(upbeat electronic music) >> Hello everyone, welcome to this CUBE conversation here from the studios in the CUBE in Palo Alto, California. I'm John Furrier, your host. We're featuring a startup, Astronomer. Astronomer.io is the URL, check it out. And we're going to have a great conversation around one of the most important topics hitting the industry, and that is the future of machine learning and AI, and the data that powers it underneath it. There's a lot of things that need to get done, and we're excited to have some of the co-founders of Astronomer here. Viraj Parekh, who is co-founder of Astronomer, and Paola Peraza Calderon, another co-founder, both with Astronomer. Thanks for coming on. First of all, how many co-founders do you guys have? >> You know, I think the answer's around six or seven. I forget the exact, but there's really been a lot of people around the table who've worked very hard to get this company to the point that it's at. We have long ways to go, right? But there's been a lot of people involved that have been absolutely necessary for the path we've been on so far. >> Thanks for that, Viraj, appreciate that. The first question I want to get out on the table, and then we'll get into some of the details, is take a minute to explain what you guys are doing. How did you guys get here? Obviously, multiple co-founders, sounds like a great project. The timing couldn't have been better. ChatGPT has essentially done so much public relations for the AI industry to kind of highlight this shift that's happening. It's real, we've been chronicalizing, take a minute to explain what you guys do. >> Yeah, sure, we can get started. So, yeah, when Viraj and I joined Astronomer in 2017, we really wanted to build a business around data, and we were using an open source project called Apache Airflow that we were just using sort of as customers ourselves. And over time, we realized that there was actually a market for companies who use Apache Airflow, which is a data pipeline management tool, which we'll get into, and that running Airflow is actually quite challenging, and that there's a big opportunity for us to create a set of commercial products and an opportunity to grow that open source community and actually build a company around that. So the crux of what we do is help companies run data pipelines with Apache Airflow. And certainly we've grown in our ambitions beyond that, but that's sort of the crux of what we do for folks. >> You know, data orchestration, data management has always been a big item in the old classic data infrastructure. But with AI, you're seeing a lot more emphasis on scale, tuning, training. Data orchestration is the center of the value proposition, when you're looking at coordinating resources, it's one of the most important things. Can you guys explain what data orchestration entails? What does it mean? Take us through the definition of what data orchestration entails. >> Yeah, for sure. I can take this one, and Viraj, feel free to jump in. So if you google data orchestration, here's what you're going to get. You're going to get something that says, "Data orchestration is the automated process" "for organizing silo data from numerous" "data storage points, standardizing it," "and making it accessible and prepared for data analysis." And you say, "Okay, but what does that actually mean," right, and so let's give sort of an an example. So let's say you're a business and you have sort of the following basic asks of your data team, right? Okay, give me a dashboard in Sigma, for example, for the number of customers or monthly active users, and then make sure that that gets updated on an hourly basis. And then number two, a consistent list of active customers that I have in HubSpot so that I can send them a monthly product newsletter, right? Two very basic asks for all sorts of companies and organizations. And when that data team, which has data engineers, data scientists, ML engineers, data analysts get that request, they're looking at an ecosystem of data sources that can help them get there, right? And that includes application databases, for example, that actually have in product user behavior and third party APIs from tools that the company uses that also has different attributes and qualities of those customers or users. And that data team needs to use tools like Fivetran to ingest data, a data warehouse, like Snowflake or Databricks to actually store that data and do analysis on top of it, a tool like DBT to do transformations and make sure that data is standardized in the way that it needs to be, a tool like Hightouch for reverse ETL. I mean, we could go on and on. There's so many partners of ours in this industry that are doing really, really exciting and critical things for those data movements. And the whole point here is that data teams have this plethora of tooling that they use to both ingest the right data and come up with the right interfaces to transform and interact with that data. And data orchestration, in our view, is really the heartbeat of all of those processes, right? And tangibly the unit of data orchestration is a data pipeline, a set of tasks or jobs that each do something with data over time and eventually run that on a schedule to make sure that those things are happening continuously as time moves on and the company advances. And so, for us, we're building a business around Apache Airflow, which is a workflow management tool that allows you to author, run, and monitor data pipelines. And so when we talk about data orchestration, we talk about sort of two things. One is that crux of data pipelines that, like I said, connect that large ecosystem of data tooling in your company. But number two, it's not just that data pipeline that needs to run every day, right? And Viraj will probably touch on this as we talk more about Astronomer and our value prop on top of Airflow. But then it's all the things that you need to actually run data and production and make sure that it's trustworthy, right? So it's actually not just that you're running things on a schedule, but it's also things like CICD tooling, secure secrets management, user permissions, monitoring, data lineage, documentation, things that enable other personas in your data team to actually use those tools. So long-winded way of saying that it's the heartbeat, we think, of of the data ecosystem, and certainly goes beyond scheduling, but again, data pipelines are really at the center of it. >> One of the things that jumped out, Viraj, if you can get into this, I'd like to hear more about how you guys look at all those little tools that are out. You mentioned a variety of things. You look at the data infrastructure, it's not just one stack. You've got an analytic stack, you've got a realtime stack, you've got a data lake stack, you got an AI stack potentially. I mean you have these stacks now emerging in the data world that are fundamental, that were once served by either a full package, old school software, and then a bunch of point solution. You mentioned Fivetran there, I would say in the analytics stack. Then you got S3, they're on the data lake stack. So all these things are kind of munged together. >> Yeah. >> How do you guys fit into that world? You make it easier, or like, what's the deal? >> Great question, right? And you know, I think that one of the biggest things we've found in working with customers over the last however many years is that if a data team is using a bunch of tools to get what they need done, and the number of tools they're using is growing exponentially and they're kind of roping things together here and there, that's actually a sign of a productive team, not a bad thing, right? It's because that team is moving fast. They have needs that are very specific to them, and they're trying to make something that's exactly tailored to their business. So a lot of times what we find is that customers have some sort of base layer, right? That's kind of like, it might be they're running most of the things in AWS, right? And then on top of that, they'll be using some of the things AWS offers, things like SageMaker, Redshift, whatever, but they also might need things that their cloud can't provide. Something like Fivetran, or Hightouch, those are other tools. And where data orchestration really shines, and something that we've had the pleasure of helping our customers build, is how do you take all those requirements, all those different tools and whip them together into something that fulfills a business need? So that somebody can read a dashboard and trust the number that it says, or somebody can make sure that the right emails go out to their customers. And Airflow serves as this amazing kind of glue between that data stack, right? It's to make it so that for any use case, be it ELT pipelines, or machine learning, or whatever, you need different things to do them, and Airflow helps tie them together in a way that's really specific for a individual business' needs. >> Take a step back and share the journey of what you guys went through as a company startup. So you mentioned Apache, open source. I was just having an interview with a VC, we were talking about foundational models. You got a lot of proprietary and open source development going on. It's almost the iPhone/Android moment in this whole generative space and foundational side. This is kind of important, the open source piece of it. Can you share how you guys started? And I can imagine your customers probably have their hair on fire and are probably building stuff on their own. Are you guys helping them? Take us through, 'cause you guys are on the front end of a big, big wave, and that is to make sense of the chaos, rain it in. Take us through your journey and why this is important. >> Yeah, Paola, I can take a crack at this, then I'll kind of hand it over to you to fill in whatever I miss in details. But you know, like Paola is saying, the heart of our company is open source, because we started using Airflow as an end user and started to say like, "Hey wait a second," "more and more people need this." Airflow, for background, started at Airbnb, and they were actually using that as a foundation for their whole data stack. Kind of how they made it so that they could give you recommendations, and predictions, and all of the processes that needed orchestrated. Airbnb created Airflow, gave it away to the public, and then fast forward a couple years and we're building a company around it, and we're really excited about that. >> That's a beautiful thing. That's exactly why open source is so great. >> Yeah, yeah. And for us, it's really been about watching the community and our customers take these problems, find a solution to those problems, standardize those solutions, and then building on top of that, right? So we're reaching to a point where a lot of our earlier customers who started to just using Airflow to get the base of their BI stack down and their reporting in their ELP infrastructure, they've solved that problem and now they're moving on to things like doing machine learning with their data, because now that they've built that foundation, all the connective tissue for their data arriving on time and being orchestrated correctly is happening, they can build a layer on top of that. And it's just been really, really exciting kind of watching what customers do once they're empowered to pick all the tools that they need, tie them together in the way they need to, and really deliver real value to their business. >> Can you share some of the use cases of these customers? Because I think that's where you're starting to see the innovation. What are some of the companies that you're working with, what are they doing? >> Viraj, I'll let you take that one too. (group laughs) >> So you know, a lot of it is... It goes across the gamut, right? Because it doesn't matter what you are, what you're doing with data, it needs to be orchestrated. So there's a lot of customers using us for their ETL and ELT reporting, right? Just getting data from other disparate sources into one place and then building on top of that. Be it building dashboards, answering questions for the business, building other data products and so on and so forth. From there, these use cases evolve a lot. You do see folks doing things like fraud detection, because Airflow's orchestrating how transactions go, transactions get analyzed. They do things like analyzing marketing spend to see where your highest ROI is. And then you kind of can't not talk about all of the machine learning that goes on, right? Where customers are taking data about their own customers, kind of analyze and aggregating that at scale, and trying to automate decision making processes. So it goes from your most basic, what we call data plumbing, right? Just to make sure data's moving as needed, all the ways to your more exciting expansive use cases around automated decision making and machine learning. >> And I'd say, I mean, I'd say that's one of the things that I think gets me most excited about our future, is how critical Airflow is to all of those processes, and I think when you know a tool is valuable is when something goes wrong and one of those critical processes doesn't work. And we know that our system is so mission critical to answering basic questions about your business and the growth of your company for so many organizations that we work with. So it's, I think, one of the things that gets Viraj and I and the rest of our company up every single morning is knowing how important the work that we do for all of those use cases across industries, across company sizes, and it's really quite energizing. >> It was such a big focus this year at AWS re:Invent, the role of data. And I think one of the things that's exciting about the open AI and all the movement towards large language models is that you can integrate data into these models from outside. So you're starting to see the integration easier to deal with. Still a lot of plumbing issues. So a lot of things happening. So I have to ask you guys, what is the state of the data orchestration area? Is it ready for disruption? Has it already been disrupted? Would you categorize it as a new first inning kind of opportunity, or what's the state of the data orchestration area right now? Both technically and from a business model standpoint. How would you guys describe that state of the market? >> Yeah, I mean, I think in a lot of ways, in some ways I think we're category creating. Schedulers have been around for a long time. I released a data presentation sort of on the evolution of going from something like Kron, which I think was built in like the 1970s out of Carnegie Mellon. And that's a long time ago, that's 50 years ago. So sort of like the basic need to schedule and do something with your data on a schedule is not a new concept. But to our point earlier, I think everything that you need around your ecosystem, first of all, the number of data tools and developer tooling that has come out industry has 5X'd over the last 10 years. And so obviously as that ecosystem grows, and grows, and grows, and grows, the need for orchestration only increases. And I think, as Astronomer, I think we... And we work with so many different types of companies, companies that have been around for 50 years, and companies that got started not even 12 months ago. And so I think for us it's trying to, in a ways, category create and adjust sort of what we sell and the value that we can provide for companies all across that journey. There are folks who are just getting started with orchestration, and then there's folks who have such advanced use case, 'cause they're hitting sort of a ceiling and only want to go up from there. And so I think we, as a company, care about both ends of that spectrum, and certainly want to build and continue building products for companies of all sorts, regardless of where they are on the maturity curve of data orchestration. >> That's a really good point, Paola. And I think the other thing to really take into account is it's the companies themselves, but also individuals who have to do their jobs. If you rewind the clock like 5 or 10 years ago, data engineers would be the ones responsible for orchestrating data through their org. But when we look at our customers today, it's not just data engineers anymore. There's data analysts who sit a lot closer to the business, and the data scientists who want to automate things around their models. So this idea that orchestration is this new category is right on the money. And what we're finding is the need for it is spreading to all parts of the data team, naturally where Airflow's emerged as an open source standard and we're hoping to take things to the next level. >> That's awesome. We've been up saying that the data market's kind of like the SRE with servers, right? You're going to need one person to deal with a lot of data, and that's data engineering, and then you're got to have the practitioners, the democratization. Clearly that's coming in what you're seeing. So I have to ask, how do you guys fit in from a value proposition standpoint? What's the pitch that you have to customers, or is it more inbound coming into you guys? Are you guys doing a lot of outreach, customer engagements? I'm sure they're getting a lot of great requirements from customers. What's the current value proposition? How do you guys engage? >> Yeah, I mean, there's so many... Sorry, Viraj, you can jump in. So there's so many companies using Airflow, right? So the baseline is that the open source project that is Airflow that came out of Airbnb, over five years ago at this point, has grown exponentially in users and continues to grow. And so the folks that we sell to primarily are folks who are already committed to using Apache Airflow, need data orchestration in their organization, and just want to do it better, want to do it more efficiently, want to do it without managing that infrastructure. And so our baseline proposition is for those organizations. Now to Viraj's point, obviously I think our ambitions go beyond that, both in terms of the personas that we addressed and going beyond that data engineer, but really it's to start at the baseline, as we continue to grow our our company, it's really making sure that we're adding value to folks using Airflow and help them do so in a better way, in a larger way, in a more efficient way, and that's really the crux of who we sell to. And so to answer your question on, we get a lot of inbound because they're... >> You have a built in audience. (laughs) >> The world that use it. Those are the folks who we talk to and come to our website and chat with us and get value from our content. I mean, the power of the opensource community is really just so, so big, and I think that's also one of the things that makes this job fun. >> And you guys are in a great position. Viraj, you can comment a little, get your reaction. There's been a big successful business model to starting a company around these big projects for a lot of reasons. One is open source is continuing to be great, but there's also supply chain challenges in there. There's also we want to continue more innovation and more code and keeping it free and and flowing. And then there's the commercialization of productizing it, operationalizing it. This is a huge new dynamic, I mean, in the past 5 or so years, 10 years, it's been happening all on CNCF from other areas like Apache, Linux Foundation, they're all implementing this. This is a huge opportunity for entrepreneurs to do this. >> Yeah, yeah. Open source is always going to be core to what we do, because we wouldn't exist without the open source community around us. They are huge in numbers. Oftentimes they're nameless people who are working on making something better in a way that everybody benefits from it. But open source is really hard, especially if you're a company whose core competency is running a business, right? Maybe you're running an e-commerce business, or maybe you're running, I don't know, some sort of like, any sort of business, especially if you're a company running a business, you don't really want to spend your time figuring out how to run open source software. You just want to use it, you want to use the best of it, you want to use the community around it, you want to be able to google something and get answers for it, you want the benefits of open source. You don't have the time or the resources to invest in becoming an expert in open source, right? And I think that dynamic is really what's given companies like us an ability to kind of form businesses around that in the sense that we'll make it so people get the best of both worlds. You'll get this vast open ecosystem that you can build on top of, that you can benefit from, that you can learn from. But you won't have to spend your time doing undifferentiated heavy lifting. You can do things that are just specific to your business. >> It's always been great to see that business model evolve. We used a debate 10 years ago, can there be another Red Hat? And we said, not really the same, but there'll be a lot of little ones that'll grow up to be big soon. Great stuff. Final question, can you guys share the history of the company? The milestones of Astromer's journey in data orchestration? >> Yeah, we could. So yeah, I mean, I think, so Viraj and I have obviously been at Astronomer along with our other founding team and leadership folks for over five years now. And it's been such an incredible journey of learning, of hiring really amazing people, solving, again, mission critical problems for so many types of organizations. We've had some funding that has allowed us to invest in the team that we have and in the software that we have, and that's been really phenomenal. And so that investment, I think, keeps us confident, even despite these sort of macroeconomic conditions that we're finding ourselves in. And so honestly, the milestones for us are focusing on our product, focusing on our customers over the next year, focusing on that market for us that we know can get valuable out of what we do, and making developers' lives better, and growing the open source community and making sure that everything that we're doing makes it easier for folks to get started, to contribute to the project and to feel a part of the community that we're cultivating here. >> You guys raised a little bit of money. How much have you guys raised? >> Don't know what the total is, but it's in the ballpark over $200 million. It feels good to... >> A little bit of capital. Got a little bit of cap to work with there. Great success. I know as a Series C Financing, you guys have been down. So you're up and running, what's next? What are you guys looking to do? What's the big horizon look like for you from a vision standpoint, more hiring, more product, what is some of the key things you're looking at doing? >> Yeah, it's really a little of all of the above, right? Kind of one of the best and worst things about working at earlier stage startups is there's always so much to do and you often have to just kind of figure out a way to get everything done. But really investing our product over the next, at least over the course of our company lifetime. And there's a lot of ways we want to make it more accessible to users, easier to get started with, easier to use, kind of on all areas there. And really, we really want to do more for the community, right, like I was saying, we wouldn't be anything without the large open source community around us. And we want to figure out ways to give back more in more creative ways, in more code driven ways, in more kind of events and everything else that we can keep those folks galvanized and just keep them happy using Airflow. >> Paola, any final words as we close out? >> No, I mean, I'm super excited. I think we'll keep growing the team this year. We've got a couple of offices in the the US, which we're excited about, and a fully global team that will only continue to grow. So Viraj and I are both here in New York, and we're excited to be engaging with our coworkers in person finally, after years of not doing so. We've got a bustling office in San Francisco as well. So growing those teams and continuing to hire all over the world, and really focusing on our product and the open source community is where our heads are at this year. So, excited. >> Congratulations. 200 million in funding, plus. Good runway, put that money in the bank, squirrel it away. It's a good time to kind of get some good interest on it, but still grow. Congratulations on all the work you guys do. We appreciate you and the open source community does, and good luck with the venture, continue to be successful, and we'll see you at the Startup Showcase. >> Thank you. >> Yeah, thanks so much, John. Appreciate it. >> Okay, that's the CUBE Conversation featuring astronomer.io, that's the website. Astronomer is doing well. Multiple rounds of funding, over 200 million in funding. Open source continues to lead the way in innovation. Great business model, good solution for the next gen cloud scale data operations, data stacks that are emerging. I'm John Furrier, your host, thanks for watching. (soft upbeat music)

(soft music) >> Hello everyone, welcome to this Cube conversation here from the studios of theCube in Palo Alto, California. John Furrier, your host. We're featuring a startup, Astronomer, astronomer.io is the url. Check it out. And we're going to have a great conversation around one of the most important topics hitting the industry, and that is the future of machine learning and AI and the data that powers it underneath it. There's a lot of things that need to get done, and we're excited to have some of the co-founders of Astronomer here. Viraj Parekh, who is co-founder and Paola Peraza Calderon, another co-founder, both with Astronomer. Thanks for coming on. First of all, how many co-founders do you guys have? >> You know, I think the answer's around six or seven. I forget the exact, but there's really been a lot of people around the table, who've worked very hard to get this company to the point that it's at. And we have long ways to go, right? But there's been a lot of people involved that are, have been absolutely necessary for the path we've been on so far. >> Thanks for that, Viraj, appreciate that. The first question I want to get out on the table, and then we'll get into some of the details, is take a minute to explain what you guys are doing. How did you guys get here? Obviously, multiple co-founders sounds like a great project. The timing couldn't have been better. ChatGPT has essentially done so much public relations for the AI industry. Kind of highlight this shift that's happening. It's real. We've been chronologicalizing, take a minute to explain what you guys do. >> Yeah, sure. We can get started. So yeah, when Astronomer, when Viraj and I joined Astronomer in 2017, we really wanted to build a business around data and we were using an open source project called Apache Airflow, that we were just using sort of as customers ourselves. And over time, we realized that there was actually a market for companies who use Apache Airflow, which is a data pipeline management tool, which we'll get into. And that running Airflow is actually quite challenging and that there's a lot of, a big opportunity for us to create a set of commercial products and opportunity to grow that open source community and actually build a company around that. So the crux of what we do is help companies run data pipelines with Apache Airflow. And certainly we've grown in our ambitions beyond that, but that's sort of the crux of what we do for folks. >> You know, data orchestration, data management has always been a big item, you know, in the old classic data infrastructure. But with AI you're seeing a lot more emphasis on scale, tuning, training. You know, data orchestration is the center of the value proposition when you're looking at coordinating resources, it's one of the most important things. Could you guys explain what data orchestration entails? What does it mean? Take us through the definition of what data orchestration entails. >> Yeah, for sure. I can take this one and Viraj feel free to jump in. So if you google data orchestration, you know, here's what you're going to get. You're going to get something that says, data orchestration is the automated process for organizing silo data from numerous data storage points to organizing it and making it accessible and prepared for data analysis. And you say, okay, but what does that actually mean, right? And so let's give sort of an example. So let's say you're a business and you have sort of the following basic asks of your data team, right? Hey, give me a dashboard in Sigma, for example, for the number of customers or monthly active users and then make sure that that gets updated on an hourly basis. And then number two, a consistent list of active customers that I have in HubSpot so that I can send them a monthly product newsletter, right? Two very basic asks for all sorts of companies and organizations. And when that data team, which has data engineers, data scientists, ML engineers, data analysts get that request, they're looking at an ecosystem of data sources that can help them get there, right? And that includes application databases, for example, that actually have end product user behavior and third party APIs from tools that the company uses that also has different attributes and qualities of those customers or users. And that data team needs to use tools like Fivetran, to ingest data, a data warehouse like Snowflake or Databricks to actually store that data and do analysis on top of it, a tool like DBT to do transformations and make sure that that data is standardized in the way that it needs to be, a tool like Hightouch for reverse ETL. I mean, we could go on and on. There's so many partners of ours in this industry that are doing really, really exciting and critical things for those data movements. And the whole point here is that, you know, data teams have this plethora of tooling that they use to both ingest the right data and come up with the right interfaces to transform and interact with that data. And data orchestration in our view is really the heartbeat of all of those processes, right? And tangibly the unit of data orchestration, you know, is a data pipeline, a set of tasks or jobs that each do something with data over time and eventually run that on a schedule to make sure that those things are happening continuously as time moves on. And, you know, the company advances. And so, you know, for us, we're building a business around Apache Airflow, which is a workflow management tool that allows you to author, run and monitor data pipelines. And so when we talk about data orchestration, we talk about sort of two things. One is that crux of data pipelines that, like I said, connect that large ecosystem of data tooling in your company. But number two, it's not just that data pipeline that needs to run every day, right? And Viraj will probably touch on this as we talk more about Astronomer and our value prop on top of Airflow. But then it's all the things that you need to actually run data and production and make sure that it's trustworthy, right? So it's actually not just that you're running things on a schedule, but it's also things like CI/CD tooling, right? Secure secrets management, user permissions, monitoring, data lineage, documentation, things that enable other personas in your data team to actually use those tools. So long-winded way of saying that, it's the heartbeat that we think of the data ecosystem and certainly goes beyond scheduling, but again, data pipelines are really at the center of it. >> You know, one of the things that jumped out Viraj, if you can get into this, I'd like to hear more about how you guys look at all those little tools that are out there. You mentioned a variety of things. You know, if you look at the data infrastructure, it's not just one stack. You've got an analytic stack, you've got a realtime stack, you've got a data lake stack, you got an AI stack potentially. I mean you have these stacks now emerging in the data world that are >> Yeah. - >> fundamental, but we're once served by either a full package, old school software, and then a bunch of point solution. You mentioned Fivetran there, I would say in the analytics stack. Then you got, you know, S3, they're on the data lake stack. So all these things are kind of munged together. >> Yeah. >> How do you guys fit into that world? You make it easier or like, what's the deal? >> Great question, right? And you know, I think that one of the biggest things we've found in working with customers over, you know, the last however many years, is that like if a data team is using a bunch of tools to get what they need done and the number of tools they're using is growing exponentially and they're kind of roping things together here and there, that's actually a sign of a productive team, not a bad thing, right? It's because that team is moving fast. They have needs that are very specific to them and they're trying to make something that's exactly tailored to their business. So a lot of times what we find is that customers have like some sort of base layer, right? That's kind of like, you know, it might be they're running most of the things in AWS, right? And then on top of that, they'll be using some of the things AWS offers, you know, things like SageMaker, Redshift, whatever. But they also might need things that their Cloud can't provide, you know, something like Fivetran or Hightouch or anything of those other tools and where data orchestration really shines, right? And something that we've had the pleasure of helping our customers build, is how do you take all those requirements, all those different tools and whip them together into something that fulfills a business need, right? Something that makes it so that somebody can read a dashboard and trust the number that it says or somebody can make sure that the right emails go out to their customers. And Airflow serves as this amazing kind of glue between that data stack, right? It's to make it so that for any use case, be it ELT pipelines or machine learning or whatever, you need different things to do them and Airflow helps tie them together in a way that's really specific for a individual business's needs. >> Take a step back and share the journey of what your guys went through as a company startup. So you mentioned Apache open source, you know, we were just, I was just having an interview with the VC, we were talking about foundational models. You got a lot of proprietary and open source development going on. It's almost the iPhone, Android moment in this whole generative space and foundational side. This is kind of important, the open source piece of it. Can you share how you guys started? And I can imagine your customers probably have their hair on fire and are probably building stuff on their own. How do you guys, are you guys helping them? Take us through, 'cuz you guys are on the front end of a big, big wave and that is to make sense of the chaos, reigning it in. Take us through your journey and why this is important. >> Yeah Paola, I can take a crack at this and then I'll kind of hand it over to you to fill in whatever I miss in details. But you know, like Paola is saying, the heart of our company is open source because we started using Airflow as an end user and started to say like, "Hey wait a second". Like more and more people need this. Airflow, for background, started at Airbnb and they were actually using that as the foundation for their whole data stack. Kind of how they made it so that they could give you recommendations and predictions and all of the processes that need to be or needed to be orchestrated. Airbnb created Airflow, gave it away to the public and then, you know, fast forward a couple years and you know, we're building a company around it and we're really excited about that. >> That's a beautiful thing. That's exactly why open source is so great. >> Yeah, yeah. And for us it's really been about like watching the community and our customers take these problems, find solution to those problems, build standardized solutions, and then building on top of that, right? So we're reaching to a point where a lot of our earlier customers who started to just using Airflow to get the base of their BI stack down and their reporting and their ELP infrastructure, you