Liz Rice, Isovalent | CloudNativeSecurityCon 23
(upbeat music) >> Hello, everyone, from Palo Alto, Lisa Martin here. This is The Cube's coverage of CloudNativeSecurityCon, the inaugural event. I'm here with John Furrier in studio. In Boston, Dave Vellante joins us, and our guest, Liz Rice, one of our alumni, is joining us from Seattle. Great to have everyone here. Liz is the Chief Open Source officer at Isovalent. She's also the Emeritus Chair Technical Oversight Committee at CNCF, and a co-chair of this new event. Everyone, welcome Liz. Great to have you back on theCUBE. Thanks so much for joining us today. >> Thanks so much for having me, pleasure. >> So CloudNativeSecurityCon. This is the inaugural event, Liz, this used to be part of KubeCon, it's now its own event in its first year. Talk to us about the importance of having it as its own event from a security perspective, what's going on? Give us your opinions there. >> Yeah, I think security was becoming so- at such an important part of the conversation at KubeCon, CloudNativeCon, and the TAG security, who were organizing the co-located Cloud Native Security Day which then turned into a two day event. They were doing this amazing job, and there was so much content and so much activity and so much interest that it made sense to say "Actually this could stand alone as a dedicated event and really dedicate, you know, all the time and resources of running a full conference, just thinking about cloud native security." And I think that's proven to be true. There's plenty of really interesting talks that we're going to see. Things like a capture the flag. There's all sorts of really good things going on this week. >> Liz, great to see you, and Dave, great to see you in Boston Lisa, great intro. Liz, you've been a CUBE alumni. You've been a great contributor to our program, and being part of our team, kind of extracting that signal from the CNCF cloud native world KubeCon. 
This event really kind of to me is a watershed moment, because it highlights not only security as a standalone discussion event, but it's also synergistic with KubeCon. And, as co-chair, take us through the thought process on the sessions, the experts, it's got a practitioner vibe there. So we heard from Priyanka early on, bottoms up, developer first. You know KubeCon's shift left was big momentum. This seems to be a breakout of very focused security. Can you share the rationale and the thoughts behind how this is emerging, and how you see this developing? I know it's kind of a small event, kind of testing the waters it seems, but this is really a directional shift. Can you share your thoughts? >> Yeah I'm just, there's just so many different angles that you can consider security. You know, we are seeing a lot of conversations about supply chain security, but there's also runtime security. I'm really excited about eBPF tooling. There's also this opportunity to talk about how do we educate people about security, and how do security practitioners get involved in cloud native, and how do cloud native folks learn about the security concepts that they need to keep their deployments secure. So there's lots of different groups of people who I think maybe at a KubeCon, KubeCon is so wide, it's such a diverse range of topics. If you really just want to focus in, drill down on what do I need to do to run Kubernetes and cloud native applications securely, let's have a really focused event, and just drill down into all the different aspects of that. And I think that's great. It brings the right people together, the practitioners, the experts, the vendors to, you know, everyone can be here, and we can find each other at a smaller event. We are not spread out amongst the thousands of people that would attend a KubeCon. 
>> It's interesting, Dave, you know, when we were talking, you know, we're going to bring you in real quick, because AWS, which I think is the bellwether for, you know, cloud computing, has now two main shows, AWS re:Invent and re:Inforce. Security, again, broken out there. You see the classic security events, RSA, Black Hat, you know, those are the, kind of, the industry kind of mainstream security, very wide. But you're starting to see the cloud native developer first with both security and cloud native, kind of, really growing so fast. This is a major trend for a lot of the ecosystem. >> You know, and you hear, when you mention those other conferences, John you hear a lot about, you know, shift left. There's a little bit of lip service there, and you, we heard today way more than lip service. I mean deep practitioner level conversations, and of course the runtime as well. Liz, you spent a lot of time obviously in your keynote on eBPF, and I wonder if you could share with the audience, you know, why you're so excited about that. What makes it a more effective tool compared to other traditional methods? I mean, it sounds like it simplifies things. You talked about instrumenting nodes versus workloads. Can you explain that a little bit more detail? >> Yeah, so with eBPF programs, we can load programs dynamically into the kernel, and we can attach them to all kinds of different events that could be happening anywhere on that virtual machine. And if you have the right knowledge about where to hook into, you can observe network events, you can observe file access events, you can observe pretty much anything that's interesting from a security perspective. And because eBPF programs are living in the kernel, there's only one kernel shared amongst all of the applications that are running on that particular machine. So you don't- you no longer have to instrument each individual application, or each individual pod. There's no more need to inject sidecars. 
We can apply eBPF based tooling on a per node basis, which just makes things operationally more straightforward, but it's also extremely performant. We can hook these programs into events that typically very lightweight, small programs, kind of, emitting an event, making a decision about whether to drop a packet, making a decision about whether to allow file access, things of that nature. They're super fast, there's no need to transition between kernel space and user space, which is usually quite a costly operation from performance perspective. So eBPF makes it really, you know, it's taking the security tooling, and other forms of tooling, networking and observability. We can take these tools into the kernel, and it's really efficient there. >> So Liz- >> So, if I may, one, just one quick follow up. You gave kind of a space age example (laughs) in your keynote. When, do you think a year from now we'll be able to see, sort of, real world examples in action? How far away are we? >> Well, some of that is already pretty widely deployed. I mean, in my keynote I was talking about Cilium. Cilium is adopted by hundreds of really big scale deployments. You know, the users file is full of household names who've been using Cilium. And as part of that they will be using network policies. And I showed some visualizations this morning of network policy, but again, network policy has been around, pretty much since the early days of Kubernetes. It can be quite fiddly to get it right, but there are plenty of people who are using it at scale today. And then we were also looking at some runtime security detections, seeing things like, in my example, exfiltrating the plans to the Death Star, you know, looking for suspicious executables. And again, that's a little bit, it's a bit newer, but we do have people running that in production today, proving that it really does work, and that eBPF is a scalable technology. 
