforcement, the biggest thing we have to educate customers on is that's the last-ditch effort. We want to get these security controls as early as possible. That's where the value's going to be. So we don't want to be blocking things from getting to staging six weeks after developers have been working on a project. >> I want to get you guys thoughts on developer productivity. Had Docker CEO on earlier and since then I had a couple people messaging me. Love the vision of Docker, but Docker Hub has some legacy and it might not, has does something kind of adoption that some people think it does. Are people moving 'cause there times they want to have these their own places? No one place or maybe there is, or how do you guys see the movement of say Docker Hub to just using containers? I don't need to be Docker Hub. What's the vis-a-vis competition? >> I mean working with open source with Red Hat, you have to meet the developers where they are. If your tool isn't cutting it for developers, they're going to find a new tool and really they're the engine, the growth engine of a lot of these technologies. So again, if Docker, I don't want to speak about Docker or what they're doing specifically, but I know that they pretty much kicked off the container revolution and got this whole thing started. >> A lot of people are using your environment too. We're hearing a lot of uptake on the Red Hat side too. So, this is open source help, it all sorts stuff out in the end, like you said, but you guys are getting a lot of traction there. Can you share what's happening there? >> I think one of the biggest things from a developer experience that I've seen is the universal base image that people are using. I can speak from a security standpoint, it's awesome that you have a base image where you can make one change or one issue and it can impact a lot of different applications. That's one of the big benefits that I see in adoption. >> What are some of the business, I'm curious what some of the business outcomes are. You talked about faster time to value obviously being able to get security shifted left and from a control perspective. but what are some of the, if I'm a business, if I'm a telco or a healthcare organization or a financial organization, what are some of the top line benefits that this can bubble up to impact? >> I mean for me, with those two providers, compliance is a massive one. And just having an overall look at what's going on in your clusters, in your environments so that when audit time comes, you're prepared. You can get through that extremely quickly. And then as well, when something inevitably does happen, you can get a good image of all of like, let's say a Log4Shell happens, you know exactly what clusters are affected. The triage time is a lot quicker. Developers can get back to developing and then yeah, you can get through it. >> One thing that we see that customers compliance is huge. >> Yes. And we don't want to, the old way was that, okay, I will provision a cluster and I will do scans and find things, but I need to do for PCI DSS for example. Today the customer want to provision in advance a PCI DSS cluster. So you need to do the compliance before you provision the cluster and make all the configuration already baked for PCI DSS or HIPAA compliance or FedRAMP. And this is where we try to use our compliance, we have tools for compliance today on OpenShift and other clusters and other distribution, but you can do this in advance before you even provision the cluster. And we also have tools to enforce it after that, after your provision, but you have to do it again before and after to make it more feasible. >> Advanced cluster management and the compliance operator really help with that. That's why OpenShift Platform Plus as a bundle is so popular. Just being able to know that when a cluster gets provision, it's going to be in compliance with whatever the healthcare provider is using. And then you can automatically have ACS as well pop up so you know exactly what applications are running, you know it's in compliance. I mean that's the speed. >> You mentioned the word operator, I get triggering word now for me because operator role is changing significantly on this next wave coming because of the automation. They're operating, but they're also devs too. They're developing and composing. It's almost like a dashboard, Lego blocks. The operator's not just manually racking and stacking like the old days, I'm oversimplifying it, but the new operators running stuff, they got observability, they got coding, their servicing policy. There's a lot going on. There's a lot of knobs. Is it going to get simpler? How do you guys see the org structures changing to fill the gap on what should be a very simple, turn some knobs, operate at scale? >> Well, when StackRox originally got acquired, one of the first things we did was put ACS into an operator and it actually made the application life cycle so much easier. It was very easy in the console to go and say, Hey yeah, I want ACS my cluster, click it. It would get provisioned. New clusters would get provisioned automatically. So underneath it might get more complicated. But in terms of the application lifecycle, operators make things so much easier. >> And of course I saw, I was lucky enough with Lisa to see Project Wisdom in AnsibleFest. You going to say, Hey, Red Hat, spin up the clusters and just magically will be voice activated. Starting to see AI come in. So again, operations operator is got to dev vibe and an SRE vibe, but it's not that direct. Something's happening there. We're trying to put our finger on. What do you guys think is happening? What's the real? What's the action? What's transforming? >> That's a good question. I think in general, things just move to the developers all the time. I mean, we talk about shift left security, everything's always going that way. Developers how they're handing everything. I'm not sure exactly. Doron, do you have any thoughts on that. >> Doron, what's your reaction? You can just, it's okay, say what you want. >> So I spoke with one of our customers yesterday and they say that in the last years, we developed tons of code just to operate their infrastructure. That if developers, so five or six years ago when a developer wanted VM, it will take him a week to get a VM because they need all their approval and someone need to actually provision this VM on VMware. And today they automate all the way end-to-end and it take two minutes to get a VM for developer. So operators are becoming developers as you said, and they develop code and they make the infrastructure as code and infrastructure as operator to make it more easy for the business to run. >> And then also if you add in DataOps, AIOps, DataOps, Security Ops, that's the new IT. It seems to be the new IT is the stuff that's scaling, a lot of data's coming in, you got security. So all that's got to be brought in. How do you guys view that into the equation? >> Oh, I mean you become big generalists. I think there's a reason why those cloud security or cloud professional certificates are becoming so popular. You have to know a lot about all the different applications, be able to code it, automate it, like you said, hopefully everything as code. And then it also makes it easy for security tools to come in and look and examine where the vulnerabilities are when those things are as code. So because you're going and developing all this automation, you do become, let's say a generalist. >> We've been hearing on theCUBE here and we've been hearing the industry, burnout, associated with security professionals and some DataOps because the tsunami of data, tsunami of breaches, a lot of engineers getting called in the middle of the night. So that's not automated. So this got to get solved quickly, scaled up quickly. >> Yes. There's two part question there. I think in terms of the burnout aspect, you better send some love to your security team because they only get called when things get broken and when they're doing a great job you never hear about them. So I think that's one of the things, it's a thankless profession. From the second part, if you have the right tools in place so that when something does hit the fan and does break, then you can make an automated or a specific decision upstream to change that, then things become easy. It's when the tools aren't in place and you have desperate environments so that when a Log4Shell or something like that comes in, you're scrambling trying to figure out what clusters are where and where you're impacted. >> Point of attack, remediate fast. That seems to be the new move. >> Yeah. And you do need to know exactly what's going on in your clusters and how to remediate it quickly, how to get the most impact with one change. >> And that makes sense. The service area is expanding. More things are being pushed. So things will, whether it's a zero day vulnerability or just attack. >> Just mix, yeah. Customer automate their all of things, but it's good and bad. Some customer told us they, I think Spotify lost the whole a full zone because of one mistake of a customer because they automate everything and you make one mistake. >> It scale the failure really. >> Exactly. Scaled the failure really fast. >> That was actually few contact I think four years ago. They talked about it. It was a great learning experience. >> It worked double edge sword there. >> Yeah. So definitely we need to, again, scale automation, test automation way too, you need to hold the drills around data. >> Yeah, you have to know the impact. There's a lot of talk in the security space about what you can and can't automate. And by default when you install ACS, everything is non-enforced. You have to have an admission control. >> How are you guys seeing your customers? Obviously Red Hat's got a great customer base. How are they adopting to the managed service wave that's coming? People are liking the managed services now because they maybe have skills gap issues. So managed service is becoming a big part of the portfolio. What's your guys' take on the managed services piece? >> It's just time to value. You're developing a new application, you need to get it out there quick. If somebody, your competitor gets out there a month before you do, that's a huge market advantage. >> So you care how you got there. >> Exactly. And so we've had so much Kubernetes expertise over the last 10 or so, 10 plus year or well, Kubernetes for seven plus years at Red Hat, that why wouldn't you leverage that knowledge internally so you can get your application. >> Why change your toolchain and your workflows go faster and take advantage of the managed service because it's just about getting from point A to point B. >> Exactly. >> Well, in time to value is, you mentioned that it's not a trivial term, it's not a marketing term. There's a lot of impact that can be made. Organizations that can move faster, that can iterate faster, develop what their customers are looking for so that they have that competitive advantage. It's definitely not something that's trivial. >> Yeah. And working in marketing, whenever you get that new feature out and I can go and chat about it online, it's always awesome. You always get customers interests. >> Pushing new code, being secure. What's next for you guys? What's on the agenda? What's around the corner? We'll see a lot of Red Hat at re:Invent. Obviously your relationship with AWS as strong as a company. Multi-cloud is here. Supercloud as we've been saying. Supercloud is a thing. What's next for you guys? >> So we launch the cloud services and the idea that we will get feedback from customers. We are not going GA. We're not going to sell it for now. We want to get customers, we want to get feedback to make the product as best what we can sell and best we can give for our customers and get feedback. And when we go GA and we start selling this product, we will get the best product in the market. So this is our goal. We want to get the customer in the loop and get as much as feedback as we can. And also we working very closely with our customers, our existing customers to announce the product to add more and more features what the customer needs. It's all about supply chain. I don't like it, but we have to say, it's all about making things more automated and make things more easy for our customer to use to have security in the Kubernetes environment. >> So where can your customers go? Clearly, you've made a big impact on our viewers with your conversation today. Where are they going to be able to go to get their hands on the release? >> So you can find it on online. We have a website to sign up for this program. It's on my blog. We have a blog out there for ACS cloud services. You can just go there, sign up, and we will contact the customer. >> Yeah. And there's another way, if you ever want to get your hands on it and you can do it for free, Open Source StackRox. The product is open source completely. And I would love feedback in Slack channel. It's one of the, we also get a ton of feedback from people who aren't actually paying customers and they contribute upstream. So that's an awesome way to get started. But like you said, you go to, if you search ACS cloud service and service preview. Don't have to be a Red Hat customer. Just if you're running a CNCF compliant Kubernetes version. we'd love to hear from you. >> All open source, all out in the open. >> Yep. >> Getting it available to the customers, the non-customers, they hopefully pending customers. Guys, thank you so much for joining John and me talking about the new release, the evolution of StackRox in the last season of 18 months. Lot of good stuff here. I think you've done a great job of getting the audience excited about what you're releasing. Thank you for your time. >> Thank you. >> Thank you. >> For our guest and for John Furrier, Lisa Martin here in Detroit, KubeCon + CloudNativeCon North America. Coming to you live, we'll be back with our next guest in just a minute. (gentle music)

(upbeat music) >> Welcome back, everyone. Live coverage here at KubeCon + CloudNativeCon here in Detroit, Michigan. I'm John Furrier, your host of theCUBE for special one-on-one conversation with Scott Johnston, who's the CEO of Docker, CUBE alumni, been around the industry, multiple cycles of innovation, leading one of the most important companies in today's industry inflection point as Docker what they've done since they're, I would say restart from the old Docker to the new Docker, now modern, and the center of the conversation with containers driving the growth of Kubernetes. Scott, great to see you. Thanks for coming on theCUBE. >> John, thanks for the invite. Glad to be here. >> You guys have had great success this year with extensions. Docker as a business model's grown. Congratulations, you guys are monetizing well. Pushing up over 50 million. >> Thank you. >> I hear over pushing a hundred million maybe. What the year to the ground will tell me, but it's good sign. Plus you've got the community and nurturing of the ecosystem continuing to power away and open source is not stopping. It's thundering away growth. Younger generation coming in. >> That's right. >> Developer tool chain that you have has become consistent. Almost de facto standard. Others are coming in the market. A lot of competition emerging. You got a lot going on right now. What's going on? >> Well, I know it's fantastic time in our industry. Like all companies are becoming software companies. That means they need to build new applications. That means they need developers to be productive and to be safely productive. And we, and this wonderful CNCF ecosystem are right in the middle of that trend, so it's fantastic. >> So you have millions of developers using Docker. >> Tens of millions. >> Tens of millions of developed Docker and as the market's changing, I was commenting before we came on camera, and I'd love to get your reaction, comment on it. You guys represent the modernization of containers, open source. You haven't really changed how open source works, but you've kind of modernized it. You're starting to see developers at the front lines, more and more power going to developers. >> Scott: That's right. >> They want self-service. They vote with their code. >> That's right. >> They vote with their actions. >> Scott: That's right. >> And if you take digital transformation to its conclusion, it's not IT serves the business or it's a department, the company is IT. >> That's right. >> The company is the application, which means developers are running everything. >> Yes, yes. I mean, one of the jokes, not jokes in the valley is that Tesla is in a car company. Tesla is a computer company that happens to have wheels on the computer. And I think we can smile at that, but there's so many businesses, particularly during COVID, that realize that. What happened during COCID? If you're going to the movies, nope, you're now going to Netflix. If you're going to the gym, now you're doing Peloton. So this realization that like I have to have a digital game, not just on the side, but it has to be the forefront of my business and drive my business. That realization is now any industry, any company across the board. >> We've been reporting aggressively for past three years now. Even now we're calling some things supercloud. If companies, if they don't realize that IT is not a department, they will probably be out of business. >> That's a hundred percent. >> It's going to transform into full on invisible infrastructure. Infrastructure as code, whatever you want to call that going, configuration, operations, developers will set the pace. This has a lot to do with some of your success. You're at the beginning of it. This is just the beginning. What can you talk about that in your mind is contributing to the success of Docker? I know you're going to say team, everything, I get that, but like what specifically in the industry is driving Docker's success right now? >> Well, it did. We did have a fantastic team. We do have a fantastic team and that is one of the reasons, primary reasons our success. But what is also happening, John, is because there's a demand for applications, I'll just throw it out there. 750 million new applications are coming in the market in the next two years. That is more applications that have been developed in the entire 40 years history of IT. So just think about the productivity demands that are coming at developers. And then you also see the need to do so safely, meaning ship quickly, but ship safely. And yet 90 some percent of every application consists of open source components that are now on attack surface for criminals. And so typically our industry has had to say one or the other, okay, you can ship quickly but not safely, or you can ship safely, but it's not going to go fast. And one of the reasons I think Docker is where it is today is that we're able to offer both. We're able to unlock that you can ship quickly, safely using Docker, using the Docker toolchain, using integrations we have with all the wonderful partners here at CNCF that is unique. And that's a big reason why we're seeing the success we're seeing. >> And you're probably pleased with extensions this year. >> Yes. >> The performance of extensions that you launched at DockerCon '22. >> Yes. Well, extensions are part of that story and that developers have multiple tools. They want choice, developers like choice to be productive and Docker is part of that, but it's not the only solution. And so Docker extensions allow the monitoring providers and the observability and if you want a separate Kubernetes stack, like all of that flexibility, extensions allows. And again, offers the power and the innovation of this ecosystem to be used in a Docker development and context. >> Well, I want to get into some of the details of some of your products and how they're evolving. But first I want to get your thoughts on the trend line here that we reported at the opening segment. The hot story is WebAssembly, the Wasm, which really got a lot of traction or interest. People enthous about it. >> Interest, yeah. >> Lot of enthusiasm. Confidence we'll see how that evolves, but a lot of enthusiasm for sure. I've never seen something this hyped up since Envoy, in my opinion. So a lot of interest from developers. What is Wasm or WebAssembly is actually what it is, but Wasm is the codeword or nickname. What is Wasm? >> So in brief, WebAssembly is a new application type, full stop. And it's just enough of the components that you need and it's just a binary format that is very, very secure. And so it's lightweight, it's fast and secure. And so it opens up a lot of interesting use cases for developer, particularly on the edge. Another use case for Wasm is in the browser. Again, lightweight, fast, secure also. >> John: Sounds like an app server to me. >> And so we think it's a very, very interesting trend. And you ask, Okay, what's Docker's role in that? Well, Docker has been around eight years now, eight plus years, tens of millions developers using it. They've already made investments in skills, talent, automation, toolchains, pipelines. And Docker started with Linux containers as we know, then brought that same experience to Windows containers, then brought it to serverless functions. About 25% of Amazon Lambdas are OCI image containers. And so we were seeing that trend. We were also seeing the community actually without any prompting from us, start to fork and play with Docker and apply it to Wasm. And we're like, Huh, that's interesting. What if we helped get behind that trend, such that you changed just one line of a Docker file, now you're able to produce Wasm objects instead of Linux containers and just bring that same easy to use. >> So that's not a competition to Docker's? >> Not a competition at all. In fact, very complimentary. We showed off on Monday at the Wasm day, how in the same Docker compose application, multi-service application. One service is delivered via Linux container, Another service is delivered via Wasm. >> And Wasm is what? Multiple languages? 'Cause what is it? >> Yes. So the binary can be compiled from multiple languages. So RAS, JavaScript, on and on and on. At the end of the day, it's a smaller binary that provides a function, typically a single function that you can stand up and deploy on an edge. You can stand up and deploy on the server side or stand up and deploy on the browser. >> So from a container standpoint, from your customer standpoint, what a Linux container is is a similar thing to what a Wasm container is. >> They could implement the same function. That's right. Now a Linux container can have more capabilities that a function might not have, but that's. >> John: From a workflow standpoint. >> That's right. And that's more of a use case by use case standpoint. What we serve is we serve developers and we started out serving developers with Linux containers, then Windows containers, then Lambdas, now Wasm. Whatever other use case, what other application type comes along, we want to be there to serve developers. >> So one of the things I want to get your thoughts on, because this has come up in a couple CUBE interviews before, and we were talking before we came on camera, is developers want ease of use and simplicity. They don't want more steps to do things. They don't want things harder. >> That's right. So the classic innovation is reduce the time it takes to do something, reduce the steps, make it easier. That's a formula of success. >> Scott: That's right. >> When you start adding more toolchains into the mix, you get tool sprawl. So that's not really, that's antithesis to developer. So the argument is, okay, do I have to use a new tool chain for Wasm? Is that a fact or no? >> That's exactly right. That was what we were seeing and we thought, well, how can Docker help with this situation? And Docker can help by bringing the same existing toolchain that developers are already familiar with. The same automation, the same pipelines. And just by changing a line of Docker file, changing a single line of composed file, now they get the power of Wasm unlocked in the very same tools they were using before. >> So your position is, hey, don't adopt some toolchain for Wasm. You can just do it in line with Docker. >> No need to, no need to. We're providing it right there out of the box, ready for them. >> That's raise and extend, as they would say, build Microsoft strategy there. That's nice. Okay, so let's get back into like the secure trusted 'cause that was another theme at DockerCon. We covered that deeply. Software supply chain, I was commenting on my intro with Savannah and Lisa that at some point open source means so plentiful. You might not have to write code. You got to glue together. So as code proliferates, the question what's in there? >> That's right. This is what they call the software supply chain. You've been all over this. Where are we with this? Is it harder now? Is it easier? Was there progress? Take us through what's the state of the art. I think we're early on this one, John, in the industry because I think the realization of how much open source is inside a given app is just now hitting consciousness. And so the data we have is that for any given application, anywhere from 75 to 85% is actually not unique to the developer or the organization. It's open source components that they have put together. And it's really down to that last 15, 25%, which is their own unique code that they're adding on top of all this open source code. So right there, it's like, aha, that's a pretty interesting profile or distribution of value, which means those open source components, where are they finding them? How are they integrating them? How do they know those open source components are going to be supported and trusted and secured? And that's the challenge for us as an industry right now is to make it just obvious where to get the components, how safe they are, who's standing behind them, and how easy it is to assemble them into a working application. >> All right. So the question that I had specifically on security 'cause this had come up before. All good on the trusted and I think that message is evergreen. It's a north star. That's a north star