know, they've solved that problem and now they're moving onto things like doing machine learning with their data, right? Because now that they've built that foundation, all the connective tissue for their data arriving on time and being orchestrated correctly is happening, they can build the layer on top of that. And it's just been really, really exciting kind of watching what customers do once they're empowered to pick all the tools that they need, tie them together in the way they need to, and really deliver real value to their business. >> Can you share some of the use cases of these customers? Because I think that's where you're starting to see the innovation. What are some of the companies that you're working with, what are they doing? >> Raj, I'll let you take that one too. (all laughing) >> Yeah. (all laughing) So you know, a lot of it is, it goes across the gamut, right? Because all doesn't matter what you are, what you're doing with data, it needs to be orchestrated. So there's a lot of customers using us for their ETL and ELT reporting, right? Just getting data from all the disparate sources into one place and then building on top of that, be it building dashboards, answering questions for the business, building other data products and so on and so forth. From there, these use cases evolve a lot. You do see folks doing things like fraud detection because Airflow's orchestrating how transactions go. Transactions get analyzed, they do things like analyzing marketing spend to see where your highest ROI is. And then, you know, you kind of can't not talk about all of the machine learning that goes on, right? Where customers are taking data about their own customers kind of analyze and aggregating that at scale and trying to automate decision making processes. So it goes from your most basic, what we call like data plumbing, right? Just to make sure data's moving as needed. All the ways to your more exciting and sexy use cases around like automated decision making and machine learning. >> And I'd say, I mean, I'd say that's one of the things that I think gets me most excited about our future is how critical Airflow is to all of those processes, you know? And I think when, you know, you know a tool is valuable is when something goes wrong and one of those critical processes doesn't work. And we know that our system is so mission critical to answering basic, you know, questions about your business and the growth of your company for so many organizations that we work with. So it's, I think one of the things that gets Viraj and I, and the rest of our company up every single morning, is knowing how important the work that we do for all of those use cases across industries, across company sizes. And it's really quite energizing. >> It was such a big focus this year at AWS re:Invent, the role of data. And I think one of the things that's exciting about the open AI and all the movement towards large language models, is that you can integrate data into these models, right? From outside, right? So you're starting to see the integration easier to deal with, still a lot of plumbing issues. So a lot of things happening. So I have to ask you guys, what is the state of the data orchestration area? Is it ready for disruption? Is it already been disrupted? Would you categorize it as a new first inning kind of opportunity or what's the state of the data orchestration area right now? Both, you know, technically and from a business model standpoint, how would you guys describe that state of the market? >> Yeah, I mean I think, I think in a lot of ways we're, in some ways I think we're categoric rating, you know, schedulers have been around for a long time. I recently did a presentation sort of on the evolution of going from, you know, something like KRON, which I think was built in like the 1970s out of Carnegie Mellon. And you know, that's a long time ago. That's 50 years ago. So it's sort of like the basic need to schedule and do something with your data on a schedule is not a new concept. But to our point earlier, I think everything that you need around your ecosystem, first of all, the number of data tools and developer tooling that has come out the industry has, you know, has some 5X over the last 10 years. And so obviously as that ecosystem grows and grows and grows and grows, the need for orchestration only increases. And I think, you know, as Astronomer, I think we, and there's, we work with so many different types of companies, companies that have been around for 50 years and companies that got started, you know, not even 12 months ago. And so I think for us, it's trying to always category create and adjust sort of what we sell and the value that we can provide for companies all across that journey. There are folks who are just getting started with orchestration and then there's folks who have such advanced use case 'cuz they're hitting sort of a ceiling and only want to go up from there. And so I think we as a company, care about both ends of that spectrum and certainly have want to build and continue building products for companies of all sorts, regardless of where they are on the maturity curve of data orchestration. >> That's a really good point Paola. And I think the other thing to really take into account is it's the companies themselves, but also individuals who have to do their jobs. You know, if you rewind the clock like five or 10 years ago, data engineers would be the ones responsible for orchestrating data through their org. But when we look at our customers today, it's not just data engineers anymore. There's data analysts who sit a lot closer to the business and the data scientists who want to automate things around their models. So this idea that orchestration is this new category is spot on, is right on the money. And what we're finding is it's spreading, the need for it, is spreading to all parts of the data team naturally where Airflows have emerged as an open source standard and we're hoping to take things to the next level. >> That's awesome. You know, we've been up saying that the data market's kind of like the SRE with servers, right? You're going to need one person to deal with a lot of data and that's data engineering and then you're going to have the practitioners, the democratization. Clearly that's coming in what you're seeing. So I got to ask, how do you guys fit in from a value proposition standpoint? What's the pitch that you have to customers or is it more inbound coming into you guys? Are you guys doing a lot of outreach, customer engagements? I'm sure they're getting a lot of great requirements from customers. What's the current value proposition? How do you guys engage? >> Yeah, I mean we've, there's so many, there's so many. Sorry Raj, you can jump in. - >> It's okay. So there's so many companies using Airflow, right? So our, the baseline is that the open source project that is Airflow that was, that came out of Airbnb, you know, over five years ago at this point, has grown exponentially in users and continues to grow. And so the folks that we sell to primarily are folks who are already committed to using Apache Airflow, need data orchestration in the organization and just want to do it better, want to do it more efficiently, want to do it without managing that infrastructure. And so our baseline proposition is for those organizations. Now to Raj's point, obviously I think our ambitions go beyond that, both in terms of the personas that we addressed and going beyond that data engineer, but really it's for, to start at the baseline. You know, as we continue to grow our company, it's really making sure that we're adding value to folks using Airflow and help them do so in a better way, in a larger way and a more efficient way. And that's really the crux of who we sell to. And so to answer your question on, we actually, we get a lot of inbound because they're are so many - >> A built-in audience. >> In the world that use it, that those are the folks who we talk to and come to our website and chat with us and get value from our content. I mean the power of the open source community is really just so, so big. And I think that's also one of the things that makes this job fun, so. >> And you guys are in a great position, Viraj, you can comment, to get your reaction. There's been a big successful business model to starting a company around these big projects for a lot of reasons. One is open source is continuing to be great, but there's also supply chain challenges in there. There's also, you know, we want to continue more innovation and more code and keeping it free and and flowing. And then there's the commercialization of product-izing it, operationalizing it. This is a huge new dynamic. I mean, in the past, you know, five or so years, 10 years, it's been happening all on CNCF from other areas like Apache, Linux Foundation, they're all implementing this. This is a huge opportunity for entrepreneurs to do this. >> Yeah, yeah. Open source is always going to be core to what we do because, you know, we wouldn't exist without the open source community around us. They are huge in numbers. Oftentimes they're nameless people who are working on making something better in a way that everybody benefits from it. But open source is really hard, especially if you're a company whose core competency is running a business, right? Maybe you're running e-commerce business or maybe you're running, I don't know, some sort of like any sort of business, especially if you're a company running a business, you don't really want to spend your time figuring out how to run open source software. You just want to use it, you want to use the best of it, you want to use the community around it. You want to take, you want to be able to google something and get answers for it. You want the benefits of open source. You don't want to have, you don't have the time or the resources to invest in becoming an expert in open source, right? And I think that dynamic is really what's given companies like us an ability to kind of form businesses around that, in the sense that we'll make it so people get the best of both worlds. You'll get this vast open ecosystem that you can build on top of, you can benefit from, that you can learn from, but you won't have to spend your time doing undifferentiated heavy lifting. You can do things that are just specific to your business. >> It's always been great to see that business model evolved. We used to debate 10 years ago, can there be another red hat? And we said, not really the same, but there'll be a lot of little ones that'll grow up to be big soon. Great stuff. Final question, can you guys share the history of the company, the milestones of the Astronomer's journey in data orchestration? >> Yeah, we could. So yeah, I mean, I think, so Raj and I have obviously been at astronomer along with our other founding team and leadership folks, for over five years now. And it's been such an incredible journey of learning, of hiring really amazing people. Solving again, mission critical problems for so many types of organizations. You know, we've had some funding that has allowed us to invest in the team that we have and in the software that we have. And that's been really phenomenal. And so that investment, I think, keeps us confident even despite these sort of macroeconomic conditions that we're finding ourselves in. And so honestly, the milestones for us are focusing on our product, focusing on our customers over the next year, focusing on that market for us, that we know can get value out of what we do. And making developers' lives better and growing the open source community, you know, and making sure that everything that we're doing makes it easier for folks to get started to contribute to the project and to feel a part of the community that we're cultivating here. >> You guys raised a little bit of money. How much have you guys raised? >> I forget what the total is, but it's in the ballpark of 200, over $200 million. So it feels good - >> A little bit of capital. Got a little bit of cash to work with there. Great success. I know it's a Series C financing, you guys been down, so you're up and running. What's next? What are you guys looking to do? What's the big horizon look like for you? And from a vision standpoint, more hiring, more product, what is some of the key things you're looking at doing? >> Yeah, it's really a little of all of the above, right? Like, kind of one of the best and worst things about working at earlier stage startups is there's always so much to do and you often have to just kind of figure out a way to get everything done, but really invest in our product over the next, at least the next, over the course of our company lifetime. And there's a lot of ways we wanting to just make it more accessible to users, easier to get started with, easier to use all kind of on all areas there. And really, we really want to do more for the community, right? Like I was saying, we wouldn't be anything without the large open source community around us. And we want to figure out ways to give back more in more creative ways, in more code driven ways and more kind of events and everything else that we can do to keep those folks galvanized and just keeping them happy using Airflow. >> Paola, any final words as we close out? >> No, I mean, I'm super excited. You know, I think we'll keep growing the team this year. We've got a couple of offices in the US which we're excited about, and a fully global team that will only continue to grow. So Viraj and I are both here in New York and we're excited to be engaging with our coworkers in person. Finally, after years of not doing so, we've got a bustling office in San Francisco as well. So growing those teams and continuing to hire all over the world and really focusing on our product and the open source community is where our heads are at this year, so. >> Congratulations. - >> Excited. 200 million in funding plus good runway. Put that money in the bank, squirrel it away. You know, it's good to kind of get some good interest on it, but still grow. Congratulations on all the work you guys do. We appreciate you and the open sourced community does and good luck with the venture. Continue to be successful and we'll see you at the Startup Showcase. >> Thank you. - >> Yeah, thanks so much, John. Appreciate it. - >> It's theCube conversation, featuring astronomer.io, that's the website. Astronomer is doing well. Multiple rounds of funding, over 200 million in funding. Open source continues to lead the way in innovation. Great business model. Good solution for the next gen, Cloud, scale, data operations, data stacks that are emerging. I'm John Furrier, your host. Thanks for watching. (soft music)

(upbeat music) >> Hello and welcome back to theCUBE's coverage of Cloud Native SecurityCon North America 2023. Its first inaugural event. It's theCUBE's coverage. We were there at the first event for a KubeCon before CNCF kind of took it over. It was in Seattle. And so in Seattle this week is Cloud Native SecurityCon. Of course, theCUBE is there covering via our Palo Alto Studios and our experts around the world who are bringing in Bassam Tabbara who's the CEO and founder of upbound.io. That's the URL, but Upbound is the company. The creators of Crossplane. Really kind of looking at the Crossplane, across the abstraction layer, across clouds. A big part of, as we call supercloud trend. Bassam, great to see you. You've been legend in the open source community. Great to have you on. >> Thanks, John. Always good to be on theCUBE. >> I really wanted to bring you in 'cause I want to get your perspective. You've seen the movie, you've seen open source software grow, it continues to grow. Now you're starting to see the Linux Foundation, which has CNCF really expanding their realm. They got the CloudNativeCon, KubeCon, which is Kubernetes event. That's gotten so massive and so successful. We've been to every single one as you know. I've seen you there and all of them as well. So that's going great. Now they got this new event that's spins out dedicated to security. Everybody wants to know why the new event? What's the focus? Is it needed? What will they do? What's different from KubeCon? Where do I play? And so there's a little bit of a question mark in the ecosystem around this event. And so we've been reporting on it. Looking good so far. People are buzzing, again, they're keeping it small. So that kind of managing expectations like any good event would do. But I think it's been successful, which I wanted like to get your take on how you see it. Is this good? Are you indifferent? Are you excited by this? What's your take? >> I mean, look, it's super exciting to see all the momentum around cloud native. Obviously there are different dimensions of cloud native securities, an important piece. Networking, storage, compute, like all those things I think tie back together and in some ways you can look at this event as a focused event on the security aspect as it relates to cloud native. And there are lots of vendors in this space. There's lots of interesting projects in the space, but the unifying theme is that they come together and probably around the Kubernetes API and the momentum around cloud native and with Kubernetes at the center of it. >> On the focus on Kubernetes, it seems this event is kind of classic security where you want to have deep dives. Again, I call it the event operating system 'cause you decouple, make things highly cohesive, and you link them together. I don't see a problem with it. I kind of like this. I gave it good reviews if they stay focused because security is super critical. There was references to bind and DNS. There's a lot of things in the infrastructure plumbing that need to be looked at or managed or figured out or just refactored for modernization needs. And I know you've done a lot with storage, for instance, storage, networking, kernel. There's a lot of things in the old tech or tech in the cloud that needs to be kind, I won't say rebooted, but maybe reset or jump. Do you see it that way? Are there things that need to get done or is it just that there's so much complexity in the different cloud cluster code thing going on? >> It's obviously security is a very, very big space and there are so many different aspects of it that people you can go into. I think the thing that's interesting around the cloud native community is that there is a unifying theme. Like forget the word cloud native for a second, but the unifying theme is that people are building around what looks like a standardized play around Kubernetes and the Kubernetes API. And as a result you can recast a lot of the technologies that we are used to in the past in a traditional security sense. You can recast them on top of this new standardized approach or on Kubernetes, whether it's policy or protecting a supply chain or scanning, or like a lot of the access control authorization, et cetera. All of those things can be either revived to apply to this cloud native play and the Kubernetes play or creating new opportunities for companies to actually build new and interesting projects and companies around a standardized play. >> Do you think this also will help the KubeCon be more focused around the developer areas there and just touching on security versus figuring out how to take something so important in KubeCon, which the stakeholders in KubeCon have have grown so big, I can see security sucking a lot of oxygen out of the room there. So here you move it over, you keep it over here. Will anything change on the KubeCon site? We'll be there in in Amsterdam in April. What do you think the impact will be? Good? Is it good for the community? Just good swim lanes? What's your take? >> Yeah, I still think KubeCon will be an umbrella event for the whole cloud native community. I suspect that you'll see some of the same vendors and projects and everything else represented in KubeCon. The way I think about all the branched cloud native events are essentially a way to have a more focused discussion, get people together to talk about security topics or networking topics or things that are more focused way. But I don't think it changes the the effect of KubeCon being the umbrella around all of it. So I think you'll see the same presence and maybe larger presence going forward at Amsterdam. We're planning to be there obviously and I'm excited to be there and I think it'll be a big event and having a smaller event is not going to diminish the effect of KubeCon. >> And if you look at the developer community they've all been online for a long time, from IRC chat to now Slack and now new technologies and stuff like Discord out there. The event world has changed post-pandemic. So it makes sense. And we're seeing this with all vendors, by the way, and projects. The digital community angle is huge because if you have a big tent event like KubeCon you can make that a rallying moment in the industry and then have similar smaller events that are highly focused that build off that that are just connective tissue or subnets, if you will, or communities targeted for really deeper conversations. And they could be smaller events. They don't have to be monster events, but they're connected and traverse into the main event. This might be the event format for the future for all companies, whether it's AWS or a company that has a community where you create this network effect, if you will, around the people. >> That's right. And if you look at things like AWS re:Invent, et cetera, I mean, that's a massive events. And in some ways it, if it was a set of smaller sub events, maybe it actually will flourish more. I don't know, I'm not sure. >> They just killed the San Francisco event. >> That's right. >> But they have re:Inforce, all right, so they just established that their big events are re:Invent and re:Inforce as their big. >> Oh, I didn't hear about re:Inforce. That's news to me. >> re:Inforce is their third event. So they're doing something similar as CloudNativeCon, which is you have to have an event and then they're going to create a lot of sub events underneath. So I think they are trying to do that. Very interesting. >> Very interesting for sure. >> So let's talk about what you guys are up to. I know from your standpoint, you had a lot of security conversations. How is Crossplane doing? Obviously, you saw our Supercloud coverage. You guys fit right into that model where clients, customers, enterprises are going to want to have multiple cloud operating environments for whatever the use case, whether you're using ChatGPT, you got to get an Azure instance up and running for that. Now with APIs, we're hearing a lot of developers doing that. So you're going to start to see this cross cloud as VMware calls, what we call it supercloud. There's more need for Crossplane like thinking. What's the update? >> For sure, and we see this very clearly as well. So the fact that there is a standardization layer, there is a layer that lets you converge the different vendors that you have, the different clouds that you have, the different hype models that you have, whether it's hybrid or private, public, et cetera. The unifying theme is that you're literally bringing all those things under one control plane that enables you to actually centralize and standardize on security, access control, helps you standardize on cost control, quota policy, as well as create a self-service experience for your developers. And so from a security standpoint, the beauty of this is like, you could use really popular projects like open policy agent or Kyverno or others if you want to do policy and do so uniformly across your entire stack, your entire footprint of tooling, vendors, services and across deployment models. Those things are possible because you're standardizing and consolidating on a control plane on top of all. And that's the thing that gets our customers excited. That we're seeing in the community that they could actually now normalize standardize on small number of projects and tools to manage everything. >> We were talking about that in our summary of the keynote yesterday. Dave Vellante and I were talking about the idea of clients want to have a redo of their security. They've been, just the tooling has been building up. They got zero trust in place, maybe with some big vendor, but now got the cloud native opportunity to refactor and reset and reinvent their security paradigm. And so that's the positive thing we're hearing. Now we're seeing enterprises want this cross cloud capabilities or Crossplane like thinking that you guys are talking about. What are your customers telling you? Can you share from an enterprise perspective where they're at in this journey? Because part of the security problems that we've been reporting on has been because clients are moving from IT to cloud native and not everyone's moved over yet. So they're highly vulnerable to ransomware and all kinds of other crap. So another attacks, so they're wide open, But people who are moving into cloud native, are they stepping up their game on this Crossplane opportunity? Where are they at? Can you share data on that? >> Yeah, we're grateful to be talking to a lot of customers these days. And the interesting thing is even if you talked about large financial institutions, banks, et cetera, the common theme that we hear is that they bought tools for each of the different departments and however they're organized. Sometimes you see the folks that are running databases, networking, being separated from say, the computer app developers or they're all these different departments within an organization. And for each one of those, they've made localized decisions for tooling and services that they bought. What we're seeing now consistently is that they're all together, getting together, and trying to figure out how to standardize on a smaller one set of tooling and services that goes across all the different departments and all different aspects of the business that they're running. And this is where this discussion gets a lot very interesting. If instead of buying a different policy tool for each department, or once that fits it you could actually standardize on policy or the entire footprint of services that they're managing. And you get that by standardizing on a control plane or standardizing on effectively one point of control for everything that they're doing. And that theme is like literally, it gets all our customers excited. This is why they're engaging in all of this. It's almost the holy grail. The thing that I've been trying to do for a long time. >> I know. >> And it's finally happening. >> I know you and I have talked about this many times, but I got to ask you the one thing that jumps into everybody's head when you hear control plane is lock-in. So how do you discuss that lock-in, perception from the reality of the situation? How do you unpack that for the customer? 'Cause they want choice at the end of the day. There's the preferred vendors for sure on the hyperscale side and app side and open source, but what's the lock-in? What does the lock-in conversation look like? Or do they even have that conversation? >> Yeah. To be honest, I mean, so their lock-in could be a two dimensions here. Most of our customers and people are using Crossplane or using app on product around it. Most of our do, concentrated in, say a one cloud vendor and have others. So I don't think this is necessarily about multicloud per se or being locked into one vendor. But they do manage many different services and they have legacy tooling and they have different systems that they bought at different stages and they want to bring them all together. And by bringing them all together that helps them make choices about consulting or even replacing some of them. But right now everything is siloed, everything is separate, both organizationally as well as the code bases or investments and tooling or contracts. Everything is just completely separated and it requires humans to put them together. And organizations actually try to gather around and put them together. I don't know if lock-in is the driving goal for this, but it is standardization consolidation. That's the driving initiative. >> And so unification and building is the big driver. They're building out >> Correct, and you can ask why are they doing that? What does standardization help with? It helps them to become more productive. They can move faster, they can innovate faster. Not as a ton of, like literally revenue written all over. So it's super important to them that they achieved this, increase their pace of innovation around this and they do that by standardizing. >> The great point in all this and your success at Upbound and now CNCF success with KubeCon + CloudNativeCon and now with the inaugural event of Cloud Native SecurityCon is that the customers are involved, a lot of end users are involved. There's a big driver not only from the industry and the developers and getting architecture right and having choice. The customers want this to happen. They're leaning in, they're part of it. So that's a big driver. Where does this go? If you had to throw a dart at the board five years from now Cloud Native SecurityCon, what does it look like if you had to predict the trajectory of this event and community? >> Yeah, I mean, look, I think the trajectory one is that we have what looks like a standardization layer emerging that is all encompassing. And as a result, there is a ton of opportunity for vendors, projects, communities to build around within on top of this layer. And essentially create, I think you talked about an operating system earlier and decentralized aspect of this, but it's an opportunity to actually, what it looks like for the first time we have a convergence happening industry-wide and through open source and open source foundations. And I think that means that there'll be new opportunity and lots of new projects and things that are created in the space. And it also means that if you don't attach this space, you'll likely be left out. >> Awesome. Bassam, great to have you on, great expert commentary, obviously multi CUBE alumni and supporter of theCUBE and as you become successful we really appreciate your support for helping us get the content out there. And best of luck to your team and thanks for weighing in on Cloud Native SecurityCon. >> Awesome. It's always good talking to you, John. Thank you. >> Great stuff. This is more CUBE coverage from Palo Alto, getting folks on the ground on location, getting us the stories in Seattle. Of course, Cloud Native SecurityCon, the inaugural event, which looks like will be the beginning of a series of multi-year journey for the CNCF, focusing on security. Of course, theCUBE's here to cover it, every angle of it, and extract the signal from the noise. I'm John Furrier, thanks for watching. (upbeat music)

(energetic music plays) >> Lisa: Hey everyone, we're so glad you're here with us. theCUBE is covering Cloud Native Security Con 23. Lisa Martin here with John Furrier. This is our second day of coverage of the event. We've had some great conversations with a lot of intellectual, exciting folks, as you know cuz you've been watching. John and I are very pleased to welcome back one of our alumni to theCUBE Taylor Dolezal joins us the head of ecosystem at CNCF. Taylor, welcome back to theCUBE. Great to see you. >> Taylor: Hey everybody, great to see you again. >> Lisa: So you are on the ground in Seattle. We're jealous. We've got fomo as John would say. Talk to us about, this is a inaugural event. We were watching Priyanka keynote yesterday. Seemed like a lot of folks there, 72 sessions a lot of content, a lot of discussions. What's the buzz, what's the reception of this inaugural event from your perspective? >> Taylor: So it's been really fantastic. I think the number one thing that has come out of this conference so far is that it's a wonderful chance to come together and for people to see one another. It's, it's been a long time that we've kind of had that opportunity to be able to interact with folks or you know, it's just a couple months since last Cube Con. But this is truly a different vibe and it's nice to have that focus on security. We're seeing a lot of folks within different organizations work through different problems and then finally have a vendor neutral space in which to talk about all of those contexts and really raise everybody up with all this new knowledge and new talking points, topics, and different facets of knowledge. >> John: Taylor, we were joking on our yesterday's summary of the keynotes, Dave Vellante and I, and the guests, Lisa and I, about the CNCF having an event operating system, you know, very decoupled highly cohesive events, strung together beautifully through the Linux Foundation, you know, kind of tongue in cheek but it was kind of fun to play on words because it's a very technical community. But the business model of, of hackers is booming. The reality of businesses booming and Cloud Native is the preferred developer environment for the future application. So the emphasis, it's very clear that this is a good move to do and targeting the community around security's a solid move. Amazon's done it with reinforce and reinvent. We see that Nice segmentation. What's the goal? Because this is really where it connects to Cube Con and Cloud Native Con as well because this shift left there too. But here it's very much about hardcore Cloud Native security. What's your positioning on this? Am I getting it right or is there is that how you guys see it? >> Taylor: Yeah, so, so that's what we've see that's what we were talking about as well as we were thinking on breaking this event out. So originally this event was a co-located event during the Cube Con windows in both Europe and North America. And then it just was so consistently popular clearly a topic that people wanted to talk, which is good that people want to talk of security. And so when we saw this massive continued kind of engagement, we wanted to break this off into its own conference. When we were going through that process internally, like you had mentioned the events team is just phenomenal to work with and they, I love how easy that they make it for us to be able to do these kinds of events too though we wanted to talk through how we differentiate this event from others and really what's changed for us and kind of how we see this space is that we didn't really see any developer-centric open source kinds of conferences. Ones that were really favoring of the developer and focus on APIs and ways in which to implement these things across all of your workloads within your organization. So that's truly what we're looking to go for here during these, all of these sessions. And that's how it's been playing out so far which has been really great to see. >> John: Taylor, I want to ask you on the ecosystem obviously the built-in ecosystem at CNCF.IO with Cube Cons Cloud Cons there, this is a new ecosystem opportunity to add more people that are security focused. Is their new entrance coming into the fold and what's been the reaction? >> Taylor: So short answer is yes we've seen a huge uptick across our vendor members and those are people that are creating Cloud offerings and selling those and working with others to implement them as well as our end users. So people consuming Cloud Native projects and using them to power core parts of their business. We have gotten a lot of data from groups like IBM and security, IBM security and put 'em on institute. They gave us a cost of data breach report that Priyanka mentioned and talked about 43% of those organizations haven't started or in the early stages of updating security practices of their cloud environments and then here on the ground, you know, talking through some best practices and really sharing those out as well. So it's, I've gotten to hear pieces and parts of different conversations and and I'm certain we'll hear more about those soon but it's just really been great to, to hear everybody with that main focus of, hey, there's more that we can do within the security space and you know, let's let's help one another out on that front just because it is such a vast landscape especially in the security space. >> Lisa: It's a huge landscape. And to your point earlier, Taylor it's everyone has the feeling that it's just so great to be back together again getting folks out of the silos that they've been operating in for such a long time. But I'd love to get some