It's, I've been fascinated by eBPF for years, and it's really amazing to see it being used in the real world now. >> So Liz, you're a maintainer on the Cilium project. Talk about the use of eBPF in the Cilium project. How is it contributing to cloud native security, and really helping to change the dials on that from an efficiency, from a performance perspective, as well as a, what's in it for me as a business perspective? >> So Cilium is probably best known as a networking plugin for Kubernetes. It, when you are running Kubernetes, you have to make a decision about some networking plugin that you're going to use. And Cilium is, it's an incubating project in the CNCF. It's the most mature of the different CNIs that's in the CNCF at the moment. As I say, very widely deployed. And right from day one, it was based on eBPF. And in fact some of the people who contribute to the eBPF platform within the kernel, are also working on the Cilium project. They've been kind of developed hand in hand for the last six, seven years. So really being able to bring some of that networking capability, it required changes in the kernel that have been put in place several years ago, so that now we can build these amazing tools for Kubernetes operators. So we are using eBPF to make the networking stack for Kubernetes and cloud native really efficient. We can bypass some of the parts of the network stack that aren't necessarily required in a cloud native deployment. We can use it to make these incredibly fast decisions about network policy. And we also have a sub-project called Tetragon, which is a newer part of the Cilium family which uses eBPF to observe these runtime events. The things like people opening a file, or changing the permissions on a file, or making a socket connection. All of these things that as a security engineer you are interested in. 
Who is running executables, who is making network connections, who's accessing files, all of these operations are things that we can observe with Cilium Tetragon. >> I mean it's exciting. We've chatted in the past about that eBPF extended Berkeley Packet Filter, which is about the Linux kernel. And I bring that up Liz, because I think this is the trend I'm trying to understand with this event. It's, I hear bottoms up developer, developer first. It feels like it's an under the hood, infrastructure, security geek fest for practitioners, because Brian, in his keynote, mentioned BIND in reference to the late Dan Kaminsky, who was, obviously found that error in BIND at the, in DNS. He mentioned DNS. There's a lot of things that's evolving at the silicon, kernel, kind of root levels of our infrastructure. This seems to be a major shift in focus and rightfully so. Is that something that you guys talk about, or is that coincidence, or am I just overthinking this point in terms of how nerdy it's getting in terms of the importance of, you know, getting down to the low level aspects of protecting everything. And as we heard also the quote was no software secure. (Liz chuckles) So that's up and down the stack of the, kind of the old model. What's your thoughts and reaction to that? >> Yeah, I mean I think a lot of folks who get into security really are interested in these kind of details. You know, you see write-ups of exploits and they, you know, they're quite often really involved, and really require understanding these very deep detailed technical levels. So a lot of us can really geek out about the details of that. The flip side of that is that as an application developer, you know, as- if you are working for a bank, working for a media company, you're writing applications, you shouldn't have to be worried about what's happening at the kernel level. This might be kind of geeky interesting stuff, but really, operationally, it should be taken care of for you. 
You've got your work cut out building business value in applications. So I think there's this interesting, kind of dual track going on almost, if you like, of the people who really want to get involved in those nitty gritty details, and understand how the underlying, you know, kernel level exploits may be working. But then how do we make that really easy for people who are running clusters to, I mean like you said, nothing is ever secure, but trying to make things as secure as they can be easily, and make things visual, make things accessible, make things, make it easy to check whether or not you are compliant with whatever regulations you need to be compliant with. That kind of focus on making things usable for the platform team, for the application developers who deliver apps on the platform, that's the important (indistinct)- >> I noticed that the word expert was mentioned, I mentioned earlier with Priyanka. Was there a rationale on the 72 sessions, was there thinking around it or was it kind of like, these are urgent areas, they're obvious low hanging fruit. Was there, take us through the selection process of, or was it just, let's get 72 sessions going to get this (Liz laughs) thing moving? >> No, we did think quite carefully about how we wanted to, what the different focus areas we wanted to include. So we wanted to make sure that we were including things like governance and compliance, and that we talk about not just supply chain, which is clearly a very hot topic at the moment, but also to talk about, you know, threat detection, runtime security. And also really importantly, we wanted to have space to talk about education, to talk about how people can get involved. Because maybe when we talk about all these details, and we get really technical, maybe that's, you know, a bit scary for people who are new into the cloud native security space. We want to make sure that there are tracks and content that are accessible for newcomers to get involved. 
'Cause, you know, given time they'll be just as excited about diving into those kind of kernel level details. But everybody needs a place to start, and we wanted to make sure there were conversations about how to get started in security, how to educate other members of your team in your organization about security. So hopefully there's something for everyone. >> That education piece- >> Liz, what's the- >> Oh sorry, Dave. >> What's the buzz on AI? We heard Dan talk about, you know, ChatGPT, using it to automate spear phishing. There's always been this tension between security and speed to market, but CISOs are saying, "Hey we're going to a zero trust architecture and that's helping us move faster." Will, in your, is the talk on the floor, AI is going to slow us down a little bit until we figure it out? Or is it actually going to be used as an offensive defensive tool if I can use that angle? >> Yeah, I think all of the above. I actually had an interesting chat this morning. I was talking with Andy Martin from Control Plane, and we were talking about the risk of AI generated code that attempts to replicate what open source libraries already do. So rather than using an existing open source package, an organization might think, "Well, I'll just have my own version, and I'll have an AI write it for me." And I don't, you know, I'm not a lawyer so I dunno what the intellectual property implications of this will be, but imagine companies are just going, "Well you know, write me an SSL library." And that seems terrifying from a security perspective, 'cause there could be all sorts of very slightly different AI generated libraries that pick up the same vulnerabilities that exist in open source code. So, I think we're going to go through a pretty interesting period of vulnerabilities being found in AI generated code that look familiar, and we'll be thinking "Haven't we seen these vulnerabilities before? 
Yeah, we did, but they were previously in handcrafted code and now we'll see the same things being generated by AI." I mean, in the same way that if you look at an AI generated picture and it's got I don't know, extra fingers, or, you know, extra ears or something that, (Dave laughs) AI does make mistakes. >> So Liz, you talked about the education, the enablement, the 72 sessions, the importance of CloudNativeSecurityCon being its own event this year. What are your hopes and dreams for the practitioners to be able to learn from this event? How do you see the event as really supporting the growth, the development of the cloud native security community as a whole? >> Yeah, I think it's really important that we think of it as a Cloud Native Security community. You know, there are lots of interesting sort of hacker community security related community. Cloud native has been very community focused for a long time, and we really saw, particularly through the TAG, the security TAG, that there was this growing group of people who were, really wanted to work at that intersection between security and cloud native. And yeah, I think things are going really well this week so far, so I hope this is, you know, the first of many editions of this conference. I think it will also be interesting to see how the balance between a smaller, more focused event, compared to the giant KubeCon and cloud native cons. I, you know, I think there's space for both things, but whether or not there will be other smaller focus areas that want to stand alone and justify being able to stand alone as their own separate conferences, it speaks to the growth of cloud native in general that this is worthwhile doing. >> Yeah. >> It is, and what also speaks to, it reminds me of our tagline here at theCUBE, being able to extract the signal from the noise. 