for you. How are you making images more secure and how are you enabling organizations to identify security issues in containers? Can you share your strategy and thoughts on that particular point? >> Yes. So there's a range of things in the secure software supply chain and it starts with, are you starting with trusted open source components that you know have support, that you know are secured? So in Docker Hub today, we have 14 million applications, but a subset of that, we've worked with the upstream providers to basically designate as trusted open source content. So this is the Docker official images, Docker verified publisher images, Docker sponsored open source. And those different categories have levels of certification assurance that they must go through. Generate an SBOM, so you know what's inside that container. It has to be scanned by a scanning tool and those scanning results have to be made available. >> John: Are you guys scanning that? >> So we provide a scanner, they can use another scanner as long as they publish the results of that scan. And then the whole thing is signed. >> Are you publishing the results on your side too? >> Yeah, we published our results through an open database that's accessible to all. >> Free. >> Free, a hundred percent free. You come in and you can see every image on hub. >> So I'm a user, for free I can see security vulnerabilities that are out there that have been identified. >> By version, by layer, all the way through. And you can see tracking all the way back to the package that's upstream. So you know how to remediate and we provide recommendations on how to remediate that with the latest version. >> John: And you don't charge for that. >> We don't charge for that. We do not charge for that. And so that's the trusted upstream. >> So organization can look at the scan, they can look at the scan data and hopefully, what happens if they're not scanned? >> So we provide scanning tools both for the local environments for Docker Desktop, as well as for hub. So if you want to do your own scan, so for example, when you're that developer adding the 15, 25%, you got to scan your stuff as well. Not just leave it up to the already scanned components. And so we provide tools there. We also provide tools to track the packages that that developer might be including in their custom code, all the way back upstream to whatever MPM repo or what have you that they picked up. And then if there's a CVE 30 days later, we also track that as well. We say, Hey, that package was was safe 29 days ago, but today CVE just came out, better upgrade to the latest version and get that out there. So basically if you get down to it, it's like start with trusted components and then have observability not just on the moment. >> And scan all the time. >> Scan all the time and scanning gives you that observability and importantly not just at that moment, but through the lifecycle of the application, through lifecycle of the artifact. So end-to-end 24/7 observability of the state of your supply chain. That's what's key, John. >> That's the best practice. >> That's the key. That's the key. >> Awesome, I agree. That's great. Well, I'm glad we've dug into that's super important. Obviously organizations can get that scanning that's exceed the vulnerabilities, that can take action. That's going to be a big focus here for you, security. It's not going to stop, is it? >> It's never going to stop because criminals are incentive to keep attacking. And so it's the gift that keeps on giving, if you will. >> Okay, so let's get into some of the products. Docker Desktop seems to be doing well. Docker Hub has always been a staple of it. And how's that going? >> Yeah, Docker Hub has 18 million monthly actives hitting it and that's growing by double digits year over year. And what they're finding, going back to our previous thread, John, is that they're coming there for the trusted content. In fact, those three categories that I referenced earlier are about 2000 applications of the 14 million. And yet they represent 56% of the 15 billion downloads a month from Docker Hub. Meaning developers are identifying that, hey, I want trusted source. We raise those in the search results and we have a visual cue. And so that's the big driver of hub's growth right now, is I want trusted content, where do I go? I go to Hub, download that trusted open source and I'm ready to go. >> I have been seeing some chatter on the internet and some people's sharing that they're looking at other places, besides hub, to do some things. What's your message to folks out there around Docker Hub? Why Docker Hub and desktop together? 'Cause you mentioned the toolchain before, but those two areas, I know they've been around for a while, you continue to work on them. What's the message to the folks out there about stay with the hub? >> Sure. I mean the beauty of our ecosystem is that it's interoperable. The standards for build, share and run, we're all using them here at CNCF. So yes, there's other registries. What we would say is we have the 18 million monthly active that are pulling, we have the worldwide distribution that is 24/7 high, five nines reliability, and frankly, we're there to provide choice. And so yes, we have have our trusted content, but for example, the Tanzu apps, they also distribute through us. Red Hat applications also distribute through us because we have the reach and the distribution and offer developers choice of Dockers content, choice of Red Hats content, choice of VMware's, choice of Bitnami, so on so forth. So come to the hub for the distribution to reach and that the requirements we have for security that we put in place for our publishers, give users and publishers an extra degree of assurance. >> So the Docker Hub is an important part of the system? >> Scott: Yes, very much so. >> And desktop, what's new with desktop? >> So desktop of course is the other end of the spectrum. So if trusted components start up on Docker Hub, developers are pulling them down to the desktop to start assembling their application. And so the desktop gives that developer all the tools he or she needs to build that modern application. So you can have your build tooling, your debug tooling, your IDE sitting alongside there, your Docker run, your Docker compose up. And so the loop that we see happening is the dev will have a database they download from hub, a front-end, they'll add their code to it and they'll just rapidly iterate. They'll make a change, stand it up, do a unit test, and when they're satisfied do a git commit, off it goes into production. >> And your goal obviously is to have developers stay with Docker for their toolchain, their experience, make it their home base. >> And their trusted content. That's right. And the trusted content and the extensions are part of that. 'Cause the extensions provide complimentary tooling for that local experience. >> You guys have done an amazing job. I want to give you personal props. I've been following Docker from the beginning when they had the pivot, they sold the enterprise to Mirantis, went back to the roots, modernized, riding the wave. You guys are having a good time. I got to ask the question 'cause people always want to know 'cause open source is about transparency. How you guys making your money? Business is good. How's that work and what was the lucky, what was the not lucky strike, but what was the aha moment? What was the trigger that just made you just kick in this new monetization growth wave? >> So the monetization is per seat, per developer seat. And that changed in November 2019. We were pricing on the server side before, and as you said, we sold that off. And what changed is some of the trends we were talking about that the realization by all organizations that they had to become software companies. And Docker provided the productivity in an engineered desktop product and the trusted content, it provided the productivity safely to developers. And frankly then we priced it at a rate that is very reasonable from an economic standpoint. If you look at developer productivity, developers are paid anywhere from 150 to 300 to 400, 500,000 even higher. >> But when you're paying your developers that much, then productivity is a premium. And what we were asking for from companies from a licensing standpoint was really a modest relative to the making those developers product. >> It's not like Oracle. I mean talk about extracting the value out of the customer. But your point is your positioning is always stay quarter of the open source, but for companies that adopt the structural change to be developer first, a software company, there's a premium to pay because you devalue there. >> And need the tooling to roll it out at scales. So the companies are paying us. They're rolling it out to tens of thousand developers, John. So they need management, they need visibility, they need guardrails that are all around the desktop. So, but just to put a stat on it, so to your point about open source and the freemium wheel working, of our 13 million Docker accounts, 12 are free, about a million are paid for accounts. And that's by design because the open source. >> And you're not gouging developers per se, it's just, not gouging anyone, but you're not taking money out of their hands. It's the company. >> If the company is paying for their productivity so that they can build safely. >> More goodness more for the developer. >> That's right. That's right. >> Gouging would be more like the Oracle strategy. Don't comment. You don't need to comment. I keep saying that, but it's not like you're taxing. It's not a heavy. >> No, $5 a month, $9 a month, $24 a month depending on level. >> But I think the big aha to me and in my opinion is that you nailed the structural change culturally for a company. If they adopt the software ecosystem approach for transforming their business, they got to pay for it. So like a workflow, it's a developer. >> It's another tool. I mean, do they pay for their spreadsheet software? Do they pay for their back office ERP software? They do >> That's my point. >> to make those people popular or sorry, make those people successful, those employees successful. This is a developer tool to make developer successful. >> It's a great, great business model. Congratulations. What's next for you guys? What are you looking for? You just had your community events, you got DockerCon coming up next year. What's on the horizon for you? Put a plugin for the company. What are you looking for? Hiring? >> Yeah, so we're growing like gangbusters. We grew from 60 with the reset. We're now above 300 and we're continuing to grow despite this economic climate. Like our customers are very much investing in software capabilities. So that means they're investing in Docker. So we're looking for roles across the board, software engineers, product managers, designers, marketing, sales, customer success. So if you're interested, please reach out. The next year is going to be really interesting because we're bringing to market products that are doubling down on these areas, doubling down a developer productivity, doubling down on safety to make it even more just automatic that developers just build so they don't have to think about it. They don't need a new tool just to be safer. We hinted a bit about automating SBOM creation. You can see more of that pull through. And in particular, developers want to make the right decision. Everyone comes to work wanting to make the right decision. But what they often lack is context. They often lack like, well, is this bit of code safe or not? Or is this package that I just downloaded over here safe or not? And so you're going to see us roll out additional capabilities that give them very explicit contextual guidance of like, should you use this or not? Or here's a better version over here, a safer version over there. So stay tuned for some exciting stuff. >> It's going to be a massive developer growth wave coming even bigger we've ever seen. Final questions just while I got you here. Where do you see WebAssembly, Wasm going? If you had to throw a dart at the board out a couple years, what does it turn into? >> Yeah, so I think it's super exciting. Super exciting, John. And there's three use cases today. There's browser, there's edge, and there's service side in the data center of the cloud. We see the edge taking off in the next couple years. It's just such a straight line through from what they're doing today and the value that standing up a single service on the edge go. The service side needs some work on the Wasm runtime. The Wasm runtime is not multi-threaded today. And so there's some deep, deep technical work that's going on. The community's doing a fantastic job, but that'll take a while to play through. Browsers also making good progress. There's a component model that Wasm's working on that'll really ignite the industry. That is going to take another couple years as well. So I'd say let's start with the edge use case. Let's get everyone excited about that value proposition. And these other two use cases will come along. >> It'll all work itself out in the wash as open source always does. Scott Johnston, the Chief Executive Officer at Docker. Took over at the reset, kicking butt and taking names. Congratulations. You guys are doing great. Continue to power the developer movement. Thanks for coming on. >> John, thanks so much. Pleasure to be here. >> We're bringing you all the action here. Extracting the signal from the noise. I'm John Furrier, day one of three days of wall-to-wall live coverages. We'll be back for our next guest after this short break. (gentle music)

(upbeat music) >> We're back in Boston, theCUBE's coverage of Re:Inforce 2022. My name is Dave Vellante. Dave Hatfield is here. He's the co-CEO of Lacework. Dave, great to see again. Hat. >> Thanks Dave. >> Do you still go by Hat? >> Hat is good for me. (Dave V laughing) >> All right cool. >> When you call me David, I'm in trouble for something. (Dave V Laughing) So just call me Hat for now. >> Yeah, like my mom, David Paul. >> Exactly. >> All right. So give us the update. I mean, you guys have been on a tear. Obviously the Techlash, >> Yep. >> I mean, a company like yours, that has raised so much money. You got to be careful. But still, I'm sure you're not taking the foot off the gas. What's the update? >> Yeah no. We were super focused on our mission. We want to de deliver a cloud security for everybody. Make it easier for developers and builders, to do their thing. And we're fortunate to be in a situation, where people are in the early innings of moving into the cloud, you know. So our customers, largely digital natives. And now increasingly cloud migrants, are recognizing that in order to build fast, you know, in the cloud, they need to have a different approach to security. And, you know, it used to be that you're either going be really secure or really fast. And we wanted to create a platform that allowed you to have both. >> Yeah. So when you first came to theCUBE, you described it. We are the first company. And at the time, I think you were the only company, thinking about security as a data problem. >> Yeah. >> Explain what that means. >> Well, when you move to the cloud, you know, there's literally a quintillion data sets, that are out there. And it's doubling every several days or whatever. And so it creates a massive problem, in that the attack surface grows. And different than when you're securing a data center or device, where you have a very fixed asset, and you kind of put things around it and you kind of know how to do it. When you move to the shared ephemeral massive scale environment, you can't write rules, and do security the way you used to do it, for a data centers and devices. And so the insight for us was, the risk was the data, the upside was the data, you know? And so if you can harness all of this data, ingest it, process it, contextualize it, in the context of creating a baseline of what normal is for a company. And then monitor it constantly in real time. Figure out, you know, identify abnormal activity. You can deliver a security posture for a company, unlike anything else before. Because it used to be, you'd write a rule. You have a known adversary or a bad guy that's out there, and you constantly try and keep up with them for a very specific attack service. But when you move to the cloud, the attack service is too broad. And so, the risk of the massive amount of data, is also the solution. Which is how do you harness it and use it with machine learning and AI, to solve these problems. >> So I feel like for CISOs, the cloud is now becoming the first line of defense. >> Yep. The CISOs is now the second line. Maybe the auditing is the third line. I don't know. >> Yeah. >> But, so how do you work with AWS? You mentioned, you know, quadrillion. We heard, I think it was Steven Schmidt, who talked about in his keynote. A quadrillion, you know, data points of a month or whatever it was. That's 15 zeros. Mind boggling. >> Yeah. >> How do you interact with AWS? You know, where's your data come from? Are you able to inspect that AWS data? Is it all your own kind of first party data? How does that all work? >> Yeah, so we love AWS. I mean we ultimately, we started out our company building our own service, you know, on AWS. We're the first cloud native built on the cloud, for the cloud, leveraging data and harnessing it. So AWS enabled us to do that. And partners like Snowflake and others, allowed us to do that. But we are a multi-cloud solution too. So we allow builders and customers, to be able to have choice. But we'd go deep with AWS and say, the shared responsibility model they came up with. With partners and themselves to say, all right, who ultimately owns security? Like where is the responsibility? And AWS does a great job on database storage, compute networking. The customer is responsible for the OS, the platform, the workloads, the applications, et cetera, and the data. And that's really where we come in. And kind of help customers secure their posture, across all of their cloud environments. And so we take a cloud trail data. We look at all of the network data. We look at configuration data. We look at rules based data and policies, that customers might have. Anything we can get our hands on, to be able to ingest into our machine learning models. And everybody knows, the more data you put into a machine learning model, the finer grain it's going to be. The more insightful and the more impactful it's going to be. So the really hard computer science problem that we set out to go do seven years ago, when we founded the company, was figure out a way to ingest, process, and contextualize mass amounts of data, from multiple streams. And the make sense out of it. And in the traditional way of protecting customers' environments, you know, you write a rule, and you have this linear sort of connection to alerts. And so you know, if you really want to tighten it down and be really secure, you have thousands of alerts per day. If you want to move really fast and create more risk and exposure, turn the dial the other way. And you know, we wanted to say, let's turn it all the way over, but maintain the amount of alerts, that really are only the ones that they need to go focus on. And so by using machine learning and artificial intelligence, and pulling all these different disparate data systems into making sense of them, we can take, you know, your alert volume from thousands per day, to one or two high fidelity critical alerts per day. And because we know the trail, because we're mapping it through our data graph, our polygraph data platform, the time to remediate a problem. So figure out the needle in the haystack. And the time to remediate is 90, 95% faster, than what you have to do on your own. So we want to work with AWS, and make it really easy for builders to use AWS services, and accelerate their consumption of them. So we were one of the first to really embrace Fargate and Graviton. We're embedded in Security Hub. We're, you know, embedded in all of the core platforms. We focus on competencies, you know. So, you know, we got container competency. We've got security and compliance competencies. And we really just want to continue to jointly invest with AWS. To deliver a great customer outcome and a really integrated seamless solution. >> I got a lot to unpack there. >> Okay. >> My first question is, what you just described, that needle in the haystack. You're essentially doing that in near real time? >> Yep. >> Or real time even, with using AI inferencing. >> Yeah. >> Describe it a little better. >> You're processing all of this data, you know, how do you do so efficiently? You know. And so we're the fastest. We do it in near real time for everything. And you know, compared to our competitors, that are doing, you know, some lightweight side scanning technology, and maybe they'll do a check or a scan once a day or twice a day. Well, the adversaries aren't sleeping, you know, over the other period of time. So you want to make it as near real time as you can. For certain applications, you know, you get it down into minutes. And ideally over time, you want to get it to actual real time. And so there's a number of different technologies that we're deploying, and that we're putting patents around. To be able to do as much data as you possibly can, as fast as you possibly can. But it varies on the application of the workload. >> And double click in the technology. >> Yeah. >> Like tell me more about it. What is it? Is it a purpose-built data store? >> Yeah. Is it a special engine? >> Yeah. There's two primary elements to it. The first part is the polygraph data platform. And this is this ingestion engine, the processing engine, you know, correlation engine. That has two way APIs, integrates into your workflows, ingests as much data as we possibly can, et cetera. And unifies all the data feeds that you've got. So you can actually correlate and provide context. And security now in the cloud, and certainly in the future, the real value is being able to create context and correlate data across the board. And when you're out buying a bunch of different companies, that have different architectures, that are all rules based engines, and trying to stitch them together, they don't talk to each other. And so the hard part first, that we wanted to go do, was build a cloud native platform, that was going to allow us to build applications, that set on top of it. And that, you know, handled a number of different security requirements. You know, behavior based threat detection, obviously is one of the first services that we offered, because we're correlating all this data, and we're creating a baseline, and we're figuring out what normal is. Okay, well, if your normal behavior is this. What's abnormal? So you can catch not only a known bad threat, you know, with rules, et cetera, that are embedded into our engines, but zero day threats and unknown unknowns. Which are the really scary stuff, when you're in the cloud. So, you know, we've got, you know, application, you know, for behavioral threat detection. You have vulnerability management, you know. Where you're just constantly figuring out, what vulnerabilities do I have across my development cycle and my run time cycle, that I need to be able to keep up on, and sort of patch and remediate, et cetera. And then compliance. And as you're pulling all these data points in, you want to be able to deliver compliance reports really efficiently. And the Biden Administration, you know, is issuing, you know, all of these, you know, new edicts for regulations. >> Sure. Obviously countries in, you know, in Europe. They have been way ahead of the US, in some of these regulations. And so they all point to a need for continuous monitoring of your cloud environment, to ensure that you're, you know, in real time, or near real time complying with the environments. And so being able to hit a button based on all of this data and, you know, deliver a compliance report for X regulation or Y regulation, saves a lot of time. But also ensures customers are secure. >> And you mentioned your multi-cloud, so you started on AWS. >> Yeah. >> My observation is that AWS isn't out trying to directly, I mean, they do some monetization of their security, >> Yep. >> But it's more like security here it is, you know. Use it. >> Yeah. >> It comes with the package. Whereas for instance, take Microsoft for example, I mean, they have a big security business. I mean, they show up in the spending surveys. >> Yeah. >> Like wow, off the charts. So sort of different philosophies there. But when you say you're Multicloud, you're saying, okay, you run on AWS. Obviously you run on Azure. You run on GCP as well. >> Yeah. Yep. >> We coin this term, Supercloud, Dave. It's it's like Multicloud 2.0. The idea is it's a layer above the clouds, that hides the underlying complexity. >> Yep. >> You mentioned Graviton. >> Yep. >> You worry about Graviton. Your customer don't, necessarily. >> We should be able to extract that. >> Right. But that's going to be different than what goes on Microsoft. With Microsoft primitives or Google primitives. Are you essentially building a Supercloud, that adds value. A layer, >> Yeah. >> on top of those Hyperscalers. >> Yeah. >> Or is it more, we're just going to run within each of those individual environments. >> Yeah. No we definitely want to build the Security OS, you know, that sort of goes across the Supercloud, as you talk about. >> Yeah. >> I would go back on one thing that you said, you know, if you listen to Andy or Adam now, talk about AWS services, and all the future growth that they have. I mean, security is job one. >> Yeah. Right, so AWS takes security incredibly seriously. They need to. You know, they want to be able to provide confidence to their customers, that they're going to be able to migrate over safely. So I think they do care deeply it. >> Oh, big time. >> And are delivering a number of services, to be able to do it for their customers,. Which is great. We want to enhance that, and provide Multicloud flexibility, deeper dives on Kubernetes and containers, and just want to stay ahead, and provide an option for companies. You