of your, whatever you can share in terms of some of the Cloud Native security projects that you've heard about over the last day or so. Anything exciting that you think is really demonstrating the value already and this inaugural event? >> Taylor: Yes, so I I've been really excited to hear a lot of, personally I've really liked the talks around EBPF. There are a whole bunch of projects utilizing that as far as runtime security goes and actually getting visibility into your workloads and being able to see things that you do expect and things that you don't expect and how to remediate those. And then I keep hearing a lot of talks about open policy agents and projects like Caverno around you know, how do we actually automate different policies or within regulated industries, how do we actually start to solve those problems? So I've heard even more around CNCF projects and other contexts that have come up but truly most of them have been around the telemetry space EBPF and, and quite a few others. So really great to, to see all those projects choosing something to bind to and making it that much more accessible for folks to implement or build on top of as well. >> John: I love the reference you guys had just the ChatGPT that was mentioned in the keynote yesterday and also the reference to Dan Kaminsky who was mentioned on the reference to DNS and Bind, lot of root level security going on. It seems like this is like a Tiger team event where all the top alpha security gurus come together, Priyanka said, experts bottoms up, developer first practitioners, that's the vibe. Is that kind of how you guys want it to be more practitioners hardcore? >> Taylor: Absolutely, absolutely. I think that when it comes to security, we really want to help. It's definitely a grassroots movement. It's great to have the people that have such a deep understanding of certain security, just bits of knowledge really when it comes to EBPF. You know, we have high surveillance here that we're talking things through. Falco is here with Sysdig and so it it's great to have all of these people here, though I have seen a good spread of folks that are, you know, most people have started their security journey but they're not where they want to be. And so people that are starting at a 2 0 1, 3 0 1, 4 0 1 level of understanding definitely seeing a good spread of knowledge on that front. But it's really, it's been great to have folks from all varying experiences, but then to have the expertise of the folks that are writing these specifications and pushing the boundaries of what's possible with security to to ensure that we're all okay and updated on that front too, I think was most notable yesterday. Like you had said >> Lisa: Sorry Taylor, when we think of security, again this is an issue that, that organizations in every industry face, nobody is immune to this. We can talk about the value in it for the hackers in terms of ransomware alone for example. But you mentioned a stat that there's a good amount of organizations that are really either early in their security journeys or haven't started yet which kind of sounds a bit scary given the landscape and how much has changed in the last couple of years. But it sounds like on the good news front it isn't too late for organizations. Talk a little bit about some of the recommendations and best practices for those organizations who are behind the curve knowing that the next attack is going to happen. >> Taylor: Absolutely. So fantastic question. I think that when it comes to understanding the fact that people need to implement security and abide by best practices, it's like I I'm sure that many of us can agree on that front, you know, hopefully all of us. But when it comes to actually implementing that, that's I agree with you completely. That's where it's really difficult to find where where do I start, where do I actually look at? And there are a couple of answers on that front. So within the CNTF ecosystem we have a technical action group security, so tag security and they have a whole bunch of working groups that cover different facets of the Cloud Native experience. So if you, for example, are concerned about runtime security or application delivery concerns within there, those are some really good places to find people knowledgeable about, that even when the conference isn't going on to get a sense of what's going on. And then TAG security has also published recently version two of their security report which is free accessible online. They can actually look through that, see what some of the recent topics are and points of focus and of interest are within our community. There are also other organizations like Open SSF which is taking a deeper dive into security. You know, initially kind of having a little bit more of an academic focus on that space and then now getting further into things around software bill materials or SBOMs supply chain security and other topics as well. >> John: Well we love you guys doing this. We think it's very big deal. We think it's important. We're starting to see events post COVID take a certain formation, you know joking aside about the event operating systems smaller events are happening, but they're tied together. And so this is key. And of course the critical need is our businesses are under siege with threats, ransomware, security challenges, that's IT moves to Cloud Native, not everyone's moved over yet. So that's in progress. So there's a huge business imperative and the hackers have a business model. So this isn't like pie in the sky, this is urgent. So, that being said, how do you see this developing from who should attend the next one or who are you looking for to be involved to get input from you guys are open arms and very diverse and great great culture there, but who are you looking for? What's the makeup persona that you hope to attract and nurture and grow? >> Taylor: Absolutely. I, think that when it comes to trying the folks that we're looking for the correct answer is it varies you know, from, you know, you're asking Priyanka or our executive director or Chris Aniszczyk our CTO, I work mostly with the end users, so for me personally I really want to see folks that are operating within our ecosystem and actually pulling these down, these projects down and using them and sharing those stories. Because there are people creating these projects and contributing to them might not always have an idea of how they're used or how they can be exploited too. A lot of these groups that I work with like Mercedes or Intuit for example, they're out there in the world using these, these projects and getting a sense for, you know, what can come up. And by sharing that knowledge I think that's what's most important across the board. So really looking for those stories to be told and novel ways in which people are trying to exploit security and attacking the supply chain, or building applications, or just things we haven't thought about. So truly that that developer archetype is really helpful to have the consumers, the end users, the folks that are actually using these. And then, yeah, and I'm truly anywhere knowledgeable about security or that wants to learn more >> John: Super important, we're here to help you scale those stories up whatever you need, send them our way. We're looking forward to getting those. This is a super important movement getting the end users who are on the front lines bringing it back into the open, building, more software, making it secure and verified, all super important. We really appreciate the mission you guys are on and again we're here to help. So send those stories our way. >> Taylor: Cool, cool. We couldn't do it without you. Yeah, just everyone contributing, everyone sharing the news. This is it's people, people is the is the true operating system of our ecosystem. So really great to, really great to share. >> Lisa: That's such a great point Taylor. It is all about people. You talked about this event having a different vibe. I wanted to learn a little bit more about that as we, as we wrap up because there's so much cultural change that's required for organizations to evolve their security practices. And so people of course are at the center of culture. Talk a little bit about why that vibe is different and do you think that yeah, it's finally time. Everyone's getting on the same page here we're understanding, we're learning from each other. >> Taylor: Yes. So, so to kind of answer that, I think it's really a focus on, there's this term shift left and shift right. And talking about where do we actually put security in the mix as it comes to people adopting this and and figuring out where things go. And if you keep shifting at left, that meaning that the developers should care more deeply about this and a deeper understanding of all of these, you know, even if it's, even if they don't understand how to put it together, maybe understand a little bit about it or how these topics and, and facets of knowledge work. But you know, like with anything, if you shift everything off to one side or the other that's also not going to be efficient. You know, you want a steady stream of knowledge flowing throughout your whole organization. So I think that that's been something that has been a really interesting topic and, and hearing people kind of navigate and try to get through, especially groups that have had, you know, deployed an app and it's going to be around for 40 years as well. So I think that those are some really interesting and unique areas of focus that I've come up on the floor and then in a couple of the sessions here >> Lisa: There's got to be that, that balance there. Last question as we wrap the last 30 seconds or so what are you excited about given the success and the momentum of day one? What excites you about what's ahead for us on day two? >> Taylor: So on day two, I'm really, it's, there's just so many sessions. I think that it was very difficult for me to, you know pick which one I was actually going to go see. There are a lot of favorites that I had kind of doubled up at each of the time so I'm honestly going to be in a lot of the sessions today. So really excited about that. Supply chain security is definitely one that's close to my heart as well but I'm really curious to see what new topics, concepts or novel ideas people have to kind of exploit things. Like one for example is a package is out there it's called Browser Test but somebody came up with one called Bowser Test. Just a very simple misname and then when you go and run that it does a fake kind of like, hey you've been exploited and just even these incorrect name attacks. That's something that is really close and dear to me as well. Kind of hearing about all these wild things people wouldn't think about in terms of exploitation. So really, really excited to hear more stories on that front and better protect myself both at home and within the Cloud Community as I stand these things up. >> Lisa: Absolutely you need to clone yourself so that you can, there's so many different sessions. There needs to be multiple versions of Taylor that you can attend and then you can all get together and talk about and learn. But that's actually a really good problem to have as we mentioned when we started 72 sessions yesterday and today. Lots of great content. Taylor, we thank you for your participation. We thank you for bringing the vibe and the buzz of the event to us and we look forward as well to hearing and seeing what day two brings us today. Thank you so much for your time Taylor. >> Taylor: Thank you for having me. >> John: All right >> Lisa: Right, for our guest and John Furrier, I'm Lisa Martin. You're watching theCube's Day two coverage of Cloud Native Security Con 23. (energetic music plays)

(upbeat music) >> Hey, everyone. Welcome back to theCUBE's day one coverage of Cloud Native SecurityCon 2023. This has been a great conversation that we've been able to be a part of today. Lisa Martin with John Furrier and Dave Vellante. Dave and John, I want to get your take on the conversations that we had today, starting with the keynote that we were able to see. What are your thoughts? We talked a lot about technology. We also talked a lot about people and culture. John, starting with you, what's the story here with this inaugural event? >> Well, first of all, there's two major threads. One is the breakout of a new event from CloudNativeCon/KubeCon, which is a very successful community and events that they do international and in North America. And that's not stopping. So that's going to be continuing to go great. This event is a breakout with an extreme focus on security and all things security around that ecosystem. And with extensions into the Linux Foundation. We heard Brian Behlendorf was on there from the Linux Foundation. So he was involved in Hyperledger. So not just Cloud Native, all things containers, Kubernetes, all things Linux Foundation as an open source. So, little bit more of a focus. So I like that piece of it. The other big thread on this story is what Dave and Yves were talking about on our panel we had earlier, which was the business model of security is real and that is absolutely happening. It's impacting business today. So you got this, let's build as fast as possible, let's retool, let's replatform, refactor and then the reality of the business imperative. To me, those are the two big high-order bits that are going on and that's the reality of this current situation. >> Dave, what are your top takeaways from today's day one inaugural coverage? >> Yeah, I would add a third leg of the stool to what John said and that's what we were talking about several times today about the security is a do-over. The Pat Gelsinger quote, from what was that, John, 2011, 2012? And that's right around the time that the cloud was hitting this steep part of the S-curve and do-over really has meant in looking back, leveraging cloud native tooling, and cloud native technologies, which are different than traditional security approaches because it has to take into account the unique characteristics of the cloud whether that's dynamic resource allocation, unlimited resources, microservices, containers. And while that has helped solve some problems it also brings new challenges. All these cloud native tools, securing this decentralized infrastructure that people are dealing with and really trying to relearn the security culture. And that's kind of where we are today. >> I think the other thing too that I had Dave is that was we get other guests on with a diverse opinion around foundational models with AI and machine learning. You're going to see a lot more things come in to accelerate the scale and automation piece of it. It is one thing that CloudNativeCon and KubeCon has shown us what the growth of cloud computing is is that containers Kubernetes and these new services are powering scale. And scale you're going to need to have automation and machine learning and AI will be a big part of that. So you start to see the new formation of stacks emerging. So foundational stacks is the machine learning and data apps are coming out. It's going to start to see more apps coming. So I think there's going to be so many new applications and services are going to emerge, and if you don't get your act together on the infrastructure side those apps will not be fully baked. >> And obviously that's a huge risk. Sorry, Dave, go ahead. >> No, that's okay. So there has to be hardware somewhere. You can't get away with no hardware. But increasingly the security architecture like everything else is, is software-defined and makes it a lot more flexible. And to the extent that practitioners and organizations can consolidate this myriad of tools that they have, that means they're going to have less trouble learning new skills, they're going to be able to spend more time focused and become more proficient on the tooling that is being applied. And you're seeing the same thing on the vendor side. You're seeing some of these large vendors, Palo Alto, certainly CrowdStrike and fundamental to their strategy is to pick off more and more and more of these areas in security and begin to consolidate them. And right now, that's a big theme amongst organizations. We know from the survey data that consolidating redundant vendors is the number one cost saving priority today. Along with, at a distant second, optimizing cloud costs, but consolidating redundant vendors there's nowhere where that's more prominent than in security. >> Dave, talk a little bit about that, you mentioned the practitioners and obviously this event bottoms up focused on the practitioners. It seems like they're really in the driver's seat now. With this being the inaugural Cloud Native SecurityCon, first time it's been pulled out of an elevated out of KubeCon as a focus, do you think this is about time that the practitioners are in the driver's seat? >> Well, they're certainly, I mean, we hear about all the tech layoffs. You're not laying off your top security pros and if you are, they're getting picked up very quickly. So I think from that standpoint, anybody who has deep security expertise is in the driver's seat. The problem is that driver's seat is pretty hairy and you got to have the stomach for it. I mean, these are technical heroes, if you will, on the front lines, literally saving the world from criminals and nation-states. And so yes, I think Lisa they have been in the driver's seat for a while, but it it takes a unique person to drive at those speeds. >> I mean, the thing too is that the cloud native world that we are living in comes from cloud computing. And if you look at this, what is a practitioner? There's multiple stakeholders that are being impacted and are vulnerable in the security front at many levels. You have application developers, you got IT market, you got security, infrastructure, and network and whatever. So all that old to new is happening. So if you look at IT, that market is massive. That's still not transformed yet to cloud. So you have companies out there literally fully exposed to ransomware. IT teams that are having practices that are antiquated and outdated. So security patching, I mean the blocking and tackling of the old securities, it's hard to even support that old environment. So in this transition from IT to cloud is changing everything. And so practitioners are impacted from the devs and the ones that get there faster and adopt the ways to make their business better, whether you call it modern technology and architectures, will be alive and hopefully thriving. So that's the challenge. And I think this security focus hits at the heart of the reality of business because like I said, they're under threats. >> I wanted to pick up too on, I thought Brian Behlendorf, he did a forward looking what could become the next problem that we really haven't addressed. He talked about generative AI, automating spearphishing and he flat out said the (indistinct) is not fixed. And so identity access management, again, a lot of different toolings. There's Microsoft, there's Okta, there's dozens of companies with different identity platforms that practitioners have to deal with. And then what he called free riders. So these are folks that go into the repos. They're open source repos, and they find vulnerabilities that developers aren't hopping on quickly. It's like, you remember Patch Tuesday. We still have Patch Tuesday. That meant Hacker Wednesday. It's kind of the same theme there going into these repos and finding areas where the practitioners, the developers aren't responding quickly enough. They just don't necessarily have the resources. And then regulations, public policy being out of alignment with what's really needed, saying, "Oh, you can't ship that fix outside of Germany." Or I'm just making this up, but outside of this region because of a law. And you could be as a developer personally liable for it. So again, while these practitioners are in the driver's seat, it's a hairy place to be. >> Dave, we didn't get the word supercloud in much on this event, did we? >> Well, I'm glad you brought that up because I think security is the big single, biggest challenge for supercloud, securing the supercloud with all the diversity of tooling across clouds and I think you brought something up in the first supercloud, John. You said, "Look, ultimately the cloud, the hyperscalers have to lean in. They are going to be the enablers of supercloud. They already are from an infrastructure standpoint, but they can solve this problem by working together. And I think there needs to be more industry collaboration. >> And I think the point there is that with security the trend will be, in my opinion, you'll see security being reborn in the cloud, around zero trust as structure, and move from an on-premise paradigm to fully cloud native. And you're seeing that in the network side, Dave, where people are going to each cloud and building stacks inside the clouds, hyperscaler clouds that are completely compatible end-to-end with on-premises. Not trying to force the cloud to be working with on-prem. They're completely refactoring as cloud native first. And again, that's developer first, that's data first, that's security first. So to me that's the tell sign. To me is if when you see that, that's good. >> And Lisa, I think the cultural conversation that you've brought into these discussions is super important because I've said many times, bad user behavior is going to trump good security every time. So that idea that the entire organization is responsible for security. You hear that all the time. Well, what does that mean? It doesn't mean I have to be a security expert, it just means I have to be smart. How many people actually use a VPN? >> So I think one of the things that I'm seeing with the cultural change is face-to-face problem solving is one, having remote teams is another. The skillset is big. And I think the culture of having these teams, Dave mentioned something about intramural sports, having the best people on the teams, from putting captains on the jersey of security folks is going to happen. I think you're going to see a lot more of that going on because there's so many areas to work on. You're going to start to see security embedded in all processes. >> Well, it needs to be and that level of shared responsibility is not trivial. That's across the organization. But they're also begs the question of the people problem. People are one of the biggest challenges with respect to security. Everyone has to be on board with this. It has to be coming from the top down, but also the bottom up at the same time. It's challenging to coordinate. >> Well, the training thing I think is going to solve itself in good time. And I think in the fullness of time, if I had to predict, you're going to see managed services being a big driver on the front end, and then as companies realize where their IP will be you'll see those managed service either be a core competency of their business and then still leverage. So I'm a big believer in managed services. So you're seeing Kubernetes, for instance, a lot of managed services. You'll start to see more, get the ball going, get that rolling, then build. So Dave mentioned bottoms up, middle out, that's how transformation happens. So I think managed services will win from here, but ultimately the business model stuff is so critical. >> I'm glad you brought up managed services and I want to add to that managed security service providers, because I saw a stat last year, 50% of organizations in the US don't even have a security operations team. So managed security service providers MSSPs are going to fill the gap, especially for small and midsize companies and for those larger companies that just need to augment and compliment their existing staff. And so those practitioners that we've been talking about, those really hardcore pros, they're going to go into these companies, some large, the big four, all have them. Smaller companies like Arctic Wolf are going to, I think, really play a key role in this decade. >> I want to get your opinion Dave on what you're hoping to see from this event as we've talked about the first inaugural standalone big focus here on security as a standalone. Obviously, it's a huge challenge. What are you hoping for this event to get groundswell from the community? What are you hoping to hear and see as we wrap up day one and go into day two? >> I always say events like this they're about educating, aspiring to action. And so the practitioners that are at this event I think, I used to say they're the technical heroes. So we know there's going to be another Log4j or a another SolarWinds. It's coming. And my hope is that when that happens, it's not an if, it's a when, that the industry, these practitioners are able to respond in a way that's safe and fast and agile and they're able to keep us protected, number one and number two, that they can actually figure out what happened in the long tail of still trying to clean it up is compressed. That's my hope or maybe it's a dream. >> I think day two tomorrow you're going to hear more supply chain, security. You're going to start to see them focus on sessions that target areas if within the CNCF KubeCon + CloudNativeCon area that need support around containers, clusters, around Kubernetes cluster. You're going to start to see them laser focus on cleaning up the house, if you will, if you can call it cleaning up or fixing what needs to get fixed or solved what needs to get solved on the cloud native front. That's going to be urgent. And again, supply chain software as Dave mentioned, free riders too, just using open source. So I think you'll see open source continue to grow, but there'll be an emphasis on verification and certification. And Docker has done a great job with that. You've seen what they've done with their business model over hundreds of millions of dollars in revenue from a pivot. Catch a few years earlier because they verify. So I think we're going to be in this verification blue check mark of code era, of code and software. Super important bill of materials. They call SBOMs, software bill of materials. People want to know what's in their software and that's going to be, again, another opportunity for machine learning and other things. So I'm optimistic that this is going to be a good focus. >> Good. I like that. I think that's one of the things thematically that we've heard today is optimism about what this community can generate in terms of today's point. The next Log4j is coming. We know it's not if, it's when, and all organizations need to be ready to Dave's point to act quickly with agility to dial down and not become the next headline. Nobody wants to be that. Guys, it's been fun working with you on this day one event. Looking forward to day two. Lisa Martin for Dave Vellante and John Furrier. You're watching theCUBE's day one coverage of Cloud Native SecurityCon '23. We'll see you tomorrow. (upbeat music)

(rousing music) >> Hello everyone. Welcome back to "theCUBE's" day one coverage of Cloud Native Security Con 23. This is going to be an exciting panel. I've got three great guests. I'm Lisa Martin, you know our esteemed analysts, John Furrier, and Dave Vellante well. And we're excited to welcome to "theCUBE" for the first time, Yves Sandfort, the CEO of Comdivision Group, who's coming to us from Germany. As you know, Cloud Native Security Con is a global event. Everyone welcome Yves, great to have you in particular. Welcome to "theCUBE." >> Great to be here. >> Thank you for inviting me. >> Yves, tell us a little bit, before we dig into really wanting to understand your perspectives on the event and get Dave and John's feedback as well, tell us a little bit about you. >> So yeah, talking about me, or talking about Comdivision real quick. We are in the business for over 27 years already. We started as a SaaS company, then became more like an architecture and, and Cloud Native company over the last few years. But what's interesting is, and I think that's, that's, that's really interesting when we look at our industry. It hasn't really, the requirements haven't really changed over the years. It's still security. We still have to figure out how we deal with security. We still have to figure out how we deal with compliance and everything else. And I think therefore, it's more and more important that we take these items more seriously. Also, based on the fact that when we look at it, how development and other things happen nowadays, it's, it's, everybody says it's like open source. It's great because everybody can look into the code. We, I think the last few years have shown us enough example that that's not necessarily solving all the issues, but it's also code and development has changed rapidly when we look at the Cloud Native approach, where it's far more about gluing the pieces together, versus the development pieces. When I was actually doing software development 25 years ago, and had to basically build my code because I didn't have that much internet access for it. So it has evolved, but even back then we had to deal with security and everything. >> Right. The focus on security is, is incredibly important, and the focus keeps growing as you mentioned. This is, guys, and I want to get your perspectives on this. We're going to start with John. This is the first time Cloud Native Security Con is its own event being extracted from, and amplified from KubeCon. John, I want to understand from your perspective, break down the event, what you see, what you've heard, and Cloud Native Security in general. What does this mean to companies? What does it mean to customers? Is this a reality? >> Well, I think that's the topic we want to discuss, and I think Yves background, you see the VMware certification, I love that. Because what VMware did with virtualization, was abstract that from server virtualization, kind of really changed the game on things, and you start to see Cloud Native kind of go that next level of how companies will be operating their business, not just digital transformation, as digital transformation goes to completion, it's total business transformation where IT is everywhere. And so you're starting to see the trends where, "Okay, that's happening." Now you're starting to see, that's Cloud Native Con, or KubeCon, AWS re:Invent, or whatever show, or whatever way you want to look at it. But in, in the past decade, past five years, security has always been front and center as almost a separate thing, and, in and of itself, but the same thing. So you're starting to see the breakout of security conversations around how to make things work. So a lot of operational conversations around what used to be DevOps makes infrastructure as code, and that was great, that fueled that. Then DevSecOps came. So the Cloud Native next level, is more application development at scale, developers driving the standards with developer first thinking, shifting left, I get all that. But down in the lower ends of the stack, you got real operational issues. DNS we've heard in the keynote, we heard about the Colonel, the Lennox Colonel. Things that need to be managed and taken care of at a security level. These are like, seem like in the weeds, but you're starting to see that happen. And the other thing that I think's real about Cloud Native Security Con that's going to be interesting to watch, is Amazon has pretty much canceled all their re:Invent like shows except for two; Re:Invent, which is their annual conference, and Re:Inforce, which is dedicated to securities. So Cloud Native, Linux, the Linux Foundation has now breaking out Cloud Native Con and KubeCon, and now Cloud Native Security Con. They can't call it KubeCon because it's not Kubernetes, but it's like security focus. I think this is the beginning of starting to see this new developer driving, developers driving the standards, and it has it implications, what used to be called IT ops, and that's like the VMwares of the world. You saw all the stuff that was not at developer focus, but more ops, becoming much more in the application. So I think, I think it's real. The question is where does it go? How fast does it develop? So to me, I think it's a real trend, and it's worthy of a breakout, but it's not yet clear of where the landing zone is for people to start doing it, how they get started, what are the best practices. Machine learning's going to be a big part of this. So to me it's totally cool, but I'm not yet seeing the beachhead. So that's kind of my take. >> Dave, our inventor and host of breaking analysis, what's your take? >> So when you, I think when you zoom out, there's some, there's a big macro change that's been going on. I think when you look back, let's say 10, 12 years ago, the, the need for speed far trumped the, the, the security aspect, the governance, the data privacy. It was like, "Yeah, the risks, they're not that great compared to our opportunity." That has completely changed because the risks are now so much higher. And so what's happening, I think there's a, there's a major effort amongst CIOs and CISOs to try to make security not a blocker because it use to be, it still is. "Okay, I got this great initiative." Eh, give it to the SecOps pros, and let them take it for a while before we can go to market. And so a huge challenge now is to simplify, automate, AI comes in, the whole supply chain security, so the, so the companies can not be facing so much friction. And that is non-trivial. I don't think we're anywhere close there, but I think the goal is by, within the next several years, we're going to be in a position, that security, we heard today, is, wasn't designed in to the initial internet protocols. It was bolted on. And so increasingly, the fundamental architecture of the internet, the Cloud, et cetera, is, is seeing designed in security, and, and that is an imperative, or else business is going to come to a grinding halt. >> Right. It's no longer, the bolt no longer works. Yves, what's your perspective on Cloud Native Security, where it stands today? What's in it for customers, whether we're talking about banks, or hospitals, or retailers, what do you think? >> I think when we, when we look at security in the, in the modern world, is we need to as, as Dave mentioned, we need to rethink how we apply it. Very often, security in the past has been always bolted on in the end. If we continue to do that, it'll become more and more difficult, because as companies evolve, and as companies want to bring products and software to market in a much faster and faster way, it's getting more and more difficult if we bolt on the security process at the end. It's like, developers build something and then someone checks security. That's not going to work any longer. Especially if we also consider now the changes in the industry. We had Stack Overflow over the last 10 years. If I would've had Stack Overflow 15, 20, what, 25 years ago when I was a developer, it would've changed a hell lot. Looking at it now, and looking at it what we had in the last few weeks, it's like where nearly all of my team members say is like finally I don't need any script kiddies anymore because I can't go to (indistinct) who writes the code for me. Which is on one end great, because it enables us to solve certain problems in a much higher pace. But the challenge with that is, if the people who just copy and past that code, don't understand the implications of that code, we have a much higher risk continuously. And what people thought was, is challenging with Stack Overflow. Imagine that something in one of these AI engines, is actually going ballistic, and it creates holes in nearly every one of these applications. And trust me, there will be enough developers who are going to use these tools to develop codes, the same as students in university are going to take this to write their essays and everything else. And so it's really important that every developer team basically has a security person within their team, and not a security at the end. So we build something, we check it, go through QA, and then it goes to security. Security needs to be at the forefront. And I think that's where we see Cloud Native Security Con, where we see AWS. I saw it during re:Invent already where they said is like, we have reinforced next year. I think this becomes more and more of a topic, and I think companies, as much as it is become a norm that you have a firewall and everything else, it needs to become a norm that when you are doing software development, and every development team needs to have a security person on that needs to be trained. >> I love that chat comment Dave, 'cause you and I were talking about this. And I think that is going to be the issue. Do we need security chat for the chat bot? And there's like a, like a recursive model there. The biases are built in. I think, and I think our interview with the Palo Alto Network's co-founder, Dave, when he talked about zero trust as a structured way to start things, but he was referencing that with Cloud, there's a chance to rethink or do a do-over in security. So, I think this is kind of to me, where this is all going. And I think you asked Pat Gelsinger what, year 2013, 2014, can, is security a do over? I think we're in that do over time. >> He said yes. >> He said yes. (laughing) He was right. But yeah, eight years later... But this is, how do you, zero trust gives you some structure, but how do you organize and redo security? Because to me, I think that's what's happening here. >> And John you heard, Zuk at Palo Alto Network said, "Yeah, the, the words security and architecture, they don't go together historically." And so it is a total, total retake. >> Well is that because there's too many tools out there and- >> Yeah. For sure. >> Yeah, well, first of all, a lot of hardware. And then yeah, a lot of tools. You even see IIOT and industry 40, you see IOT security coming up as another stove pipe, and that's not the right approach. And, and so- >> Well let me, let me ask you a question Dave, and Yves, if you don't mind. 