Having this event as a standalone, being able to extract the value in it from a security perspective, that those practitioners and the community at large is going to be able to glean from these conversations is something that will be important, that we'll be keeping our eyes on. >> Absolutely. Makes sense for me, yes. >> Yeah, and I think, you know, one of the things, Lisa, that I want to get in, and if you don't mind asking Dave his thoughts, because he just did a breaking analysis on the security landscape. And Dave, you know, as Liz talking about some of these root level things, we talk about silicon advances, powering machine learning, we've been covering a lot of that. You've been covering the general security industry. We got RSA coming up, re:Inforce with AWS, and as you see the cloud native developer first, really driving the standards of the super cloud, the multicloud, you're starting to see a lot more application focus around latency and kind of controlling that. These abstraction layer's starting to see a lot more growth. What's your take, Dave, on what Liz and- is talking about because, you know, you're analyzing the horses on the track, and there's sometimes the old guard security folks, and you got open source continuing to kick butt. And even on the ML side, we've been covering some of these foundation models, you're seeing a real technical growth in open source at all levels and, you know, you still got some proprietary machine learning stuff going on, but security's integrating all that. What's your take and your- what's your breaking analysis on the security piece here? >> I mean, to me the two biggest problems in cyber are just the lack of talent. I mean, it's just really hard to find super, you know, deep expertise and get it quickly. And I think the second is it's just, it's so many tools to deal with. And so the architecture of security is just this mosaic and a mess. 
That's why I'm excited about initiatives like eBPF because it does simplify things, and developers are being asked to do a lot. And I think one of the other things that's emerging is when you- when we talk about Industry 4.0, and IIoT, you- I'm seeing a lot of tools that are dedicated just to that, you know, slice of the world. And I don't think that's the right approach. I think that there needs to be a more comprehensive view. We're seeing, you know, zero trust architectures come together, and it's going to take some time, but I think that you're going to definitely see, you know, some rethinking of how to architect security. It's a game of whack-a-mole, but I think the industry is just- the technology industry is doing a really really good job of, you know, working hard to solve these problems. And I think the answer is not just another bespoke tool, it's a broader thinking around architectures and consolidating some of those tools, you know, with an end game of really addressing the problem in a more comprehensive fashion. >> Liz, in the last minute or so we have your thoughts on how automation and scale are driving some of these forcing functions around, you know, taking away the toil and the muck around developers, who just want stuff to be code, right? So infrastructure as code. Is that the dynamic here? Is this kind of like new, or is it kind of the same game, different kind of thing? (chuckles) 'Cause you're seeing a lot more machine learning, a lot more automation going on. What's, is that having an impact? What's your thoughts? >> Automation is one of the kind of fundamental underpinnings of cloud native. You know, we're expecting infrastructure to be written as code, we're expecting the platform to be defined in YAML essentially. You know, we are expecting the Kubernetes and surrounding tools to self-heal and to automatically scale and to do things like automated security. 
If we think about supply chain, you know, automated dependency scanning, think about runtime. Network policy is automated firewalling, if you like, for a cloud native era. So, I think it's all about making that platform predictable. Automation gives us some level of predictability, even if the underlying hardware changes or the scale changes, so that the application developers have something consistent and standardized that they can write to. And you know, at the end of the day, it's all about the business applications that run on top of this infrastructure. >> Business applications and the business outcomes. Liz, we so appreciate your time talking to us about this inaugural event, CloudNativeSecurityCon 23. The value in it for those practitioners, all of the content that's going to be discussed and learned, and the growth of the community. Thank you so much, Liz, for sharing your insights with us today. >> Thanks for having me. >> For Liz Rice, John Furrier and Dave Vellante, I'm Lisa Martin. You're watching the Cube's coverage of CloudNativeSecurityCon 23. (electronic music)
AWS Heroes Panel feat. Mark Nunnikhoven & Liz Rice | AWS Startup Showcase S2 E4 | Cybersecurity
(upbeat music) >> Hello, welcome everyone to "theCUBE" presentation of the AWS Startup Showcase, this is Season Two, Episode Four of the ongoing series covering exciting startups from the AWS ecosystem. Here to talk about Cyber Security. I'm your host John Furrier here joined by two great "CUBE" alumnus, Liz Rice who's the chief open source officer at Isovalent, and Mark Nunnikhoven who's the distinguished cloud strategist at Lacework. Folks, thanks for joining me today. >> Hi. Pleasure. >> You're in the U.K. Mark, welcome back to the U.S, I know you were overseas as well. Thanks for joining in this panel to talk about set the table for the Cybersecurity Showcase. You guys are experts out in the field. Liz we've had many conversations with the rise of open source, and all the innovations coming from out in the open source community. Mark, we've been going and covering the events, looking at all the announcements we're kind of on this next generation security conversation. It's kind of a do over in progress, happening every time we talk security in the cloud, is what people are talking about. Amazon Web Services had re:Inforce, which was more of a positive vibe of, Hey, we're all on it together. Let's participate, share information. And they talk about incidents, not breaches. And then, you got Black Hat just happened, and they're like, everyone's getting hacked. It's really interesting as we report that. So, this is a new market that we're in. People are starting to think differently, but still have to solve the same problems. How do you guys see the security in the cloud era unfolding? >> Well, I guess it's always going to be an arms race. Isn't it? Everything that we do to defend cloud workloads, it becomes a new target for the bad guys, so this is never going to end. We're never going to reach a point where everything is completely safe. But I think there's been a lot of really interesting innovations in the last year or two. 