know, when you're operating in AWS, to have better or deeper, more valuable, more impactful services to go layer on top. >> I see. >> And then provide the flexibility, like you said, of, hey look, I want to have a consistent security posture across all of my clouds. If I choose to use other clouds. And you don't, the schema are different on all three. You know, all of the protocols are different, et cetera. And so removing all of that complexity. I was just talking with the CISO at our event last night, we had like 300 people at this kind of cocktail event. Boston's pretty cool in the summertime. >> Yeah. Boston in July is great. >> It's pretty great. They're like going, look, we don't want to hire a Azure specialist, and a AWS specialist, and you know, a GCP specialist. We don't want to have somebody that is deep on just doing container security, or Kubernetes security. Like we want you to abstract all of that. Make sense of it. Stay above it. Continue to innovate. So we can actually do what we want to do. Which is, we want to build. We want to build fast. Like the whole point here, is to enable developers to do their job without restriction. And they intuitively want to have, and build secure applications. And, you know, because they recognize the importance of it. But if it slows them down. They're not going to do it. >> Right. >> And so we want to make that as seamless as possible, on top of AWS. So their developers feel confident. They can move more and more applications over. >> So to your point about AWS, I totally agree. I mean, security's job one. I guess the way I would say it is, from a monetization standpoint. >> Yeah. >> My sense is AWS, right now anyway, is saying we want the ecosystem, >> Yeah. >> to be able to monetize. >> Yeah. >> We're going to leave that meat on the bone for those guys. Whereas Microsoft is, they sometimes, they're certainly competitive with the ecosystem, sometimes. End point. >> Yeah. >> They compete with CrowdStrike. There's no question about it. >> Yeah. >> Are they competitive with you in some cases? Or they're not there yet. Are you different. >> Go talk to George, about what he thinks about CrowdStrike and I, versus Microsoft. (Dave V laughing) >> Well, yeah. (Dave H laughing) A good point in terms of the depth of capability. >> Yeah. >> But there's definitely opportunities for the ecosystem there as well. >> Yeah. But I think on certain parts of that, there are more, there's higher competitiveness, than less. I think in the cloud, you know, having flexibility and being open, is kind of core to the cloud's premise. And I think all three of the Hyperscalers, want to provide a choice for customers. >> Sure. >> And they want to provide flexibility. They obviously, want to monetize as much as they possibly can too. And I think they have varying strategies of those. And I do think AWS is the most open. And they're also the biggest. And I think that bodes well for what the marketplace really wants. You know, if you are a customer, and you want to go all in for everything, with one cloud. All right, well then maybe you use their security stack exclusively. But that's not the trend on where we're going. And we're talking about a $154 billion market, growing at, you know, 15% for you. It's a $360 billion market. And one of the most fragmented in tech. Customers do want to consolidate on platforms. >> Absolutely. >> If they can consolidate on CSPs, or they consolidate on the Supercloud, I'm going to steal that from you, with the super cloud. You know, to be able to, you know, have a consistent clarity posture, for all of your workloads, containers, Kubernetes, applications, across multiple clouds. That's what we think customers want. That's what we think customers need. There's opportunity for us to build a really big, iconic security business as well. >> I'm going to make you laugh. Because, so AWS doesn't like the term Supercloud. And the reason is, because it implies that they're the infrastructure, kind of commodity layer. And my response is, you'll appreciate this, is Pure Storage has 70% gross margin. >> Yeah. Yep. >> Right. Look at Intel. You've got Graviton. You control, you can have Intel, like gross margin. So maybe, your infrastructure. But it's not necessarily commodity, >> Yeah. >> But it leaves, to me, it leaves the ecosystem value. Companies like Lacework. >> Amazon offers 220 something services, for customers to make their lives easier. There's all kinds of ways, where they're actually focusing on delivering value, to their customers that, you know, is far from commodity and always will be. >> Right. >> I think when it comes to security, you're going to have, you're going to need security in your database. Your storage. Your network compute. They do all of that, you know, monetize all of that. But customers also want to, you know, be able to have a consistent security posture, across the Supercloud. You know, I mean, they don't have time. I think security practitioners, and security hiring in general, hasn't had unemployment for like seven or 10 years. It's the hardest place to find quality people. >> Right. >> And so our goal, is if we can up level and enable security practitioners, and DevSecOps teams, to be able to do their job more efficiently, it's a good thing for them. It's a win for them. And not having to be experts, on all of these different environments, that they're operating in. I think is really important. >> Here's the other thing about Supercloud. And I think you'll appreciate this. You know, Andreesen says, all companies are software companies. Well, all companies are becoming SAS and Cloud companies. >> Yeah. >> So you look at Capital One. What they're doing with on Snowflake. You know, Goldman what they're doing with AWS. Oracle by Cerner, you know that. So industries, incumbents, are building their own Superclouds. They don't want to deal with all this crap. >> Yeah. >> They want to add their own value. Their own tools. Their own software. And their own data. >> Yeah. >> And actually serve their specific vertical markets. >> Yeah. A hundred percent. And they also don't want tools, you know. >> Right. >> I think when you're in the security business. It's so fragmented, because you had to write a rule for everything, and they were super nuanced. When you move to a data driven approach, and you actually have a platform, that removes the need to actually have very nuanced, specific expertise across all these different. Because you're combining it into your baseline and understanding it. And so, customers want to move from, you know, one of the biggest banks in North America, has 550 different point solutions for security. Thousands of employees to go manage all of this. They would love to be able to consolidate around a few platforms, that integrate the data flows, so they can correlate value across it. And this platform piece is really what differentiates our approach. Is that we already have that built. And everybody else is sort of working backwards from Legacy approaches, or from a acquired companies. We built it natively from the ground up. Which we believe gives us an advantage for our customers. An advantage of time to market speed, efficacy, and a much lower cost. Because you can get rid of a bunch of point solutions in the process. >> You mentioned Devs. Did you, you know, that continuous experience across clouds. >> Yep. >> Do you have like the equivalent of a Super PAs layer, that is specific to your use case? Or are you kind of using, I mean, I know you use off the shelf tooling, >> Yep. >> you allow your developers to do so, but is, is the developer experience consistent across the clouds? That's really what I'm asking? >> Well, I think it is. I mean, I was talking to another CEO of a company, you know, on the floor here, and it's focusing on the build side. You know we focus on both the build and the run time. >> Right. >> And we were talking about, you know, how many different applications, or how fragmented the developer experience is, with all the different tools that they have. And it's phenomenal. I mean, like this, either through acquisition or by business unit. And developers, like to have choice. Like they don't like to be told what to do or be standardized, you know, by anybody. Especially some compliance organization or security organization. And so, it's hard for them to have a consistent experience, that they're using a bunch of different tools. And so, yeah. We want to be able to integrate into whatever workload, a workflow a customer uses, in their Dev cycle, and then provide consistent security on top of it. I mean, for our own company, you know, we got about a thousand people. And a lot of them are developers. We want to make it as consistent as we possibly can, so they can build code, to deliver security efficacy, and new applications and new tools for us. So I think where you can standardize and leverage a platform approach, it's always going to be better. But the reality is, especially in large existing companies. You know, they've got lots of different tools. And so you need to be able to set above it. Integrate with it and make it consistent. And security is one of those areas, where having a consistent view, a consistent posture, a consistent read, that you can report to the board, and know that your efficacy is there. Whatever environment you're in. Whatever cloud you're on. Is super, super critical. >> And in your swim lane, you're providing that consistency, >> Yep. >> for Devs. But you're right. You've got to worry about containers. You got to worry about the run time. You got to worry about the platform. The DevSecOps team is, you know, becoming the new line of defense, right? I mean, security experts. >> Absolutely. Well, we have one customer, that we just have been working with for four years ago. And it's, you know, a Fortune, a Global 2000 company. Bunch of different industries grew through acquisition, et cetera. And four years ago, their CTO said, we're moving to the cloud. Because we want to drive efficiency and agility, and better service offerings across the board. And so he has engineering. So he has Dev, you know. He has operations. And he has security teams. And so organizationally, I think that'll be the model, as companies do follow entries in to sort of, you know, quote. Become software companies and move on their digital journeys. Integrating the functions of DevSecOps organizationally, and then providing a platform, and enabling platform, that makes their jobs easier for each of those personas. >> Right. >> Is what we do. You want to enable companies to shift left. And if you can solve the problems in the code, on the front end, you know, before it gets out on the run time. You're going to solve, you know, a lot of issues that exist. Correlating the data, between what's happening in your runtime, and what's happening in your build time, and being able to fix it in near realtime. And integrate with those joint workflows. We think is the right answer. >> Yeah. >> Over the long haul. So it's a pretty exciting time. >> Yeah. Shift left, ops team shield right. Hat, great to see you again. >> Good to see you, Dave. >> Thanks so much for coming on theCUBE. >> Thanks a lot. >> All Right. Keep it right there. We'll be back. Re:Inforce 2022. You're watching theCUBE from Boston. (calming music)

>> From theCUBE Studios in Palo Alto and Boston bringing you data driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. >> After a two year hiatus, AWS re:Inforce is back on as an in-person event in Boston next week. Like the All-Star break in baseball, re:Inforce gives us an opportunity to evaluate the cyber security market overall, the state of cloud security and cross cloud security and more specifically what AWS is up to in the sector. Welcome to this week's Wikibon cube insights powered by ETR. In this Breaking Analysis we'll share our view of what's changed since our last cyber update in May. We'll look at the macro environment, how it's impacting cyber security plays in the market, what the ETR data tells us and what to expect at next week's AWS re:Inforce. We start this week with a checkpoint from Breaking Analysis contributor and stock trader Chip Simonton. We asked for his assessment of the market generally in cyber stocks specifically. So we'll summarize right here. We've kind of moved on from a narrative of the sky is falling to one where the glass is half empty you know, and before today's big selloff it was looking more and more like glass half full. The SNAP miss has dragged down many of the big names that comprise the major indices. You know, earning season as always brings heightened interest and this time we're seeing many cross currents. It starts as usual with the banks and the money centers. With the exception of JP Morgan the numbers were pretty good according to Simonton. Investment banks were not so great with Morgan and Goldman missing estimates but in general, pretty positive outlooks. But the market also shrugged off IBM's growth. And of course, social media because of SNAP is getting hammered today. The question is no longer recession or not but rather how deep the recession will be. And today's PMI data was the weakest since the start of the pandemic. Bond yields continue to weaken and there's a growing consensus that Fed tightening may be over after September as commodity prices weaken. Now gas prices of course are still high but they've come down. Tesla, Nokia and AT&T all indicated that supply issues were getting better which is also going to help with inflation. So it's no shock that the NASDAQ has done pretty well as beaten down as tech stocks started to look oversold you know, despite today's sell off. But AT&T and Verizon, they blamed their misses in part on people not paying their bills on time. SNAP's huge miss even after guiding lower and then refusing to offer future guidance took that stock down nearly 40% today and other social media stocks are off on sympathy. Meta and Google were off, you know, over 7% at midday. I think at one point hit 14% down and Google, Meta and Twitter have all said they're freezing new hires. So we're starting to see according to Simonton for the first time in a long time, the lower income, younger generation really feeling the pinch of inflation. Along of course with struggling families that have to choose food and shelter over discretionary spend. Now back to the NASDAQ for a moment. As we've been reporting back in mid-June and NASDAQ was off nearly 33% year to date and has since rallied. It's now down about 25% year to date as of midday today. But as I say, it had been, you know much deeper back in early June. But it's broken that downward trend that we talked about where the highs are actually lower and the lows are lower. That's started to change for now anyway. We'll see if it holds. But chip stocks, software stocks, and of course the cyber names have broken those down trends and have been trading above their 50 day moving averages for the first time in around four months. And again, according to Simonton, we'll see if that holds. If it does, that's a positive sign. Now remember on June 24th, we recorded a Breaking Analysis and talked about Qualcomm trading at a 12 X multiple with an implied 15% growth rate. On that day the stock was 124 and it surpassed 155 earlier this month. That was a really good call by Simonton. So looking at some of the cyber players here SailPoint is of course the anomaly with the Thoma Bravo 7 billion acquisition of the company holding that stock up. But the Bug ETF of basket of cyber stocks has definitely improved. When we last reported on cyber in May, CrowdStrike was off 23% year to date. It's now off 4%. Palo Alto has held steadily. Okta is still underperforming its peers as it works through the fallout from the breach and the ingestion of its Auth0 acquisition. Meanwhile, Zscaler and SentinelOne, those high flyers are still well off year to date, with Ping Identity and CyberArk not getting hit as hard as their valuations hadn't run up as much. But virtually all these tech stocks generally in cyber issues specifically, they've been breaking their down trend. So it will now come down to earnings guidance in the coming months. But the SNAP reaction is quite stunning. I mean, the environment is slowing, we know that. Ad spending gets cut in that type of market, we know that too. So it shouldn't be a huge surprise to anyone but as Chip Simonton says, this shows that sellers are still in control here. So it's going to take a little while to work through that despite the positive signs that we're seeing. Okay. We also turned to our friend Eric Bradley from ETR who follows these markets quite closely. He frequently interviews CISOs on his program, on his round tables. So we asked to get his take and here's what ETR is saying. Again, as we've reported while CIOs and IT buyers have tempered spending expectations since December and early January when they called for an 8% plus spending growth, they're still expecting a six to seven percent uptick in spend this year. So that's pretty good. Security remains the number one priority and also is the highest ranked sector in the ETR data set when you measure in terms of pervasiveness in the study. Within security endpoint detection and extended detection and response along with identity and privileged account management are the sub-sectors with the most spending velocity. And when you exclude Microsoft which is just dominant across the board in so many sectors, CrowdStrike has taken over the number one spot in terms of spending momentum in ETR surveys with CyberArk and Tanium showing very strong as well. Okta has seen a big dropoff in net score from 54% last survey to 45% in July as customers maybe put a pause on new Okta adoptions. That clearly shows in the survey. We'll talk about that in a moment. Look Okta still elevated in terms of spending momentum, but it doesn't have the dominant leadership position it once held in spend velocity. Year on year, according to ETR, Tenable and Elastic are seeing the biggest jumps in spending momentum, with SailPoint, Tanium, Veronis, CrowdStrike and Zscaler seeing the biggest jump in new adoptions since the last survey. Now on the downside, SonicWall, Symantec, Trellic which is McAfee, Barracuda and TrendMicro are seeing the highest percentage of defections and replacements. Let's take a deeper look at what the ETR data tells us about the cybersecurity space. This is a popular view that we like to share with net score or spending momentum on the Y axis and overlap or pervasiveness in the data on the X axis. It's a measure of presence in the data set we used to call it market share. With the data, the dot positions, you see that little inserted table, that's how the dots are plotted. And it's important to note that this data is filtered for firms with at least 100 Ns in the survey. That's why some of the other ones that we mentioned might have dropped off. The red dotted line at 40% that indicates highly elevated spending momentum and there are several firms above that mark including of course, Microsoft, which is literally off the charts in both dimensions in the upper right. It's quite incredible actually. But for the rest of the pack, CrowdStrike has now taken back its number one net score position in the ETR survey. And CyberArk and Okta and Zscaler, CloudFlare and Auth0 now Okta through the acquisition, are all above the 40% mark. You can stare at the data at your leisure but I'll just point out, make three quick points. First Palo Alto continues to impress and as steady as she goes. Two, it's a very crowded market still and it's complicated space. And three there's lots of spending in different pockets. This market has too many tools and will continue to consolidate. Now I'd like to drill into a couple of firms net scores and pick out some of the pure plays that are leading the way. This series of charts shows the net score or spending velocity or granularity for Okta, CrowdStrike, Zscaler and CyberArk. Four of the top pure plays in the ETR survey that also have over a hundred responses. Now the colors represent the following. Bright red is defections. We're leaving the platform. The pink is we're spending less, meaning we're spending 6% or worse. The gray is flat spend plus or minus 5%. The forest green is spending more, i.e, 6% or more and the lime green is we're adding the platform new. That red dotted line at the 40% net score mark is the same elevated level that we like to talk about. All four are above that target. Now that blue line you see there is net score. The yellow line is pervasiveness in the data. The data shown in each bar goes back 10 surveys all the way back to January 2020. First I want to call out that all four again are seeing down trends in spending momentum with the whole market. That's that blue line. They're seeing that this quarter, again, the market is off overall. Everybody is kind of seeing that down trend for the most part. Very few exceptions. Okta is being hurt by fewer new additions which is why we highlighted in red, that red dotted area, that square that we put there in the upper right of that Okta bar. That lime green, new ads are off as well. And the gray for Okta, flat spending is noticeably up. So it feels like people are pausing a bit and taking a breather for Okta. And as we said earlier, perhaps with the breach earlier this year and the ingestion of Auth0 acquisition the company is seeing some friction in its business. Now, having said that, you can see Okta's yellow line or presence in the data set, continues to grow. So it's a good proxy from market presence. So Okta remains a leader in identity. So again, I'll let you stare at the data if you want at your leisure, but despite some concerns on declining momentum, notice this very little red at these companies when it comes to the ETR survey data. Now one more data slide which brings us to our four star cyber firms. We started a tradition a few years ago where we sorted the ETR data by net score. That's the left hand side of this graphic. And we sorted by shared end or presence in the data set. That's the right hand side. And again, we filtered by companies with at least 100 N and oh, by the way we've excluded Microsoft just to level the playing field. The red dotted line signifies the top 10. If a company cracks the top 10 in both spending momentum and presence, we give them four stars. So Palo Alto, CrowdStrike, Okta, Fortinet and Zscaler all made the cut this time. Now, as we pointed out in May if you combined Auth0 with Okta, they jumped to the number two on the right hand chart in terms of presence. And they would lead the pure plays there although it would bring down Okta's net score somewhat, as you can see, Auth0's net score is lower than Okta's. So when you combine them it would drag that down a little bit but it would give them bigger presence in the data set. Now, the other point we'll make is that Proofpoint and Splunk both dropped off the four star list this time as they both saw marked declines in net score or spending velocity. They both got four stars last quarter. Okay. We're going to close on what to expect at re:Inforce this coming week. Re:Inforce, if you don't know, is AWS's security event. They first held it in Boston back in 2019. It's dedicated to cloud security. The past two years has been virtual and they announced that reinvent that it would take place in Houston in June, which everybody said, that's crazy. Who wants to go to Houston in June and turns out nobody did so they postponed the event, thankfully. And so now they're back in Boston, starting on Monday. Not that it's going to be much cooler in Boston. Anyway, Steven Schmidt had been the face of AWS security at all these previous events as the Chief Information Security Officer. Now he's dropped the I from his title and is now the Chief Security Officer at Amazon. So he went with Jesse to the mothership. Presumably he dropped the I because he deals with physical security now too, like at the warehouses. Not that he didn't have to worry about physical security at the AWS data centers. I don't know. Anyway, he and CJ Moses who is now the new CISO at AWS will be keynoting along with some others including MongoDB's Chief Information Security Officer. So that should be interesting. Now, if you've been following AWS you'll know they like to break things down into, you know, a couple of security categories. Identity, detection and response, data protection slash privacy slash GRC which is governance, risk and compliance, and we would expect a lot more talk this year on container security. So you're going to hear also product updates and they like to talk about how they're adding value to services and try to help, they try to help customers understand how to apply services. Things like GuardDuty, which is their threat detection that has machine learning in it. They'll talk about Security Hub, which centralizes views and alerts and automates security checks. They have a service called Detective which does root cause analysis, and they have tools to mitigate denial of service attacks. And they'll talk about security in Nitro which isolates a lot of the hardware resources. This whole idea of, you know, confidential computing which is, you know, AWS will point out it's kind of become a buzzword. They take it really seriously. I think others do as well, like Arm. We've talked about that on previous Breaking Analysis. And again, you're going to hear something on container security because it's the hottest thing going right now and because AWS really still serves developers and really that's what they're trying to do. They're trying to enable developers to design security in but you're also going to hear a lot of best practice advice from AWS i.e, they'll share the AWS dogfooding playbooks with you for their own security practices. AWS like all good security practitioners, understand that the keys to a successful security strategy and implementation don't start with the technology, rather they're about the methods and practices that you apply to solve security threats and a top to bottom cultural approach to security awareness, designing security into systems, that's really where the developers come in, and training for continuous improvements. So you're going to get heavy doses of really strong best practices and guidance and you know, some good preaching. You're also going to hear and see a lot of partners. They'll be very visible at re:Inforce. AWS is all about ecosystem enablement and AWS is going to host close to a hundred security partners at the event. This is key because AWS doesn't do it all. Interestingly, they don't even show up in the ETR security taxonomy, right? They just sort of imply that it's built in there even though they have a lot of security tooling. So they have to apply the shared responsibility model not only with customers but partners as well. They need an ecosystem to fill gaps and provide deeper problem solving with more mature and deeper security tooling. And you're going to hear a lot of positivity around how great cloud security is and how it can be done well. But the truth is this stuff is still incredibly complicated and challenging for CISOs and practitioners who are understaffed when it comes to top talent. Now, finally, theCUBE will be at re:Inforce in force. John Furry and I will be hosting two days of broadcast so please do stop by if you're in Boston and say hello. We'll have a little chat, we'll share some data and we'll share our overall impressions of the event, the market, what we're seeing, what we're learning, what we're worried about in this dynamic space. Okay. That's it for today. Thanks for watching. Thanks to Alex Myerson, who is on production and manages the podcast. Kristin Martin and Cheryl Knight, they helped get the word out on social and in our newsletters and Rob Hoff is our Editor in Chief over at siliconangle.com. You did some great editing. Thank you all. Remember all these episodes they're available, this podcast. Wherever you listen, all you do is search Breaking Analysis podcast. I publish each week on wikibon.com and siliconangle.com. You can get in touch with me by emailing avid.vellante@siliconangle.com or DM me @dvellante, or comment on my LinkedIn post and please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights powered by ETR. Thanks for watching and we'll see you in Boston next week if you're there or next time on Breaking Analysis (soft music)