'Cause I was just riffing on this yesterday about this. In the ML space, you're seeing the ML models, you're seeing proprietary models versus open source. Is security going to go down this proprietary security methods and open source? Because that's interesting, because the CNCF is run by the the Linux Foundation. So you can almost maybe see a model where there's more proprietary security methods than open source. Or is it, is that a non-issue? >> I would, I would, let me, if I, if I jump in here first, I think the last, especially last five or 10 years have clearly shown the, the whole and, and I invested early on in the, in the end 90s in several open source startups in the Bay area. So, I'm well behind the whole open source idea and, and mid (indistinct) and others back then several times. But the point is, I think what we have seen is open source is not in general, more secure or less secure, because code is too complex nowadays. You have millions of lines of code, and it's not that either one way or the other is going to solve it. The ways I think we are going to look at it is more is what's the role to market, because only because something is open source doesn't necessarily mean it's going to be available for everyone. And the same for proprietary source from that perspective, even though everybody mixes licensing and payments and all that all the time, but it doesn't necessarily have anything to do with it. But I think as we are going through it, and when we also look at the industry, security industry over the last 10 plus years has been primarily hardware focused. And a lot of these vendors have done a good business out of selling hardware boxes, putting software on top of it. Whereas in reality, those were still X86 standard boxes in the end. So it was not that we had specific security ethics or anything like that in there anymore. And so overall, the question of the market is going to change. And as we are looking into Cloud Native, think about someone like an AWS, do you really envision them to have a hardware box of every supplier in their data center, and that in every availability zone in every region? Same for Microsoft, same for Google, etc? So we need to have new ways on how we can apply security. And that applies both on the backend services, but also on the front end side. >> And if I, and if I could chime in, I think the, the good, I think the answer is, is, is no and yes. And what I mean by that is if you take, antivirus and known malware, I mean pretty much anybody today can, can solve that problem, it's the unknown malware. So I think the yes part of the answer is yes, it's, it's going to be proprietary, but in the sense we're going to use open source tooling, and then apply that in a proprietary way with, with specific algorithms and unique architectures that are going to solve problems. For example, XDR with, with unknown malware. So, and that's the, that's the hard part. As somebody said, I think this morning at the keynote, it's, it's all the stuff that, that the SecOps team couldn't find. That's the really hard part. >> (laughs) Well the question will be will, is the new IP, the ability to feed ChatGPT some magical spelled insertion query string that does the job, that's unique, that might be the new IP, the the question to ask. >> Well, that's what the hackers are going to do. And I, they're on offense. (John laughs) And the offense knows what play is coming. So, they're going to start. >> So guys, let's take this conversation up a level. I want to get your perspectives on what's in this for me as a customer? We know security is a board level conversation. We talk about this all the time. We also know that they're based on, I think David, was the conversations that you and I had, with Palo Alto Networks at Ignite in December. There's a, there's a lack of alignment between the executives and the board from a security perspective. When we talk about Cloud Native Security, we all talked about the value in that, what's in it for customers? I want to get your perspectives on should this be a board level conversation, and if so, how do you advise organizations, whether it is a hospital, or a bank, or an organization that is really affected by things like ransomware? How should they be thinking about this from an organizational perspective? >> Well, I'll start first, because we had this conversation during our Super Cloud event last month, and this comes up a lot. And this is, the CEO board level. Yes it is a board level conversation for security, as is application development as in terms of transforming their business to be competitive, not to be on the wrong side of history with this wave coming. So I think that's more of a management. But the issue is, they tell their people, "Go do it." And they're like, 'cause they get sold on the idea of, "Hey, won't you transform your business, and everything's going to be data driven, and machine learning's going to power your apps, get new customers, be profitable." "Oh, sign me up for that." When you have to implement this, it's really hard. And I think the core issue is, where are companies in their life cycle of the ability to execute and architect this thing properly as Dave said, Nick Zuk said, "You can't have architecture and security, you need platforms." So, I think the re-platforming, and the re-factoring of business is a big factor, and that's got to get down into the, the organizational shifts and the people to do it. So are there skills? Do I do a managed service? How do I architect it? Are there more services? Are there developers doing applications that are going to be more agile? So, this is not an easy thing. And to move a business from IT operations that is proven, to be positioned for this enablement, is just really difficult. And it's expensive. And if you screw it up, you could be, could be on the wrong side of things. So, to me, that's the big issue is, you sell the dream and then you got to implement it. And that's really difficult. >> Yves, give us your perspective on, based on John's comments, how do organizations shift so dramatically? There's a cultural element there as well, but there's also organizations that are, have competitive competitors in the rear view mirror, and there's time to waste. What are your thoughts on that? >> I think that's exactly the point. It's like, as an organization, you need to take the decision between the time, the risk, and all the other elements we have into this game. Because you can try to achieve 100% security, but that's exactly the same as trying to, to protect gold or anything else 100%. It's most likely not going to be from a risk perspective anyway sensible. And that's the same from a corporational perspective. When you look at building new internet services, or IOT services, or any kind of new shopping experience or whatever else, you need to balance out between the risks and the advantages out of it. And you also need to be accepting that you potentially on the way make mistakes, but then it's more important than ever that you are able to quickly fix any mistakes, and to adjust to anything what's happening in the market. Because as we are building all these new Cloud Native applications, and build up all these skill sets, one of the big scenarios is we are far more depending on individual building blocks. These building blocks come out of open source communities, which have a much different way. When we look back in software development, back then we had application servers from Oracle, Web Logic, whatsoever, they had a release cycles of every three to six months. As now we have to deal with open source, where sometimes release cycles are on a four week schedule, in between security patches. So you need to be much faster in adopting that, checking that, implementing that, getting things to work. So there is a security stretch from that perspective. There is a speech stretch on the other thing companies have to deal with, and on the other side it's always a measurement between the risk, and the security you can afford. Because reality is, you will not be 100% protected no matter what you do. So, you need to balance out what you as an organization can actually build on. But I think, coming back also to the point, it's on the bot level nowadays. It's like nearly every discussion we have with companies nowadays as they move into the Cloud, especially also here in Europe where for the last five years, it was always, it's like "It's data privacy." Data privacy is no longer, I mean, yes, for certain people, it's still the point, but for many more people it's like, "How protected is my data?" "What do we do in case of ransomware attack?" "What do we do in case of a denial of service?" All of these things become more vulnerable, where in the past you were discussing these things with a becking page, or, or like a stock exchange. They were, it's like, "What the hell is going to happen if we have a denial of service?" Now all of the sudden, this now affects nearly everyone in their storefronts and everything else, because everything is depending on it. >> Yeah, I think you're right on. You think about how cultural change occurs, it's bottom ups or, bottom up, top down or middle out. And what, what's happened with security is the people in the security team cared about it, they were the, everybody said, "Oh, it's their problem." And then it just did an end run to the board, kind of mid, early last decade. And then the board sort of pushed that down. And the line of business is realizing, "Holy cow. My business, my EBIT can be dramatically affected by this, so I care." Now it's this whole house, cultural team sport. I know it's sort of a, a cliche, but it, it's true. Everybody actually is beginning to care about security because the risks are now so high, and it's going to affect not only the bottom line of the company, the bottom line of the business, their job, it's, it's, it's virtually everywhere. It's a huge cultural shift that we're seeing. >> And that's a big challenge for organizations in any industry. And Yves, you talked about ransomware service. Every industry across the globe is vulnerable to this. But how can, maybe John, we'll start with you. How can Cloud Native Security help organizations if they're able to embrace it, operationally, culturally, dial down some of the vulnerabilities that just seem to keep growing? >> Well, I mean that's the big question. The breaches are, are critical. The governances also could be a way that anchors down growth. So I think the balance between the governance compliance piece of it is key, but making the developers faster and more productive is the key to me. And I think having the security paradigm where they're not blockers, as Dave said, is critical. So I love the whole shift left, but now that we have more data focused initiatives around how that, you can use data to understand the security issues, I think data and security are together, and I think there's a going to be a data operating system model emerging, where data and security will be almost one thing. And that will be set up by the security teams, and the data teams together. And that will feed guardrails into the developer environment. So the developer should feel no pain at all in doing this. So I think the best practice will end up being what we're seeing with supply chain, security, with making sure code's verified. And you're going to see the container, security side completely address has been, and KubeCon, we just, I asked Scott Johnson, the CEO of Docker, and I asked him directly, "Are you guys all tight on container security?" He said, yes, but other people are suggesting that's not true. There's a lot of issues with the container security. So, there's all kinds of areas where there's holes. So Cloud Native is cool on one hand, and very relevant, but if it's not shored up, it's going to be a problem. But I, so I think that's where the action will be, at the developer pipeline, in the containers, and the data. So, that will be very relevant, and if companies nail that, they'll be faster, they'll have better apps, and that'll be the differentiator. And again, if they don't on this next wave, they're going to be driftwood. >> Dave, how do they prevent becoming driftwood? >> Well, I think Cloud has had a huge impact. And a Cloud's by no means a panacea, but let's face it, it's dramatically improved a lot of companies security posture. Now there's still that shared responsibility. Even though an S3 bucket is encrypted, it's still your responsibility to make sure that it doesn't get decrypted by somebody who has access to it. So there are things like that, but to Yve's earlier point, that can be, that's done through software now, it's done through best practices. Those best practices can be shared. So the way you, you don't become driftwood, is you start to, you step back, rethink that security architecture as we were talking about earlier, take advantage of the Cloud, take advantage of Cloud Native, and all the, the rapid pace of innovation that's occurring there, and you don't use, it's called before, The audit is the last line of defense. That's no longer a check box item. "Oh yeah, we're in compliance." It's, this is a business imperative, and because we're going to reduce our expected loss and reduce our business risk. That's part of the business case today. >> Yeah. >> It's a huge, critically important part of the business case. Yves, question for you. If you're in an elevator with a CEO, a CFO, and a CISO, and they're talking about security and Cloud Native Security, what's your value proposition to them on a, on a say a 32nd elevator ride? >> Difficult story. I think at the moment, the most important part is, we need to get people to work together, and we need to train people to work more much better together. I think that's the overall most important part for all of these solutions, because in the end, security is always a person issue. If, we can have the best tools in the industry, as long as we don't get all of these teams to work together, then we have a problem. If the security team is always seen as the end of the solution to fix everything, that's not going to work because they always are the bad guys in the game. And so we need to bring the teams together. And once we have the teams work together, I think we have a far better track on, on maintaining security. >> John and Dave, I want to get your perspectives on what Yves just said. In all the experience that the two of you have as industry analysts here on "theCUBE," Wikibon, Siliconangle Media. How do you advise organizations to get those teams together? As Eve said, that alignment is critical, but John, we'll start with you, then Dave go to you. What's your advice for organizations that need to align those teams and really don't have a lot of time to wait to do it? >> (chuckling) That's a great question. I think, I think that's everyone pays hundreds of thousands of millions of dollars to get that advice from these consultants, organizations out there doing the transformations. But I think it comes down to personnel and commitment. I think if there's a C-level commitment to the effort, you'll see the institutional structure change. So you can see really getting behind it with their, with their wallet and their, and their support of either getting more personnel to support and assist, or manage services, or giving the power to the teams to execute and doing it in a way that, that's, that's well known and best practices. Start small, build out the pilots, build the platform, and then start getting it right. And I think that's the key. Not the magic wand, the old model of rolling out stuff in, in six month cycles. It's really, get the proof points, double down and change the culture, but also execute and have real metrics. And changing the architecture, like having more penetration tests as a service. Doing pen tests is like a joke now. So that doesn't make any sense. You got to have that built in almost every day, and every minute. So, these kinds of new techniques have to be implemented and have to be tried. So that's why these communities are growing. That's why I like what open source has been doing, and I like the open source as the place to have these conversations, because that's where the action will be for new stuff. And I think people will implement open source like they did before, but with different ways, better testing, better supply chain on the software side, verifying code. So, I see open source actually getting a tailwind from this, not a headwind. So, I'm bullish on the open source piece here on, on all levels, machine learning- >> Lisa, my answer is intramural sports. And it's 'cause I think it's cultural. And what I mean by that, is you take your your best and brightest security, and this is what frankly, a lot of CISOs do, an examples is Lena Smart, MongoDB. Take your best and brightest security pros, make them captains of the intramural teams, and pair them up with pods of individuals across the organization, which is most people who don't know anything about security, and put them together, so that they can, they, so that the folks that understand security can, can realize how little people know, what, what, what, how, what the worst practices that are out there in the reverse, how they can cross pollinate. And they do that on a regular basis, I know at Mongo and other companies. And that kind of cultural assimilation is a starting point for how you get security awareness up to your question around making it a team sport. >> Absolutely critical. Yves, I want to kind of wrap things with you. We've got a couple of minutes left. When you're really looking at the Cloud Native community, the growth of it, we talked about earlier in the program, Cloud Native Security Con being now extracted and elevated out of KubeCon, what are your thoughts on the groundswell that this community is generating around Cloud Native Security, the benefits that organizations will achieve from it? >> I think overall, when we have these securities conferences, or these security arms a bit spread out and separated out of the main conference, it helps to a certain degree, because especially in the security space, when you look at at other like black hat or white hat conferences and things like that in the past, although they were not focused on Cloud Native, a lot of these security folks didn't feel well taken care of in any of the other conferences because they were always these, it's like they are always blocking us, they're always making us problems, and all these kinds of things. Now that we really take the Cloud Native piece and the security piece together, or like AWS does it with re:Inforce, I think we will see more and more that people understand is that security is a permanent topic we need to cover, but we need to bring different people together, because security also has compliance and a lot of other components in there. So we will see at these conferences moving forward, also a different audience. It's not going to be only the Cloud Native developers. And if I see some of these security audiences, I can't really imagine them to really be at KubeCon because there is too much other things going on. And you couldn't really see much of that at re:Invent because re:Invent by itself has become a complete monster of a conference. It covers too many topics. And so having this very, very important security piece separated, also gives the opportunity, I think, that we can bring in the security people, but also have the type of board level discussions potentially, between the leaders of the industry, to also discuss on how we can evolve, how we can make things better, and how, how we can actually, yeah, evolve our industry for it. Because let's face it, that threat is not going to go away. It's, it's a business. And one of the last security conferences I was on, on the ransomware part, it was one of the topics someone said is like, "Look, currently on average, it takes a hacker group roughly around they said 15 to 20 K to break into a company, and they on average make 100K. It's a business, let's face it. And it's a business we don't like. And ethically, it's no discussion that this is not good, but that's something which is happening. People are making money with it. And as long as that's going to go on, and we have enough countries where these people can hide, it's going to stay and survive. And so, with that being said, it's important for us to really build an industry around this. But I also think it's good that we have separate conferences. In the past we had more the RSA conference, which tried to cover all of these areas. But that is not really fitting Cloud Native and everything else. So I think it's good that we have these new opportunities, the Cloud Native one, but also what AWS brings up for someone. >> Yves, you just nailed it. It just comes down to simple math. It's a fraction. Revenue over cost. And if you could increase the hacker's cost, increase the denominator, their ROI will go down. And that is the game. >> Great point, Dave. What I'm hearing guys, and we can talk about technology for days and days. I know all of you. But there's, there's a big component that, that the elevation of Cloud Native Security, on its own as standalone is critical, as is the people component. You guys all talked about that. We talked about the cultural change necessary for that. Hopefully what we're seeing with Cloud Native Security Con 23, this first event is going to give us more insight over the next couple of days, and the next months or so, as to how this elevation, and how the people can come together to really help organizations from a math perspective as, as Dave talked about, really dial down the risks there, understand more of the vulnerabilities so that ransomware as a service is not as lucrative as it is today. Guys, so much appreciate your time, really breaking down Cloud Native Security, the value in it from different perspectives, and what your thoughts are on where it's going. Thanks so much for your time. >> All right. Thanks. >> Thanks, Lisa. >> Thank you. >> Thanks, Yves. >> All right. For my guests, I'm Lisa Martin. You're watching theCUBE's day one coverage of Cloud Native Security Con 23. Thanks for watching. (rousing music)

(upbeat music) >> Hey everyone and welcome to theCUBE's coverage day one of CloudNativeSecurityCon '23. Lisa Martin here with John Furrier and Dave Vellante. Dave and John, great to have you guys on the program. This is interesting. This is the first inaugural CloudNativeSecurityCon. Formally part of KubeCon, now a separate event here happening in Seattle over the next couple of days. John, I wanted to get your take on, your thoughts on this being a standalone event, the community, the impact. >> Well, this inaugural event, which is great, we love it, we want to cover all inaugural events because you never know, there might not be one next year. So we were here if it happens, we're here at creation. But I think this is a good move for the CNCF and the Linux Foundation as security becomes so important and there's so many issues to resolve that will influence many other things. Developers, machine learning, data as code, supply chain codes. So I think KubeCon, Kubernetes conference and CloudNativeCon, is all about cloud native developers. And it's a huge event and there's so much there. There's containers, there's microservices, all that infrastructure's code, the DevSecOps on that side, there's enough there and it's a huge ecosystem. Pulling it as a separate event is a first move for them. And I think there's a toe in the water kind of vibe here. Testing the waters a little bit on, does this have legs? How is it organized? Looks like they took their time, thought it out extremely well about how to craft it. And so I think this is the beginning of what will probably be a seminal event for the open source community. So let's listen to the clip from Priyanka Sharma who's a CUBE alumni and executive director of the CNCF. This is kind of a teaser- >> We will tackle issues of security together here and further on. We'll share our experiences, successes, perhaps more importantly, failures, and help with the collecting of understanding. We'll create solutions. That's right. The practitioners are leading the way. Having conversations that you need to have. That's all of you. This conference today and tomorrow is packed with 72 sessions for all levels of technologists to reflect the bottoms up, developer first nature of the conference. The co-chairs have selected these sessions and they are true blue practitioners. >> And that's a great clip right there. If you read between the lines, what she's saying there, let's unpack this. Solutions, we're going to fail, we're going to get better. Linux, the culture of iterating. But practitioners, the mention of practitioners, that was very key. Global community, 72 sessions, co-chairs, Liz Rice and experts that are crafting this program. It seems like very similar to what AWS has done with re:Invent as their core show. And then they have re:Inforce which is their cloud native security, Amazon security show. There's enough there, so to me, practitioners, that speaks to the urgency of cloud native security. So to me, I think this is the first move, and again, testing the water. I like the vibe. I think the practitioner angle is relevant. It's very nerdy, so I think this is going to have some legs. >> Yeah, the other key phrase Priyanka mentioned is bottoms up. And John, at our predictions breaking analysis, I asked you to make a prediction about events. And I think you've nailed it. You said, "Look, we're going to have many more events, but they're going to be smaller." Most large events are going to get smaller. AWS is obviously the exception, but a lot of events like this, 500, 700, 1,000 people, that is really targeted. So instead of you take a big giant event and there's events within the event, this is going to be really targeted, really intimate and focused. And that's exactly what this is. I think your prediction nailed it. >> Well, Dave, we'll call to see the event operating system really cohesive events connected together, decoupled, and I think the Linux Foundation does an amazing job of stringing these events together to have community as the focus. And I think the key to these events in the future is having, again, targeted content to distinct user groups in these communities so they can be highly cohesive because they got to be productive. And again, if you try to have a broad, big event, no one's happy. Everyone's underserved. So I think there's an industry concept and then there's pieces tied together. And I think this is going to be a very focused event, but I think it's going to grow very fast. >> 72 sessions, that's a lot of content for this small event that the practitioners are going to have a lot of opportunity to learn from. Do you guys, John, start with you and then Dave, do you think it's about time? You mentioned John, they're dipping their toe in the water. We'll see how this goes. Do you think it's about time that we have this dedicated focus out of this community on cloud native security? >> Well, I think it's definitely time, and I'll tell you there's many reasons why. On the front lines of business, there's a business model for security hackers and breaches. The economics are in favor of the hackers. That's a real reality from ransomware to any kind of breach attacks. There's corporate governance issues that's structural challenges for companies. These are real issues operationally for companies in the enterprise. And at the same time, on the tech stack side, it's been very slow movement, like glaciers in terms of security. Things like DNS, Linux kernel, there are a lot of things in the weeds in the details of the bowels of the tech world, protocol levels that just need to be refactored. And I think you're seeing a lot of that here. It was mentioned from Brian from the Linux Foundation, mentioned Dan Kaminsky who recently passed away who found that vulnerability in BIND which is a DNS construct. That was a critical linchpin. They got to fix these things and Liz Rice is talking about the Linux kernel with the extended Berkeley Packet Filtering thing. And so this is where they're going. This is stuff that needs to be paid attention to because if they don't do it, the train of automation and machine learning is going to run wild with all kinds of automation that the infrastructure just won't be set up for. So I think there's going to be root level changes, and I think ultimately a new security stack will probably be very driven by data will be emerging. So to me, I think this is definitely worth being targeted. And I think you're seeing Amazon doing the same thing. I think this is a playbook out of AWS's event focus and I think that's right. >> Dave, what are you thoughts? >> There was a lot of talk in, again, I go back to the progression here in the last decade about what's the right regime for security? Should the CISO report to the CIO or the board, et cetera, et cetera? We're way beyond that now. I think DevSecOps is being asked to do a lot, particularly DevOps. So we hear a lot about shift left, we're hearing about protecting the runtime and the ops getting much more involved and helping them do their jobs because the cloud itself has brought a lot to the table. It's like the first line of defense, but then you've really got a lot to worry about from a software defined perspective. And it's a complicated situation. Yes, there's less hardware, yes, we can rely on the cloud, but culturally you've got a lot more people that have to work together, have to share data. And you want to remove the blockers, to use an Amazon term. And the way you do that is you really, if we talked about it many times on theCUBE. Do over, you got to really rethink the way in which you approach security and it starts with culture and team. >> Well the thing, I would call it the five C's of security. Culture, you mentioned that's a good C. You got cloud, tons of issues involved in cloud. You've got access issues, identity. you've got clusters, you got Kubernetes clusters. And then you've got containers, the fourth C. And then finally is the code itself, supply chain. So all areas of cloud native, if you take out culture, it's cloud, cluster, container, and code all have levels of security risks and new things in there that need to be addressed. So there's plenty of work to get done for sure. And again, this is developer first, bottoms up, but that's where the change comes in, Dave, from a security standpoint, you always point this out. Bottoms up and then middle out for change. But absolutely, the imperative is today the business impact is real and it's urgent and you got to pedal as fast as you can here, so I think this is going to have legs. We'll see how it goes. >> Really curious to understand the cultural impact that we see being made at this event with the focus on it. John, you mentioned the four C's, five with culture. I often think that culture is probably the leading factor. Without that, without getting those teams aligned, is the rest of it set up to be as successful as possible? I think that's a question that's- >> Well to me, Dave asked Pat Gelsinger in 2014, can security be a do-over at VMWorld when he was the CEO of VMware? He said, "Yes, it has to be." And I think you're seeing that now. And Nick from the co-founder of Palo Alto Networks was quoted on theCUBE by saying, "Zero Trust is some structure to give to security, but cloud allows for the ability to do it over and get some scale going on security." So I think the best people are going to come together in this security world and they're going to work on this. So you're going to start to see more focus around these security events and initiatives. >> So I think that when you go to the, you mentioned re:Inforce a couple times. When you go to re:Inforce, there's a lot of great stuff that Amazon puts forth there. Very positive, it's not that negative. Oh, the world is falling, the sky is falling. And so I like that. However, you don't walk away with an understanding of how they're making the CISOs and the DevOps lives easier once they get beyond the cloud. Of course, it's not Amazon's responsibility. And that's where I think the CNCF really comes in and open source, that's where they pick up. Obviously the cloud's involved, but there's a real opportunity to simplify the lives of the DevSecOps teams and that's what's critical in terms of being able to solve, or at least keep up with this never ending problem. >> Yeah, there's a lot of issues involved. I took some notes here from some of the keynote you heard. Security and education, training and team structure. Detection, incidents that are happening, and how do you respond to that architecture. Identity, isolation, supply chain, and governance and compliance. These are all real things. This is not like hand-waving issues. They're mainstream and they're urgent. Literally the houses are on fire here with the enterprise, so this is going to be very, very important. >> Lisa: That's a great point. >> Some of the other things Priyanka mentioned, exposed edges and nodes. So just when you think we're starting to solve the problem, you got IOT, security's not a one and done task. We've been talking about culture. No person is an island. It's $188 billion business. Cloud native is growing at 27% a year, which just underscores the challenges, and bottom line, practitioners are leading the way. >> Last question for you guys. What are you hoping those practitioners get out of this event, this inaugural event, John? >> Well first of all, I think this inaugural event's going to be for them, but also we at theCUBE are going to be doing a lot more security events. RSA's coming up, we're going to be at re:Inforce, we're obviously going to be covering this event. We've got Black Hat, a variety of other events. We'll probably have our own security events really focused on some key areas. So I think the thing that people are going to walk away from this event is that paying attention to these security events are going to be more than just an industry thing. I think you're going to start to see group gatherings or groups convening virtually and physically around core issues. And I think you're going to start to see a community accelerate around cloud native and open source specifically to help teams get faster and better at what they do. So I think the big walkaway for the customers and the practitioners here is that there's a call to arms happening and this is, again, another signal that it's worth breaking out from the core event, but being tied to it, I think that's a good call and I think it's a well good architecture from a CNCF standpoint and a worthy effort, so I give it a thumbs up. We still don't know what it's going to look like. We'll see what day two looks like, but it seems to be experts, practitioners, deep tech, enabling technologies. These are things that tend to be good things to hear when you're at an event. I'll say the business imperative is obvious. >> The purpose of an event like this, and it aligns with theCUBE's mission, is to educate and inspire business technology pros to action. We do it in theCUBE with free content. Obviously this event is a for-pay event, but they are delivering some real value to the community that they can take back to their organizations to make change. And that's what it's all about. >> Yep, that is what it's all about. I'm looking forward to seeing over as the months unfold, the impact that this event has on the community and the impact the community has on this event going forward, and really the adoption of cloud native security. Guys, great to have you during this keynote analysis. Looking forward to hearing the conversations that we have on theCUBE today. Thanks so much for joining. And for my guests, for my co-hosts, John Furrier and Dave Vellante. I'm Lisa Martin. You're watching theCUBE's day one coverage of CloudNativeSecurityCon '23. Stick around, we got great content on theCUBE coming up. (upbeat music)