There's been a ton of work looking into the security of the supply chain. There's been a ton of new tooling that takes advantage of technology that I'm really involved with and very excited about called eBPF. There's been a continuation of this new generation of tooling that can help us observe when security issues are happening, and also prevent malicious activities. >> And it's on top of open source activity. Mark, scale is a big factor now, it's becoming a competitive advantage on one hand. APIs have made the cloud great. Now, you've got APIs being hacked. So, all the goodness of cloud has been great, but now we've got next level scale, it's hard to keep up with everything. And so, you start to see new ways of doing things. What's your take? >> Yeah, it is. And everything that's old is new again. And so, as you start to see data and business workloads move into new areas, you're going to see a cyber crime and security activity move with them. And I love, Liz calling out eBPF and open source efforts because what we've really seen to contrast that sort of positive and negative attitude, is that as more people come to the security table, as more developers, as more executives are aware, and the accessibility of these great open source tools, we're seeing that shift in approach of like, Hey, we know we need to find a balance, so let's figure out where we can have a nice security outcome and still meet our business needs, as opposed to the more, let's say to be polite, traditional security view that you see at some other events where it's like, it's this way or no way. And so, I love to see that positivity and that collaboration happening. >> You know, Liz, this brings up a good point. We were talking at our Super Cloud Event we had here when we were discussing the future of how cloud's emerging. One of the conversations that Adrian Cockcroft brought up, who's now retired from AWS, former with Netflix. Adrian being open source fan as well. 
He was pointing out that every CIO or CISO will buy an abstraction layer. They love the dream. And vendors sell the dream, so to speak. But the reality it's not a lot of uptake because it's complex. And there's a lot of non-standard things per vendor. Now, we're in an era where people are looking for some standardization, some clean, safe ways to deploy. So, what's the message to CSOs, and CIOs, and CXOs out there around eBPF, things like that, that are emerging? Because it's almost top down, was the old way, now as bottoms up with open source, you're seeing the shift. I mean, it's complete flipping the script of how companies are buying? >> Yeah. I mean, we've seen with the whole cloud native movement, how people are rather than having like ETF standards, we have more of a de facto collaborative, kind of standardization process going on. So, that things like Kubernetes become the de facto standard that we're all using. And then, that's helping enterprises be able to run their workloads in different clouds, potentially in their own data centers as well. We see things like EKS anywhere, which is allowing people to run their workloads in their data center in exactly the same way as they're running it in AWS. That sort of leveling of the playing field, if you like, can help enterprises apply the same tooling, and that's going to always help with security if you can have a consistent approach wherever you are running your workload. >> Well, Liz, take a minute to explain eBPF. The Berkeley packet filtering technology, people know from Trace Dumps and whatnot. It's kind of been around for a while, but what is it specifically? Can you take a minute to explain eBPF, and what does that mean for the customer? >> Yeah. So, you mentioned the packet filtering acronym. And honestly, these days, I tell people to just forget that, because it means so much more for. What eBPF allows you to do now, is to run custom programs inside the kernel. 
So, we can use that to change the way that the kernel behaves. And because the kernel has visibility over every process that's running across a machine, a virtual machine or a bare metal machine, having security tooling and observability tooling that's written using eBPF and sitting inside the kernel. It has this great perspective and ability to observe and secure what's happening across that entire machine. This is like a step change in the capabilities really of security tooling. And it means we don't have to rely on things like kernel modules, which traditionally people have been quite worried about with good reason. eBPF is- >> From a vulnerability standpoint, you mean, right? From a reliability. >> From a vulnerability standpoint, but even just from the point of view that kernel modules, if they have bugs in them, a bug in the kernel will bring the machine to a halt. And one of the things that's different with eBPF, is eBPF programs go through a verification process that ensures that they're safe to run that, but happens dynamically and ensures that the program cannot crash, will definitely run to completion. All the memory access is safe. It gives us this very sort of reassuring platform to use for building these kernel-based tools. >> And what's the bottom line for the customer and the benefit to the organization? >> I think the bottom line is this new generation of really powerful tools that are very high performance. That have this perspective across the whole set of workloads on a machine. That don't need to rely on things like a sidecar model, which can add to a lot of complexity that was perfectly rational choice for a lot of security tools and observability tools. But if you can use an abstraction that lives in the kernel, things are much more efficient and much easier to deploy. So, I think that's really what that enterprise is gaining, simpler to deploy, easier to manage, lower overhead set of tools. >> That's the dream they want. That's what they want. 
Mark, this is where the trade-offs come up. We were talking about the supercloud, and all kinds. Even at AWS, you're going to have supercloud, but you got super hackers as well. As innovation happens on one side, the hackers are innovating on the other. And you start to see a lot of advances in the lower level, AWS with their Silicon and strategies are continuing to happen and be stronger, faster, cheaper, better down the lower levels at the network layer. All these things are innovating, but this is where the hackers are going too, right? So, it's a double-edged sword? >> Yeah, and it always will be. And that's the challenge of technology, is sort of the advancement for one, is an advancement for all. But I think, while Liz hit the technical aspects of the eBPF spot on, what I'm seeing with enterprises, and in general with the market movement, is all of those technical advantages are increasing the confidence in some of this security tooling. So, the long sort of anecdote or warning in security has always been things like intrusion prevention systems where they will look at network traffic and drop things they think bad. Well, for decades, people have always deployed them in detect-only mode. And that's always a horrible conversation to have with the board saying, "Well, I had this tool in place that could have stopped the attack, but I wasn't really confident that it was stable enough to turn on. So, it just warned me that it had happened after the fact." And with the stability and the performance that we're seeing out of things based on technologies like eBPF, we're seeing that confidence increase. So, people are not only deploying this new level of tooling, but they're confident that it's actually providing the security it promised. And that's giving, not necessarily a leg up, but at least that level of parity with that push forward that we're seeing, similar on the attack side. Because attackers are always advancing as well. 