>>mhm. Hello and welcome to the cubes Ducker con coverage. I'm John Ferry, host of the Cube. We've got a great segment here with slim dot AI CEO John Amaral. Stealth mode, SAS Company. Start up in the devops space with tools today and open source around. Supply chain security with containers closed beta with developers. John, Thanks for coming on. Congratulations for being platinum sponsor here, Dr Khan. Thanks for coming on The Cube. >>Thanks so much on my pleasure. >>You know, container analysis, management optimisation. You know, that's super important. But security is at the centre of all the action we're seeing with containers. We've been talking shift left on a lot of cube conversations. What that means? Is it an outcome? Is that the product software supply chain? You seek them? A secure where malware. All these things are part of now the new normal in cloud Native. You guys at the centre of this, the surface areas change. All these things are important. Take a minute to explain what you guys are doing as a as a tools and open source. Some of the things you're doing, I know you got a stealth mode product. You probably can't talk about. But you gotta close, Beta. Can you give us a little bit of a teaser? What slim dot ai about >>sure. So someday I is about helping developers build secure containers fast, and that really plays to a few trends in the marketplace that are really apparent and important right now in a federal mandate and a bunch of really highly publicised breaches that have all been caused by software supply, chain risks and security and software supply, chain security has become a really top of mind concept for people who secure things and people who develop software and runs. SAS so slim that AI has built a bunch of capabilities and tools that allow software developers at their desks to better understand and build secure containers that really reduce software supply. Chain risk as you think about containers being run in production. And we do three things to help developers one, as we help them know everything about their software. It's a kind of a core concept of suffering supply chain security. Just know what software is in your containers to. Another core concept is only ship to production. What you need to run. That's all about risk surface and the ability for you to easily make a container small that has as much a software reduction in it as possible. And three, it's removed as many vulnerabilities as possible to Slim Toolset. Both are open source and our SAS data platform make that easy for developers to do >>so. Basically, you have a nice, clean, secure environment. Know what's in there. Don't only put in production was needed and make sure it's tight and it's trimmed down perfectly. So you're kind of teasing out this concept of slimming, which is in the name of the company. But it really is about surface area of attack around containers and super important as it becomes more and more prominent in the environment these days. What is container slimming and why is it important for supply chain security? >>Sure. So in the in the in the realm of software supply chain security, best practises right, there are three core concepts. One is the idea of an S bahn that you should know the inventory of all the software that runs in your world to its security posture, signing containers, making sure that the authenticity of the software that you use and production is well understood. And the third is, well, managing exactly what shopper you ship. The first two things I said are simply just inventory and basics about knowing what software you have. But no one answers the question. What software do I need? So I run a container and say, It's a gig and it's got all these packages in. It comes from the operating system from note, etcetera. It's got all this stuff in it. I know the parts that I write my code to. But all that other stuff, what is it? Why is it there? What's the risk in it? That slimming part is all about managing the list of things you actually shipped to the absolute minimum and with confidence that you know that that code will actually work when it gets production but be as small as possible. That's what slimming is all about, and it really reduces supply chain risk by lowering the attack surface in your container, but also trimming your supply chain to only the minimum pieces you need, which really causes a lot of improvements in in the operational overhead of having software supply chain security >>It's interesting as you get more more volume and velocity around containers, uh, and automation kicks in. Sometimes things are turning on and off you don't even know. And shift left has been a great trend for getting in the CI CD pipeline for developer productivity. Really cool. What are some of the consequences that's going on with this? Because then you start to get into some of these areas like some stuff happens that the developers have to come shift back and can take care of stuff. So, you know, C. Tus and CSOs are really worried about this container dynamic. What's the What's the new thing that's causing the problems here? What's the issue around the management that CDOs and CDOs care about? >>Sure. And I'll talk about the shift left implications as well for that exact point. So as you start to worry about software supply, chain security and get a handle on all the software you ship to prod well, part of that is knowledge is power. But it's also, um, risk and work as soon as I know about problems with my containers or the risk surface, and I got to do something about it so we're really getting into the age where everyone has to know about the software they ship. As soon as you know about that, say there's a vulnerability or a package that's a little risky or some surface area you don't really understand. The only place that can be evaded is by going back to the developers and asking them. What is that? How do I remove it? Please do that work. So the software supply chain security knowledge turns into developer security work. Now the problem is, is that historically, the knowledge was imperfect, and the developer, you know, involvement in that was, I'd say, at Hawk, meaning that developers had best practises that did the best they could. But the scrutiny we have now on minimising this kind of risk is really high. The beautiful part about containers is their portable, and it's an easily transferrable piece of software. So you have a lot of producers and a lot of consumers of containers. Consumers of containers that care about supply chain risk are now starting to push back on, producers saying, Take those vulnerabilities out, move those packages, make this thing more secure, lower the risk profile this works its way all the way back to the developers who don't really have the tools, capabilities and automation is to do the work I just described easily, and that's an opportunity that Slim is really addressing, making it easy for developers to remove risk. >>And that's really the consequences of shifting left without having the slimming. Because what you're saying is your shift left and that's kind of annulled out because you've got to go back and fix it. The work comes, >>that's right. And yeah, and it's not an easy task for a developer to understand the code that they didn't intentionally put in the container. It's like, Okay, there's a package in that operating system. What does it do? I don't know. Do I even use it? I don't know. So there's like tonnes of analytic and I would say even optimisation questions and work to be done, but they're just not equipped to, because the tooling for that is really immature Slims on a mission to make that really easy for them and do it automatically so they don't have to think about it. We just automatically remove stuff you don't use and voila! You've got this like perfectly pre optimised capability. >>You know, this suffer supply chain is huge, and I remember when open source started when I remember when I was breaking into the business. Now it's such a height in such an escalation of new developers. This it's a real issue that that's going to be resolved. It has to be because supply chain is part of open source, right? As more code comes in, you got to verify. You gotta make sure it's it's slimming where it needs to be slim and optimised. There needs to be optimised, huge trend. Um and so I just love this area. I think it's really innovative and needed. So congratulations on that, you know, have one more question for you before we get into to close out. Um, you guys are part of the Docker Extensions launch and your partner, >>Why >>is this important to participate in this programme and and what do you guys hope to hope it does for slim dot ai, >>First of all, doctors, the ubiquitous platform, their hub has millions and millions of containers. We've got millions and millions of developers using Docker desktop to actually build and work on containers. It's like literally the sandbox for all local work for building containers. It's a fair statement. So inclusion in Dr Khan and the relationship we're building with Docker is really important for developers and that we're bringing these capabilities to the place where developers work and live every day. It's where all the containers live in the world. So we want to have our technology be easy to use with docker tools. We want to keep developers workflows and systems and and tools of record be the same. We just want to help them use those tools better and optimist outputs. From that we've we've worked since our inception to make our tools really, really friendly for darker and darker environments to, um, we are building a doctor extension. Uh, they have, uh, in this darker con. They're launching their doctor extensions programme to the worldwide audience. We have been one of the lucky Cos that's been selected to build one of the early Dr desktop plug ins. It's derived from our capabilities and our Saas platform and an open source, and it's it's effectively an MRI machine, an awesome analytic tool that allows any developer to really understand the composition, security and profile of any container they work with. So it's giving the sight to the blind, so to speak, that it's this new tool to make container analysis easy. >>Well, John, you guys got a great opportunity. Container analysis, management, optimisation key to security, enabling it and maintaining and sustaining it. And it's changing. I know you guys. Your co founder also did a doctor Slim. So you guys are deep in the open source. I Congratulations on that. We'll see a Q. Khan for the remaining time. We have give a plug for the company, obviously in stealth mode price going to come out later this year. You got a developer preview? What's What's the company all about? What's the most important story here? Dr. Khan? >>Sure, just to playback. So we help developers do three important things. Know everything about the software in their containers to only ship stuff to production that you need, and and and three remove as many vulnerabilities as possible. That's really about managing and understanding the risk surface. It ties right back to software supply chain security, and any developer can use these tools today to emit and build containers that are more secure and better production grade containers, and it's easy to do. We have an open source project called Dioxin. Go check it out. Uh, it's not. It's on git Hub. It's easy to find if you go to w w w dot slim that ai you can find access to that. We have tens of thousands of developers, 500,000 plus downloads. We have developers everywhere using those tools today and open source to do the objectives. I just said You can also easily sign up for our data for our Saas platform, you can use the doctor extension, go ahead and do that and really get on your journey to make those outcomes reality for you. And really kind of make those SEC ops people downstream not have to shift anything left. It's super easy for you to be a great participant in software slash insecurity. >>All right. John Amaral, CEO slim dot ai Stealth. Most thanks for coming The Cube Cube coverage of Dr Khan. Thanks for watching. I'm John Kerry hosted the Cube back to more Dr Khan after the short break. Mhm mhm

>> theCUBE presents Dell Technologies World, brought to you by Dell. >> Hey everyone. Happy afternoon. Welcome back to theCUBE. This is Lisa Martin with Dave Vallante. We are on day three of our coverage of Dell Technologies World live from Las Vegas with about 7,000- 8,000 people here. It's been a great two and a half days. Lots of people are still here. We're going to be talking more about Dell Services. I got a couple of guys from Dell Technologies joining us next. Please welcome Patrick Mooney, Senior Vice President of Services Product Management at Dell and Satish Iyer, Vice President of Emerging Services at Dell. Guys, welcome to the program. >> Thank you. Good evening. Great to be here to you. >> Happy to be here. >> So isn't it great to be back in person? >> So great. >> Those hallway conversations you just can't replicate it for video conferencing, right? >> Yeah. >> Priceless. >> It is priceless, I agree. Patrick, let's start with you. Talk to us about from a customer's perspective. What are some of the key services they've been looking for the last couple of years particularly, and how has Dell changed its strategic direction to deliver? >> Great question. Customers want outcomes and services are at the heart of outcomes. So when we look at customers transforming we're continually transforming and modernizing what we do and everything we're doing is centered around making it easy to buy, easy to consume and just centered around the customer. >> What are people looking for these days, Satish? I mean, what's the top three or four priorities. And we know cyber's up there. The cloud. One is when customers are consuming cloud, now there is more and more what we call as customers are looking for full stack solutions. So they start with giving me the best infrastructure on the platforms. Now they're saying, "I'm going to use those infrastructure to drive X, Y, and Z. "Now Mr. Dell, can you come and gimme those tags? "So I don't need to worry about anything "and I can actually consume it in the cloud like way." That's been massive for us. >> So, how do you guys respond to that? I mean, things in our little business things change so fast. And we can, but we're little. We can move fast. Customers are saying, okay, pandemic forced match to digital and now we got to figure it out. And now we got to modernize our HQ. How are you able to keep up? How are you changing your strategy as your customers pull you in different directions? What's going on inside the organization to enable that? >> Yeah. I think the key is that we meet customers where they are and help them plot out where they want to be. And then bring them along that journey. And we've really spent a lot of time developing four practices to help get there. One's around data and applications another around multi-cloud, another around workforce and another around security and resiliency. And no matter where they want to be, whether they want to do it themselves. They want us to help them do it or they want us to do it for them, we're there for them and we'll help them get where they want to be. >> Do you have like formal customer councils or how do you actually, especially the last couple years staying engaged with those customers? >> Absolutely. We're always talking to customers. It is critical to the model and we got a lot of ideas and customers have a lot of ideas and we want to vet those and talk through them. So no matter what point we're at in our product development cycle, we're always talking with customers, "Hey, do we hear you right? "Is this the value you're looking for?" And as we're developing it, can you help us test it? And so on. And we do that through regular conversations, field testing, customer insight councils, and it just feels so great to be having face to face conversations again as well. >> What is- >> Oh, go ahead. >> I was going to say, what are some of the things that you've heard face to face this week in terms of the direction, what Dell Services is delivering? >> Well, one big one for sure is that remote workforce is here to stay. And in our workforce pillar we spent a lot of time around how do we make it easy for customers to manage a remote workforce? It's a big challenge. So we've recently we announced here at Dell World, Lifecycle Hub Services where we it's a managed service where we're helping customers manage their entire device lifecycle around their PC. So imagine this you have a new hire joint or somebody leaves, how do you get 'em that PC? Have it ready? Let Dell take care of all the logistics, we'll we'll store it. We'll configure it. We'll send it to 'em we'll take the old machines back, we'll kit it for 'em anything that's needed and fully integrated it from the customer system into our system. So it's all automated. >> Okay. And all the patching, et cetera, >> Everything. Okay. So you got four pillars, data and apps multi-cloud, workforce and resiliency. What you just described, the automation, does IP and what's the IP portfolio look like? How does it map into those four pillars? >> Sure, you want to take that? >> Sure, so obviously when you look at growth areas and services, it's absolutely important for us to develop sustainable IP. If you look at one of the areas where we have invested and we are growing is cloud managed services platform. So Dell is unique in terms of managing our customer services. We actually do full lifecycle management of the customers. So we invested quite a bit of, I would say time and energy and engineering efforts to basically solve problems in engineered way. So the customer cloud managed services platform allows us to actually bring both, you talked about apex before to our other colleagues. So it allows us to both bring apex services to our customers and also allows us to bring non apex services in terms of fully managed to our customers. >> So multi-cloud must be a rich opportunity's probably almost infinite. There's a lot of gaps there for IP development. What are you seeing and hearing from customer with regard to those gaps? >> So one of the key areas when you talk about multi-cloud is we talk to customers about is the solution things we talked about. So we launched, we announced three solutions one we already launched. And the two of them will be announced is customers want that end-to-end outcome, right? 'Cause they are saying, well we are currently where we started today. We announced cyber security as a service. As you guys know, within the current geopolitical climate, cyber attacks are common, ransomware is common. So, and this is something which we are doing today to customers. What customers want is the simplicity of offering. They're like, you can help us with cyber security when something happens I have an insurance policy, so I can actually go I know where my data sets are. I can record from it, but can you streamline it for me? I don't want all the headaches. Can you make sure that it's easily consumable and Dell can take care of everything for me. And we are also investing on other LED solutions like machine learning, high performance compute. And we are also looking at vertical areas. So our customers, especially in telco, Edge and enterprise applications. So we are looking at those as a full stack offerings so that we can actually educate and take our customers on the journey on our MacCloud platforms. >> I going to talk about Dell Services as a facilitator of multi-cloud Chuck Whitton was on stage, He was here yesterday talking about multi-cloud is here by default. Well, Dell wants to change that to multi-cloud by design. How can Dell Services be a facilitator of that transformation that customers in telco or whatever industry have going from, We've got it by default to now it's actually by design, facilitating that? >> Yeah. I'll jump in and let you take it, we have a a robust consulting practice which can help you come in and understand where you're at and where you want to be and design that future. So that it's not, as you said by default, it's absolutely multi-cloud by design. Anything you want to add? >> Yeah. I mean, look again Dell has been doing multi-cloud for a long time. We just didn't call it multi-cloud. I would probably say 2014, 2015, Dell's been there. We know our customers have a choice. We want to operationalize. We want to help our customers run workloads wherever they want to run. Now, we have a term for it. We have a dedicated way of talking about it. And again, more automation more IP development, more software. And again, taking a lot of the people part away from services and driving more innovation, more IPs where we are going to be able to differentiate. >> So you're a large and pretty sophisticated services organization. We've talked about some of your IP. You now bring that to your customers. What are some of the adoption barriers that they have? How are you addressing those, in terms of taking your IP and your ideas? And you probably say, "Hey, we got this, you can apply this". What are they not ready for? That you sort of advise them, okay you got to do, these are some maybe, some out scope things that you haven't talked about or thought about. >> Yeah. I mean, I'll take one. And I know Patrick will probably touch on, I would say two big ones. I can think about the one is data. One is on security, right? I'll give you the data use case. So data has gravity, right? When customers think about, multi-cloud think about solution, think about these services. It's not easy to take petabytes and terabytes of data and shift all over the place. It's very, very expensive. So a lot of their cloud strategy really hinges on where the data is, and how they're going to optimize those data for the outcomes they want to decide. And that's something a lot of our customers initially don't think about it as we actually go and talk to them about this specific use case and application that actually becomes forefront of the discussion. >> Yeah. On the security front, customers are just overwhelmed with the number of options in a very fragmented, extremely important space. So we've tried to make that very easy for them with our managed detection and response services, bringing the best of the industry and Dell Services together to give them a one stop shop managed service, let us watch for you so that you can run your business. And when we detect something, we'll advise you and help you respond. >> What's the tooling like there. I mean, you have, do you have your preferred tooling? Are the customers saying, well we got to use this vendor or that vendor, how do you manage all that complex? >> Of course we have our preferred tooling and we partner greatly with secure works to do it as well as some other company, but that said what's important to us with the service is that a customer meets specific, they're green in five different categories. And if they're green in those categories, then we're good to help them. And if they don't know how to do that, then we'll come in and do a security assessment to help them get there. And just taking what's very complicated and making it easy. >> On the security front. We've been talking about the cyber skills gap, massive skills gap that's been around for years. How is Dell Services facilitator of organizations being able to close that gap? >> Sure. In a few ways, one, we can just do it for you, right? Two, if you want to do it yourself, we can supplement you with security residents to help you manage through the complexity and cross train while as part of your staff. And then three, we have our Dell Education Services where we can come in and train you as well. So lots of different options on how you want to do it. >> Yeah. >> No matter what you choose, we're here for you. (panelists laughing) >> That people option's important. I mean, people being the biggest threat factor that there is, right. >> Absolutely. >> For sure. >> That's probably one of the hardest ones to augment. >> Yeah. I mean, that's the reason why when you look at cyber security customers, want somebody else to manage it because you don't want the same folks making the same mistake on an insurance policy. So they're like Dell, you manage it for me. So I don't have the same actor is doing same things. So I have somebody managing my data but somebody managing my record option. So in case something goes wrong I know it's a different handset different people who are much more relaxed when things go back >> That's always nice to have somebody that's relaxed in a crisis. >> Absolutely. And I think I'll take that in my personal life too. Guys thank you for joining Dave and me talking about what's new with Dell Services the modernization that you're undergoing and how your customers are really helping to evolve this strategy. We appreciate your insight. >> Thank you, Lisa. >> Thank you so much for your time. Great seeing you. >> Right. Likewise for Dave Vallante, I'm Lisa Martin. You're watching theCUBE. This is day three of our coverage of Dell Technologies World, live from Las Vegas, stick around Dave and I will be right back with our next guest. (bright music)