(intro music) >> Good afternoon guys and gals. Welcome back to The Strip, Las Vegas. It's "theCUBE" live day four of our coverage of "AWS re:Invent". Lisa Martin, Dave Vellante. Dave, we've had some awesome conversations the last four days. I can't believe how many people are still here. The AWS ecosystem seems stronger than ever. >> Yeah, last year we really noted the ecosystem, you know, coming out of the isolation economy 'cause everybody had this old pent up demand to get together and the ecosystem, even last year, we were like, "Wow." This year's like 10x wow. >> It really is 10x wow, it feels that way. We're going to have a 10x wow conversation next. We're bringing back DataStax to "theCUBE". Please welcome Thomas Bean, it's CMO. Thomas welcome to "theCUBE". >> Thanks, thanks a lot, thanks for having me. >> Great to have you, talk to us about what's going on at DataStax, it's been a little while since we talked to you guys. >> Indeed, so DataStax, we are the realtime data company and we've always been involved in technology such as "Apache Cassandra". We actually created to support and take this, this great technology to the market. And now we're taking it, combining it with other technologies such as "Apache Pulse" for streaming to provide a realtime data cloud. Which helps our users, our customers build applications faster and help them scale without limits. So it's all about mobilizing all of this information that is going to drive the application going to create the awesome experience, when you have a customer waiting behind their mobile phone, when you need a decision to take place immediately to, that's the kind of data that we, that we provide in the cloud on any cloud, but especially with, with AWS and providing the performance that technologies like "Apache Cassandra" are known for but also with market leading unit economics. So really empowering customers to operate at speed and scale. >> Speaking of customers, nobody wants less data slower. And one of the things I think we learned in the in the pan, during the pandemic was that access to realtime data isn't nice to have anymore for any business. It is table stakes, it's competitive advantage. There's somebody right behind in the rear view mirror ready to take over. How has the business model of DataStax maybe evolved in the last couple of years with the fact that realtime data is so critical? >> Realtime data has been around for some time but it used to be really niches. You needed a lot of, a lot of people a lot of funding actually to, to implement these, these applications. So we've adapted to really democratize it, made super easy to access. Not only to start developing but also scaling. So this is why we've taken these great technologies made them serverless cloud native on the cloud so that developers could really start easily and scale. So that be on project products could be taken to the, to the market. And in terms of customers, the patterns is we've seen enterprise customers, you were talking about the pandemic, the Home Depot as an example was able to deliver curbside pickup delivery in 30 days because they were already using DataStax and could adapt their business model with a real time application that combines you were just driving by and you would get the delivery of what exactly you ordered without having to go into the the store. So they shifted their whole business model. But we also see a real strong trend about customer experiences and increasingly a lot of tech companies coming because scale means success to them and building on, on our, on our stack to, to build our applications. >> So Lisa, it's interesting. DataStax and "theCUBE" were started the same year, 2010, and that's when it was the beginning of the ascendancy of the big data era. But of course back then there was, I mean very little cloud. I mean most of it was on-prem. And so data stacks had, you know, had obviously you mentioned a number of things that you had to do to become cloud friendly. >> Thomas: Yes. >> You know, a lot of companies didn't make it, make it through. You guys just raised a bunch of dough as well last summer. And so that's been quite a transformation both architecturally, you know, bringing the customers through. I presume part of that was because you had such a great open source community, but also you have a unique value problem. Maybe you could sort of describe that a little. >> Absolutely, so the, I'll start with the open source community where we see a lot of traction at the, at the moment. We were always very involved with, with the "Apache Cassandra". But what we're seeing right now with "Apache Cassandra" is, is a lot of traction, gaining momentum. We actually, we, the open source community just won an award, did an AMA, had a, a vote from their readers about the top open source projects and "Apache Cassandra" and "Apache Pulse" are part of the top three, which is, which is great. We also run a, in collaboration with the Apache Project, the, a series of events around the, around the globe called "Cassandra Days" where we had tremendous attendance. We, some of them, we had to change venue twice because there were more people coming. A lot of students, a lot of the big users of Cassandra like Apple, Netflix who spoke at these, at these events. So we see this momentum actually picking up and that's why we're also super excited that the Linux Foundation is running the Cassandra Summit in in March in San Jose. Super happy to bring that even back with the rest of the, of the community and we have big announcements to come. "Apache Cassandra" will, will see its next version with major advances such as the support of asset transactions, which is going to make it even more suitable to more use cases. So we're bringing that scale to more applications. So a lot of momentum in terms of, in terms of the, the open source projects. And to your point about the value proposition we take this great momentum to which we contribute a lot. It's not only about taking, it's about giving as well. >> Dave: Big committers, I mean... >> Exactly big contributors. And we also have a lot of expertise, we worked with all of the members of the community, many of them being our customers. So going to the cloud, indeed there was architectural work making Cassandra cloud native putting it on Kubernetes, having the right APIs for developers to, to easily develop on top of it. But also becoming a cloud company, building customer success, our own platform engineering. We, it's interesting because actually we became like our partners in a community. We now operate Cassandra in the cloud so that all of our customers can benefit from all the power of Cassandra but really efficiently, super rapidly, and also with a, the leading unit economies as I mentioned. >> How will the, the asset compliance affect your, you know, new markets, new use cases, you know, expand your TAM, can you explain that? >> I think it will, more applications will be able to tap into the power of, of "NoSQL". Today we see a lot on the customer experience as IOT, gaming platform, a lot of SaaS companies. But now with the ability to have transactions at the database level, we can, beyond providing information, we can go even deeper into the logic of the, of the application. So it makes Cassandra and therefore Astra which is our cloud service an even more suitable database we can address, address more even in terms of the transaction that the application itself will, will support. >> What are some of the business benefits that Cassandra delivers to customers in terms of business outcomes helping businesses really transform? >> So Cassandra brings skill when you have millions of customers, when you have million of data points to go through to serve each of the customers. One of my favorite example is Priceline, who runs entirely on our cloud service. You may see one offer, but it's actually everything they know about you and everything they have to offer matched while you are refreshing your page. This is the kind of power that Cassandra provide. But the thing to say about "Apache Cassandra", it used to be also a database that was a bit hard to manage and hard to develop with. This is why as part of the cloud, we wanted to change these aspects, provide developers the API they like and need and what the application need. Making it super simple to operate and, and, and super affordable, also cost effective to, to run. So the the value to your point, it's time to market. You go faster, you don't have to worry when you choose the right database you're not going to, going to have to change horse in the middle of the river, like sixth month down the line. And you know, you have the guarantee that you're going to get the performance and also the best, the best TCO which matters a lot. I think your previous person talking was addressing it. That's also important especially in the, in a current context. >> As a managed service, you're saying, that's the enabler there, right? >> Thomas: Exactly. >> Dave: That is the model today. I mean, you have to really provide that for customers. They don't want to mess with, you know, all the plumbing, right? I mean... >> Absolutely, I don't think people want to manage databases anymore, we do that very well. We take SLAs and such and even at the developer level what they want is an API so they get all the power. All of of this powered by Cassandra, but now they get it as a, and it's as simple as using as, as an API. >> How about the ecosystem? You mentioned the show in in San Jose in March and the Linux Foundation is, is hosting that, is that correct? >> Yes, absolutely. >> And what is it, Cassandra? >> Cassandra Summit. >> Dave: Cassandra Summit >> Yep. >> What's the ecosystem like today in Cassandra, can you just sort of describe that? >> Around Cassandra, you have actually the big hyperscalers. You have also a few other companies that are supporting Cassandra like technologies. And what's interesting, and that's been a, a something we've worked on but also the "Apache Project" has worked on. Working on a lot of the adjacent technologies, the data pipelines, all of the DevOps solutions to make sure that you can actually put Cassandra as part of your way to build these products and, and build these, these applications. So the, the ecosystem keeps on, keeps on growing and actually the, the Cassandra community keeps on opening the database so that it's, it's really easy to have it connect to the rest of the, the rest environment. And we benefit from all of this in our Astra cloud service. >> So things like machine learning, governance tools that's what you would expect in the ecosystem forming around it, right? So we'll see that in March. >> Machine learning is especially a very interesting use case. We see more and more of it. We recently did a, a nice video with one of our customers called Unifour who does exactly this using also our abstract cloud service. What they provide is they analyze videos of sales calls and they help actually the sellers telling them, "Okay here's what happened here was the customer sentiment". Because they have proof that the better the sentiment is, the shorter the sell cycle is going to be. So they teach the, the sellers on how to say the right things, how to control the thing. This is machine learning applied on video. Cassandra provides I think 200 data points per second that feeds this machine learning. And we see more and more of these use cases, realtime use cases. It happens on the fly when you are on your phone, when you have a, a fraud maybe to detect and to prevent. So it is going to be more and more and we see more and more of these integration at the open source level with technologies like even "Feast" project like "Apache Feast". But also in the, in, in the partners that we're working with integrating our Cassandra and our cloud service with. >> Where are customer conversations these days, given that every company has to be a data company. They have to be able to, to democratize data, allow access to it deep into the, into the organizations. Not just IT or the data organization anymore. But are you finding that the conversations are rising up the, up the stack? Is this, is this a a C-suite priority? Is this a board level conversation? >> So that's an excellent question. We actually ran a survey this summer called "The State of the Database" where we, we asked these tech leaders, okay what's top of mind for you? And real time actually was, was really one of the top priorities. And they explained for the one that who call themselves digital leaders that for 71% of them they could correlate directly the use of realtime data, the quality of their experience or their decision making with revenue. And that's really where the discussion is. And I think it's something we can relate to as users. We don't want the, I mean if the Starbucks apps take seconds to to respond there will be a riot over there. So that's, that's something we can feel. But it really, now it's tangible in, in business terms and now then they take a look at their data strategy, are we equipped? Very often they will see, yeah, we have pockets of realtime data, but we're not really able to leverage it. >> Lisa: Yeah. >> For ML use cases, et cetera. So that's a big trend that we're seeing on one end. On the other end, what we're seeing, and it's one of the things we discussed a lot at the event is that yeah cost is important. Growth at all, at all cost does not exist. So we see a lot of push on moving a lot of the workloads to the cloud to make them scale but at the best the best cost. And we also see some organizations where like, okay let's not let a good crisis go to waste and let's accelerate our innovation not at all costs. So that we see also a lot of new projects being being pushed but reasonable, starting small and, and growing and all of this fueled by, by realtime data, so interesting. >> The other big topic amongst the, the customer community is security. >> Yep. >> I presume it's coming up a lot. What's the conversation like with DataStax? >> That's a topic we've been working on intensely since the creation of Astra less than two years ago. And we keep on reinforcing as any, any cloud provider not only our own abilities in terms of making sure that customers can manage their own keys, et cetera. But also integrating to the rest of the, of the ecosystem when some, a lot of our customers are running on AWS, how do we integrate with PrivateLink and such? We fit exactly into their security environment on AWS and they use exactly the same management tool. Because this is also what used to cost a lot in the cloud services. How much do you have to do to wire them and, and manage. And there are indeed compliance and governance challenges. So that's why making sure that it's fully connected that they have full transparency on what's happening is, is a big part of the evolution. It's always, security is always something you're working on but it's, it's a major topic for us. >> Yep, we talk about that on pretty much every event. Security, which we could dive into, but we're out of time. Last question for you. >> Thomas: Yes. >> We're talking before we went live, we're both big Formula One fans. Say DataStax has the opportunity to sponsor a team and you get the whole side pod to, to put like a phrase about DataStax on the side pod of this F1 car. (laughter) Like a billboard, what does it say? >> Billboard, because an F1 car goes pretty fast, it will be hard to, be hard to read but, "Twice the performance at half the cost, try Astra a cloud service." >> Drop the mike. Awesome, Thomas, thanks so much for joining us. >> Thank for having me. >> Pleasure having you guys on the program. For our guest, Thomas Bean and Dave Vellante, I'm Lisa Martin and you're watching "theCUBE" live from day four of our coverage. "theCUBE", the leader in live tech coverage. (outro music)

>>Hello and welcome back to the Cube's coverage of AWS Reinvent 2022. I'm John Furrier, host of the Cube. We got a great conversation with Patrick Kauflin, vice president of Go to Market Strategy and specialization at Splunk. We're talking about the open cybersecurity scheme of framework, also known as the O C sf, a joint strategic collaboration between Splunk and aws. It's got a lot of traction momentum. Patrick, thanks for coming on the cube for reinvent coverage. >>John, great to be here. I'm excited for this. >>You know, I love this open source movement and open source and continues to add value, almost sets the standards. You know, we were talking at the CNCF Linux Foundation this past fall about how standards are coming outta open source. Not so much the the classic standards groups, but you start to see the developers voting with their code groups deciding what to adopt de facto standards and security is a real key part of that where data becomes key for resilience. And this has been the top conversation at reinvent and all around the industry, is how to make data a key part of building into cyber resilience. So I wanna get your thoughts about the problem that you see that's emerging that you guys are solving with this group kind of collaboration around the ocs f >>Yeah, well look, John, I I think, I think you, you've already, you've already hit the high notes there. Data is proliferating across the enterprise. The attack surface area is rapidly expanding. The threat landscape is ever changing. You know, we, we just had a, a lot of scares around open SSL before that we had vulnerabilities and, and Confluence and Atlassian, and you go back to log four J and SolarWinds before that and, and challenges with the supply chain. In this year in particular, we've had a, a huge acceleration in, in concerns and threat vectors around operational technology. In our customer base alone, we saw a huge uptake, you know, and double digit percentage of customers that we're concerned about the traditional vectors like, like ransomware, like business email compromise, phishing, but also from insider threat and others. So you've got this, this highly complex environment where data continues to proliferate and flow through new applications, new infrastructure, new services, driving different types of outcomes in the digitally transformed enterprise of today. >>And, and what happens there is, is our customers, particularly in security, are, are left with having to stitch all of this together. And they're trying to get visibility across multiple different services, infrastructure applications across a number of different point solutions that they've bought to help them protect, defend, detect, and respond better. And it's a massive challenge. And you know, when our, when our customers come to us, they are often looking for ways to drive more consolidation across a variety of different solutions. They're looking to drive better outcomes in terms of speed to detection. How do I detect faster? How do I bind the thing that when bang in the night faster? How do I then fix it quickly? And then how do I layer in some automation so hopefully I don't have to do it again? Now, the challenge there that really OCF Ocsf helps to, to solve is to do that effectively, to detect and to respond at the speed at which attackers are demanding. >>Today we have to have normalization of data across this entire landscape of tools, infrastructure, services. We have to have integration to have visibility, and these tools have to work together. But the biggest barrier to that is often data is stored in different structures and in different formats across different solution providers, across different tools that are, that are, that our customers are using. And that that lack of data, normalization, chokes the integration problem. And so, you know, several years ago, a number of very smart people, and this was, this was a initiative s started by Splunk and AWS came together and said, look, we as an industry have to solve this for our customers. We have to start to shoulder this burden for our customers. We can't, we can't make our customers have to be systems integrators. That's not their job. Our job is to help make this easier for them. And so OCS was born and over the last couple of years we've built out this, this collaboration to not just be AWS and Splunk, but over 50 different organizations, cloud service providers, solution providers in the cybersecurity space have come together and said, let's decide on a single unified schema for how we're gonna represent event data in this industry. And I'm very proud to be here today to say that we've launched it and, and I can't wait to see where we go next. >>Yeah, I mean, this is really compelling. I mean, it's so much packed in that, in that statement, I mean, data normalization, you mentioned chokes, this the, the solution and integration as you call it. But really also it's like data's not just stored in silos. It may not even be available, right? So if you don't have availability of data, that's an important point. Number two, you mentioned supply chain, there's physical supply chain that's coming up big time at reinvent this time as well as in open source, the software supply chain. So you now have the perimeter's been dead for multiple years. We've been talking with that for years, everybody knows that. But now combined with the supply chain problem, both physical and software, there's so much more to go on. And so, you know, the leaders in the industry, they're not sitting on their hands. They know this, but they're just overloaded. So, so how do leaders deal with this right now before we get into the ocs f I wanna just get your thoughts on what's the psychology of the, of the business leader who's facing this landscape? >>Yeah, well, I mean unfortunately too many leaders feel like they have to face these trade offs between, you know, how and where they are really focusing cyber resilience investments in the business. And, and often there is a siloed approach across security, IT developer operations or engineering rather than the ability to kind of drive visibility integration and, and connection of outcomes across those different functions. I mean, the truth is the telemetry that, that you get from an application for application performance monitoring or infrastructure monitoring is often incredibly valuable when there's a security incident and vice versa. Some of the security data that, that you may see in a security operation center can be incredibly valuable in trying to investigate a, a performance degradation in an application and understanding where that may come from. And so what we're seeing is this data layer is collapsing faster than the org charts are or the budget line items are in the enterprise. And so at Splunk here, you know, we believe security resilience is, is fundamentally a data problem. And one of the things that we do often is, is actually help connect the dots for our customers and bring our customers together across the silos they may have internally so that they can start to see a holistic picture of what resilience means for their enterprise and how they can drive faster detection outcomes and more automation coverage. >>You know, we recently had an event called Super Cloud, we're going into the next gen kind of a cloud, how data and security are all kind of part of this NextGen application. It's not just us. And we had a panel that was titled The Innovators Dilemma, kind of talk about you some of the challenges. And one of the panelists said, it's not the innovator's dilemma, it's the integrator's dilemma. And you mentioned that earlier, and I think this a key point right now into integration is so critical, not having the data and putting pieces together now open source is becoming a composability market. And I think having things snap together and work well, it's a platform system conversation, not a tool conversation. So I really wanna get into where the OCS f kind of intersects with this area people are working on. It's not just solution architects or cloud cloud native SREs, especially where DevSecOps is. So this that's right, this intersection is critical. How does Ocsf integrate into that integration of the data making that available to make machine learning and automation smarter and more relevant? >>Right, right. Well look, I mean, I I think that's a fantastic question because, you know, we talk about, we use Bud buzzwords like machine learning and, and AI all the time. And you know, I know they're all over the place here at Reinvent and, and the, there's so much promise and hope out there around these technologies and these innovations. However, machine learning AI is only as effective as the data is clean and normalized. And, and we will not realize the promise of these technologies for outcomes in resilience unless we have better ways to normalize data upstream and better ways to integrate that data to the downstream tools where detection and response is happening. And so Ocsf was really about the industry coming together and saying, this is no longer the job of our customers. We are going to create a unified schema that represents the, an event that we will all bite down on. >>Even some of us are competitors, you know, this is, this is that, that no longer matters because at the point, the point is how do we take this burden off of our customers and how do we make the industry safer together? And so 15 initial members came together along with AWS and Splunk to, to start to create that, that initial schema and standardize it. And if you've ever, you know, if you've ever worked with a bunch of technical grumpy security people, it's kind of hard to drive consensus about around just about anything. But, but I, I'm really happy to see how quickly this, this organization has come together, has open sourced the schema, and, and, and just as you said, like I think this, this unlocks the potential for real innovation that's gonna be required to keep up with the bad guys. But right now is getting stymied and held back by the lack of normalization and the lack of integration. >>I've always said Splunk was a, it eats data for breakfast, lunch, and dinner and turns it into insights. And I think you bring up the silo thing. What's interesting is the cross company sharing, I think this hits point on, so I see this as a valuable opportunity for the industry. What's the traction on that? Because, you know, to succeed it does take a village, it takes a community of security practitioners and, and, and architects and developers to kind of coalesce around this defacto movement has been, has been the uptake been good? How's traction? Can you share your thoughts on how this is translating across companies? >>Yeah, absolutely. I mean, look, I, I think cybersecurity has a, has a long track record of, of, of standards development. There's been some fantastic standards recently. Things like sticks and taxi for threat intelligence. There's been things like the, you know, the Mir attack framework coming outta mi mir and, and, and the adoption, the traction that we've seen with Attack in particular has been amazing to, to watch how that has kind of roared onto the scene in the last couple of years and has become table stakes for how you do security operations and incident response. And, you know, I think with ocs f we're gonna see something similar here, but, you know, we are in literally the first innings of, of this. So right now, you know, we're architecting this into our, into every part of our sort of backend systems here at Polan. I know our our collaborators at AWS and elsewhere are doing it too. >>And so I think it starts with bringing this standard now that the standard exists on a, you know, in schema format and there, there's, you know, confluence and Jira tickets around it, how do we then sort of build this into the code of, of the, the collaborators that have been leading the way on this? And you know, it's not gonna happen overnight, but I think in the coming quarters you'll start to see this schema be the standard across the leaders in this space. Companies like Splunk and AWS and others who are leading the way. And often that's what helps drive adoption of a standard is if you can get the, the big dogs, so to speak, to, to, to embrace it. And, and, you know, there's no bigger one than aws and I think there's no, no more important one than Splunk in the cybersecurity space. And so as we adopt this, we hope others will follow. And, and like I said, we've got over 50 organizations contributing to it today. And so I think we're off to a running >>Start. You know, it's interesting, choking innovation or having things kind of get, get slowed down has really been a problem. We've seen successes recently over the past few years. Like Kubernetes has really unlocked and accelerated the cloud native worlds of runtime with containers to, to kind of have the consensus of the community to say, Hey, if we just do this, it gets better. I think this is really compelling with the o the ocs F because if people can come together around this and get unified as well as all the other official standards, things can go highly accelerated. So I think, I think it looks really good and I think it's great initiative and I really appreciate your insight on that, on, on your relationship with Amazon. Okay. It's not just a partnership, it's a strategic collaboration. Could you share that relationship dynamic, how to start, how's it going, what's strategic about it? Share to the audience kind of the relationship between Splunk and a on this important OCS ocsf initiative. >>Look, I, I mean I think this, this year marks the, the 10th year anniversary that, that Splunk and AWS have been collaborating in a variety of different ways. I, I think our, our companies have a fantastic and, and long standing relationship and we've, we've partnered on a number of really important projects together that bring value obviously to our individual companies, but also to our shared customers. When I think about some of the most important customers at Splunk that I spend a significant amount of time with, I I I know how many of those are, are AWS customers as well, and I know how important AWS is to them. So I think it's, it's a, it's a collaboration that is rooted in, in a respect for each other's technologies and innovation, but also in a recognition that, that our shared customers want to see us work better together over time. And it's not, it's not two companies that have kind of decided in a back room that they should work together. It's actually our customers that are, that are pushing us. And I think we're, we're both very customer centric organizations and I think that has helped us actually be better collaborators and better partners together because we're, we're working back backwards from our customers >>As security becomes a physical and software approach. We've seen the trend where even Steven Schmidt at Amazon Web Services is, is the cso, he is not the CSO anymore. So, and I asked him why, he says, well, security's also physical stuff too. So, so he's that's right. Whole lens is now expanded. You mentioned supply chain, physical, digital, this is an important inflection point. Can you summarize in your mind why open cybersecurity schema for is important? I know the unification, but beyond that, what, why is this so important? Why should people pay attention to this? >>You know, I, if, if you'll let me be just a little abstract in meta for a second. I think what's, what's really meaningful at the highest level about the O C S F initiative, and that goes beyond, I think, the tactical value it will provide to, to organizations and to customers in terms of making them safer over the coming years and, and decades. I think what's more important than that is it's really the, one of the first times that you've seen the industry come together and say, we got a problem. We need to solve. That, you know, doesn't really have anything to do with, with our own economics. Our customers are, are hurt. And yeah, some of us may be competitors, you know, we got different cloud service providers that are participating in this along with aws. We got different cybersecurity solution providers participating in this along with Splunk. >>But, but folks who've come together and say, we can actually solve this problem if, if we're able to kind of put aside our competitive differences in the markets and approach this from the perspective of what's best for information security as a whole. And, and I think that's what I'm most proud of and, and what I hope we can do more of in other places in this industry, because I think that kind of collaboration from real market leaders can actually change markets. It can change the, the, the trend lines in terms of how we are keeping up with the bad guys. And, and I'd like to see a lot more of >>That. And we're seeing a lot more new kind of things emerging in the cloud next kind of this next generation architecture and outcomes are happening. I think it's interesting, you know, we always talk about sustainability, supply chain sustainability about making the earth a better place. But you're hitting on this, this meta point about businesses are under threat of going under. I mean, we want to keep businesses to businesses to be sustainable, not just, you know, the, the environment. So if a business goes outta business business, which they, their threats here are, can be catastrophic for companies. I mean, there is, there is a community responsibility to protect businesses so they can sustain and and stay Yeah. Stay producing. This is a real key point. >>Yeah. Yeah. I mean, look, I think, I think one of the things that, you know, we, we, we complain a lot of in, in cyber security about the lack of, of talent, the talent shortage in cyber security. And every year we kinda, we kind of whack ourselves over the head about how hard it is to bring people into this industry. And it's true. But one of the things that I think we forget, John, is, is how important mission is to so many people in what they do for a living and how they work. And I think one of the things that cybersecurity is strongest in information Security General and has been for decades is this sense of mission and people work in this industry be not because it's, it's, it's always the, the, the most lucrative, but because it, it really drives a sense of safety and security in the enterprises and the fabric of the economy that we use every day to go through our lives. And when I think about the spun customers and AWS customers, I think about the, the different products and tools that power my life and, and we need to secure them. And, and sometimes that means coming to work every day at that company and, and doing your job. And sometimes that means working with others better, faster, and stronger to help drive that level of, of, of maturity and security that this industry >>Needs. It's a human, is a human opportunity, human problem and, and challenge. That's a whole nother segment. The role of the talent and the human machines and with scale. Patrick, thanks so much for sharing the information and the insight on the Open cybersecurity schema frame and what it means and why it's important. Thanks for sharing on the Cube, really appreciate it. >>Thanks for having me, John. >>Okay, this is AWS Reinvent 2022 coverage here on the Cube. I'm John Furry, you're the host. Thanks for watching.