And I think that confidence and that reliability on the tooling, can't be underestimated because that's really what's pushing things forward for security outcomes. >> Well, one of the things I want get your both perspective on real quick. And you kind of segue into this next set of conversations, is with DevOps success, Dev and Ops, it's kind of done, right? We're all happy. We're seeing DevOps being so now DevSecOps. So, CSOs were like kind of old school. Buy a bunch of tools, we have a vendor. And with cloud native, Liz, you mentioned this earlier, accelerating the developers are even driving the standards more and more. So, shifting left is a security paradigm. So, tooling, Mark, you're on top of this too, it's tooling versus how do I organize my team? What are the processes? How do I keep the CICD pipeline going, higher velocity? How can I keep my app developers programming faster? And as Adrian Cockcroft said, they don't really care about locking, they want to go faster. It's the ops teams that have to deal with everything. So, and now security teams have to deal with the speed and velocity. So, you're seeing a new kind of step function, ratchet game where ops and security teams who are living DevOps, are still having to serve the devs, and the devs need more help here. So, how do you guys see that dynamic in security? Because this is clearly the shift left's, cloud native trend impacting the companies. 'Cause now it's not just shifting left for developers, it has a ripple effect into the organization and the security posture. >> We see a lot of organizations who now have what they would call a platform team. Which is something similar to maybe what would've been an ops team and a security team, where really their role is to provide that platform that developers can use. So, they can concentrate on the business function that they don't have to really think about the underlying infrastructure. 
Ideally, they're using whatever common definition for their applications. And then, they just roll it out to a cloud somewhere, and they don't have to think about where that's operating. And then, that platform team may have remit that covers, not just the compute, but also the networking, the common set of tooling that allows people to debug their applications, as well as securing them. >> Mark, this is a big discussion because one, I love the team, process collaboration. But where's the team? We've got a skills gap going on too, right? So, in all this, there's a lot of action happening. What's your take on this dynamic of tooling versus process collaboration for security success? >> Yeah, it's tough. And I think what we're starting to see, and you called it out spot on, is that the developers are all about dynamic change and rapid change, and operations, and security tend to like stability, and considered change in advance. And the business needs that needle to be threaded. And what we're seeing is sort of, with these new technologies, and with the ideas of finally moving past multicloud, into, as you guys call supercloud, which I absolutely love is a term. Let's get the advantage of all these things. What we're seeing, is people have a higher demand for the outputs from their tooling, and to find that balance of the process. I think it's acknowledged now that you're not going to have complete security. We've gotten past that, it's not a yes or no binary thing. It's, let's find that balance in risk. So, if we are deploying tooling, whether that's open source, or commercial, or something we built ourselves, what is the output? And who is best to take action on that output? And sometimes that's going to be the developers, because maybe they can just fix their architecture so that it doesn't have a particular issue. Sometimes that's going to be those platform teams saying like, "Hey, this is what we're going to apply for everybody, so that's a baseline standard." 
But the good news, is that those discussions are happening. And I think people are realizing that it's not a one size-fits-all. 10 years ago was sort of like, "Hey, we've got a blueprint and everyone does this." That doesn't work. And I think that being out in the open, really helps deliver these better outcomes. And because it isn't simple, it's always going to be an ongoing discussion. 'Cause what we decide today, isn't going to be the same thing in a week from now when we're sprint ahead, and we've made a whole bunch of changes on the platform and in our code. >> I think the cultural change is real. And I think this is hard for security because you got so much current action happening that's really important to the business. That's hard to just kind of do a reset without having any collateral damage. So, you kind of got to mitigate and manage all the current situation, and then try to build a blueprint for the future and transform into a kind of the next level. And it kind of reminds me of, I'm dating myself. But back in the days, you had open source was new. And the common enemy was proprietary, non-innovative old guard, kind of mainframe mini computer kind of proprietary analysis, proprietary everything. Here, there is no enemy. The clouds are doing great, right? They're leaning in open source is at all time high and not stopping, it's it's now standard. So, open is not a rebel. It's not the rebel anymore, it's the standard. So, you have the innovation happening in open source, Liz, and now you have large scale cloud. And this is a cultural shift, right? How people are buying, evaluating product, and implementing solutions. And I when I say new, I mean like new within the decades or a couple decades. And it's not like open source is not been around. But like we're seeing new things emerge that are pretty super cool in the sense that you have projects defining standards, new things are emerging. 
So, the CIO decision making process on how to structure teams and how to tackle security is changing. Why IT department? I mean, just have a security department and a Dev team. >> I think the fact that we are using so much more open source software is a big part of this cultural shift where there are still a huge ecosystem of vendors involved in security tools and observability tools. And Mark and I both represent vendors in those spaces. But the rise of open source tools, means that you can start with something pretty powerful that you can grow with. As you are experimenting with the security tooling that works for you, you don't have to pay a giant sum to get a sort of black box. You can actually understand the open source elements of the tooling that you are going to use. And then build on that and get the enterprise features when you need those. And I think that cultural change makes it much easier for people to work security in from the get go, and really, do that shift left that we've been talking about for the last few years. >> And I think one of the things to your point, and not only can you figure out what's in the open source code, and then build on top of it, you can also leave it too. You can go to something better, faster. So, the switching costs are a lot lower than a lock in from a vendor, where you do all the big POCs and the pilots. And, Mark, this is changing the game. I mean, I would just be bold enough to say, IT is going to be irrelevant in the sense of, if you got DevOps and it works, and you got security teams, do you really need IT 'cause the DevOps is the IT? So, if everyone goes to the cloud operations, what does IT even mean? >> Yeah, and it's a very valid point. And I think what we're seeing, is where IT is still being successful, especially in large companies, is sort of the economy of scale. 
If you have enough of the small teams doing the same thing, it makes sense to maybe take one tool and scale it up because you've got 20 teams that are using it. So, instead of having 20 teams run it, you get one team to run it. On the economic side, you can negotiate one contract if it's a purchase tool. There is still a place for it, but I think what we're seeing and in a very positive way, is that smaller works better when it comes to this. Because really what the cloud has done and what open source continues to do, is reduce the barrier to entry. So, a team of 10 people can build something that it took a 1000 people, a decade ago. And that's wonderful. And that opens up all these new possibilities. We can work faster. But we do need to rethink it. At re:Inforce from AWS, they had a great track about how they're approaching it from people side of things with their security champions idea. And it's exactly about this, is embedding high end security talent in the teams who are building it. So, that changes the central role, and the central people get called in for big things like an incident response, right? Or a massive auditor reviews. But the day-to-day work is being done in context. And I think that's the real key, is they've got the context to make smarter security decisions, just like the developers and the operational work is better done by the people who are actually working on the thing, as opposed to somebody else. Because that centralized thing, it's just communication overhead most of the time. >> Yeah. I love chatting with you guys because here's are so much experts on the field. To put my positive hat on around IT, remember the old argument of, "Oh, automation's, technology's going to kill the bank teller." There's actually more tellers now than ever before. So, the ATM machine didn't kill that. So, I think IT will probably reform from a human resource perspective. 