(upbeat music) >> Kubernetes is maturing for example moving from quarterly releases to three per year, it's adding many of the capabilities that early on were avoided by Kubernetes committers, but now are going more mainstream, for example, more robust security and better support from mobile cluster management and other functions. But core Kubernetes by itself, doesn't get organizations where they need to go. That's why the ecosystem has stepped up to fill the gaps in application development. Developers as we know, they don't care about infrastructure, but they do care about building new apps, they care about modernizing existing apps, leveraging data, scaling, they care about automation look, they want to be cloud native. And one of the companies leading the ecosystem charge and building out more robust capabilities is Red Hat. And ahead of KubeCon Spain. It's our pleasure to welcome in Stu Miniman director of market insights at Red Hat to preview the event, Stu, good to see you, how you been? >> I'm doing awesome, Dave. Thanks for having me, great to be here. >> Yeah. So what's going on in Kube land these days? >> So it's funny Dave, if you were to kind of just listen out there in the marketplace, the CNCF has a survey that's like 96% of companies running Kubernetes production, everybody's doing it. And others will say, oh no, Kubernetes, only a small group group of people are using it, it's already probably got newer technologies that's replacing it. And the customers that I'm talking to Dave, first of all, yes, containers of Kubernetes, great growth growth rate, good adoption overall, I think we've said more than a year or two ago, we've probably crossed that chasm, the Jeff Moore, it's longer the early people just building all their own thing, taking all the open source, building this crazy stack that they need to had to do a lot of work we used to say. Chewing glass to be able to make it work right or anything, but it's still not as easy as you would like, almost no company that I talk to, if you're talking about big enterprises has Kubernetes just enterprise wide, and a hundred percent of their applications running on it. What is the tough challenge for people? And I mean, Dave, something, you and I have covered for many, many years, , that application portfolio that I have, most enterprises, hundreds, thousands of applications modernizing that having that truly be cloud native, that that's a really long journey and we are still in the midst of that, so I still still think we are in that, that if you look at the cross in the chasm that early majority chunk, so some of it is how do we mature things even better? And how do we make things simpler? Talk about things like automation, simplicity, security, we need to make sure they're all there so that it can be diffused and rolled out more broadly. And then we also need to think about where are we? We talk about the next million cloud customers, where does Kubernetes and containers and all the cloud native pieces fit into that broader discussion. Yes, there's some maturity there and we can declare victory on certain things, but there's still a lot, a lot of work that everyone's doing and that leads us into the show. I mean, dozens of projects that are already graduated, many more along that process from sandbox through a whole bunch of co-located events that are there, and it's always a great community event which Red Hat of course built on open source and community projects, so we're happy to have a good presence there as always. >> So you and I have talked about this in the past how essentially container's going to be embedded into a lot of different places, and sometimes it's hard to find, it's hard to track, but if you look at kind of the pre DevOps world skillsets like provisioning LANs, or configuring ports, or troubleshooting, squeezing more, server utilism, I mean, those who are really in high demand. If that's your skillset, then you're probably out of a job today. And so that's shifted toward things like Kubernetes. So you see and you see in the ETR data, it's along with cloud, and RPA, or automation, it is right up there I mean, it's top, the big four if you will, cloud, automation, RPA, and containers. And so we know there's a lot of spending activity going on there, but sometimes, like I said, it's hard to track I mean, if you got cloud growing at 35% a year, at least for the hyperscalers that we track, Kubernetes should be growing faster than that, should it not? >> Yeah, Dave, I would agree with you when I look at the big analyst firms that track this, I believe they've only got the container space at about a 25 per percent growth rate. >> Slower than cloud. But I compare that with Deepak Singh who runs at AWS, he has the open source office, he has all the containers and Kubernetes, and has visibility in all of that. And he says, basically, containers of the default when somebody's deploying to AWS today. Yes, serverless has its place, but it has not replaced or is not pushing down, slowing down the growth of containers or Kubernetes. We've got a strong partnership, I have lots of customers running on AWS. I guess I look at the numbers and like you, I would say that I would expect that that growth rate to be north of where just cloud in general is because the general adoption of containers and Kubernetes, we're still in the early phases of things. >> And I think a lot of the spendings Stu is actually in labor resources within companies and that's hard to track. Let's talk about what we should expect at the show. Obviously this whole notion of secure supply chain was a big deal last year in LA, what's hot? >> Yeah, so security Dave, absolutely. You said for years, it's a board level discussion, it's now something that really everyone in the organization has to know about the dev sec ops movement, has seen a lot of growth, secure supply chain, we're just trying to make sure that when I use open source, there's lots of projects, there is the huge ecosystem in marketplaces that are out there. So I want to make sure that as I grab all of the pieces that I know where they got came from the proper signature certification to make sure that the full solution that I build, I understand it. And if there are vulnerabilities, I know if there's an issue, how I patch it in the industry, we talk about CBEs, so those vulnerabilities, those exploits that come out, then everybody has to do a quick runaround to understand wait, hey, is my configuration? Am I vulnerable? Do I have to patch things? So security, absolutely still a huge, huge thing. Quick from a Red Hat standpoint, people might notice we made an acquisition a year ago of StackRox. That product itself also now has a completely fully open source project itself, also called StackRox. So the product is Red Hat advanced cluster security for Kubernetes, there's an open source equivalent for that called StackRox now, open source, community, there's a monthly office hour live streaming that a guy on my team actually does, and so there'll be a lot of activity at the show talking about security. So many other things happening at the show Dave. Another key area, you talked about the developers and what they want to worry about and what they don't. In the container space, there's a project called Knative. So Google helped create that, and that's to help me really have a serverless operational model, with still the containers and Kubernetes underneath that. So at the show, there will be the firs Knative con. And if you hadn't looked at Knative in a couple of years, one of the missing pieces that is now there is eventing. So if I look at functions and events, now that event capability is there, it's something I've talked to a lot of customers that were waiting for that to have it. It's not quite the same as like a Lambda, but is similar functionality that I can have with my containers in Kubernetes world. So that's an area that's there and so many others, I mean, GitOps are super hot at the last show. It's something that we've seen, really broad adoption since Argo CD went generally available last year, and lots of customers that are taking that to help them. That's both automation put together because I can allow GitHub to be my single source of truth for where I keep code, make sure I don't have any deviation from where the kind of the golden image if you will, it lives. >> So we're talking earlier about, how hard it is to track this stuff. So with the steep trajectory of growth and new customers coming on, there's got to be a lot of experimentation going on. That probably is being done, somebody downloads the open source code and starts playing with it. And then when they go to production that I would imagine Stu that's the point at which they say, hey, we need to fill some of these gaps. And they reach out to a company like yours and say, now we got to have certifications and trust., Do you. see that? >> So here's the big shift that happened, if we were looking four or five years ago, absolutely, I'd grab the open source code and some people might do that, but what cloud really enabled Dave, is rather than just grabbing, going to the dot the GitHub repo and pulling it down itself, I can go to the cloud so Microsoft, AWS, and Google all have their Kubernetes offering and I click a button. But that just gives me Kubernetes so there's still a steep learning curve. And as you said to build out out that full stack, that is one of the big things that we do with OpenShift is we take dozens of projects, pull them in together so you get a full platform. So you spend less time on curating, integrating, and managing that platform. And more time on the real value for your business, which is the application stack itself, the security and the like. And when we deliver OpenShift in the cloud, we have an SRE team that manages that for you. So one of the big challenges we have out there, there is a skillset gap, there are thousands of people getting certified on Kubernetes. There are, I think I saw over a hundred thousand job openings with Kubernetes mentioned in it, we just can't train people up fast enough, and the question I would have as an enterprise company is, if I'm going to the cloud, how much time do I want to build having SREs, having them focus on the infrastructure versus the things that are business specific. What did Amazon promise Dave? We're going to help you get rid of undifferentiated heavy lifting. Well, I just consume things as a service where I have an SRE team manage that environment. That might make more sense so that I can spend more time focusing on my business activities. That's a big focus that we've had on Red Hat, is our offerings that we have with the cloud providers to do and need offering. >> Yeah, the managed service capability is key. We saw, go back to the Hadoop days, we saw that's where Cloudera really struggled. They had to support every open source project. And then the customers largely had to figure it out themselves. Whereas you look at what data bricks did with spark. It was a managed service that was getting much greater adoption. So these complex areas, that's what you need. So people win sometimes when I use the term super cloud, and we getting little debates on Twitter, which is a lot of fun, but the idea is that you create the abstraction layer that spans your on-prem, your cloud, so you've got a hybrid. You want to go across clouds, what people call multi-cloud but as you know, I've sort of been skeptical of multi-cloud is really multi-vendor. But so we're talking about a substantial experience that's identical across those clouds and then ultimately out to the edge and we see a super Paas layer emerging, And people building on top of that, hiding the underlying complexity. What are your thoughts on that? How does Kubernetes in your view fit in? >> Yeah, it's funny, Dave, if you look at this container space at the beginning, Docker came out of a company called dotCloud. That was a PaaS company. And there's been so many times that that core functionality of how do I make my developers not have to worry about that underlying gank, but Dave, while the storage people might not have to worry about the LANs, somebody needs to understand how storage works, how networking works, if something breaks, how do I make sure I can take care of it. Sometimes that's a service that the SRE team manages that away from me. so that yes, there is something I don't need to think of about, but these are technically tough configurations. So first to one of your main questions, what do we see in customers with their hybrid and multi-cloud journey? So OpenShift over 10 years old, we started OpenShift before Kubernetes even was a thing. Lots of our customers run in what most people would consider hybrid, what does that mean? I have something in my data center, I have something in the cloud, OpenShift health, thanks to Kubernetes, I can have consistency for the developers, the operators, the security team, across those environments. Over the last few years, we've been doing a lot in the Kubernetes space as a whole, as the community, to get Kubernetes out to the edge. So one of the nice things, where do containers live Dave? Anywhere Linux does, is Linux going to be out of the edge? Absolutely, it can be a small footprint, we can do a lot with it. There were a lot of vendors that came out with it wasn't quite Kubernetes, they would strip certain things out or make a configuration that was smaller out at the edge, but a lot of times it was something that was just for a developer or something I could play with, and what it would break sometimes was that consistency out at the edge to what my other environments would like to have. And if I'm a company that needs consistency there. So take for example, if I have an AI workload where I need edge, and I need something in the cloud, or in my data center of consistency. So the easy use case that everybody thinks about is autonomous vehicles. We work with a lot of the big car manufacturers, I need to have when my developer build something, and often my training will be done either in the data center or in the public cloud, but I need to be able to push that out to the vehicle itself and let it run. We've actually even got Dave, we've got Kubernetes running up on the ISS. And you want to make sure that we have a consistency. >> The ultimate edge. >> Yeah, so I said, right, it's edge above and beyond the clouds even, we've gone to beyond. So that is something that the industry as a whole has been working at, from a Red Hat standpoint, we can take OpenShift to a really small footprint. Last year we launched was known as single node OpenShift. We have a project called micro shift, which is also fully open source that it has less pieces of the overall environment to be able to fit onto smaller and smaller devices there. But we want to be able to manage all of them consistently because you talked about multi cluster management. Well, what if I have thousands or 10 of thousands of devices out of the edge? I don't necessarily have network, I don't have people, I need to be able to do things from an automated standpoint. And that's where containers and Kubernetes really can shine. And where a lot of effort has been done in general and something specifically, we're working on it, Red Hat, we've had some great customers in the telecommunication space. Talk about like the 5G rollout with this, and industrial companies that need to be able to push out at the edge for these type of solutions. >> So you just kind of answered my next question, but I want to double click on it which was, if I'm in the cloud, why do I need you? And you touched on it because you've got primitives, and APIs, and AWS, Google, and Microsoft, they're different, if you're going to hide the underlying complexity of that, it takes a lot of RND and work, now extend that to a Tesla. You got to make it run there, different use case, but that's kind of what Linux and OpenShift are design to do, so double click on that. >> Yeah, so right. If I look at the discussion you've been having about super clouds is interesting because there are many companies that we work with that do live across multiple environments. So number one, if I'm a developer, if my company came to me and said, hey, you've got all your certifications and you got years of experience running on Amazon, well, we need you to go run over on Google. That developer might switch companies rather than switch clouds because they've got all of their knowledge and skillset, and it's a steep learning curve. So there's a lot of companies that work on, how can we give you tools and solutions that can live across those environments? So I know you mentioned companies like Snowflake, MongoDB, companies like Red Hat, HashiCorp, GitLab, also span all of those environments. There's a lot of work, Dave, to be different than not just, I say, I don't love the term like we're cloud agnostic, which would mean, well, you can use any cloud. >> You can run on any cloud. >> That's not what we're talking about. Look at the legacy that Red Hat has is, Red Hat has decades of running in every customer's data center and pick your X 86 server of choice. And we would have deep relationships when Dell, HP, IBM, Lenovo, you name it, comes out with a new piece of hardware that was different. We would have to make sure that the Linux primitives work from a Red Hat standpoint. Interesting Dave, we're now supporting OpenShift on Azure Stack Hub. And I talked to our head of product management, and I said, we've been running OpenShift in Azure for years, isn't Azure Stack Hub? Isn't that just Azure in your data center. He's like, yeah, but down at the operating system level, we had to change some flags and change some settings and things like that, so what do we know in IT? It's always the yeah, at the high level, it looks the same, it acts the same, it feels the same. >> Seamless. >> It's seamless in everything when you get down to the primitives level, sometimes that we need to be able to do that. I'll tell you Dave, there's things even when I look at A cloud, if I'm in US East One, or US West One, there actually could be some differences in what services are there or how things react, and so therefore we have a lot of deep work that goes into all of those environments, and it's not just Red Hat, we have a marketplace and an ecosystem, we want to make sure you've got API compatibility across all of those. So we are trying to help lift up this entire ecosystem and bring everybody along with it because you set it at the upfront, Kubernetes alone won't do it, oo one vendor gives you an entire, everything that you need for your developer tool chain. There's a lot that goes into this, and that's where we have deep commitment to partnerships. We build out and support lots of ecosystems. And this show itself is very much a community driven show. And, and therefore, that's why Red Hat has a strong presence at it, 'cause that's the open source community and everything that we built on. >> You guys are knee deep in it. You know I wrote down when you were talking about Snowflake and Mongo, HashiCorps, another one, I wrote down Dell, HP, Cisco, Lenovo, that to me, that should be their strategy. NetApp, their strategy should be to basically build out that abstraction layer, the so-called super cloud. So be interesting to see if they're going to be at this show. It requires a lot of R and D number one, number two, to your point, it requires an ecosystem. So you got all these guys, most of them now do in their own as a service, as a service is their own cloud. Their own cloud means you better have an ecosystem that's robust. I want to ask you about, do you ever think about what's next beyond Kubernetes? Or do you feel like, hey, there's just so much headroom in Kubernetes and so many active projects, we got ways to go. >> Yeah, so the Kubernetes itself Dave, should be able to fade into the background some. In many ways it does mirror what happened with Linux. So Linux is just the foundation of everything we have. We would not have the public cloud providers if it wasn't for Linux. I mean, Google, of course you wouldn't have without Linux, Amazon. >> Is on the internet. >> Right, but you might not have a lot of it. So Kubernetes, I think really goes the same way is, it is the foundational layer of what so much of it is built on top of it, and it's not really. So many people think about that portability. Oh, Google's the one that created it, and they wanted to make sure that it was easy if I want to go from the cloud provider that I had to use Kubernetes on Google cloud. And while that is a piece of it, that consistency is more important. And what I can build on top of it, it is really more of a distributed systems challenge that we are solving and that we've been working on in industry now for decades. So that is what we help solve, and what's really nice, containers and Kubernetes, it's less of an abstraction, it's more of new atomic unit of how we build things. So virtualization, I don't know what's underneath, and we spent like a decade fixing the storage networking components underneath so that the LANs matched right, and the network understood what was happening in the virtual machine. The atomic unit of a container, which is what Kubernetes manages is an application or a piece of an application. And therefore that there is less of an abstraction, more of just a rearchitecting of how we build things, and that is part of what is needed, and boy, Dave, the ecosystem, oh my God, yes, we've gone to only three releases a year, but I can tell you our roadmaps are all public on the internet and we talk heavily about them. There is still so many things that just at the basic Kubernetes piece, new architectures, arm devices are now in there, we're now supporting them, Kubernetes can support them too. So there are so many hardware pieces that are coming, so many software devices, the edge, we talked about it a bit, so there's so much that's going on. One of the areas that I love hearing about at the show, we have a community event called OpenShift Comments, which one of the main things of OpenShift Comments, is customers coming to talk about what they've been doing, and not about our products, we're talking about the projects and their journey overall. We've got a at Flenty Show, Airbus and Telefonica, are both going to be talking about what they're doing. We've seen Dave, every industry is going through their digital transformation journey. And it's great to hear straight from them what they're doing, and one of the big pieces in area, we actually spend a bunch of time on that application journey. There's a group of open source projects under what's known as Konveyor, that's conveyor with a K, Konveyor.io. It's modernization in migration. So how do I go from a VM to a container? How do I go from my data center to a cloud? How do I switch between services, open source projects to help with that journey? And, oh my gosh, Dave, I mean, you know in the cloud space, I mean that's what all the SIs and all the consultancies are throwing thousands of people at, is to help us get along that curve of that modernization journey. >> Okay, so let's see May 16th, the week of May 16th is KubeCon in Valencia Spain. theCUBE's going to be there, there was a little bit of a curfuffle on Twitter because the mask mandate was lifted in Spain and people had made plans thinking, okay, it's safe everybody's going to be wearing masks. Well, now I mean, you're going to have to make your own decisions on that front. I mean, you saw that you follow Twitter quite closely, but hey, this is the world we live in. So I'll give you the last word. >> Yeah, we'll see if Twitter still exists by the time we get to that show with. >> Could be private. What happens, but yeah, no, Dave, I'll be participating remotely, it is a hybrid event, so one of the things we'll be watching is, how many people are there in person LA was a pretty small show, core contributors, brought it back to some of the early days that you covered heavily from theCUBE standpoint, how Valencia will be? I know from Red Hat standpoint, we have people there, many of them from Europe, both speaking, we talked about many of the co-located events that are there, so a lot of pieces all participate remotely. So if you stop by the OpenShift commons event, I'll be part of the event just from a hybrid standpoint. And yeah, we've actually got the week before, we've got Red Hat Summit. So it's nice to actually to have back to back weeks. We'd had that a whole bunch of times before I remember, back to back weeks in Boston one year where we had both of those events and everything. That's definitely. >> Connective tissue. >> Keeps us busy there. You've got a whole bunch of travel going on. I'm not doing too much travel just yet, Dave, but it's good to see you and it's great to be connected with community. >> Yeah, so theCUBE will be there. John Furrier is hosting with Keith Townsend. So if you're in Valencia, definitely stop by. Stu thanks so much for coming into theCUBE Studios I appreciate it. >> Thanks, Dave. >> All right, and thank you for watching. We'll see you the week of May 16th in Valencia, Spain. (upbeat music)