foreign welcome back to thecube's coverage of AWS re invent 2022 I'm John Furrier host of thecube we've got a great conversation with Patrick Coughlin vice president of go to market strategy and specialization at Splunk we're talking about the open cyber security schema framework also known as the ocsf a joint strategic collaboration between Splunk and AWS it's got a lot of traction momentum Patrick thanks for coming on thecube for reinvent coverage John great to be here I'm excited for this you know I love this open source movement and open source continues to add value almost sets the standards you know we were talking at the cncf Linux Foundation this past fall about how standards are coming out of Open Source not so much the the classic standards groups but you start to see the developers voting with their code groups deciding what to adopt to fact those standards and security is a real key part of that where data becomes key for resilience and this has been the top conversation at re invent and all around the industry is how to make data a key part of building into cyber resilience so I want to get your thoughts about the problem that you see that's emerging that you guys are solving with this group kind of collaboration around the ocsf yeah well look John I I think I think you you've already you've already hit the high notes there uh data is proliferating across the Enterprise uh the attack surface area is rapidly expanding the threat landscape is Ever Changing uh you know we we just had a a lot of uh uh scares around openssl before that we had vulnerabilities and Confluence in atlassian and you go back to log 4J and solarwinds before that um and challenges with the supply chain uh in this year in particular we've had a huge acceleration in in concerns and threat vectors around uh operational technology in our customer base alone we saw a huge uptick you know in double digit percentage of customers that we're concerned about the traditional vectors like like ransomware uh like business email compromise phishing but also from Insider threat and others um so you've got this this highly complex Flex environment where data continues to proliferate and flow through new applications new infrastructure new Services driving different types of outcomes in the digitally transformed Enterprise of today and and what happens there is is our customers particularly in security are left with having to stitch all of this together and they're trying to get visibility across multiple different Services infrastructure applications across a number of different point solutions that they've bought to help them protect defend detect and respond better and it's a massive Challenge and uh you know when our when our customers come to us they are often looking for ways to drive more consolidation uh across a variety of different solutions they're looking to drive better outcomes in terms of speed to detection how do I detect faster how do I find the thing that when banging in the night faster um how do I then fix it quickly and then how do I layer in some automation so hopefully I don't have to do it again now the Challenger that really ocf ocsf helps to to solve is to do that effectively to detect and to respond to the speed at which attackers are demanding today we have to have normalization of data across this entire landscape of tools infrastructure Services we have to have integration to have visibility um and these tools have to work together but the biggest barrier to that is often data is stored in different structures and in different formats across different solution providers across different tools that are that are that our customers are using um and that that lack of data normalization chokes the integration problem and so um you know several years ago a number of very smart people in this position this was a initiative started by Splunk and AWS came together and said look we as an industry have to solve this for our customers we have to start to shoulder this burden for our customers we can't we can't make our customers have to be systems integrators that's not their job our job is to help make this easier for them and so ocsf was born and over the last couple of years um we've built out this this collaboration to not just be AWS and Splunk uh but over uh 50 different organizations um uh um cloud service providers solution providers in the cyber security space have come together and said let's decide on a single unified schema for how we're going to represent event data in this industry um and uh I'm very proud to be here today to say that we've launched it and and um uh I can't wait to see where we go next yeah I mean this is really compelling I mean there's so much packed in that in that statement I mean data normalization you mentioned chokes this the the solution and the integration as you call it but really also it's like data is not just stored in silos it may not even be available right so if you don't have availability of data that's an important Point number two you mentioned supply chain there's physical supply chain is coming up big time at re invent this time as well as in open source the software supply chain so you now have the perimeter has been dead for multiple years we've been talking about that for years everybody knows that but now combined with the supply chain problem both physical and software there's so much more to go on and so you know the leaders in the industry they're not sitting on their hands they know this but they're just overloaded so so how do leaders deal with this right now before we get into the ocsf I want to just get your thoughts on what's the psychology of the of the business leader who's facing this landscape yeah well I mean unfortunately too many leaders feel like they have to face these trade-offs between you know how and where they are really focusing cyber resilience investments in the business um and and often there is a siled approach across security I.T developer operations or engineering rather than the ability to kind of Drive visibility integration and and connection of outcomes across those different functions I mean the truth is the Telemetry that that you get from an application for application performance monitoring or infrastructure monitoring is often incredibly valuable when there's a security incident and vice versa some of the security data um that you may see in a security operations center can be incredibly valuable when trying to investigate a performance degradation in an application and understanding where that may come from and so what we're seeing is this data layer is collapsing faster than the org charts are or the budget line items are in the Enterprise and so at Splunk here you know we believe security resilience is is fundamentally a data problem and one of the things that we do often is is actually help connect the dots for our customers and bring our customers together across the silos they may have internally so that they can start to see a holistic picture of what resilience means for their Enterprise and how they can drive faster detection outcomes and more automation coverage you know we recently had an event called super cloud we're going into the next gen kind of a cloud how data and security are all kind of part of this next-gen applications not just SAS and we had a panel that was titled the innovators dilemma kind of talk about getting some of the challenges and one of the panelists said it's not the innovators dilemma it's the integrators dilemma and you mentioned that earlier I think this is a key point right now integration is so critical not having the data and putting pieces together and now open source is becoming a composability market and I think having things snap together and work well it's a platform system conversation not a tool conversation so I really want to get into where the ocsf kind of intersects with this area people are working on it's not just solution Architects or cloud cloud native sres especially where devsecops is so this this intersection is critical how does ocsf integrate into that integration of the data making that available to make machine learning and automation smarter and more relevant right right well look I mean I I think that's a fantastic question because you know we talk about we use buzzwords like machine learning and AI all the time and you know I I know they're all over the place here at reinvented and and um there's so much promise and hope out there around these Technologies and these Innovations however uh machine learning AI is only as effective as the data is clean and normalized uh and and we will not realize the promise of these Technologies for outcomes in resilience unless we have better ways to normalize data upstream and better ways to integrate that data to the downstream tools where detection and response is happening and so ocsf was really about the industry coming together and saying this is no longer the job of our customers we are going to create a unified schema that represents the an event that we will all bite down on even some of us are competitors you know this is this is that that no longer matters because at the point the point is how do we take this burden off of our customers and how do we make the industry safer together um and so 15 initial members came together um along with AWS and Splunk to to start to create that uh that initial schema and standardize it and if you've ever you know if you ever worked with a bunch of technical grumpy security people it's kind of hard to drive consensus about around just about anything but uh um but I'm really happy to see how quickly this this organization Has Come Together has open sourced the schema um and and just as you said like I think this this unlocks the potential for real Innovation that's going to be required to keep up with the bad guys but right now is getting stymied and held back by the lack of normalization and the lack of integration I've always said Splunk was a it's AIDS data for breakfast lunch and dinner and turns it into insights and I think you bring up The Silo thing what's interesting is the cross company sharing I think this hits point on so I see this as a valuable opportunity for the industry what's the traction on that because you know to succeed it does take a village takes a community of security practitioners and and Architects and developers to kind of coalesce around this de facto movement has been has been uptake been good that's attraction can you share your thoughts on how this is translating across companies yeah absolutely I mean look I I think um cyber security has a long track record of of Standards development um there's been some fantastic standards recently things like um sticks and taxi for threat intelligence there's been things like the you know the minor attack framework coming out of my miter and and the adoption the traction that we've seen with attack in particular has been amazing to watch how that has kind of roared onto the scene in the last couple of years and has become table Stakes for um how you do security operations and incident response um and you know I think with ocsf we're going to see something similar here but you know we are in literally the first Innings of of this um so right now you know we're architecting this into our um into every part of our sort of back end systems here at spelunk I know um our collaborators at AWS and elsewhere are doing it too and so I think it starts with bringing this standard now the standard exists on a uh you know in schema format um and there's you know Confluence and jira tickets around it how do we then sort of build this into the code of of the the collaborators that have been leading the way on this and you know it's not going to happen overnight but I think in the coming quarters you'll start to see this schema um be the standard um across the leaders in this space companies like Splunk and AWS and others who are leading the way and often that's what helps Drive adoption of a standard is if you can get the big dogs so to speak to to embrace it and you know there's no bigger one than AWS and I think there's no no more important one than Splunk in the cyber security space and so as we adopt this we hope others will follow and like I said we've got over 50 organizations contributing to it today and so um I think we're off to a running start you know it's interesting choking Innovation or having things kind of get get slowed down has really been a problem we've seen successes recently over the past few years like kubernetes has really unlocked and accelerated the cloud native worlds of runtime with containers to kind of have the consensus of the community say hey if you we just do this it gets better I think this is really compelling with the ocsf because if people can come together around this and get unified as well as other the other official standards things can go highly accelerated so I think I think it looks really good and I think it's great initiative and I really appreciate your Insight on that on on your relationship with Amazon okay it's not just the Partnerships it's a strategic collaboration could you share that uh relationship Dynamic how to start how's it going what's strategic about it share to the audience kind of the relationship between Splunk and natives on this important ocsf initiative look I I mean I think this this year marks the the 10th year anniversary that that Splunk and AWS have been collaborating in a variety of different ways um I I think our our companies have um a fantastic and long-standing relationship and we've we've partnered on a number of really important projects together that bring value um obviously to our individual companies uh but also to our shared customers um uh when I think about some of the most important customers at Splunk that I spend a significant amount of time with um uh I I know how many of those are our AWS customers as well and I know how important AWS is to them so I think it's it's a it's a collaboration that is rooted in in a respect for each other's Technologies um and Innovation but also in a recognition that that our shared customers want to see us work better together over time and it's not it's not two companies that have kind of decided in a back room that they should work together it's actually our customers that are that are pushing us and I think we're both very customer-centric organizations and I think that has helped us actually be better collaborators and better Partners together um because we're working back backwards from our customers as security becomes a physical and software approach we've seen the trend where even Steven Schmidt at Amazon web services is the CSO he's not the CSO anymore so why he says well security is also physical stuff too so so lens is now expanded you mentioned supply chain physical digital this is an important inflection point can you summarize in your mind why open cyber security scheme information is important I know the unification but beyond that what why is this so important why should people pay attention to this you know I if if you'll let me be just a little abstract and meta for a second yeah I think what's what's really meaningful at the highest level about the ocsf initiative um and then it goes beyond I think the Tactical value it will provide to to organizations and to customers in terms of making them safer um over the coming years and and decades I think what's more important than that is it's really the one of the first times that you've seen um the industry come together and say we got a problem we need to solve that you know doesn't really have anything to do with with our own economics um our customers are are hurting and yeah some of us may be competitors um uh you know we got different cloud service providers that are participating in this along with AWS we've got different cyber security solution providers participating in this along with spelunk um but but folks have come together and say we can actually solve this problem um if if we're able to kind of put aside our competitive differences in the markets and approach this from the perspective of what's best for information security as a whole um and and I think that's what I'm most proud of uh and and what I hope we can do more of in other places in this industry because I think that kind of collaboration from real Market leaders can actually um change markets it can change the the the trend lines in terms of how we are keeping up with the bad guys and and I'd like to see a lot more of that and we're seeing a lot more new kind of things emerging in the cloud next kind of this next Generation architecture and alcohol thumbs are happening I think it's interesting you know we always talk about sustainability supply chain sustainability about making the earth a better place but you're hitting on this this meta point about businesses are under threat of going under I mean we want to keep businesses to businesses to be sustainable not just you know the the environment so if a business goes out of business which the threats here are can be catastrophic for companies I mean there is there is a community responsibility to protect businesses so they can sustain and stay stay producing this is a real key point yeah yeah I mean look I think I think one of the things that you know we We complain a lot in in cyber security about the lack of of talent the talent shortage and cyber security and every year we kind of we kind of uh whack ourselves over the head about how hard it is to bring people into this industry and it's true um but one of the things that I think we forget John is is how important mission is to so many people in what they do for a living and how they work and I think one of the things that cyber security is strongest in information security General and has been for decades is this sense of mission and people work in this industry not because it's it's it's always the the the most lucrative but because it really drives a sense of um Safety and Security in the Enterprises and the fabric of the economy that we use every day to go through our lives and when I think about the sport customers and AWS customers I think about um um the the different products and tools that power my life and and we need to secure them and and sometimes that means coming to work every day at that company and doing your job and sometimes that means working with others better faster and stronger to help drive that level of of maturity and security that this industry needs it's a human it's a human opportunity human problem and and challenge that's a whole other segment the role of the talent and the human machines and with scale Patrick thanks so much for sharing the information and the Insight on the open cyber security schema frame and what it means and why it's important thanks for sharing on thecube really appreciate it thanks for having me John okay this is AWS re invent 2022 coverage here on thecube I'm John Furrier the host thanks for watching foreign [Music]

>>Good afternoon, brilliant humans, and welcome back to the Cube. We're live in Detroit, Michigan at Cub Con, and I'm joined by John Furrier. John three exciting days buzzing. How you doing? >>That's great. I mean, we're coming down to the third day. We're keeping the energy going, but this segment's gonna be awesome. The CD foundation's doing amazing work. Developers are gonna be running businesses and workflows are changing. Productivity's the top conversation, and you're gonna start to see a coalescing of the communities who are continuous delivery, and it's gonna be awesome. >>And, and our next guess is an outstanding person to talk about this. We are joined by Stephen Chin, the chair of the CD Foundation. Steven, thanks so much for being here. >>No, no, my pleasure. I mean, this has been an amazing week quote that CubeCon with all of the announcements, all of the people who came out here to Detroit and, you know, fantastic. Like just walking around, you bump into all the right people here. Plus we held a CD summit zero day events, and had a lot of really exciting announcements this week. >>Gotta love the shirt. I gotta say, it's one of my favorites. Love the logos. Love the love the branding. That project got traction. What's the news in the CD foundation? I tried to sneak in the back. I got a little laid into your co-located event. It was packed. Everyone's engaged. It was really looked, look really cool. Give us the update. >>What's the news? Yeah, I know. So we, we had a really, really powerful event. All the key practitioners, the open source leads and folks were there. And one of, one of the things which I think we've done a really good job in the past six months with the CD foundation is getting back to the roots and focusing on technical innovation, right? This is what drives foundations, having strong projects, having people who are building innovation, and also bringing in a new innovation. So one of the projects which we added to the CD foundation this week is called Persia. So it's a, it's a decentralized package repository for getting open source libraries. And it solves a lot of the problems which you get when you have centralized infrastructure. You don't have the right security certificates, you don't have the right verification libraries. And these, these are all things which large companies provision and build out inside of their infrastructure. But the open source communities don't have the benefit of the same sort of really, really strong architecture. A lot of, a lot of the systems we depend upon. It's >>A good point, yeah. >>Yeah. I mean, if you think about the systems that developers depend upon, we depend upon, you know, npm, ruby Gems, Mayn Central, and these systems been around for a while. Like they serve the community well, right? They're, they're well supported by the companies and it's, it's, it's really a great contribution that they give us. But every time there's an outage or there's a security issue, guess, guess how many security issues that our, our research team found at npm? Just ballpark. >>74. >>So there're >>It's gotta be thousands. I mean, it's gotta be a lot of tons >>Of Yeah, >>They, they're currently up to 60,000 >>Whoa. >>Vulnerable, malicious packages in NPM and >>Oh my gosh. So that's a super, that's a jar number even. I know it was gonna be huge, but Holy mo. >>Yeah. So that's a software supply chain in actually right there. So that's, that's open source. Everything's out there. What's, how do, how does, how do you guys fix that? >>Yeah, so per peria kind of shifts the whole model. So when, when you think about a system that can be sustained, it has to be something which, which is not just one company. It has to be a, a, a set of companies, be vendor neutral and be decentralized. So that's why we donated it to the Continuous Delivery Foundation. So that can be that governance body, which, which makes sure it's not a single company, it is to use modern technologies. So you, you, you just need something which is immutable, so it can't be changed. So you can rely on it. It has to have a strong transaction ledger so you can see all of the history of it. You can build up your software, build materials off of it, and it, it has to have a strong peer-to-peer architecture, so it can be sustained long term. >>Steven, you mentioned something I want to just get back to. You mentioned outages and disruption. I, you didn't, you didn't say just the outages, but this whole disruption angle is interesting if something happens. Talk about the impact of the developer. They stalled, inefficiencies create basically disruption. >>No, I mean, if, if, so, so if you think about most DevOps teams in big companies, they support hundreds or thousands of teams and an hour of outage. All those developers, they, they can't program, they can't work. And that's, that's a huge loss of productivity for the company. Now, if you, if you take that up a level when MPM goes down for an hour, how many millions of man hours are wasted by not being able to get your builds working by not being able to get your codes to compile. Like it's, it's >>Like, yeah, I mean, it's almost hard to fathom. I mean, everyone's, It's stopped. Exactly. It's literally like having the plug pulled >>Exactly on whenever you're working on, That's, that's the fundamental problem we're trying to solve. Is it, it needs to be on a, like a well supported, well architected peer to peer network with some strong backing from big companies. So the company is working on Persia, include J Frog, which who I work for, Docker, Oracle. We have Deploy hub, Huawei, a whole bunch of other folks who are also helping out. And when you look at all of those folks, they all have different interests, but it's designed in a way where no single party has control over the network. So really it's, it's a system system. You, you're not relying upon one company or one logo. You're relying upon a well-architected open source implementation that everyone can rely >>On. That's shared software, but it's kind of a fault tolerant feature too. It's like, okay, if something happens here, you have a distributed piece of it, decentralized, you're not gonna go down. You can remediate. All right, so where's this go next? I mean, cuz we've been talking about the role of developer. This needs to be a modern, I won't say modern upgrade, but like a modern workflow or value chain. What's your vision? How do you see that? Cuz you're the center of the CD foundation coming together. People are gonna be coalescing multiple groups. Yeah. >>What's the, No, I think this is a good point. So there, there's a, a lot of different continuous delivery, continuous integration technologies. We're actually, from a Linux Foundation standpoint, we're coalescing all the continued delivery events into one big conference >>Next. You just made an announcement about this earlier this week. Tell us about CD events. What's going on, what's in, what's in the cooker? >>Yeah, and I think one of the big announcements we had was the 0.1 release of CD events. And CD events allows you to take all these systems and connect them in an event scalable, event oriented architecture. The first integration is between Tecton and Capin. So now you can get CD events flowing cleanly between your, your continuous delivery and your observability. And this extends through your entire DevOps pipeline. We all, we all need a standards based framework Yep. For how we get all the disparate continuous integration, continuous delivery, observability systems to, to work together. That's also high performance. It scales with our needs and it, it kind of gives you a future architecture to build on top of. So a lot of the companies I was talking with at the CD summit Yeah. They were very excited about not only using this with the projects we announced, but using this internally as an architecture to build their own DevOps pipelines on. >>I bet that feels good to hear. >>Yeah, absolutely. Yeah. >>Yeah. You mentioned Teton, they just graduated. I saw how many projects have graduated? >>So we have two graduated projects right now. We have Jenkins, which is the first graduated project. Now Tecton is also graduated. And I think this shows that for Tecton it was, it was time, the very mature project, great support, getting a lot of users and having them join the set of graduated projects. And the continuous delivery foundation is a really strong portfolio. And we have a bunch of other projects which also are on their way towards graduation. >>Feels like a moment of social proof I bet. >>For you all. Yeah, yeah. Yeah. No, it's really good. Yeah. >>How long has the CD Foundation been around? >>The CD foundation has been around for, i, I won't wanna say the exact number of years, a few years now. >>Okay. >>But I, I think that it, it was formed because what we wanted is we wanted a foundation which was purpose built. So CNCF is a great foundation. It has a very large umbrella of projects and it takes kind of that big umbrella approach where a lot of different efforts are joining it, a lot of things are happening and you can get good traction, but it produces its own bottlenecks in process. Having a foundation which is just about continuous delivery caters to more of a DevOps, professional DevOps audience. I think this, this gives a good platform for best practices. We're working on a new CDF best practices Yeah. Guide. We're working when use cases with all the member companies. And it, it gives that thought leadership platform for continuous delivery, which you need to be an expert in that area >>And the best practices too. And to identify the issues. Because at the end of the day, with the big thing that's coming out of this is velocity and more developers coming on board. I mean, this is the big thing. More people doing more. Yeah. Well yeah, I mean you take this open source continuous thunder away, you have more developers coming in, they be more productive and then people are gonna even either on the DevOps side or on the straight AP upside. And this is gonna be a huge issue. And the other thing that comes out that I wanna get your thoughts on is the supply chain issue you talked about is hot verifications and certifications of code is such big issue. Can you share your thoughts on that? Because Yeah, this is become, I won't say a business model for some companies, but it's also becoming critical for security that codes verified. >>Yeah. Okay. So I, I think one of, one of the things which we're specifically doing with the Peria project, which is unique, is rather than distributing, for example, libraries that you developed on your laptop and compiled there, or maybe they were built on, you know, a runner somewhere like Travis CI or GitHub actions, all the libraries being distributed on Persia are built by the authorized nodes in the network. And then they're, they're verified across all of the authorized nodes. So you nice, you have a, a gar, the basic guarantee we're giving you is when you download something from the Peria network, you'll get exactly the same binary as if you built it yourself from source. >>So there's a lot of trust >>And, and transparency. Yeah, exactly. And if you remember back to like kind of the seminal project, which kicked off this whole supply chain security like, like whirlwind it was SolarWinds. Yeah. Yeah. And the exact problem they hit was the build ran, it produced a result, they modified the code of the bill of the resulting binary and then they signed it. So if you built with the same source and then you went through that same process a second time, you would've gotten a different result, which was a malicious pre right. Yeah. And it's very hard to risk take, to take a binary file Yep. And determine if there's malicious code in it. Cuz it's not like source code. You can't inspect it, you can't do a code audit. It's totally different. So I think we're solving a key part of this with Persia, where you're freeing open source projects from the possibility of having their binaries, their packages, their end reduces, tampered with. And also upstream from this, you do want to have verification of prs, people doing code reviews, making sure that they're looking at the source code. And I think there's a lot of good efforts going on in the open source security foundation. So I'm also on the governing board of Open ssf >>To Do you sleep? You have three jobs you've said on camera? No, I can't even imagine. Yeah. Didn't >>You just spin that out from this open source security? Is that the new one they >>Spun out? Yeah, So the Open Source Security foundation is one of the new Linux Foundation projects. They, they have been around for a couple years, but they did a big reboot last year around this time. And I think what they really did a good job of now is bringing all the industry players to the table, having dialogue with government agencies, figuring out like, what do we need to do to support open source projects? Is it more investment in memory, safe languages? Do we need to have more investment in, in code audits or like security reviews of opensource projects. Lot of things. And all of those things require money investments. And that's what all the companies, including Jay Frogger doing to advance open source supply chain security. I >>Mean, it's, it's really kind of interesting to watch some different demographics of the developers and the vendors and the customers. On one hand, if you're a hardware person company, you have, you talk zero trust your software, your top trust, so your trusted code, and you got zero trust. It's interesting, depending on where you're coming from, they're all trying to achieve the same thing. It means zero trust. Makes sense. But then also I got code, I I want trust. Trust and verified. So security is in everything now. So code. So how do you see that traversing over? Is it just semantics or what's your view on that? >>The, the right way of looking at security is from the standpoint of the hacker, because they're always looking for >>Well said, very well said, New >>Loop, hope, new loopholes, new exploits. And they're, they're very, very smart people. And I think when you, when you look some >>Of the smartest >>Yeah, yeah, yeah. I, I, I work with, well former hackers now, security researchers, >>They converted, they're >>Recruited. But when you look at them, there's like two main classes of like, like types of exploits. So some, some attacker groups. What they're looking for is they're looking for pulse zero days, CVEs, like existing vulnerabilities that they can exploit to break into systems. But there's an increasing number of attackers who are now on the opposite end of the spectrum. And what they're doing is they're creating their own exploits. So, oh, they're for example, putting malicious code into open source projects. Little >>Trojan horse status. Yeah. >>They're they're getting their little Trojan horses in. Yeah. Or they're finding supply chain attacks by maybe uploading a malicious library to NPM or to pii. And by creating these attacks, especially ones that start at the top of the supply chain, you have such a large reach. >>I was just gonna say, it could be a whole, almost gives me chills as we're talking about it, the systemic, So this is this >>Gnarly nation state attackers, like people who wanted serious >>Damages. Engineered hack just said they're high, highly funded. Highly skilled. Exactly. Highly agile, highly focused. >>Yes. >>Teams, team. Not in the teams. >>Yeah. And so, so one, one example of this, which actually netted quite a lot of money for the, for the hacker who exposed it was, you guys probably heard about this, but it was a, an attack where they uploaded a malicious library to npm with the same exact namespace as a corporate library and clever, >>Creepy. >>It's called a dependency injection attack. And what happens is if you, if you don't have the right sort of security package management guidelines inside your company, and it's just looking for the latest version of merging multiple repositories as like a, like a single view. A lot of companies were accidentally picking up the latest version, which was out in npm uploaded by Alex Spearson was the one who did the, the attack. And he simultaneously reported bug bounties on like a dozen different companies and netted 130 k. Wow. So like these sort of attacks that they're real Yep. They're exploitable. And the, the hackers >>Complex >>Are finding these sort of attacks now in our supply chain are the ones who really are the most dangerous. That's the biggest threat to us. >>Yeah. And we have stacker ones out there. You got a bunch of other services, the white hat hackers get the bounties. That's really important. All right. What's next? What's your vision of this show as we end Coan? What's the most important story coming outta Coan in your opinion? And what are you guys doing next? >>Well, I, I actually think this is, this is probably not what most hooks would say is the most exciting story to con, but I find this personally the best is >>I can't wait for this now. >>So, on, on Sunday, the CNCF ran the first kids' day. >>Oh. >>And so they had a, a free kids workshop for, you know, underprivileged kids for >>About, That's >>Detroit area. It was, it was taught by some of the folks from the CNCF community. So Arro, Eric hen my, my older daughter, Cassandra's also an instructor. So she also was teaching a raspberry pie workshop. >>Amazing. And she's >>Here and Yeah, Yeah. She's also here at the show. And when you think about it, you know, there's always, there's, there's, you know, hundreds of announcements this week, A lot of exciting technologies, some of which we've talked about. Yeah. But it's, it's really what matters is the community. >>It this is a community first event >>And the people, and like, if we're giving back to the community and helping Detroit's kids to get better at technology, to get educated, I think that it's a worthwhile for all of us to be here. >>What a beautiful way to close it. That is such, I'm so glad you brought that up and brought that to our attention. I wasn't aware of that. Did you know that was >>Happening, John? No, I know about that. Yeah. No, that was, And that's next generation too. And what we need, we need to get down into the elementary schools. We gotta get to the kids. They're all doing robotics club anyway in high school. Computer science is now, now a >>Sport, in my opinion. Well, I think that if you're in a privileged community, though, I don't think that every school's doing robotics. And >>That's why Well, Cal Poly, Cal Poly and the universities are stepping up and I think CNCF leadership is amazing here. And we need more of it. I mean, I'm, I'm bullish on this. I love it. And I think that's a really great story. No, >>I, I am. Absolutely. And, and it just goes to show how committed CNF is to community, Putting community first and Detroit. There has been such a celebration of Detroit this whole week. Stephen, thank you so much for joining us on the show. Best Wishes with the CD Foundation. John, thanks for the banter as always. And thank you for tuning in to us here live on the cube in Detroit, Michigan. I'm Savannah Peterson and we are having the best day. I hope you are too.