And I think this is kind of where the CSO conversation comes full circle, Liz and Mark, because, okay, let's assume that this continues the trajectory to open source, DevOps, cloud scale, hybrid. It's a refactoring of personnel. So, you're going to have DevOps driving everything. So, now the IT team becomes a team. So, most CSOs we talk to are CXOs, is how do I deploy my teams? How do I structure things, my investment in people, and machines and software in a way that I get my return? At the end of the day, that's what they live for, and do it securely. So, this is the CISO's kind of thought process. How do you guys react to that? What's the message to CISOs? 'Cause they have a lot of companies to look at here. And in the marketplace, they got to spend some money, they got to get a return, they got to reconfigure. What's your advice? Liz, what's your take? Then we'll go to Mark. >> That's a really great question. I think cloud skills, cloud engineering skills, cloud security skills have never been more highly valued. And I think investing in training people to understand cloud that there are tons of really great resources out there to help ramp people up on these skills. The CNCF, AWS, there's tons of organizations who have really great courses and exams, and things that people can do to really level up their skills, which is fantastic right from a grassroots level, through to the most widely deployed global enterprise. I think we're seeing a lot of people are very excited, develop these skills. >> Mark, what's your take for the CSO, the CXO out there? They're scratching their head, they're going, "Okay, I need to invest. DevOps is happening. I see the open source, I'm now got to change over. Yeah, I lift and shift some stuff, now I got to refactor my business or I'm dead." What's your advice? >> I think the key is longer term thinking. So, I think where people fell down previously, was, okay, I've got money, I can buy tools, roll 'em out. 
Every tool you roll out, has not just an economic cost, but a people cost. As Liz said, those people with those skills are in high demand. And so, you want to make sure that you're getting the most value out of your people, but your tooling. So, as you're investing in your people, you will need to roll out tools. But they're not the answer. The answer is the people to get the value out of the tools. So, hold your tools to a higher standard, whether that's commercial, open source, or something from the CSP, to make sure that you're getting actionable insights and value out of them that your people can actually use to move forward. And it's that balance between the two. But I love the fact that we're finally rotating back to focus more on the people. Because really, at the end of the day, that's what's going to make it all work. >> Yeah. The hybrid work, people processes. The key, the supercloud brings up the conversation of where we're starting to see maturation into OPEX models where CapEx is a gift from the clouds. But it's not the end of bilk. Companies are still responsible for their own security. At the end of the day, you can't lean on AWS or Azure. They have infrastructure and software, but at the end of the day, every company has to maintain their own. Certainly, with hybrid and edge coming, it's here. So, this whole concept of IT, CXO, CIO, CSO, CSO, I mean, this is hotter than ever in terms of like real change. What's your reaction to that? >> I was just reading this morning that the cost of ensuring against data breaches is getting dramatically more expensive. So, organizations are going to have to take steps to implement security. You can't just sort of throw money at the problem, you're going to actually have to throw people and technology at the problem, and take security really seriously. There is this whole ecosystem of companies and folks who are really excited about security and here to help. 
There's a lot of people interested in having that conversation to help those CSOs secure their deployments. >> Mark, your reaction? >> Yeah. I think, anything that causes us to question what we're doing is always a positive thing. And I think everything you brought up really comes down to remembering that no matter what, and no matter where, your data is always your data. And so, you have some level of responsibility, and that just changes depending on what system you're using. And I think that's really shifting, especially in the CSO or the CSO mindset, to go back to the basics where it used to be information security and not just cyber security. So, whether that information and that data is sitting on my desk physically, in a system in our data center, or in the cloud somewhere. Looking holistically, and that's why we could keep coming back to people. That's what it's all about. And when you step back there, you start to realize there's a lot more trade offs. There's a lot more levers that you can work on, to deliver the outcome you want, to find that balance that works for you. 'Cause at the end of the day, security is just all about making sure that whatever you built and the systems you're working with, do what you want them to do, and only what you want them to do. >> Well, Liz and Mark, thank you so much for your expert perspective. You're in the trenches, and really appreciate your time and contributing with "theCUBE," and being part of our Showcase. For the last couple of minutes, let's dig into some of the things you're working on. I know network policies around Kubernetes, Liz, EKS anywhere has been fabulous with Lambda and Serverless, you seeing some cool things go on there. Mark, you're at Lacework, very successful company. And looking at a large scale observability, signaling and management, all kinds of cool things around native cloud services and microservices. Liz, give us an update. What's going on over there at Isovalent? >> Yeah. 
So, Isovalent is the company behind the Cilium networking project. It's best known as a Kubernetes networking plugin. But we've seen huge amount of adoption of Cilium, it's really skyrocketed since we became an incubating project in the CNCF. And now, we are extending to using eBPF to not just do networking, but incredibly in depth observability and security observability. We have a new sub-project called Tetragon, that gives you this amazing ability to see out of policy behavior. And again, because it's using eBPF, we've got the perspective of everything that's happening across the whole machine. So, I'm really excited about the innovations that are happening here. >> Well, they're lucky to have you. You've been a great contributor to the community. We've been following your career for very, very long time. And thanks for everything that you do, really appreciate it. Thanks. >> Thank you. >> Mark, Lacework, we've been following you guys. What are you up to these days? You know, we see you're on Twitter, you're very prolific. You're also live tweeting all the events, and with us as well. What's going on over there at Lacework? And what's going on in your world? >> Yeah. Lacework, we're still focusing on the customer, helping deliver good outcomes across cloud when it comes to security. Really looking at their environments and helping them understand, from their data that they're generating off their systems, and from the cloud usage as to what's actually happening. And that pairs directly into the work that I'm doing, the community looking at just security as a practice. So, a lot of that pulling people out of the technology, and looking at the process and saying, "Hey, we have this tech for a reason." So, that people understand what they need in place from a skill set, to take advantage of the great work that folks like Liz and the community are doing. 'Cause we've got these great tools, they're outputting all this great insights. 