from the cube studios in palo alto in boston bringing you data driven insights from the cube and etr this is breaking analysis with dave vellante data mesh is a new way of thinking about how to use data to create organizational value leading edge practitioners are beginning to implement data mesh in earnest and importantly data mesh is not a single tool or a rigid reference architecture if you will rather it's an architectural and organizational model that's really designed to address the shortcomings of decades of data challenges and failures many of which we've talked about on the cube as important by the way it's a new way to think about how to leverage data at scale across an organization and across ecosystems data mesh in our view will become the defining paradigm for the next generation of data excellence hello and welcome to this week's wikibon cube insights powered by etr in this breaking analysis we welcome the founder and creator of data mesh author thought leader technologist jamaak dagani shamak thank you for joining us today good to see you hi dave it's great to be here all right real quick let's talk about what we're going to cover i'll introduce or reintroduce you to jamaac she joined us earlier this year in our cube on cloud program she's the director of emerging tech at dot works north america and a thought leader practitioner software engineer architect and a passionate advocate for decentralized technology solutions and and data architectures and jamaa since we last had you on as a guest which was less than a year ago i think you've written two books in your spare time one on data mesh and another called software architecture the hard parts both published by o'reilly so how are you you've been busy i've been busy yes um good it's been a great year it's been a busy year i'm looking forward to the end of the year and the end of these two books but it's great to be back and um speaking with you well you got to be pleased with the the momentum that data mesh has and let's just jump back to the agenda for a bit and get that out of the way we're going to set the stage by sharing some etr data our partner our data partner on the spending profile and some of the key data sectors and then we're going to review the four key principles of data mesh just it's always worthwhile to sort of set that framework we'll talk a little bit about some of the dependencies and the data flows and we're really going to dig today into principle number three and a bit around the self-service data platforms and to that end we're going to talk about some of the learnings that shamak has captured since she embarked on the datamess journey with her colleagues and her clients and we specifically want to talk about some of the successful models for building the data mesh experience and then we're going to hit on some practical advice and we'll wrap with some thought exercises maybe a little tongue-in-cheek some of the community questions that we get so the first thing i want to do we'll just get this out of the way is introduce the spending climate we use this xy chart to do this we do this all the time it shows the spending profiles and the etr data set for some of the more data related sectors of the ecr etr taxonomy they they dropped their october data last friday so i'm using the july survey here we'll get into the october survey in future weeks but about 1500 respondents i don't see a dramatic change coming in the october survey but the the y-axis is net score or spending momentum the horizontal axis is market share or presence in the data set and that red line that 40 percent anything over that we consider elevated so for the past eight quarters or so we've seen machine learning slash ai rpa containers and cloud is the four areas where cios and technology buyers have shown the highest net scores and as we've said what's so impressive for cloud is it's both pervasive and it shows high velocity from a spending standpoint and we plotted the three other data related areas database edw analytics bi and big data and storage the first two well under the red line are still elevated the storage market continues to kind of plot along and we've we've plotted the outsourced it just to balance it out for context that's an area that's not so hot right now so i just want to point out that these areas ai automation containers and cloud they're all relevant to data and they're fundamental building blocks of data architectures as are the two that are directly related to data database and analytics and of course storage so it just gives you a picture of the spending sector so i wanted to share this slide jamark uh that that we presented in that you presented in your webinar i love this it's a taxonomy put together by matt turk who's a vc and he called this the the mad landscape machine learning and ai and data and jamock the key point here is there's no lack of tooling you've you've made the the data mesh concept sort of tools agnostic it's not like we need more tools to succeed in data mesh right absolutely great i think we have plenty of tools i think what's missing is a meta architecture that defines the landscape in a way that it's in step with organizational growth and then defines that meta architecture in a way that these tools can actually interoperable and to operate and integrate really well like the the clients right now have a lot of challenges in terms of picking the right tool regardless of the technology they go down the path either they have to go in and big you know bite into a big data solution and then try to fit the other integrated solutions around it or as you see go to that menu of large list of applications and spend a lot of time trying to kind of integrate and stitch this tooling together so i'm hoping that data mesh creates that kind of meta architecture for tools to interoperate and plug in and i think our conversation today around self-subjective platform um hopefully eliminate that yeah we'll definitely circle back because that's one of the questions we get all the time from the community okay let's review the four main principles of data mesh for those who might not be familiar with it and those who are it's worth reviewing jamar allow me to introduce them and then we can discuss a bit so a big frustration i hear constantly from practitioners is that the data teams don't have domain context the data team is separated from the lines of business and as a result they have to constantly context switch and as such there's a lack of alignment so principle number one is focused on putting end-to-end data ownership in the hands of the domain or what i would call the business lines the second principle is data as a product which does cause people's brains to hurt sometimes but it's a key component and if you start sort of thinking about it you'll and talking to people who have done it it actually makes a lot of sense and this leads to principle number three which is a self-serve data infrastructure which we're going to drill into quite a bit today and then the question we always get is when we introduce data meshes how to enforce governance in a federated model so let me bring up a more detailed slide jamar with the dependencies and ask you to comment please sure but as you said the the really the root cause we're trying to address is the siloing of the data external to where the action happens where the data gets produced where the data needs to be shared when the data gets used right in the context of the business so it's about the the really the root cause of the centralization gets addressed by distribution of the accountability end to end back to the domains and these domains this distribution of accountability technical accountability to the domains have already happened in the last you know decade or so we saw the transition from you know one general i.t addressing all of the needs of the organization to technology groups within the itu or even outside of the iit aligning themselves to build applications and services that the different business units need so what data mesh does it just extends that model and say okay we're aligning business with the tech and data now right so both application of the data in ml or inside generation in the domains related to the domain's needs as well as sharing the data that the domains are generating with the rest of the organization but the moment you do that then you have to solve other problems that may arise and that you know gives birth to the second principle which is about um data as a product as a way of preventing data siloing happening within the domain so changing the focus of the domains that are now producing data from i'm just going to create that data i collect for myself and that satisfy my needs to in fact the responsibility of domain is to share the data as a product with all of the you know wonderful characteristics that a product has and i think that leads to really interesting architectural and technical implications of what actually constitutes state has a product and we can have a separate conversation but once you do that then that's the point in the conversation that cio says well how do i even manage the cost of operation if i decentralize you know building and sharing data to my technical teams to my application teams do i need to go and hire another hundred data engineers and i think that's the role of a self-serve data platform in a way that it enables and empowers generalist technologies that we already have in the technical domains the the majority population of our developers these days right so the data platform attempts to mobilize the generalist technologies to become data producers to become data consumers and really rethink what tools these people need um and the last last principle so data platform is really to giving autonomy to domain teams and empowering them and reducing the cost of ownership of the data products and finally as you mentioned the question around how do i still assure that these different data products are interoperable are secure you know respecting privacy now in a decentralized fashion right when we are respecting the sovereignty or the domain ownership of um each domain and that leads to uh this idea of both from operational model um you know applying some sort of a federation where the domain owners are accountable for interoperability of their data product they have incentives that are aligned with global harmony of the data mesh as well as from the technology perspective thinking about this data is a product with a new lens with a lens that all of those policies that need to be respected by these data products such as privacy such as confidentiality can we encode these policies as computational executable units and encode them in every data product so that um we get automation we get governance through automation so that's uh those that's the relationship the complex relationship between the four principles yeah thank you for that i mean it's just a couple of points there's so many important points in there but the idea of the silos and the data as a product sort of breaking down those cells because if you have a product and you want to sell more of it you make it discoverable and you know as a p l manager you put it out there you want to share it as opposed to hide it and then you know this idea of managing the cost you know number three where people say well centralize and and you can be more efficient but that but that essentially was the the failure in your other point related point is generalist versus specialist that's kind of one of the failures of hadoop was you had these hyper specialist roles emerge and and so you couldn't scale and so let's talk about the goals of data mesh for a moment you've said that the objective is to extend exchange you call it a new unit of value between data producers and data consumers and that unit of value is a data product and you've stated that a goal is to lower the cognitive load on our brains i love this and simplify the way in which data are presented to both producers and consumers and doing so in a self-serve manner that eliminates the tapping on the shoulders or emails or raising tickets so how you know i'm trying to understand how data should be used etc so please explain why this is so important and how you've seen organizations reduce the friction across the data flows and the interconnectedness of things like data products across the company yeah i mean this is important um as you mentioned you know initially when this whole idea of a data-driven innovation came to exist and we needed all sorts of you know technology stacks we we centralized um creation of the data and usage of the data and that's okay when you first get started with where the expertise and knowledge is not yet diffused and it's only you know the privilege of a very few people in the organization but as we move to a data driven um you know innovation cycle in the organization as we learn how data can unlock new new programs new models of experience new products then it's really really important as you mentioned to get the consumers and producers talk to each other directly without a broker in the middle because even though that having that centralized broker could be a cost-effective model but if you if we include uh the cost of missed opportunity for something that we could have innovated well we missed that opportunity because of months of looking for the right data then that cost parented the cost benefit parameters and formula changes so um so to to have that innovation um really embedded data-driven innovation embedded into every domain every team we need to enable a model where the producer can directly peer-to-peer discover the data uh use it understand it and use it so the litmus test for that would be going from you know a hypothesis that you know as a data scientist i think there is a pattern and there is an insight in um you know in in the customer behavior that if i have access to all of the different informations about the customer all of the different touch points i might be able to discover that pattern and personalize the experience of my customer the liquid stuff is going from that hypothesis to finding all of the different sources be able to understanding and be able to connect them um and then turn them them into you know training of my machine learning and and the rest is i guess known as an intelligent product got it thank you so i i you know a lot of what we do here in breaking it house is we try to curate and then point people to new resources so we will have some additional resources because this this is not superficial uh what you and your colleagues in the community are creating but but so i do want to you know curate some of the other material that you had so if i bring up this next chart the left-hand side is a curated description both sides of your observations of most of the monolithic data platforms they're optimized for control they serve a centralized team that has hyper-specialized roles as we talked about the operational stacks are running running enterprise software they're on kubernetes and the microservices are isolated from let's say the spark clusters you know which are managing the analytical data etc whereas the data mesh proposes much greater autonomy and the management of code and data pipelines and policy as independent entities versus a single unit and you've made this the point that we have to enable generalists to borrow from so many other examples in the in the industry so it's an architecture based on decentralized thinking that can really be applied to any domain really domain agnostic in a way yes and i think if i pick one key point from that diagram is really um or that comparison is the um the the the data platforms or the the platform capabilities need to present a continuous experience from an application developer building an application that generates some data let's say i have an e-commerce application that generates some data to the data product that now presents and shares that data as as temporal immutable facts that can be used for analytics to the data scientist that uses that data to personalize the experience to the deployment of that ml model now back to that e-commerce application so if we really look at this continuous journey um the walls between these separate platforms that we have built needs to come down the platforms underneath that generate you know that support the operational systems versus supported data platforms versus supporting the ml models they need to kind of play really nicely together because as a user i'll probably fall off the cliff every time i go through these stages of this value stream um so then the interoperability of our data solutions and operational solutions need to increase drastically because so far we've got away with running operational systems an application on one end of the organization running and data analytics in another and build a spaghetti pipeline to you know connect them together neither of the ends are happy i hear from data scientists you know data analyst pointing finger at the application developer saying you're not developing your database the right way and application point dipping you're saying my database is for running my application it wasn't designed for sharing analytical data so so we've got to really what data mesh as a mesh tries to do is bring these two world together closer because and then the platform itself has to come closer and turn into a continuous set of you know services and capabilities as opposed to this disjointed big you know isolated stacks very powerful observations there so we want to dig a little bit deeper into the platform uh jamar can have you explain your thinking here because it's everybody always goes to the platform what do i do with the infrastructure what do i do so you've stressed the importance of interfaces the entries to and the exits from the platform and you've said you use a particular parlance to describe it and and this chart kind of shows what you call the planes not layers the planes of the platform it's complicated with a lot of connection points so please explain these planes and how they fit together sure i mean there was a really good point that you started with that um when we think about capabilities or that enables build of application builds of our data products build their analytical solutions usually we jump too quickly to the deep end of the actual implementation of these technologies right do i need to go buy a data catalog or do i need you know some sort of a warehouse storage and what i'm trying to kind of elevate us up and out is to to to force us to think about interfaces and apis the experiences that the platform needs to provide to run this secure safe trustworthy you know performance mesh of data products and if you focus on then the interfaces the implementation underneath can swap out right you can you can swap one for the other over time so that's the purpose of like having those lollipops and focusing and emphasizing okay what is the interface that provides a certain capability like the storage like the data product life cycle management and so on the purpose of the planes the mesh experience playing data product expense utility plan is really giving us a language to classify different set of interfaces and capabilities that play nicely together to provide that cohesive journey of a data product developer data consumer so then the three planes are really around okay at the bottom layer we have a lot of utilities we have that mad mac turks you know kind of mad data tooling chart so we have a lot of utilities right now they they manage workflow management you know they they do um data processing you've got your spark link you've got your storage you've got your lake storage you've got your um time series of storage you've got a lot of tooling at that level but the layer that we kind of need to imagine and build today we don't buy yet as as long as i know is this linger that allows us to uh exchange that um unit of value right to build and manage these data products so so the language and the apis and interface of this product data product experience plan is not oh i need this storage or i need that you know workflow processing is that i have a data product it needs to deliver certain types of data so i need to be able to model my data it needs to as part of this data product i need to write some processing code that keeps this data constantly alive because it's receiving you know upstream let's say user interactions with a website and generating the profile of my user so i need to be able to to write that i need to serve the data i need to keep the data alive and i need to provide a set of slos and guarantees for my data so that good documentation so that some you know someone who comes to data product knows but what's the cadence of refresh what's the retention of the data and a lot of other slos that i need to provide and finally i need to be able to enforce and guarantee certain policies in terms of access control privacy encryption and so on so as a data product developer i just work with this unit a complete autonomous self-contained unit um and the platform should give me ways of provisioning this unit and testing this unit and so on that's why kind of i emphasize on the experience and of course we're not dealing with one or two data product we're dealing with a mesh of data products so at the kind of mesh level experience we need a set of capabilities and interfaces to be able to search the mesh for the right data to be able to explore the knowledge graph that emerges from this interconnection of data products need to be able to observe the mesh for any anomalies did we create one of these giant master data products that all the data goes into and all the data comes out of how we found ourselves the bottlenecks to be able to kind of do those level machine level capabilities we need to have a certain level of apis and interfaces and once we decide and decide what constitutes that to satisfy this mesh experience then we can step back and say okay now what sort of a tool do i need to build or buy to satisfy them and that's that is not what the data community or data part of our organizations used to i think traditionally we're very comfortable with buying a tool and then changing the way we work to serve to serve the tool and this is slightly inverse to that model that we might be comfortable with right and pragmatists will will to tell you people who've implemented data match they'll tell you they spent a lot of time on figuring out data as a product and the definitions there the organizational the getting getting domain experts to actually own the data and and that's and and they will tell you look the technology will come and go and so to your point if you have those lollipops and those interfaces you'll be able to evolve because we know one thing's for sure in this business technology is going to change um so you you had some practical advice um and i wanted to discuss that for those that are thinking about data mesh i scraped this slide from your presentation that you made and and by the way we'll put links in there your colleague emily who i believe is a data scientist had some really great points there as well that that practitioners should dig into but you made a couple of points that i'd like you to summarize and to me that you know the big takeaway was it's not a one and done this is not a 60-day project it's a it's a journey and i know that's kind of cliche but it's so very true here yes um this was a few starting points for um people who are embarking on building or buying the platform that enables the people enables the mesh creation so it was it was a bit of a focus on kind of the platform angle and i think the first one is what we just discussed you know instead of thinking about mechanisms that you're building think about the experiences that you're enabling uh identify who are the people like what are the what is the persona of data scientists i mean data scientist has a wide range of personas or did a product developer the same what is the persona i need to develop today or enable empower today what skill sets do they have and and so think about experience as mechanisms i think we are at this really magical point i mean how many times in our lifetime we come across a complete blanks you know kind of white space to a degree to innovate so so let's take that opportunity and use a bit of a creativity while being pragmatic of course we need solutions today or yesterday but but still think about the experiences not not mechanisms that you need to buy so that was kind of the first step and and the nice thing about that is that there is an evolutionary there is an iterative path to maturity of your data mesh i mean if you start with thinking about okay which are the initial use cases i need to enable what are the data products that those use cases depend on that we need to unlock and what is the persona of my or general skill set of my data product developer what are the interfaces i need to enable you can start with the simplest possible platform for your first two use cases and then think about okay the next set of data you know data developers they have a different set of needs maybe today i just enable the sql-like querying of the data tomorrow i enable the data scientists file based access of the data the day after i enable the streaming aspect so so have this evolutionary kind of path ahead of you and don't think that you have to start with building out everything i mean one of the things we've done is taking this harvesting approach that we work collaboratively with those technical cross-functional domains that are building the data products and see how they are using those utilities and harvesting what they are building as the solutions for themselves back into the back into the platform but at the end of the day we have to think about mobilization of the large you know largest population of technologies we have we'd have to think about diffusing the