(gentle upbeat music) >> Hello everyone, and welcome back to KubeCon CloudNativeCon here in Detroit, Michigan. My name is Savannah Peterson, joined with John Furrier. John, we are in the meat of the conference. >> It's really in crunch time, day two of three days of wall-to-wall coverage and this next guest is running the show at CNCF, the OG and been in the community doing a great job. I'm looking forward to this segment. >> Me too. I'm even wearing... You may notice, I am in my CNCF tee, and I actually brought my tee from last year for those of you. And the reason I brought it, actually, I want to use this to help introduce our next guest is the theme last year was resistance realized, and I think that KubeCon this year is an illustration of that resistance realized. Please welcome Priyanka Sharma to the show. Priyanka, thank you so much for being here with us. >> Thank you for having me. >> This is your show. How are you feeling right now? What does it feel like to be here? >> It's all of our show. I am just another participant, but I am so happy to be here. I think this is our third hybrid in person back event. And the whole ecosystem, we seem to have gotten into the groove now. You know, the first one we did, was in LA >> Savannah: Yes. >> Where you have that shirt from. Then we went to Valencia, and now here in Detroit I could sense the ease in the attendees. I can sense that it just feels great for everyone to be here. >> Savannah: Yeah. >> And you guys, who were face to face in LA, but this is really kind of back face to face, somewhat normalized, right? >> Priyanka: Yeah. >> And so that's a lot of feedback there. What's your reaction? Because the community's changed so much in three years, >> Savannah: Yes. >> Even two years, even last year. Where do you see it now? Because there's so much more work to do, but it feels like it's just getting started, but also at the same time it feels like people are celebrating at the same time. >> Yeah. >> Kubernetes is mainstream, CloudNative at scale. >> Savannah: That feels like a celebration. >> People are talking about developer... more developers coming on board, more traction, more scale, more interoperability, just a lot of action. What's your thoughts? >> I think you're absolutely right that we are just getting started. I've been part of many open source movements and communities. This is... I think this is something special where we have our flagship project considered mainstream, but yet so much to be done right over there. I mean, you've seen announcements around more and more vendors coming to support the project in, you know, the boring but essential ways that happened I think this week, just today, I think. And so Kubernetes continues to garner support and energy, which is unique in the ecosystem, right? Because once something becomes mainstream, normally, it's like, "Okay, boring." (John laughs) But that's happening. And I think the reason for that is CloudNative. It's built upon Kubernetes and so much more than Kubernetes. >> We have 140 plus projects >> Absolutely. >> and folks have a choice to contribute to something totally cutting edge or something that's, you know, used by everyone. So, the diversity of options and room for innovation at the same time means this is just the beginning. >> And also projects are coming together too. >> Priyanka: Yes. >> You're starting to see formation, you're starting to see some defacto alignment. >> Priyanka: Yes. >> You're starting to see the- >> Priyanka: Clustering. >> Some visibility into how the big moves are being playing out, almost the harvesting of that hard work. >> Priyanka: Yes, I do think there is consolidation, but I would definitely say that there's consolidation and innovation. >> John: Yeah. >> And that is something... I genuinely have not seen this before. I think there are definitely areas we're all really focusing on. I talked a lot about security in my keynote because it continues to gain importance in CloudNative, whether that is through projects or through practices. The same, I did not mention this in my keynote, but around like, you know, continuous delivery generally the software delivery cycle, there's a lot coming together happening there. And, you know, >> John: Yeah. >> many other spaces. So, absolutely right. >> Let's dig in a little bit actually, because I'm curious. You get to see these 140 plus projects. >> Yes. >> What are some of the other trends that you're seeing, especially now, as we're feeling this momentum around Kubernetes? The excitement is back in the ecosystem. >> Yes. So, so much happening. But I would definitely say that like the underlying basis of all these projects, right? I brought that up in my keynote, is the maintainers. And I think the maintainer group, is the talent keeps thriving and growing, the load on them is very heavy though. >> Savannah: Yeah. >> And I do think there's a lot more we all company, the companies around us need to do to support these people, because the innovation they're bringing is unprecedented. Besides Kubernetes, which has its own cool stuff all the time. I think I'm particularly excited about the Argo projects. >> Savannah: Yeah. >> So, they're the quadruplets as I like to call them. Right? Because there's four of them within the Argo banner. I had Yuan from Argo on my keynote actually. >> Savannah: Oh, nice. >> Alongside Hiba from Kubernetes. And we talked about their maintainer journey. And it's interesting. Totally different projects. Same asks, you know, which is more support and time from employers, more ways to build up contributors and ultimately they love the CNCF marketing supports. >> That Argo project's really in a great umbrella. There are a lot of action going on. Arlon, I saw that. Got some traction. A lot of great stuff. The question I want to ask you, and I want to get your reaction to this, you know, we always go to a lot of events with theCUBE and you can always tell the vibrant of the ecosystem when you see developers doing stuff, projects going on. But when you start seeing the commercialization >> Priyanka: Yes. >> The news briefings coming out of this show feels a lot like reinvent, like it's like a tsunami. I've never seen this much news. Everyone's got a story, they got announcing products. >> Savannah: That was a lot of news. That's a great point, John. >> There was a lot of flow even from the CNCF. >> Yeah. >> What's your reaction to that? I mean like to me it's a tell sign of activity, certainly, >> Right. >> And engagement. >> Right. >> But there's real proof coming out, real visibility into the value propositions, >> Priyanka: Yes. >> rendering itself with real products. What's your reaction to the news flow? >> Absolutely. I think it's market proof, like you said, right? >> Savannah: Yeah. >> That we have awesome technologies that are useful to lots of people around the world. And I think that, I hope this continues to increase. And with the bite basket of project portfolios that's what I hope to see. CNCF itself will continue supporting the maintainers with things like conformance programs which are really essential when you are... when you have people building products on top of your projects and other initiatives so that the technological integrity remains solid while innovation keeps happening. >> I know from a little birdie, Brendan, good friend of mine that you had a board meeting today. >> Priyanka: Yes. >> And I am curious because I hope I'm not going out about an assumption I imagine that room is full of passionate people. >> Priyanka: Absolutely. >> CNCF board would be a wild one. (Priyanka laughs) What are the priorities for the board between now and KubeCon next year? >> Sure. So the CNCF governing board is an over... It's like an oversight body. And their focus is on working with us on the executive team to make sure that we have the right game plan for the foundation. They tend to focus on the business decisions, things such as how do we manage our budget, how do we deploy it, and what are the initiatives? And that's always their priority. But because this is CloudNative and we are all technologists who love our projects, >> Savannah: Yeah. >> we also engage closely with the technical oversight committee who was in the said meeting that we just talked about. And so lots of discussions are around project health, sustainability. How do we keep moving? Because as you said, Kubernetes is going mainstream but it's still cool. There are all these other cool things. It's a lot going on, right? >> Savannah: Yeah. You got a lot of balls in the air. It's complex decision making and balancing of priorities. >> Priyanka: Yes. >> John: And demands, stakeholders. You have how many stakeholders? Every project, every person, every company. >> Everyone's a stakeholder. You're a stakeholder, too. >> And a hundred... I mean, I love how community focused you are. Obviously we're here to talk about the community. You have contributors from 187 different countries. >> Priyanka: It's one of the things I'm the most proud of. >> Savannah: It's... Yeah. It gives me all the feels as a community builder as well. >> Priyanka: Yeah. >> What an accomplishment and supporting community members in those different environments must be so dynamic for you and the team. >> Absolutely, and it behooves us to think globally in how we solve problems. Even when we introduce programs. My first question is, are we by accident being, let's say, default U.S. or are we being default Europe, whatever it may be because we really got to think about the whole world. >> John: It's global culture, it's a global village. >> Priyanka: Yes. >> And I think global now more than ever is so important. And, the Ukraine >> Priyanka: Yes. >> discussion on the main stage was awesome. I love how you guys did that because this is impacting the technology. We need the diverse input. Now I made a comment yesterday that it's going to make... it might slow things down. I meant as is more diversity, there's more conversations. >> Priyanka: Yes. >> But once people get aligned and committed, that's where the magic happens. Share your thoughts on the global diversity, why it's important, how things are made, how decisions are made. What's the philosophy? Because there's more to get your arms around. >> Yes, absolutely. It may seem harder or slower or whatever but once it gets done, aligned and committed, the product's better, everything's better. >> Priyanka: Yes, absolutely. I think the more people involved, the better it is for sure. Especially from a robustness resilience perspective. Because you know, as they say, sunlight makes bugs shallow. That's because the more eyes on something the faster people will solve problems, fix bugs and make, you know, look for security, vulnerability, solve all that. So especially in those areas, I think, where you want to be more resilient, the more the people, the better it is. A hundred percent. And then when it comes to direct technical direction and choosing a path, I think that's where, you know it's the role of the maintainers. And as I was saying there's only a thousand audit maintainers for 140 plus projects, right? So they are catering- >> Wow, they have a lot of responsibility. >> Right. >> Serious amount of responsibility. >> It's crazy. I know. And we have to do everything we can for those people because they are the ones who set the vision, set the direction, and then 176,000 plus contributors follow their lead. So we have... I think, the bright mechanisms of contribution and collaboration in a global way are in place. And we keep chugging along and doing better and better each year. >> What's next for you guys? You got the EU of show coming out, >> Priyanka: Correct, Amsterdam. the economy looking, I don't see your recession for technology, but that's me. I'm Polish on tech. Yeah, there's some layoffs going on, some cleaning up, overinflated expectations on valuations of startups, but I don't see this stopping or slowing down. But what's your take? >> Priyanka: Yeah, I mean, as I said in my keynote, right? Open source usage soars in times of turmoil and financial turmoil is one example of that. So we are expecting growth and heavy growth this year, next year and onwards. And in fact, going back to the whole maintainer journey, now is a time there's even more pressure on them and companies as they manage their, you know, workforces and prioritization, they really need to remember they're building products off of open source. They are... This is open sources on which what their business realize, whether they're a vendor or end user and give maintainers a space time to work on what they need to work on. >> Yeah. They need a little work-life balance. I mean the self-care there, I can't even imagine the complexity of the decision matrix in their mind. Speaking of that, and obviously you... Culture must be a huge part of how you lead these teams. How do you approach that as leader? >> I think the number one... So the foundation is a very small set of staff, just so you know. >> Savannah: I was actually... Let's tell the audience, how many people are on the team? >> Priyanka: You know, it's actually a difficult question because we have folks who like spin up and down and we have matrix support from the Linux Foundation, but about 30 people in total are dedicated to CNCF at any given time. >> Savannah: Wow. >> But compared... >> Savannah: You all do hard work. >> Yes. >> Savannah: You're doing great. I am impressed. >> It's a flat organization. >> It's pretty flat. >> Seriously, it's beautiful. >> It's actually in some ways very similar to the projects and there the, you know, contribution communities there where it's like everyone kind of like steps up and does what needs to be done, which is wonderful and beautiful, but with the responsibility on our shoulders, it's definitely a balancing act. So first off, it is, I ask everyone to have some grace for the staff. They are in a startup land with no IPO on the other side of the rainbow. They're doing it because they love love, love this community and technology so much. >> John: Yeah. Yeah, and then also they're acknowledging that nobody in open source wants to see a bureaucracy. >> Priyanka: Right. >> I mean, everyone see lean, efficient. >> Savannah: Yeah, absolutely John. It's great. It's a great point. And and I think that it's just... It's amazing what passionate people can do if given the opportunity. Let's talk a little bit about the literal event that we're at right now. >> Priyanka: Yes. >> Theme today, building for the road ahead. >> Priyanka: Yes. >> What was the inspiration for that? >> Detroit. (group laughs) We're in Detroit, people drive here. >> Savannah: In case you didn't know, cars have been made in this city. >> Motor city. >> It's everywhere being here in this city, which is awesome. >> But you know, it did... There was of course a geographical element but it also aligns with where we're at, right? >> Savannah: Yeah. >> We're building for the road ahead, which frankly given the changes going on in the world is a bumpy road. So it's important to talk about it. And that's what the theme was. >> And how many folks have shown up... This is a totally different energy from Los Angeles last year. I'm sure we can both agree. Everyone was excited last year, but this is an order of magnitude. >> Yes. >> How many folks do you think are milling around? >> Yeah, it's much more than double of Los Angeles. We are close to 8,000. >> Savannah: That's amazing. And it's so... You're absolutely right. The energy is just... >> Savannah: Way up. >> It's so good. People are enjoying themselves. It's been lovely. >> That's great. So you're feeling good? You're riding the high? >> Congratulations. >> Awesome. >> Yeah, thank you. I mean, I'm a little bit of a zombie right now. (group laughs) >> You don't look it, we wouldn't know. Nobody knows. They don't know. >> If you want to take a break, We got 12 interviews tomorrow. (Savannah and Priyanka laughing) You can co-host with us. We'd love to have you. >> Exactly. You're welcome anytime. Welcome anytime, Priyanka. >> Well thank you. But no, it's been such a wonderful show and you folks are part of the reason you say everybody here is contributing to the awesomeness. >> John: Yep. >> You're part of it. Look at your smiley faces. >> John: And Lisa Marty is over there. Lisa's over there. >> Yes! >> Say hi to Lisa and team. >> Yes, the team is awesome. >> Guys, thank you for your support for theCUBE. We really appreciate it. We enjoy it a lot. And we love the community. Thank you. >> Yes. Thank you for your support for CloudNative. >> Thank you. >> One last thing I just want to point out, because it's not always it happens in this industry. The women outnumber the men on this stage right now. >> John: Proud of that? >> And I know the diversity and inclusion is a priority for CNCF. >> Priyanka: Top priority. >> Yeah. Can you tell us a little bit more about that? >> Yes. It is something at the forefront of my mind, no matter what we do. And it's because I have such great role models. You know, when I was just a participant in the ecosystem, Dan Conn was leading the foundation and he took it so seriously to always try to uplift people from a diverse backgrounds and bring those faces into CloudNative. >> Savannah: Yes. >> And he made a serious lasting impact. >> John: Yes. >> And I am not going to let that go to waste. It's not going to be me who drops the ball. (group laughs) >> We're behind you all the way. >> Right? >> We see improvement over here. >> We got your back. >> I mean, even from an attendance perspective on stage I feel like you've done just an outstanding job with the curation and representation. I don't say that lightly. It really matters to me. But even in the audience looking around, it's so refreshing. Even it sounds silly. The shirts are more fitted. >> It's not silly. >> There's different types of shirts, and I mean, you know how it is. We've been in this industry long enough. >> It's a shirt you want to wear. >> Savannah: Exactly. And that's the whole point. I absolutely love it. Have we announced a location for KubeCon North America 2023, yet? >> It's Chicago. >> Savannah: Exciting! >> Yes. >> Savannah: All right. So we'll be seeing you >> Midwest. >> not that far away. >> This is the first time I've said this publicly, I just realized, It's Chicago, people. >> The scoop, yay! >> Oh, I feel so lucky we got to break the scoop. I was learning from John's lead there and I'm very excited. Amsterdam, Chicago. It's going to be absolutely >> I'll get my hotel now. >> Fantastic. >> Yes. >> Smart move. Everybody listen to him. >> Yeah, right? Especially after Detroit. It's actually not a... It's not a bad move. Priyanka, is there anything else you'd like to say to folks? Maybe they're thinking about coming or contributing to the ecosystem? >> Priyanka: Yes. Anyone and everyone can and should contribute and join us. The maintainers are holding us all up. Let's rally to support them. We have more and more programs to do that. As you know, we did ContribFest here this week which was the first time. So we will help you get involved so you're not on your own. So that's my number one message, which is anyone and everyone, you're welcome here. We'll make sure you have a good time. So just come. >> Okay. Please do it. >> I can tell you that Priyanka is not blowing smoke. I feel very welcome here. This community has welcomed me as a non-technical, so I think you're absolutely preaching the truth. Priyanka, thank you so much for being here with us today on the show, for helping herd the cats and wrangle the brilliant minds that make CNCF possible. And honestly for just bringing your energy and joy to the entire experience. John, thank you for hanging out with me. >> I'm glad I can contribute in a small way. >> I was going to say... I was going to say thank you for founding theCUBE so that we could be here in this little marriage and collaboration can be possible. And thank all of you for tuning in to theCUBE here, live from Detroit, Michigan. My name is Savannah Peterson. I am thrilled to be sharing this content with you today and I hope to see you for the rest of our interviews this afternoon. (gentle upbeat music)

(upbeat techno music) >> Hello, everyone. Welcome to theCUBE here live in Detroit for KubeCon + CloudNativeCon 2022. I'm John Furrier, host of theCUBE. This is our seventh consecutive KubeCon + CloudNativeCon. Since inception, theCube's been there every year. And of course, theCUBE continues to grow. So does the community as well as our host roster. I'm here with my co-host, Lisa Martin. Lisa, great to see you. And our new theCube host, Savannah Peterson. Savannah, welcome to theCUBE. >> Thanks, John. >> Welcome. >> Welcome to the team. >> Thanks, team. It's so wonderful to be here. I met you all last KubeCon and to be sitting on this stage in your company is honestly an honor. >> Well, great to have you. Lisa and I have done a lot of shows together and it's great to have more cadence around. You know, more fluid around the content, and also the people. And I would like you to take a minute to tell people your background. You know the community here. What's the roots? You know the Cloud Native world pretty well. >> I know it as well as someone my age can. As we know, the tools and the tech is always changing. So hello, everyone. I'm Savannah Peterson. You can find me on the internet @SavIsSavvy. Would love to hear from you during the show. Big fan of this space and very passionate about DevOps. I've been working in the Silicon Valley and the Silicon Alley for a long time, helping companies scale internationally as a community builder as well as a international public speaker. And honestly, this is just such a fun evolution for my career and I'm grateful to be here with you both. >> We're looking forward to having you on theCUBE. Appreciate it. Lisa? >> Yes. >> KubeCon. Amazing again this year. Just keeps growing bigger and bigger. >> Yes. >> Keynote review, you were in there. >> Yup. >> I had a chance to peek in a little bit, but you were there and got most of the news. What was the action? >> You know, the action was really a big focus around the maintainers, what they're doing, giving them the props and the kudos and the support that they deserve. Not just physically, but mentally as well. That was a really big focus. It was also a big focus on mentoring and really encouraging more people- >> Love that. >> I did, too. I thought that was fantastic to get involved to help others. And then they showed some folks that had great experiences, really kind of growing up within the community. Probably half of the keynote focus this morning was on that. And then looking at some of the other projects that have graduated from CNCF, some of these successful projects, what they're doing, what folks are doing. Cruise, one of the ones that was featured. You've probably seen their driverless cars around San Francisco. So it was great to see that, the successes that they've had and where that's going. >> Yeah. Lisa, we've done how many shows? Hundreds of shows together. When you see a show like this grow and continue to mature, what's your observation? You've seen many shows we've hosted together. What jumps out this year? Is it just that level of maturization? What's your take on this? >> The maturization of the community and the collaboration of the community. I think those two things jumped out at me even more than last year. Last year, obviously a little bit smaller event in North America. It was Los Angeles. This year you got a much stronger sense of the community, the support that they have for each other. There were a lot of standing ovations particularly when the community came out and talked about what they were doing in Ukraine to support fellow community members in Ukraine and also to support other Ukrainians in terms of getting in to tech. Lot of standing ovations. Lot of- >> Savannah: Love that, yeah. >> Real authenticity around the community. >> Yeah, Savannah, we talked on our intro prior to the event about how inclusive this community is. They are really all in on inclusivity. And the Ukraine highlight, this community is together and they're open. They're open to everybody. >> Absolutely. >> And they're also focused on growing the educational knowledge. >> Yeah, I think there's a real celebration of curiosity within this community that we don't find in certain other sectors. And we saw it at dinner last night. I mean, I was struck just like you Lisa walking in today. The energy in that room is palpably different from last year. I saw on Twitter this morning, people are very excited. Many people, their first KubeCon. And I'm sure we're going to be feeding off of that, that kind of energy and that... Just a general enthusiasm and excitement to be here in Detroit all week. It's a treat. >> Yeah, I even saw Stu Miniman earlier, former theCube host. He's at Red Hat. We were talking on the way in and he made an observation I thought was interesting I'll bring up because this show, it's a lot "What is this show? What isn't this show?" And I think this show is about developers. What it isn't is not a business show. It's not about business. It's not about industry kind of posturing or marketing. All the heavy hitters on the dev side are here and you don't see the big execs. I mean, you got the CEOs of startups here but not the CEOs of the big public companies. We see the doers. So, I mean, I think my take is this show's about creating products for builders and creating products that people can consume. And I think that is the Cloud Native lanes that are starting to form. You're either creating something for builders to build stuff with or you're creating stuff that could be consumed. And that seems for applications. So the whole app side and services seem to be huge. >> They also did a great job this morning of showcasing some of the big companies that we all know and love. Spotify. Obviously, I don't think a day goes by where I don't turn on Spotify. And what it's done- >> Me neither. >> What it's done for the community... Same with Intuit, I'm a user of both. Intuit was given an End User Award this morning during the keynote for their contributions, what they're doing. But it was nice to see some just everyday companies, Cloud Native companies that we all know and love, and to understand their contributions to the community and how those contributions are affecting all of us as end users. >> Yeah, and I think those companies like Intuit... Argo's been popular, Arlo now new, seeing those services, and even enterprises are contributing. You know, Lyft is always here, popular with Envoy. The community isn't just vendors and that's the interesting thing. >> I think that's why it works. To me, this event is really about the celebration of developer relations. I mean, every DevRel from every single one of these companies is here. Like you said, in lieu of the executive, that's essentially who we're attracting. And if you look out over the show floor here, I mean, we've probably got, I don't know, three to four extra vendors that we had last year. It totally is a different tone. This community doesn't like to be sold to. This community likes to be collaborative. They like to learn and they like to help. And I think we see that within the ecosystem inside the room today. >> It's not a top down sales pitch. It's really consensus. >> No. >> Do it out in the open transparency. Don't sell me stuff. And I think the other thing I like about this community is that we're starting to see that... And then we've said this in theCube before. We'll say it again. Maybe be more controversial. Digital transformation is about the developer, right? And I think the power is going to shift in every company to the developer because if you take digital transformation to completion, everything happens the way it's happening, the company is the application. It's not IT who serves the organization- >> I love thinking about it like that. That's a great point, John. >> The old phase was IT was a department that served the business. Well, the business is IT now. So that means developer community is going to grow like crazy and they're going to be in the front lines driving all the change. In my opinion, you going to see this developer community grow like crazy and then the business side on industry will match up with that. I think that's what's going to happen. >> So, the developers are becoming the influencers? >> Developers are the power source for all companies. They're in charge. They're going to dictate terms to how businesses will run because that's going to be natural 'cause digital transformation's about the app and the business is the app. So that mean it has to be coded. So I think you're going to see a lot of innovation around app server-like experiences where the the apps are just being developed faster than the infrastructures enabling that completely invisible. And I think you're going to see this kind of architecture-less, I'll put it out there that term architecture-less, environment where you don't need an architecture. It's just you code away. >> Yeah, yeah. We saw GitHub's mentioned in the keynote this morning. And I mean, low code, no code. I think your fingers right on the pulse there. >> Yeah. What did you guys see? Anything else you see? >> I think just the overall... To your point, Savannah, the energy. Definitely higher than last year. When I saw those standing ovations, people really come in together around the sense of community and what they've accomplished especially in the last two plus years of being remote. They did a great job of involving a lot of folks, some of whom are going to be on the program with us this week that did remote parts of the keynote. One of our guests on today from Vitess was talking about the successes and the graduation of their program so that the sense of community, but also not just the sense of it, the actual demonstration of it was also quite palpable this morning, and I think that's something that I'm excited for us to hear about with our guests on the program this week. >> Yeah, and I think the big story coming out so far as the show starts is the developers are in charge. They're going to set the pace for all the ops, data ops, security ops, all operations. And then the co-located events that were held Monday and Tuesday prior to kickoff today. You saw WebAssembly's come out of the woodwork as it got a lot of attention. Two startups got funded heavily on Series A. You're starting to see that project really work well. That's going to be an additional to the container market. So, interesting to see how Docker reacts to that. Red Hat's doing great. ServiceMeshCon was phenomenal. I saw Solo.iOS got massive traction with those guys. So like Service Mesh, WebAssembly, you can start to see the dots connecting. You're starting to see this layer below Kubernetes and then a layer above Kubernetes developing. So I think it's going to be great for applications and great for the infrastructure. I think we'll see how it comes out and all these companies we have on here are all about faster, more integrated, some very, very interesting to see. So far, so good. >> You guys talked about in your highlight session last week or so. Excited to hear about the end users, the customer stories. That's what I'm interested in understanding as well. It's why it resonates with me when I see brands that I recognize. Well, I use it every day. How are they using containers and Kubernetes? How are they actually not just using it to deploy their app, their technologies, that we all expect are going to be up 24/7, but how are they also contributing to the development of it? So I'm really excited to hear those end users. >> We're going to have Lockheed Martin. And we wrote a story on SiliconANGLE, the Red Hat, Lockheed Martin, real innovation on the edge. You're starting to see educate with the edge. It's really the industrial edge coming to be big. It'd be very interesting to see. >> Absolutely, we got Ford Motor Company coming on as well. I always loved stories, Savannah, that are history of companies. Ford's been around since 1903. How is a company that- >> Well, we're in the home of Ford- as well here. >> We are. How they evolved digitally? What are they doing to enable the developers to be those influencers that John says? It's going to be them. >> They're a great example of a company that's always been on the forefront, too. I mean, they had a head of VRs 25 years ago when most people didn't even know what VR was going to stand for. So, I can't wait for that one. You tease the Docker interview coming up very well, John. I'm excited for that one. One last thing I want to bring up that I think is really refreshing and it's reflected right here on this stage is you talked about the inclusion. I think there's a real commitment to diversity here. You can see the diversity stats on CNCF's website. It's right there on KubeCon. At the bottom, there's a link in every email I've gotten highlighting that. We've got two women on this stage all week which is very exciting. And the opening keynote was a woman. So quite frankly, I am happy as a female in this industry to see a bit more representation. And I do appreciate just on the note of being inclusive, it's not just about gender or age, it's also about the way that CNCF thinks about your experience since we're in this kind of pandemic transitional period. They've got little pins. Last year, we had bracelets depending on your level of comfort. Equivocally like a stoplight which is... I just think it's really nice and sensitive and that attention to detail makes people feel comfortable. Which is why we have the community energy that we have. >> Yeah, and being 12 years in the business... With theCUBE, we've been 12 years in the business, seven years with KubeCon and Cloud Native, I really appreciate the Linux Foundation including me as I get older. (Lisa and Savannah laugh) >> Savannah: That's a good point. >> Ageism were, "Hey!" Thank you. >> There was a lot of representation. You talked about females and so often we go to shows and there's very few females. Some companies are excellent at it. But from an optics perspective, to me it stands out. There was great representation across. There was disabled people on stage, people of color, women, men of all ages. It was very well-orchestrated. >> On the demographic- >> And sincere. >> Yeah, yeah. >> And the demographics, too. On the age side, it's lower too. You're starting to see younger... I mean, high school, college representation. I saw a lot of college students last night. I saw on the agenda sessions targeting universities. I mean, I'm telling you this is reaching down. Open source now is so great. It's growing so fast. It's continuing to thunder away. And with success, it's just getting better and better. In fact, we were talking last night about at some point we might not have to write code. Just glue it together. And that's why I think the supply chain and security thing is an issue. But this is why it's so great. Anyone can code and I think there's a lot of learning to have. So, I think we'll continue to do our job to extract the signal from the noise. So, thanks for the kickoff. Good commentary. Thank you. All right. >> Of course. >> Let's get started. Day one of three days of live coverage here at KubeCon + CloudNativeCon. I'm John Furrier with Lisa Martin, and Savannah Peterson. Be back with more coverage starting right now. (gentle upbeat music)