You need to be able to take actions on top of that. So, it's always exciting. More people come into security with a security mindset, love it. >> Well, thanks so much for this great conversation. Every board should watch this video, every CSO, CIO, CSO. Great conversation, thanks for unpacking and making something very difficult, clear to understand. Thanks for your time. >> Pleasure. >> Thank you. >> Okay, this is the AWS Startup Showcase, Season Two, Episode Four of the ongoing series covering the exciting startups from the AWS ecosystem. We're talking about cybersecurity, this segment. Every quarter episode, we do a segment around a category and we go deep, we feature some companies, and talk to the best people in the industry to help you understand that. I'm John Furrier your host. Thanks for watching. (upbeat music)
Liz Rice, Aqua Security | KubeCon + CloudNativeCon Europe 2020 - Virtual
>>From around the globe, it's theCUBE with coverage of KubeCon and CloudNativeCon Europe 2020 Virtual, brought to you by Red Hat, the Cloud Native Computing Foundation and its ecosystem partners. Hi, I'm Stu Miniman, and this is theCUBE's coverage of the KubeCon CloudNativeCon Europe event, which, of course, this year has gone virtual, really lets us be able to talk to those guests where they are around the globe. Really happy to welcome back to the program Liz Rice. First of all, she is the vice president of Open Source Engineering at Aqua Security. She's also the chair of the Technical Oversight Committee as part of the CNCF. Liz, it is great to see you. Unfortunately, it's remote, but great to catch up with you. Thanks for joining. >>Yeah, thanks for having me. Nice to see you, if, you know, across the ocean. >>So, you know, one of the big things, of course, for the KubeCon show, it's the rallying point for the community. There are so many people participating. One of the things we always love to highlight, it's not only the vendor ecosystem, but there is a very robust, engaged community of end users that participate in it. And as I mentioned, you're the chair of that Technical Oversight Committee. So maybe just give our audience a little bit of, you know, in case they're not familiar with what the TOC does. And let's talk about the latest pieces there. >>Yes, so the TOC is really here to qualify the different projects that want to join the CNCF. So we're assessing whether or not they're cloud native. We're assessing whether they could join at sandbox or incubation or graduation levels, which are the different maturity levels that we have for projects within the CNCF. Yeah, we're really there to also provide steering around what does cloud native mean and what does it mean to be a project inside the CNCF community? We're also a voice for all of the projects. 
We're not the only voice, but, you know, part of our role really is to make sure the projects are getting what they need in order to be successful. So it's really around the technology and the projects that we call cloud native. >>Yeah, and obviously cloud native, because when people first heard of the show, of course, Kubernetes and KubeCon was the big discussion point. But as you said, cloud native, there's a lot of projects there. I just glanced at the sandbox page and I think there's over 30 in the sandbox category, and you know they move along their process until they're, you know, fully mature and reach that, you know, 1.0 state, which is the stamp of approval that, you know, this could be used in production. I understand there's been some updates for the sandbox process, so help us understand, you know, where that is and what's the new piece of that? >>Yeah. So it's really been because of the growth of cloud native in general, the popularity of the CNCF and so much innovation happening in our space. So there's been so many projects who want to become part of the CNCF family, and we used to have a sponsorship model where members of the TOC would essentially back projects that they wanted to see joining at the sandbox level. But we ran into a number of issues with that process, and also dealing with the scale, the number of applications that have come in. So we've revamped the process. We made it much easier for projects to apply, a much simpler form, where really we're not making so much judgment. We're really saying, is it a cloud native project, and we have some requirements in terms of some governance features that we need from a project. And it's worth mentioning that when a project joins the CNCF, they are donating the intellectual property and the trademark of that project into the foundation. So it's not something that people should take lightly. But we have tried to make it easier and therefore much smoother. 
We're able to assess the applications much more quickly, which I think everyone, the community, the projects, those of us on the TOC, we're all pretty happy that we can make that a much faster process. >>Yeah, actually, it brings up an interesting point. So you know, I've got a little bit of background in standards committees, as well as I've been involved in open source for a couple of decades now. Some people don't understand, you know, when you talk about bringing a project under a foundation. You talked about things like trademarks and the like. There are more than one foundation out there. CNCF falls under the Linux Foundation. Google, of course, brought Kubernetes in fully to be supported. There's been some rumblings I've heard for the last couple of years about Istio and Knative, and I know about a month before the show there was some changes along Istio and what Google was doing there. Maybe without trying to pass too many judgments and getting into some of the political arguments, help us understand, you know, what Google did and, you know, where that kind of compares to the projects that sit in the CNCF themselves. >>Yeah, so I guess around two years ago, Istio was very much the new kid in the cloud native block. So much excitement about the project. And it was actually when I was a program co-chair that we had a lot of talks about Istio at KubeCon CloudNativeCon, particularly in Copenhagen, I'm recalling. And I think everyone just saw a natural fit between that project and the CNCF, and there was an assumption from a lot of people across the community that it would eventually become part of the CNCF. That was its natural home. And one of the things that we saw in recent weeks was a very clear statement from IBM, who were one of the, yeah, big contributing companies towards that project, that that was also their expectation. 
They were very much under the impression that Istio would be donated to the CNCF at an appropriate point of maturity, and unfortunately, that didn't happen. From my point of view, I think that has sown a lot of confusion amongst the community because we've seen so much. It's very much a project that fits. A service mesh designed to work with Kubernetes, it really does fit naturally in with the other CNCF projects. So it's created confusion for end users, many of whom assume that it was called the CNCF, and that it has the neutral governance that the other projects. It's part of the requirements that we have on those projects. They have to have an open governance, that they're not controlled by a single vendor, and we've seen, you know, that confusion, and frustration around that confusion, being expressed by more and more end users as well as other people across the community. And yeah, the door is still open, you know, we would still love to see Istio join the community. Clearly there are different opinions within the Istio maintainers. I will have to see what happens. >>Yeah, Liz, you bring up some really good points. You know, absolutely some of that confusion out there. Absolutely. I've heard from customers that if they're making a decision point, they might say, hey, maybe I'm not going to go down that, maybe choose something else because I'm concerned about that. You know, Istio front and center, Knative, another project currently under Google that has, you know, a number of other big vendors in the community that are aiding in that. So hopefully we will see some progress on that, you know, going forward. But, you know, back to, you talked about, you know, the TOC doesn't make judgements as to, you know, which project and how they are. One of the really nice things out there in the CNCF, it's like the landscape, just for you to help understand, okay, here's all of these projects. Here's the different categories they fit in. 