technology and making it available and accessible by the generous technologies that you know and we've come a long way like we've we've gone through these sort of paradigm shifts in terms of mobile development in terms of functional programming in terms of cloud operation it's not that we are we're struggling with learning something new but we have to learn something that works nicely with the rest of the tooling that we have in our you know toolbox right now so so again put that generalist as the uh as one of your center personas not the only person of course we will have specialists of course we will always have data scientists specialists but any problem that can be solved as a general kind of engineering problem and i think there's a lot of aspects of data michigan that can be just a simple engineering problem um let's just approach it that way and then create the tooling um to empower those journalists great thank you so listen i've i've been around a long time and so as an analyst i've seen many waves and we we often say language matters um and so i mean i've seen it with the mainframe language it was different than the pc language it's different than internet different than cloud different than big data et cetera et cetera and so we have to evolve our language and so i was going to throw a couple things out here i often say data is not the new oil because because data doesn't live by the laws of scarcity we're not running out of data but i get the analogy it's powerful it powered the industrial economy but it's it's it's bigger than that what do you what do you feel what do you think when you hear the data is the new oil yeah i don't respond to those data as the gold or oil or whatever scarce resource because as you said it evokes a very different emotion it doesn't evoke the emotion of i want to use this i want to utilize it feels like i need to kind of hide it and collect it and keep it to myself and not share it with anyone it doesn't evoke that emotion of sharing i really do think that data and i with it with a little asterisk and i think the definition of data changes and that's why i keep using the language of data product or data quantum data becomes the um the most important essential element of existence of uh computation what do i mean by that i mean that you know a lot of applications that we have written so far are based on logic imperative logic if this happens do that and else do the other and we're moving to a world where those applications generating data that we then look at and and the data that's generated becomes the source the patterns that we can exploit to build our applications as in you know um curate the weekly playlist for dave every monday based on what he has listened to and the you know other people has listened to based on his you know profile so so we're moving to the world that is not so much about applications using the data necessarily to run their businesses that data is really truly is the foundational building block for the applications of the future and then i think in that we need to rethink the definition of the data and maybe that's for a different conversation but that's that's i really think we have to converge the the processing that the data together the substance substance and the processing together to have a unit that is uh composable reusable trustworthy and that's that's the idea behind the kind of data product as an atomic unit of um what we build from future solutions got it now something else that that i heard you say or read that really struck me because it's another sort of often stated phrase which is data is you know our most valuable asset and and you push back a little bit on that um when you hear people call data and asset people people said often have said they think data should be or will eventually be listed as an asset on the balance sheet and i i in hearing what you said i thought about that i said well you know maybe data as a product that's an income statement thing that's generating revenue or it's cutting costs it's not necessarily because i don't share my my assets with people i don't make them discoverable add some color to this discussion i think so i think it's it's actually interesting you mentioned that because i read the new policy in china that cfos actually have a line item around the data that they capture we don't have to go to the political conversation around authoritarian of um collecting data and the power that that creates and the society that leads to but that aside that big conversation little conversation aside i think you're right i mean the data as an asset generates a different behavior it's um it creates different performance metrics that we would measure i mean before conversation around data mesh came to you know kind of exist we were measuring the success of our data teams by the terabytes of data they were collecting by the thousands of tables that they had you know stamped as golden data none of that leads to necessarily there's no direct line i can see between that and actually the value that data generated but if we invert that so that's why i think it's rather harmful because it leads to the wrong measures metrics to measure for success so if you invert that to a bit of a product thinking or something that you share to delight the experience of users your measures are very different your measures are the the happiness of the user they decrease lead time for them to actually use and get value out of it they're um you know the growth of the population of the users so it evokes a very different uh kind of behavior and success metrics i do say if if i may that i probably come back and regret the choice of word around product one day because of the monetization aspect of it but maybe there is a better word to use but but that's the best i think we can use at this point in time why do you say that jamar because it's too directly related to monetization that has a negative connotation or it might might not apply in things like healthcare or you know i think because if we want to take your shortcuts and i remember this conversation years back that people think that the reason to you know kind of collect data or have data so that we can sell it you know it's just the monetization of the data and we have this idea of the data market places and so on and i think that is actually the least valuable um you know outcome that we can get from thinking about data as a product that direct cell an exchange of data as a monetary you know exchange of value so so i think that might redirect our attention to something that really matters which is um enabling using data for generating ultimately value for people for the customers for the organizations for the partners as opposed to thinking about it as a unit of exchange for for money i love data as a product i think you were your instinct was was right on and i think i'm glad you brought that up because because i think people misunderstood you know in the last decade data as selling data directly but you really what you're talking about is using data as a you know ingredient to actually build a product that has value and value either generate revenue cut costs or help with a mission like it could be saving lives but in some way for a commercial company it's about the bottom line and that's just the way it is so i i love data as a product i think it's going to stick so one of the other things that struck me in one of your webinars was one of the q a one of the questions was can i finally get rid of my data warehouse so i want to talk about the data warehouse the data lake jpmc used that term the data lake which some people don't like i know john furrier my business partner doesn't like that term but the data hub and one of the things i've learned from sort of observing your work is that whether it's a data lake a data warehouse data hub data whatever it's it should be a discoverable node on the mesh it really doesn't matter the the technology what are your your thoughts on that yeah i think the the really shift is from a centralized data warehouse to data warehouse where it fits so i think if you just cross that centralized piece uh we are all in agreement that data warehousing provides you know interesting and capable interesting capabilities that are still required perhaps as a edge node of the mesh that is optimizing for certain queries let's say financial reporting and we still want to direct a fair bit of data into a node that is just for those financial reportings and it requires the precision and the um you know the speed of um operation that the warehouse technology provides so i think um definitely that technology has a place where it falls apart is when you want to have a warehouse to rule you know all of your data and model canonically model your data because um it you have to put so much energy into you know kind of try to harness this model and create this very complex the complex and fragile snowflake schemas and so on that that's all you do you spend energy against the entropy of your organization to try to get your arms around this model and the model is constantly out of step with what's happening in reality because reality the model the reality of the business is moving faster than our ability to model everything into into uh into one you know canonical representation i think that's the one we need to you know challenge not necessarily application of data warehousing on a node i want to close by coming back to the issues of standards um you've specifically envisioned data mesh to be technology agnostic as i said before and of course everyone myself included we're going to run a vendor's technology platform through a data mesh filter the reality is per the matt turc chart we showed earlier there are lots of technologies that that can be nodes within the data mesh or facilitate data sharing or governance etc but there's clearly a lack of standardization i'm sometimes skeptical that the vendor community will drive this but maybe like you know kubernetes you know google or some other internet giant is going to contribute something to open source that addresses this problem but talk a little bit more about your thoughts on standardization what kinds of standards are needed and where do you think they'll come from sure i mean the you write that the vendors are not today incentivized to create those open standards because majority of the vet not all of them but some vendors operational model is about bring your data to my platform and then bring your computation to me uh and all will be great and and that will be great for a portion of the clients and portion of environments where that complexity we're talking about doesn't exist so so we need yes other players perhaps maybe um some of the cloud providers or people that are more incentivized to open um open their platform in a way for data sharing so as a starting point i think standardization around data sharing so if you look at the spectrum right now we have um a de facto sound it's not even a standard for something like sql i mean everybody's bastardized to call and extended it with so many things that i don't even know what this standard sql is anymore but we have that for some form of a querying but beyond that i know for example folks at databricks to start to create some standards around delta sharing and sharing the data in different models so i think data sharing as a concept the same way that apis were about capability sharing so we need to have the data apis or analytical data apis and data sharing extended to go beyond simply sql or languages like that i think we need standards around computational prior policies so this is again something that is formulating in the operational world we have a few standards around how do you articulate access control how do you identify the agents who are trying to access with different authentication mechanism we need to bring some of those our ad our own you know our data specific um articulation of policies uh some something as simple as uh identity management across different technologies it's non-existent so if you want to secure your data across three different technologies there is no common way of saying who's the agent that is acting uh to act to to access the data can i authenticate and authorize them so so those are some of the very basic building blocks and then the gravy on top would be new standards around enriched kind of semantic modeling of the data so we have a common language to describe the semantic of the data in different nodes and then relationship between them we have prior work with rdf and folks that were focused on i guess linking data across the web with the um kind of the data web i guess work that we had in the past we need to revisit those and see their practicality in the enterprise con context so so data modeling a rich language for data semantic modeling and data connectivity most importantly i think those are some of the items on my wish list that's good well we'll do our part to try to keep the standards you know push that push that uh uh movement jamaica we're going to leave it there i'm so grateful to have you uh come on to the cube really appreciate your time it's just always a pleasure you're such a clear thinker so thanks again thank you dave that's it's wonderful to be here now we're going to post a number of links to some of the great work that jamark and her team and her books and so you check that out because we remember we publish each week on siliconangle.com and wikibon.com and these episodes are all available as podcasts wherever you listen listen to just search breaking analysis podcast don't forget to check out etr.plus for all the survey data do keep in touch i'm at d vallante follow jamac d z h a m a k d or you can email me at david.velante at siliconangle.com comment on the linkedin post this is dave vellante for the cube insights powered by etrbwell and we'll see you next time you

>> Narrator: From around the globe, It's theCUBE! Covering Fortinet Security Summit, brought to you by Fortinet. >> And welcome to the cube coverage here at the PGA champion-- Fortinet championship, where we're going to be here for Napa valley coverage of Fortinet's, the championships security summit, going on Fortinet, sponsoring the PGA, but a great guest Merritt Baer, who's the principal in the office of the CISO at Amazon web services. Great to see you. Thanks for coming on. >> Merritt: Thank you for having me. It's good to be here. >> So Fortinet, uh, big brand now, sponsoring the PGA. Pretty impressive that they're getting out there with the golf. It's very enterprise focused, a lot of action. A lot of customers here. >> Merritt: It seems like it, for sure. >> Bold move. Amazon, Amazon web services has become the gold standard in terms of cloud computing, seeing DevOps people refactoring. You've seen the rise of companies like Snowflake building on Amazon. People are moving not only to the cloud, but they're refactoring their business and security is top of mind for everyone. And obviously cybersecurity threats that Fortinet helps cover, you guys are partnering with them, is huge. What is your state of the union for cyber? What's the current situation with the threat landscape? Obviously there's no perimeter in the cloud. More end points are coming on board. The Edge is here. 5G, wavelength with outpost, a lot happening. >> That was a long question, but I'll, I'll try. So I think, you know, as always business in innovation is the driver. And security needs to be woven into that. And so I think increasingly we're seeing security not be a no shop, but be an enabler. And especially in cloud, when we're talking about the way that you do DevOps with security, I know folks don't like the term DevSecOps, but you know, to be able to do agile methodology and be able to do the short sprints that are really agile and, and innovative where you can-- So instead of nine months or whatever, nine week timelines, we're talking about short sprints that allow you to elastically scale up and down and be able to innovate really creatively. And to do that, you need to weave in your security because there's no like, okay, you pass go, you collect $200. Security is not an after the fact. So I think as part of that, of course the perimeter is dead, long live the perimeter, right? It does matter. And we can talk about that a little bit. You know, the term zero trust is really hot right now. We can dig into that if that's of interest. But I think part of this is just the business is kind of growing up. And as you alluded to we're at the start of what I think is an S curve that is just at the beginning. >> You know, I was really looking forward to Reinforced this year. It was got canceled last year, but the first inaugural event was in Boston. I remember covering that. This year it was virtual, but the keynote Steven gave was interesting, security hubs at the center of it. And I want to ask you, because I need you to share your view on how security's changed with the cloud, because there's now new things that are there to take advantage of if you're a business or an enterprise, yeah on premises, there's a standard operating procedure. You have the perimeter, et cetera. That's not there anymore, but with the cloud, there's a new, there's new ways to protect and security hub is one. What are some of the new things that cloud enables for security? >> Well, so just to clarify, like perimeters exist logically just like they do physically. So, you know, a VPC for example, would be a logical perimeter and that is very relevant, or a VPN. Now we're talking about a lot of remote work during COVID, for example. But one of the things that I think folks are really interested with Security Hub is just having that broad visibility and one of the beauties of cloud is that, you get this tactile sense of your estate and you can reason about it. So for example, when you're looking at identity and access management, you can look at something like access analyzer that will under the hood be running on a tool that our, our group came up with that is like reasoning about the permissions, because you're talking about software layers, you're talking about computer layer reasoning about security. And so another example is in inspector. We have a tool that will tell you without sending a single packet over the network, what your network reach ability is. There's just like this ability to do infrastructure as code that then allows you to do security as code. And then that allows for ephemeral and immutable infrastructures so that you could, for example, get back to a known good state. That being said, you know, you kill a, your web server gets popped and you kill it and you spin up a new one. You haven't solved your problem, right? You need to have some kind of awareness of networking and how principals work. But at the same time, there's a lot of beauties about cloud that you inherit from a security perspective to be able to work in those top layers. And that's of course the premise of cloud. >> Yeah, infrastructure as code, you mentioned that, it's awesome. And the program ability of it with, with server-less functions, you're starting to see new ways now to spin up resources. How is that changing the paradigm and creating opportunities for better security? Is it, is it more microservices? Is it, is, are there new things that people can do differently now that they didn't have a year ago or two years ago? Because you're starting to see things like server-less functions are very popular. >> So yes, and yes, I think that it is augmenting the way that we're doing business, but it's especially augmenting the way we do security in terms of automation. So server-less, under the hood, whether it's CloudWatch events or config rules, they are all a Lambda function. So that's the same thing that powers your Alexa at home. These are server-less functions and they're really simple. You can program them, you can find them on GitHub, but they are-- one way to really scale your enterprise is to have a lot of automation in place so that you put those decisions in ahead of time. So your gray area of human decision making is scaled down. So you've got, you know, what you know to be allowable, what you know to be not allowable. And then you increasingly kind of whittled down that center into things that really are novel, truly novel or high stakes or both. But the focus on automation is a little bit of a trope for us. We at Amazon like to talk about mechanisms, good intentions are not enough. If it's not someone's job, it's a hope and hope is not a plan, you know, but creating the actual, you know, computerized version of making it be done iteratively. And I think that is the key to scaling a security chain because as we all know, things can't be manual for long, or you won't be able to grow. >> I love the AWS reference. Mechanisms, one way doors, raising the bar. These are all kind of internal Amazon, but I got to ask you about the Edge. Okay. There's a lot of action going on with 5G and wavelength. Okay, and what's interesting is if the Edge becomes so much more robust, how do you guys see that security from a security posture standpoint? What should people be thinking about? Because certainly it's just a distributed Edge point. What's the security posture, How should we be thinking about Edge? >> You know, Edge is a kind of catch all, right, we're talking about Internet of Things. We're talking about points of contact. And a lot of times I think we focus so much on the confidentiality and integrity, but the availability is hugely important when we're talking about security. So one of the things that excites me is that we have so many points of contact and so many availability points at the Edge that actually, so for example, in DynamoDB, the more times you put a call on it, the more available it is because it's fresher, you've already been refreshing it, there are so many elements of this, and our core compute platform, EC2, all runs on Nitro, which is our, our custom hardware. And it's really fascinating, the availability benefits there. Like the best patching is a patching you don't have to do. And there are so many elements that are just so core to that Greengrass, you know, which is running on FreeRTOS, which has an open source software, for example, is, you know, one element of zero trust in play. And there are so many ways that we can talk about this in different incarnations. And of course that speaks to like the breadth and depth of the industries that use cloud. We're talking about automotive, we're talking about manufacturing and agriculture, and there are so many interesting use cases for the ways that we will use IOT. >> Yeah. It's interesting, you mentioned Nitro. we also got Annapurna acquisition years ago. You got latency at the Edge. You can handle low latency, high volume compute with the data. That's pretty powerful. It's a paradigm shift. That's a new dynamic. It's pretty compelling, these new architectures, most people are scratching their heads going, "okay, how do I do this, like what do I do?" >> No, you're right. So it is a security inheritance that we are extremely calculated about our hardware supply chain. And we build our own custom hardware. We build our own custom Silicon. Like, this is not a question. And you're right in that one of the things, one of the north stars that we have is that the security properties of our engineering infrastructure are built in. So there just is no button for it to be insecure. You know, like that is deliberate. And there are elements of the ways that nature works from it running, you know, with zero downtime, being able to be patched running. There are so many elements of it that are inherently security benefits that folks inherit as a product. >> Right. Well, we're here at the security summit. What are you excited for today? What's the conversations you're having here at the Fortinet security summit. >> Well, it's awesome to just meet folks and connect outside. It's beautiful outside today. I'm going to be giving a talk on securing the cloud journey and kind of that growth and moving to infrastructure as code and security as code. I'm excited about the opportunity to learn a little bit more about how folks are managing their hybrid environments, because of course, you know, I think sometimes folks perceive AWS as being like this city on a hill where we get it all right. We struggle with the same things. We empathize with the same security work. And we work on that, you know, as a principal in the office of the CISO, I spend a lot of my time on how we do security and then a lot of my time talking to customers and that empathy back and forth is really crucial. >> Yeah. And you've got to be on the bleeding edge and have the empathy. I can't help but notice your AWS crypto shirt. Tell me about the crypto, what's going on there. NFT's coming out, is there a S3 bucket at NFT now, I mean. (both laughing) >> Cryptography never goes out of style. >> I know, I'm just, I couldn't help-- We'll go back to the pyramids on that one. Yeah, no, this is not a, an advertisement for cryptocurrency. It is, I'm a fangirl of the AWS crypto team. And as a result of wearing their shirts, occasionally they send me more shirts. And I can't argue with that. >> Well, love, love, love the crypto. I'm big fan of crypto, I think crypto is awesome. Defi is amazing. New applications are going to come out. We think it's going to be pretty compelling, again, let's get today right. (laughing) >> Well, I don't think it's about like, so cryptocurrency is just like one small iteration of what we're really talking about, which is the idea that math resolves, and the idea that you can have value in your resolution that the math should resolve. And I think that is a fundamental principle and end-to-end encryption, I believe is a universal human right. >> Merritt, thank you for coming on the cube. Great, great to have you on. Thanks for sharing that awesome insight. Thanks for coming on. >> Merritt: Thank you. >> Appreciate it. Okay. CUBE coverage here in Napa valley, our remote set for Fortinet's security cybersecurity summit here as part of their PGA golf Pro-Am tournament happening here in Napa valley. I'm John Furrier. Thanks for watching.