foreign [Music] my name is Savannah Peterson and I am very excited to be coming to you today from the cube in Palo Alto we're going to be talking about kubecon giving a little preview of the hype and what you might be able to expect in Detroit with the one and only co-founder and CEO of the cube and siliconangle John ferriere John hello how are you today thanks for hosting and doing the preview with me my goodness a pleasure I we got acquainted this time last year how do you think the ecosystem has changed are you excited well first of all I missed kubecon Valencia because I had covid I was so excited to be there this big trip plan and then couldn't make it but so much has gone on I mean we've been at every kubecon the cube was there at the beginning when openstack was still going on kubernetes just started came out of Google we were there having beers with Lou Tucker and a bunch of The Luminaries when it all kind of came together and then watch it year by year progress through and how it's changed the industry and mainly how open source has been really the wave behind it combining with the Linux foundation and then cncf and then open source movement and good kubernetes has been amazing and under it all containers has been the real driver and all this so you know Docker containers Docker was a well-funded company they had to Pivot and were restructured now they're pure open source so containers have gone Supernova on top of that kubernetes and with that's a complete ecosystem of opportunity to create the next operating system in in software development so to me kubecon is at the center of software software 2030 what do you want to call it super cloud it's that it's really action it's not where the old school is it's where the new school is excellent so what has you most excited this year what's the biggest change from this time last year and now well two things I'm looking at this year uh carefully both from an editorial lens and also from a sponsorship lenses where is the funding going on the sponsorships because again a very diverse ecosystem of Builders but also vendors so I'm going to see how that Dynamics going on but also on the software side a lot of white space going on in the stack or in the map if you will you know the run times you've got observability you got a lot of competition maybe projects might be growing some Rising some falling maybe merge together I'm going to see how that but there's a lot of white spaces developing so I'm curious to see what's new on that area and then service meshes is a big deal this year so I'm looking for what's going on so it's been kind of a I won't say cold war but kind of like uh you know where is this going to go and because it's a super important part of of the of the orchestration and managing containers and so be very interested to see how service mesh does istio and other versions out there have been around for a while so that and also the other controversy is the number of stars on GitHub a project may have so sometimes that carries a lot of weight but we're going to look at which ones are rising which ones are falling again um which ones are getting the most votes by the developers vote with their code yeah absolutely well we did definitely miss you down in Los Angeles but it will be great to be in Detroit what has you most excited do you think that we're going to see the number of people in person that we have in the past I know you've seen it since the beginning so I think this year is going to be explosive from that psychology angle because I think it was really weird because La was on they were a bold to make that move we're all there is first conference back it was a lot a lot of like badges don't touch me only handshakes fist pumps but it was at the beginning of the covid second wave right so it was kind of still not yet released where everyone's was not worried about it so I think it's in the past year in the past eight months I mean I've been places with no masks people have no masks Vegas other places so I think it's going to be a year where it will be a lot more people in person because the growth and the opportunities are so big it's going to drive a lot of people in person just like Amazon reinvent those yeah absolutely and as the most important and prominent event in the kubernetes space I think everyone's very excited to to get back together when we think about this space do you think there that anyone's the clear winner yet or do you think it's still a bit of a open territory in terms of the companies and Partnerships I think Red Hat has done a great job and they're you know I think they're going to see how well they can turn this into gold for them because they've positioned themselves very well open shift years ago was kind of waffling I won't say it in a bad way but like but once they got view on containers and kubernetes red has done an exceptional job in how they position their company being bought by ibms can be very interesting to see how that influences change so if Red Hat can stay red hat I think IBM will win I think customers that's one company I like the startups we're seeing companies like platform nine Rafi systems young companies coming out in the kubernetes as a service space because I think whoever can make kubernetes easier because I think that's the hard part right now even though that the show is called kubecon is a lot more than kubernetes I think the container layer what docker's doing has been exceptional that's the real action the question is how does that impact the kubernetes layers so kubernetes is not a done deal yet I think it hasn't really crossed the chasm yet it's certainly popular but not every company is adopting it so we're starting to see that we need to see more adoption of kubernetes seeing that happen it's going to decide who the winners are totally agree with that if you look at the data a lot of companies are and people are excited about kubernetes but they haven't taken the plunge to shifting over their stack or fully embracing it because of that complexity so I'm very curious to see what we learn this week about who those players might be moving forward how does it feel to be in Detroit when was the last time you were here I was there in 2007 was the last time I was in that town so uh we'll see what's like wow yeah but things have changed yeah the lions are good this year they've got great hockey goalies there so you know all right you've heard that sports fans let John know what you're thinking your Sports predictions for this season I love that who do you hope to get to meet while we're at the show I want to meet more end user customers we're gonna have Envoy again on the cube I think Red Hat was going to be a big sponsor this year they've been great um we're looking for end user project most looking for some editorial super cloud like um commentary because the cncf is kind of the developer Tech Community that's powering in my opinion this next wave of software development Cloud native devops is now Cloud native developers devops is kind of going away that's killed I.T in my opinion data and security Ops is the new kind of Ops the new it so it's good to see how devops turns into more of a software engineering meet supercloud so I think you're going to start to see the infrastructure become more programmable it's infrastructure as code so I think if anything I'm more excited to hear more stories about how infrastructure as code is now the new standard so if when that truly happens the super cloud model be kicking into high gear I love that let's you touched on it a little bit right there but I want to dig in a bit since you've been around since the beginning what is it that you appreciate or enjoy so much about the kubernetes community and the people around this I think there are authentic people and I think they're they're building they're also Progressive they're very diverse um they're open and inclusive they try stuff and um they can be critical but they're not jerks about it so when people try something um they're open-minded of a failure so it's a classic startup mentality I think that is embodied throughout the Linux Foundation but CNC in particular has to bridge the entrepreneurial and corporate Vibe so they've done an exceptional job doing that and that's what I like about this money making involved but there's also a lot of development and Innovation that comes out of it so the next big name and startup could come out of this community and that's what I hope to see coming out here is that next brand that no one's heard of that just comes out of nowhere and just takes a big position in the marketplace so that's going to be interesting to see hopefully we have on our stage there yeah that's the goal we're going to interview them all a year from now when we're sitting here again what do you hope to be able to say about this space or this event that we might not be able to say today I think it's going to be more of clarity around um the new modern software development techniques software next gen using AI more faster silicon chips you see Amazon with what they're doing the custom silicon more processing but I think Hardware matters we've been talking a lot about that I think I think it's we're going to shift from what's been innovative and what's changed I think I think if you look at what's been going on in the industry outside of crypto the infrastructure hasn't really changed much except for AWS what they've done so I'm expecting to see more Innovations at the physics level way down in the chips and then that lower end of the stack is going to be dominated by either one of the three clouds probably AWS and then the middle layer is going to be this where the abstraction is around making infrastructure as code really happen I think that's going to be Clarity coming out of this year next year we should have some visibility into the vertical applications and of the AI and machine learning absolutely digging in on that actually even more because I like what you're saying a lot what verticals do you think that kubernetes is going to impact the most looking even further out than say a year I mean I think that hot ones Healthcare fintech are obvious to get the most money they're spending I think they're the ones who are already kind of creating these super cloud models where they're actually changed over their their spending from capex to Opex and they're driving top line revenue as part of that so you're seeing companies that wants customers of the I.T vendors are now becoming the providers that's a big super cloud Trend we see the other verticals are going to be served by a lot of men in Surprise oil and gas you know all the classic versus Healthcare I mentioned that one those are the classic verticals retail is going to I think be massively huge as you get more into the internet of things that's truly internet based you're going to start to see a lot more Edge use cases so Telecom I think it's going to be completely disrupted by new brands so I think once that you see see how that plays out but all verticals are going to be disrupted just a casual statement to say yeah yeah no doubt in my mind that's great I'm personally really excited about the edge applications that are possible here and can't wait to see can't wait to see what happens next I'm curious as to your thoughts how based given your history here and we don't have to say number of years that you've been participating in in Cape Cod but give them your history what's the evolution looked like from that Community perspective when you were all just starting out having that first drink did you anticipate that we would be here with thousands of people in Detroit you know I knew the moment was happening around um 2017-2018 Dan Coney no longer with us he passed away I ran into him randomly in China and it was like what are you doing here he was with a bunch of Docker guys so they were already investing in so I knew that the cncf was a great Steward for this community because they were already doing the work Dan led a great team at that time and then they were they were they were kicking ass and they were just really setting the foundation they dig in they set the architecture perfectly so I knew that that was a moment that was going to be pretty powerful at the early days when we were talking about kubernetes before it even started we were always always talking about if this this could be the tcpip of of cloud then we could have kind of a de facto interoperability and Lou Tucker was working for Cisco at the time and we were called it interclouding inter-networking what that did during the the revolution Cloud yeah the revolution of the client server and PC Revolution was about connectivity and so tcpip was the disruptive enable that created massive amounts of wealth created a lot of companies created a whole generation of companies so I think this next inflection point is kind of happening right now I think kubernetes is one step of this abstraction layer but you start to see companies like snowflake who's built on AWS and then moved to multiple clouds Goldman Sachs Capital One you're going to see insurance companies so we believe that the rise of the super cloud is here that's going to be Cloud 3.0 that's software 3.0 it's software three what do you want to call it it's not yesterday's Cloud lift and shift and run a SAS application it's a true Enterprise digital digital transformation so that's that's kind of the trend that we see riding in now and so you know if you're not on that side of the street you're going to get washed away from that wave so it's going to be interesting to see how how it all plays out so it's fun to watch who's on the wrong side it is very fun I hope you all are listening to this really powerful advice from John he's dropping some serious knowledge bombs on us well holding the back for kubecon because we've got we got all the great guests coming on and that's where all the content comes from I mean the best part of the community is that they're sharing yeah absolutely so just for old time's sake and it's because it's how I met your fabulous team last year Define kubernetes for the audience kubernetes is like what someone said it was a magical Christmas I heard that was a well good explanation with that when I heard that one um you mean the technical definition or like the business definition or maybe both you can give us an interpretive dance if you'd like I mean the simplest way to describe kubernetes is an orchestration layer that orchestrates containers that are containing applications and it's a way to keep things running and runtime assembly of like the of the data so if you've got you're running containers you can containerize applications kubernetes gives you that capability to run applications at scale which feeds into uh the development uh cycle of the pipelining of apps so if you're writing applications and you want to scale up it's a fast way to stand up massive amounts of scale using containers and kubernetes so a variety of other things that are in the in the in the system too so that was pretty good there's a lot more under the hood but that's the oversimplified version I think that's what we were going for I think it's actually I mean it's harder to oversimplify it sometimes in this case it connects it connects well it's the connective tissue between all the container applications yes last question for you John we are here at the cube we're very excited to be headed to Detroit very soon what can people expect from the cube at coupon this year so we'll be broadcasting Wednesday Thursday and Friday we'll be there early I'll be there Monday and Tuesday we'll do our normal kind of hanging around getting some scoop on the on the ground floor you'll see us there Monday and Tuesday probably in the in the lounge too um come up and say hi to us um again we're looking for more stories this year we believe this is the year that you're going to hear a lot more storytelling coming out of this community as people get more proof points so come up to us share your email your your handle give us yours give us your story we'll publish it we think we think this is going to be the year that cloud native developers start showing the signs of the of the rise of the supercloud that's going to come out of this this community so you know if you got something to say you know we're open to share stories so we're here all that speaking of John how can people say hi to you and the team on Twitter at Furrier at siliconangle at thecube thecube.net siliconangle.com LinkedIn Dave vellantis they were open on all channels all right signal Instagram WhatsApp perfect well pick your channel we really hope to hear from you John thank you so much for joining us for this preview session and thank you for tuning in my name is Savannah Peterson here in Palo Alto at thecube Studios looking forward to Detroit we can't wait to hear your thoughts do let us know in the comments and let us know if you're headed to Michigan cheers [Music] thank you

(upbeat music) >> Hello, welcome to this Cube Conversation here in Palo Alto, California. I'm John Furrier, host of theCube. We have a returning Cube alumni, Ramesh Prabagan, who is the co-founder and CEO of Prosimo.io. Great to see you, Ramesh. Thanks for coming in to our studio, and welcome to the new layout. >> Thanks for having me here, John. After a series of Zoom conversations, it's great to be live and in the flesh! >> Great to be in person. We also got a new stage for our Supercloud event, which we've been opening up to the community, looking forward to getting your perspective on that soon as well. But I want to keep the conversation really about you guys. I want to get the story down. You guys came out of stealth, Multicloud, Supercloud is right in your wheelhouse. >> Exactly. >> You got to love Supercloud. >> Yeah. As I walked in, I saw Supercloud all over the place, and it just gives you a jolt of energy. >> Well, you guys are in the middle of the action. Your company, I want you to explain this in a minute, is in the middle of this next wave. Because we had the structural change I called Cloud One. Amazon, use case, developers, no need to build a data center, all that goodness happens, higher level service of abstractions are happening, and then Azure comes in. More PaaS, and then more install base, now they're nipping at the heels. So full on hyperscale, Cap Backs growth, great for everybody. Now comes new use cases. Cloud to cloud, app to app, you see Databricks, Snowflake, MongoDB, all doing extremely well by leveraging the Cap Backs, now it's an ops problem. >> Exactly. >> Now ops and security. >> Yeah. It's speed of applications. >> How are you guys vectoring into that? Explain what you guys do. >> Absolutely. So let me take kind of the customer pain point first, right? Because it's always easier to explain that, and then we explain what is it that we do. So, it's no surprise. Applications are moving into the cloud, or people are building apps in the cloud in masses. The infrastructure that's sitting in front of these applications, cutting across networking, security, the operational piece associated with that, does not move at the same speed. The apps sometimes get upgraded two, three times a day, the infrastructure gets touched one time a week at best. And so increasingly, the cloud platform teams, the developers are all like, "Hey, why? Why? Why?" Right? "I thought things were supposed to move fast in the cloud." It doesn't. Now, if you double click on that, really, it's two reasons. One, those that won't have consistency across the stack that they hired in the data center, they bring a virtual form factor of that stack and line it up in the cloud, and before you know it, it's cost, it's operation complexity, there are multiple single panes of glass, all the fun stuff associated... >> Just to interject real quick. It is fast in the cloud if you're a developer. >> Exactly. >> So it's kind of like, hurry up, slow down, wait. >> Correct. >> So the developers are shifting left, open source is booming. Things are fine for developers right now. If you're a developer, things are good. >> But the guy sitting in front of that... >> The ops guys, they've got to deal with things like lock-in, choice, security. >> Exactly. And those are really the key challenges. We've seen some that actually said, "Hey, know what, I don't want to bring my data center stack into the cloud. Let me go cloud-native. And they start to build it up. 14 services from AWS, 15 from iGR, 14 more from GCP, even if you are in a single cloud. They just keep it to that. I need to know how to put this together. Because all these services are great, but how do I put this together. And enterprises don't have just one application, they have hundreds of these applications. So the requirements of a database is different than a service mesh, different than a serverless application, different than a web application. And before you know it, "How do I put all these things together?" And so we looked at this problem, and we said, "Okay. We subscribe to the fact that cloud-native is the way to go, right, but something needs to be there to make this simple." Right? And so, first thing that we did was bring all these cloud-native services together, we help orchestrate that, and we said, "okay, know what, Mr. Enterprise? We got you covered." Right? But now, it doesn't stop there. That's like, 10% of the value, right? What do you really need? What do you care about now? Because the apps are in the center of the universe, and who's talking to it? It's another application sitting either in the same cloud, or in a different cloud, or it's a user connecting into the application. So now, let's talk about what are the networking security operational requirements required for these apps to talk to each other, or the user to talk to the application. That's really what we focus on. >> Yeah. And I think one of the things that's driving this opportunity for you, and I want to get your reaction to this, is that the modern application movement is all about cloud-native. Okay, they're obviously doing great. Now, kind of the kumbaya moment in enterprise is that the security team and ops teams have to play ball and be friends with the developer, and vice versa. So harmony's coming there. So the little harmony. And two, the business is driving apps. IT is transforming over. This is why the Supercloud idea is interesting to Dave and I. Because when we coined that term, multi-cloud was not a market. Everyone has multiple clouds, 'cause they have Microsoft Office, that's now in the cloud, they got SQL Server, I mean it's really kind of Microsoft Cloud. >> Exactly. >> So you have a cloud. But do you have ops teams building on the stack? What about the network layer? This is where the rubber meets the road. >> Absolutely, yeah. And if you look at the challenges there, if you just focus on networking and security, right? When applications need to talk to each other, you have a whole bunch of underlying services, but somebody needs to put this thing on top. Because what you care about is "can these group of users talk to these class of applications." Or, "these group of applications, can they talk to each other," right? This whole notion of connectivity is just table stakes. Everybody just assumes it's there, right? It's the next layer up, which is, "how do I bring Zero Trust access? How do I get the observability?" And observability is not just a bunch of pretty donut chats. I have had people look to me in my previous company, the start-up, and said, "okay, give me all these nice donut chats, but so what? What do you want me to do with this?" And so you have to translate that into real actions, right? "How do I bring Zero Trust capabilities? How do I bring the observability capabilities? How do I understand cloud-native and networking and bring those things together so that you can help solve for the problem." >> It's interesting, one of the questions I had here to ask you was "what does it mean to be cloud-native, and why now?" And you brought up Zero Trust, trust and verify, these are security concepts. But if you look at what's going on at KubeKon and CNCF and Linux Foundation, software supply chain's a huge issue, where trust is the issue. They want trust there, so you got Zero Trust here. What is it? Zero Trust or trust? I mean, what's there? Is one hardware based, perimeter, networking? That kind of perimeter's dead, ton of... >> No, the whole- >> Trust or Zero Trust. >> The whole concept of Zero Trust is don't trust what is underlying, just trust what you're talking to. So if you and I talking to each other, John, you need to trust me, I need to trust you, and be able to have this conversation. >> You've been verified. >> Exactly, right? But in the application world, if you talk about two apps that are talking to each other, let's say there is a web application in one AWS region talking to a database in a different region, right? Now, do you want to make sure you are able to build that trust all the way from the application to the application? Or do you want to move the trust boundary to the two entities that are talking to each other so that irrespective of what they go on underneath the covers, you can be always sure that these two things are trusted. >> So, Ramesh, I was on LinkedIn yesterday, I wrote a comment, Dave Vallante wrote a post on Supercloud, we're talking about it, and I wrote, "Cloud as a commodity," question, and then a bunch of other stuff that we're going to talk about, and Keith Townsend jumped on that, and got on Twitter, put a poll, "Is cloud a commodity? Source: me." So, it started a big thread. And the reaction was interesting. And my point was to be provocative on "Cloud isn't commodity, but there's commodity elements." EC2 and S3, you can look at that and say, "that's commodity IaaS," but Amazon Web Services has done an amazing job for higher level services. Okay, so how does that translate into the use cases that you see that you guys are going after and solving, because it's the same kind of concept. IaaS and SaaS have to work together to solve problems, but that's in an integrated environment, say, in a native-cloud. How does that work across clouds? >> Yeah, no, you bring up a great point, John. So, let's take the simple use case, right? Let's keep the user to app thing to the side. Let us say two apps need to talk to each other, right? There are multiple ways in which you can solve this problem. You can build highways. That's what our customers call it. I'll build highways. I don't care what goes on those highways, I'll just build highways. You bring any kind of application workload on it, I just make sure that the highways are good, right? That's kind of the lowest common denominator. It's the path to least resistance. You can get stuff done, but it's not going to move the needle, right? Then you have really modern, kind of service networking, where, okay, I'm looking at every single HTTP, API, n:point, whatnot, and I'm optimizing for that. Right? Great if you know what you're doing, but, like, if you have thousands of these applications, it's not going to be really feasible to do that. And so, what we have seen customers do, actually, is employ a mixed approach, where they say, "I'm going to build these highways, the highways are going to make sure that I can go from one place to another, and maybe within regions, across clouds, whatnot, but then, I have specific requirements that my business needs, that actually needs tweaking, right? And so I'm going to tweak those things. That's why, what we call as like, full stack transit, is exactly that, right, which is, I'll build you the guts of it so that hey, you know what, if somebody screams at you, "Hey, why is my application not accessible?" You don't have that problem. It is always accessible. But then, the requirements for performance, the requirements for Zero Trust, the requirements for segmentation, and all of that are things that... >> That's a hard problem. >> That's a hard problem to solve. >> And you guys are solving that? >> Absolutely, exactly. >> So, let me throw this at you. So, okay, I get that. And by the way, that's exactly what we're seeing. Dave and I were also debating about multi-cloud as what it is. Now, the nirvana definition is, "Well, I have a workload, that's going to work the same, and just magically just shift to Azure." (Ramesh laughs) >> Like, 'cause there's better resources. >> There is no magic there. >> So, but this brings up the point of operations. Now, Databricks and Snowflake, they're building their software to run on multi-cloud seamlessly. Now they can do that, 'cause it's their application. What is the multi-cloud use case, so that's a Supercloud use case in your mind, because right now it's not yet there. What is the Supercloud use case that's going to allow this seamless management or workloads. What's your view? >> Yeah, so if you take enterprise, right? Large enterprise in particular. They invariably have some workloads that are on, let's say, if the primary cloud is AWS, there are some workloads in Azure. Maybe they have acquired a new company, maybe a start-up that uses GCP, whatnot. So they have sprinkles of workloads in other clouds. >> So that's the breed kind of thing. >> Yeah, exactly. That's not what causes anybody to wake up in the morning and say, "I need to have a Supercloud strategy." That's not the thing, right? But now, increasingly you're seeing "pick the right cloud for the appropriate workload." That is going to change quite a bit. Because I have my infrastructure heavy workloads in AWS. I have quite a bit of like, analytics and mining type of applications that are better on GCP. I have all of my package applications work well on Azure, right? How do I make sure all of this. And it's not apps of this kind. Even simple things like VDI. VDI always used to be, "I have this instance I run up" and whatnot. Now every single cloud provider is giving you their own flavor of virtual desktop. And so, how do you make sure all of these things work together, right? And once again, what we have seen customers do is they settle on one cloud as their primary, but then you always have sprinkles of workloads across all of the clouds. Now, you could also go down the path, and you're increasingly seeing this, you could go down the path of, "Hey, I'm using cloud as backbone," right? Cloud providers have invested massive amounts of dollars to make sure that the infrastructure reaches there. Literally almost to the extent that every user in a metro city is ten milliseconds from the public cloud. And so they have allowed for that. Now, you can actually use cloud backbones to get the availability, the liability and whatnot. So these are some new use cases that we have seen actually blew up in customers. I was just doing an interview, and the topic was the innovator's dilemma. And one of the panelists said, "It's not the innovator's dilemma, it's the integrator dilemma." Because if you have commodity, and you have choices on, say, backbones and whatnot for transit, the integration is the key glue now. What's your reaction to that? >> Absolutely. And we have seen, we used to spend quite a bit of time in kind of what is the day zero problem, right? Like, how do I put this together? Conversations are moved past that, because there are multiple ways in which you can do that right now, right? Conversations are moving to kind of, "this is more of an operational problem for me." It's not just operations in the form of "Hey, I need to find out where the problem is, troubleshoot it, and so forth. But I need to make like really high quality decisions." And those decisions are going to be guided by data. We have enterprise customers that acquire new companies. Or they have a new site that they open up. >> It's a mishmash. >> Yeah, exactly. It's a New York based company and they acquire a team out in Sidney, Australia, right? Does your cloud tell you today that you have new users, or new applications that are in Sidney, and naturally just extend? No, it doesn't. Somebody has to look at the macro problem, look at "Where are all my workloads?" Do a bunch of engineering to make that work, right? We took it upon ourselves to say "Hey, you know what, twenty-four hours later, you're going to get a recommendation in the platform that says, 'okay, you have new set of applications, a new set of users coming from Sidney, Australia, what have you done about it?' Click a button, and then you expand on it. >> It's kind of like how IT became the easy way to run the data center. Before IT you had to be a PhD, and roll out, I mean, you know how it was, right? So you're kind of taking that same approach. Okay, well, Ramesh, great stuff. I want to do a followup, certainly with you on this. 'Cause you're in the middle of where this wave is going, this structural change, and certainly can participate in that Supercloud conversation. But for your company, what's going on there? Give us an update, customer activity, what's it like, you guys came out of stealth, what's been the reaction, give a plug for the company, who you going to hire, take a minute to plug it. >> Oh, wonderful, thank you. So, primary use cases are really around cloud networking. How do you go within the cloud, and across clouds, and to the cloud, right? So those are really the key use cases. We go after large enterprises predominantly, but any kind of mid enterprise that is extremely cloud oriented, has lot of workloads in the cloud, equally applicable, applicable there. So we have about 60 of the Fortune 500s that we are engaged in right now. Many of them are paying customers as well. >> How are they buying, service? Is it... >> Yeah. So we provide software that actually sits inside the customer's own administrative control, delivered as a service, that they can use to go- >> So on-premise hosting or in the cloud? >> Entirely in the cloud, delivered as a service, so they didn't need to take care of the maintenance and whatnot, but they just consume it from the cloud directly, okay? And so, where we are right now is essentially, I have a branch of repeatable use cases that many customers are employing us for. So again, building highways, many different ways to build highways, at the same time take care of the micro-segmentation requirements, and then importantly, this whole NetDevOps, right? This whole NetDevOps is a cultural shift that we have seen. So if you are a network engineer, NetDevOps seems like it's a foreign term, right? But if you are an operational engineer, then NetDevOps, you know exactly what to do. So bringing all those principles together, making sure that the networking teams are empowered to essentially embrace the cloud that I created, the single biggest thing that we have done, I would say done well, is we have built very well on top of the cloud provider. So we don't go against cloud-native services. They have done that really, really well. It makes no sense to go say, "I have a better transit gateway than you." No. Hands down, an AWS transit gateway, or an Azure V1 and whatnot, are some of the best services that they have provided. But what does that mean? >> How do you build software into it? >> Exactly, right? And so how can you build a layer of software on top, so that when you attach that into the applications, right, that you can actually get the experience required, you can get the security requirements and so forth. So that's kind of where we are. We're also humbled by essentially some of the mega partners that have taken a bet on us, sometimes to the extent that, we're a 70% company, and some of the partners that we are talking to actually are quite humbling, right? >> Hey, lot more resource. >> Exactly, yeah. >> And how many rounds of financing have you done? >> So we have done two rounds of financing, we have raised about 55,000,000 in capital, again, really great set of investors backing us up, and a strong sense of conviction, on kind of where we are going. >> Do you think you're early, or not? 'Cause, that's always probably the biggest scary, I can see the smile, is that what keeps you up at night? >> So, yeah, exactly, I go through these phases internally in my head. >> The vision's right on the money, no doubt about it. >> So when you win an opportunity, and we have like, a few dozen of these, right, when you win an opportunity, you're like, "Yes, absolutely, this is where it is," right, and you go for a week and you don't win something, and you're like, "Hey man, why are we not seeing this?" Right, and so you go through these cycles, but I'll tell you with conviction, the fact that customers are moving workloads into the public cloud, not in dozens but in like, the hundreds and the thousands, essentially means that they need something like this. >> And the cloud-native wave is driving big time. >> Exactly, right. And so, when the customer as a conversation with AWS, Azure, GCP, and they are privy to all the services, and we go in after that and talk about, "How do I put this together and help you focus on your outcomes?" That mentally moves them. >> It's a day zero opportunity, and then you got headroom beyond that. >> Exactly. So that's the positive side of it, and enterprises certainly are sometimes a little cautious about when they're up new technologies and so forth. It's a natural cycle. Fortunately, again we are humbled by the fact that we have a few dozen of the pioneering customers that are using our platform. That gives you the legitimacy for a start-up. >> You got great pedigree on clients. Real quick, final question. 30 seconds. What's the pain point, for people watching, when do they call you in? What's their environment look like, what are some of the things that give the signals that you guys got to get the call? >> If you have more than, let's say five or ten VPCs in the cloud, and you have not invested in building a networking platform that gives you the connectivity, the security, the observability, and the performance requirements, you absolutely have to do that, right? Because we have seen many, many customers, it goes from 5 to 50 to 100 within a week, and so you don't want to be caught essentially in the midst of that. >> One more final final question. Since you're a seasoned entrepreneur, you've been there, done that previous times, >> Yeah, I've got scars. (laughs) >> Yes, we've all got scar tissue. We've been doing theCube for 12 years, we've seen a lot of stuff. What's the difference now in this market that's different than before? What's exciting you? What's the big change? What's, in your opinion, happening now that's really important that people should pay attention to? >> Absolutely. A lot of it is driven by one, the focus on the cloud itself, right? That's driving a sense of speed like never before. Because in the infrastructure world, yeah you do it today, oh, you do it six months from now, you had some leeway. Here, networking security teams are being yelled at almost every single day, by the cloud guy saying, "You guys are not moving fast enough, fast enough, fast enough." So that thing is different. So it helps, going to shrink the sale cycle for us. So second big one is, nobody knows, essentially, the new set of use cases that are coming about. We are seeing patterns emerge in terms of new use cases almost every single day. Some days it's like completely on the other end of the spectrum. Like, "I'm only serverless and service mesh." On the other end, it's like, "I have a package application, I'm moving it to the cloud." Right? And so, we're learning a lot as well. >> A great time for Supercloud. >> Exactly. >> Do the cloud really well, make it super, bring it to other use cases, stitch it all together, make it easy to use, reduce the complexity, it's just evolution. >> Yeah. And our goal is essentially, enterprise customers should not be focused so much on building infrastructure this way, right? They should focus on users, application services, let vendors like us worry about the nitty-gritty underneath. >> Ramesh, thank you for this conversation. It's a great Cube conversation. In the middle of all the action, Supercloud, multi-cloud, the future is going to be very much cloud-based, IaaS, SaaS, connecting environments. This is the cloud 2.0, Superclouds. And this is what people are going to be working on. I'm John Furrier with theCube, thanks for watching. (soft music)