>>Welcome back to the cubes coverage of dr khan 2021. I'm john for your host of the cube. We're here with Amanda Silver, corporate vice president, product developer division at Microsoft. Amanda, Great to see you you were on last year, Dr khan. Great to see you again a full year later were remote. Thanks for coming on. I know you're super busy with build happening this week as well. Thanks for making the time to come on the cube for Dr khan. >>Thank you so much for having me. Yeah, I'm joining you like many developers around the globe from my personal home office, >>developers really didn't skip a beat during the pandemic and again, it was not a good situation but developers, as you talked about last year on the front lines, first responders to creating value quite frankly, looking back you were pretty accurate in your prediction, developers did have an impact this year. They did create the kind of change that really changed the game for people's lives, whether it was developing solutions from a medical standpoint or even keeping systems running from call centres to making sure people got their their their goods or services and checks and and and kept sanity together. So. >>Yeah absolutely. I mean I think I think developers you know get the M. V. P. Award for this year because you know at the end of the day they are the digital first responders to the first responders and the pivot that we've had to make over the past year in terms of supporting remote telehealth, supporting you know online retail, curbside pickup. All of these things were done through developers being the ones pushing the way forward remote learning. You know my kids are learning at home right behind me right now so you might hear them during the interview that's happening because developers made that happen. >>I don't think mom please stop hogging the band with, they've got a gigabit. Stop it. Don't be streaming. My kids are all game anyway, Hey, great to have you on and you have to get the great keynote, exciting to see you guys continue the collaboration with Docker uh with GIT hub and Microsoft, A great combination, it's a 123 power punch of value. You guys are really kind of killing it. We heard from scott and dan has been on the cube. What's your thoughts on the partnership with the developer division team at Microsoft with Doctor, What's it all about this year? What's the next level? >>Well, I mean, I think, I think what's really awesome about this partnership is that we all have, we all are basically sharing a common mission. What we want to do is make sure that we're empowering developers, that we're focused on their productivity and that we're delivering value to them so they can do their job better so that they can help others. So that's really kind of what drives us day in and day out. So what we focus on is developer productivity. And I think that's a lot of what dana was talking about in her session, the developer division. Specifically, we really try to make sure that we're improving the state of the art from modern developers. So we want to make sure that every keystroke that they take, every mouse move that they make, it sounds like a song but every every one of those matter because we want to make sure that every developers writing the code that only they can write and in terms of the partnership and how that's going. You know my team and the darker team have been collaborating a ton on things like dr desktop and the Doctor Cli tool integrations. And one of the things that we do is we think about pain points and various workflows. We want to make sure that we're shaving off the edges of all of the user experience is the developers have to go through to piece all of these applications together. So one of the big pain points that we have heard from developers is that signing into the Azure cloud and especially our sovereign clouds was challenging. So we contributed back to uh back to doctor to actually make it easier to sign into these clouds. And so dr developers can now use dr desktop and the Doctor Cli to actually change the doctor context so that its Azure. So that makes it a lot easier to connect the other. Oh, sorry, go ahead. No, I was just >>going to say, I love the reference of the police song. Every breath you take, every >>mouth moving. Great, >>great line there. Uh, but I want to ask you while you're on this modern cloud um, discussion, what is I mean we have a lot of developers here at dr khan. As you know, you guys know developers in your ecosystem in core competency. From Microsoft, Kublai khan is a very operator like focus developed. This is a developer conference. You guys have build, what is the state of the art for a modern cloud developer? Could you just share your thoughts because this comes up a lot. You know, what's through the art? What's next jan new guard guard? It's his legacy. What is the state of the art for a modern cloud developer? >>Fantastic question. And extraordinarily relevant to this particular conference. You know what I think about often times it's really what is the inner loop and the outer loop look like in terms of cycle times? Because at the end of the day, what matters is the time that it takes for you to make that code change, to be able to see it in your test environment and to be able to deploy it to production and have the confidence that it's delivering the feature set that you need it to. And it's, you know, it's secure, it's reliable, it's performance, that's what a developer cares about at the end of the day. Um, at the same time, we also need to make sure that we're growing our team to meet our demand, which means we're constantly on boarding new developers. And so what I take inspiration from our, some of the tech elite who have been able to invest significant amounts in, in tuning their engineering systems, they've been able to make it so that a new developer can join a team in just a couple of minutes or less that they can actually make a code change, see that be reflected in their application in just a few seconds and deploy with confidence within hours. And so our goal is to actually be able to take that state of the art metric and democratize that actually bring it to as many of our customers as we possibly can. >>You mentioned supply chain earlier in securing that. What are you guys doing with Docker and how to make that partnership better with registries? Is there any update there in terms of the container registry on Azure? >>Yeah, I mean, you know, we, we we have definitely seen recent events and and it almost seems like a never ending attacks that that you know, increasingly are getting more and more focused on developer watering holes is how we think about it. Kind of developers being a primary target um for these malicious hackers. And so what it's more important than ever that every developer um and Microsoft especially uh really take security extraordinarily seriously. Our engineers are working around the clock to make sure that we are responding to every security incident that we hear about and partnering with our customers to make sure that we're supporting them as well. One of the things that we announced earlier this week at Microsoft build is that we've actually taken, get have actions and we've now integrated that into the Azure Security Center. And so what this means is that, you know, we can now do things like scan for vulnerabilities. Um look at things like who is logging in, where things like that and actually have that be tracked in the Azure security center so that not just your developers get that notification but also your I. T. Operations. Um In terms of the partnership with dR you know, this is actually an ongoing partnership to make sure that we can provide more guidance to developers to make sure that they are following best practices like pulling from a private registry like Docker hub or at your container registry. So I expect that as time goes on will continue to more in partnership in this space >>and that's going to give a lot of confidence. Actually, productivity wise is going to be a big help for developers. Great stuff is always good, good progress. They're moving the needle. >>Last time we >>spoke we talked about tools and setting Azure as the doctor context duty tooling updates here at dot com this year. That's notable. >>Yeah, I mean, I think, you know, there's one major thing that we've been working on which has a big dependency on docker is get help. Code space is now one of the biggest pain points that developers have is setting up a new DEV box, which they often have to do when they are on boarding a new employee or when they're starting a new project or even if they're just kicking the tires on a new technology that they want to be able to evaluate and sometimes creating a developer environment can actually take hours um and especially when you're trying to create a developer environment that matches somebody else's developer environment that can take like a half a day and you can spend all of your time just debugging the differences in environment variables, for example, um, containers actually makes that much easier. So what you can do with this, this services, you can actually create death environment spun up in the cloud and you can access it in seconds and you get from there are working coding environment and a runtime environment and this is repeatable via containers. So it means that there's no inadvertent differences introduced by each DEV. And you might be interested to know that underneath this is actually using Docker files and dr composed to orchestrate the debits and the runtime bits for a whole bunch of different stacks. And so this is something that we're actually working on in collaboration with the with the doctor team to have a common the animal format. And in fact this week we actually introduced a couple of app templates so that everybody can see this all in action. So if you check out a ca dot m s forward slash app template, you can see this in action yourself. >>You guys have always had such a strong developer community and one thing I love about cloud as it brings more agility, as we always talk about. But when you start to see the enterprise grow into, the direction is going now, it's almost like the developer communities are emerging, it's no longer about all the Lennox folks here and the dot net folks there, you've got windows, you've got cloud, >>it's almost >>the the the solidification of everyone kind of coming together. Um and visual studio, for instance, last year, I think you were talking about that to having to be interrogated dr composed, et cetera. >>How do you see >>this melting pot emerging? Because at the end of the day, you pick the language you love and you got devops, which is infrastructure as code doesn't matter. So give us your take on where we are with that whole progress of of making that happen. >>Well, I mean I definitely think that, you know, developer environments and and kind of, you know, our approach to them don't need to be as dogmatic as they've been in the past. I really think that, you know, you can pick the right tool and language and stand developer stack for your team, for your experience and you can be productive and that's really our goal. And Microsoft is to make sure that we have tools for every developer and every team so that they can build any app that they want to want to create. Even if that means that they're actually going to end up ultimately deploying that not to our cloud, they're going to end up deploying it to AWS or another another competitive cloud. And so, you know, there's a lot of things that we've been doing to make that really much easier. We have integrated container tools in visual studio and visual studio code and better cli integrations like with the doctor context that we had talked about a little bit earlier. We continue to try to make it easier to build applications that are targeting containers and then once you create those containers it's much easier to take it to another environment. One of the examples of this kind of work is now that we have WsL and the Windows subsystem for Lennox. This makes it a lot easier for developers who prefer a Windows operating system as their environment and maybe some tools like Visual Studio that run on Windows, but they can still target Lennox with as their production environment without any impedance mismatch. They can actually be as productive as they would be if they had a Linux box as their Os >>I noticed on this session, I got to call this out. I want to get your reaction to it interesting. Selection of Microsoft talks, the container based development. Visual studio code is one that's where you're going to show some some some container action going on with note and Visual Studio code. And then you get the machine learning with Azure uh containers in the V. S. Code. Interesting how you got, you know, containers with V. S. And now you've got machine learning. What does that tell the world about where Microsoft's at? Because in a way you got the cutting edge container management on one side with the doctor integration. Now you get the machine learning which everyone's talking about shifting, left more automation. Why are these sessions so important? Why should people attend? And what's the what's the bottom line? >>Well, like I said, like containers basically empower developer productivity. Um that's what creates the reputable environments, that's what allows us to make sure that, you know, we're productive as soon as we possibly can be with any text act that we want to be able to target. Um and so that's kind of almost the ecosystem play. Um it's how every developer can contribute to the success of others and we can amor ties the kinds of work that we do to set up an environment. So that's what I would say about the container based development that we're doing with both visual studio and visual studio code. Um in terms of the machine learning development, uh you know, the number of machine learning developers in the world is relatively small, but it's growing and it's obviously a very important set of developers because to train a machine learning uh to train an ml model, it actually requires a significant amount of compute resources, and so that's a perfect opportunity to bring in the research that are in a public cloud. Um What's actually really interesting about that particular develop developer stack is that it commonly runs on things like python. And for those of you who have developed in python, you know, just how difficult it is to actually set up a python environment with the right interpreter, with the right run time, with the right libraries that can actually get going super quickly, um and you can be productive as a developer. And so it's actually one of the hardest, most challenging developer stacks to actually set up. And so this allows you to become a machine learning developer without having to spend all of your time just setting up the python runtime environment. >>Yeah, it's a nice, nice little call out on python, it's a double edged sword. It's easier to sling code around on one hand, when you start getting working then you gotta it gets complicated can get well. Um Well the great, great call out there on the island, but good, good, good project. Let me get your thoughts on this other tool that you guys are talking about project tie. Uh This is interesting because this is a trend that we're seeing a lot of conversations here on the cube about around more too many control planes. Too many services. You know, I no longer have that monolithic application. I got micro micro applications with microservices. What the hell is going on with my services? >>Yeah, I mean, I think, you know, containers brought an incredible amount of productivity in terms of having repeatable environments, both for dev environments, which we talked about a lot on this interview already, but also obviously in production and test environments. Super important. Um and with that a lot of times comes the microservices architecture that we're also moving to and the way that I view it is the microservices architecture is actually accompanied by businesses being more focused on the value that they can actually deliver to customers. And so they're trying to kind of create separations of concerns in terms of the different services that they're offering, so they can actually version and and kind of, you know, actually improve each of these services independently. But what happens when you start to have many microservices working together in a SAS or in some kind of aggregate um service environment or kind of application environment is it starts to get unwieldy, it's really hard to make it so that one micro service can actually address another micro service. They can pass information back and forth. And you know what used to be maybe easy if you were just building a client server application because, you know, within the server tear all of your code was basically contained in the same runtime environment. That's no longer the case when every microservices actually running inside of its own container. So the question is, how can we improve program ability by making it easier for one micro service that's being used in an application environment, be to be able to access another another service and kind of all of that context. Um and so, you know, you want to be able to access the service is the the api endpoint, the containers, the ingress is everything, make everything work together as though it felt just as easy as as um you know, server application development. Um And so what this means as well is that you also oftentimes need to get all of these different containers running at the same time and that can actually be a challenge in the developer and test loop as well. So what project tie does is it improves the program ability and it actually allows you to just write a command like thai run so that you can actually in stan she ate all of these containers and get them up and running and basically deploy and run your application in that environment and ultimately make the dev testing or loop much faster >>than productivity gain. Right. They're making it simple to stand up. Great, great stuff. Let me ask you a question as we kind of wrap down here for the folks here at Dakar Con, are >>there any >>special things you'd like to talk about the development you think are important for the developers here within this space? It's very dynamic. A lot of change happening in a good way. Um, but >>sometimes it's hard to keep >>track of all the cool stuff happening. Could you take a minute to, to share your thoughts on what you think are the most important develops developments in this space? That that might be interesting to ducker con attendees. >>I think the most important things are to recognize that developer environments are moving to containerized uh, environments themselves so that they can be repeated, they can be shared, the work, configuring them can be amortized across many developers. That's important thing. Number one important thing. Number two is it doesn't matter as much what operating system you're running as your chrome, you know, desktop. What matters is ultimately the production environment that you're targeting. And so I think now we're in a world where all of those things can be mixed and matched together. Um and then I think the next thing is how can we actually improve microservices, uh programming development together um so that it's easier to be able to target multiple micro services that are working in aggregate uh to create a single service experience or a single application. And how do we improve the program ability for that? >>You know, you guys have been great supporters of DACA and the community and open source and software developers as they transform and become quite frankly the superheroes for the transformation, which is re factoring businesses. So this has been a big thing. I'd love to get your thoughts on how this is all coming together inside Microsoft, you've got your division, you get the developer division, you got GIT hub, got Azure. Um, and then just historically, and he put this up last year army of an ecosystem. People who have been contributing encoding with Microsoft and the partners for many, many decades. >>Yes. The >>heart Microsoft now, how's it all working? What's the news? I get Lincoln, Lincoln, but there's no yet developer model there yet, but probably is soon. >>Um Yeah, I mean, I think that's a pretty broad question, but in some ways I think it's interesting to put it in the context of Microsoft's history. You know, I think when I think back to the beginning of my career, it was kind of a one stack shop, you know, we was all about dot net and you know, of course we want to dot net to be the best developer environment that it can possibly be. We still actually want that. We still want that need to be the most productive developer environment. It could we could possibly build. Um but at the same time, I think we have to recognize that not all developers or dot net developers and we want to make sure that Azure is the most productive cloud for developers and so to do that, we have to make sure that we're building fantastic tools and platforms to host java applications, javascript applications, no Js applications, python applications, all of those things, you know, all of these developers in the world, we want to make sure it can be productive on our tools and our platforms and so, you know, I think that's really kind of the key of you know what you're speaking of because you know, when I think about the partnership that I have with the GIT hub team or with the Azure team or with the Azure Machine learning team or the Lincoln team, um A lot of it actually comes down to helping empower developers, improving their productivity, helping them find new developers to collaborate with, um making sure that they can do that securely and confidently and they can basically respond to their customers as quickly as they possibly can. Um and when, when we think about partnering inside of Microsoft with folks like linkedin or office as an example, a lot of our partnership with them actually comes down to improving their colleagues efficiency. We build the developer tools that office and lengthen are built on top of and so every once in a while we will make an improvement that has, you know, 5% here, 3% there and it turns into an incredible amount of impact in terms of operations, costs for running these services. >>It's interesting. You mentioned earlier, I think there's a time now we're living in a time where you don't have to be dogmatic anymore, you can pick what you like and go with it. Also that you also mentioned just now this idea of distributed applications, distributed computing. You know, distributed applications and microservices go really well together. Especially with doctor. >>Can you share >>your thoughts on the framework that you guys released called Dapper? >>Yeah, yeah. We recently released Dapper. It's called D A P R. You can look it up on GIT hub and it's a programming model for common microservices pattern, two common microservices patterns that make it really easy and automatic to create those kinds of microservices. So you can choose to work with your favorite state stores or databases or pub sub components and get things like cloud events for free. You can choose either http or g R B C so that you can get mesh capabilities like service discovery and re tries and you can bring your own secret store and easily be able to call it from any environment variable. It's also like I was talking about earlier, multi lingual. Um so you don't need to embrace dot net, for example, as you're programming language to be able to benefit from Dapper, it actually supports many programming languages and Dapper itself is actually written and go. Um and so, you know, all developers can benefit from something like Dapper to make it easier to create microservices applications. >>I mean, always great to have you on great update. Take a minute to give an update on what's going on with your division. I know you had to build conference this week. V. S has got the new preview title. We just talked about what are the things you want to get to plug in for? Take a minute to get to plug in for what you're working on, your goals, your objectives hiring, give us the update. >>Yeah, sure. I mean, you know, we we built integrated container tools in visual studio uh and the Doctor extension and Visual Studio code and cli extensions. Uh and you know, even in this most recent release of our Visual Studio product, Visual Studio 16 10, we added some features to make it easier to use DR composed better. So one of the examples of this is that you can actually have uh Oftentimes you need to be able to use multiple doctor composed files together so that you can actually configure various different container environments for a single single application. But it's hard sometimes to create the right Yeah. My file so that you can actually invoke it and invoke the the container and the micro services that you need. And so what this allows you to do is to actually have just a menu of the different doctor composed files so that you can select the runtime and test environment that you need for the subset of the portion of the application that you're working on at the end of the day. This is always about developer productivity. You know, like I said, every keystroke matters. Um and we want to make sure that you as a developer can focus on the code that only you can Right. >>Amanda Silver, corporate vice president product development division of Microsoft. Always great to see you and chat with you remotely soon. We'll be back in in real life with real events soon as we come out of the pandemic and thanks for sharing your insight and congratulations on your success this year and and congratulations on your announcement here at Dakar Gone. >>Thank you so much for having me. >>Okay Cube coverage for Dunkirk on 2021. I'm John for your host of the Cube. Thanks for watching. Mhm