Here is where they are along that maturity. There's another tool that I read Cheryl Hung blogged about, the technology radar. I believe continuous delivery is the first technology radar. Help us understand how that is, you know, not telling customers what to do but giving them a little guidance that, you know, where some of these projects fit in a certain segment. >>Yeah, the technology radar is a really great initiative. I'm really excited about it because we have increasing numbers of end users who are using these different projects, both inside the CNCF and projects that are outside of the CNCF family. Your end users are building stacks. They're solving real problems in the real world, and with the technology radar, what Cheryl's been able to facilitate is having the end user community share with us what tools they're actually using, what they actually believe are the right hammers for specific nails. And, you know, it's one thing for us, more on the developer or vendor side, to look at different projects and say what we think are the better solutions for solving different problems. Actually hearing from the horse's mouth, from the end users who are doing it in the real world, is super valuable. And I think that is a really useful input to help us understand, what are the problems that the end user is still challenged by? What are the gaps that we still need to fill? The more input we can get from the end user community, the more we'll be solving real problems and not necessarily academic problems that we haven't, sorry, discovered in
It is something that has never done lots of discussion about the shared responsibility model and how cloud native in security fit together and all that. So maybe I know there's some new projects there, but love to just give me a snap shot as where we are in the security space. As I said, Overall, it's been, you know, super important topic for years. This year, with a global pandemic going on, security seems to be raised even more. We've seen a couple of acquisitions in the space, of course. Aqua Security helping customers along their security journey. So what do you seeing out there in the marketplace today and hear from your custom? >>Yeah, I Every business this year has, you know, look at what's going on and you know, it's been crazy time for everyone, but we've been pleasantly surprised at how, you know, in relative terms, our business has been able to. It's been strong, you know. And I think you know what you're touching on the fact that people are working remotely. People are doing so many things online. Security is evermore online. Cloud security's evermore part off what people need to pay attention to. We're doing more and more business online. So, actually, for those of us in the security business, it has bean, you know that there have been some silver linings to this this pandemic cloud? Um, yes. So many times in technology. The open source projects and in particularly defaults in kubernetes. Things are improving its long Bina thing that I've you know, I wished for and talked about that. You know, some of the default settings has always been the most secure they could be. We've seen a lot of improvements over the last 23 years we're seeing continuing to see innovation in the open source world as well as you know, on the commercial side and products that vendors like Akwa, you know, we continue to innovate, continue to write you ways for customers to validate that the application workloads that they're going to run are going to run securely in the cloud. 
>>Alright and lives. There's a new project that I know. Ah, you know, you Aqua are participating in Tell us a little bit about Starbird. You know what's what's the problem? It's helping solve and you know where that budget >>Yes, So stockholders, one of our open source initiatives coming out of my team are equal on, and the idea is to take security reporting information and turn it into a kubernetes native, uh, resources custom resources. And then that means the security information, your current security status could be queried over the kubernetes AP I, as you're querying the status or the deployment, say you can also be clearing to see whether it's passing configuration audits or it's passing vulnerability scans for the application containers inside that deployment. So that information is available through the same AP eyes through the queue control interface through dashboards like Octane, which is a nice dashboard viewer for kubernetes. And starboard brings security information not just from acquittals but from other vendor tools as well front and center into that kubernetes experience. So I'm really excited about Star Border. It's gonna be a great way of getting security visibility, Teoh more kubernetes use it >>all right. And we were talking earlier about just the maturity of projects and how they get into the sandbox. Is is this still pretty sandbox for >>this? OK, we're still very much in the early phases and you know it. I think in the open source world, we have the ability to share what we're doing early so that we can get feedback. We can see how it resonates with with real users. We've had some great feedback from partners that we've worked with and some actual customers who actually collaborated with When we're going through the initial design, some great feedback. There's still lots of work to do. But, yeah, the initial feedback has been really positive. 
>>Yeah, is usually the event is one of those places where you can help try toe, recruit some other people that might have tools as well as educate customers about what's going on. So is that part of the call to action on this is, you know, what are you looking for for kind of the rest of 2020 when it when it comes to this project? >>Yeah, absolutely. So internally, we're working on an operator which will automate some of the work that's double does in the background in terms off getting more collaboration. We would love to see integrations from or security tooling. We're talking with some people across the community about the resource definition, so we've come up with some custom resource definitions, but we'd love them to be applicable it to a variety of different tools. So we want to get feedback on on those definitions of people are interested in collaborating on that absolutely do come and talk to me and my team are reluctant. >>Great. Listen, and I'll give you the final word. Obviously, we're getting the community together while we're part So you know any other you know, engagement opportunities, you get togethers. Things that you want people to know about the European show this year. >>Well, it's gonna be really you know, I'm on tenterhooks to see whether or not we can recreate the same atmosphere as we would have in Q con. I mean, it won't be exactly the same, but I really hope that people will engage online. Do come and, you know, ask questions of the speakers. Come and talk to the vendors, get into slack channels with the community. You know, this is an opportunity to pretend we're in the same room. Let's let's let's do what we can Teoh recreate as close as we can. That community experience that you keep corn is famous for >>Yeah, absolutely. That whole way track is something that is super challenging to recreate. 
And there's no way that I am getting the Indonesian food that I was so looking forward to in Amsterdam just such a great culinary and cultural city. So hopefully sometime in the future will be able to be back there. Liz Rice. Always pleasure catching up with you. Thanks so much for all the work you're doing on the TOC. And always a pleasure talking to you. >>Thanks for having me. >>All right, Lots more coverage from Cube Con Cloud, Native con the European 2020 show, Of course. Virtual I'm stew minimum. And thank you for watching the Cube. Yeah, yeah, yeah, yeah.
Jeff Brewer, Intuit & Liz Rice, Aqua Security | KubeCon + CloudNativeCon EU 2019
>> Live from Barcelona, Spain it's theCUBE. Covering KubeCon + CloudNativeCon Europe 2019. Brought to you by Red Hat, the Cloud Native Computing Foundation and ecosystem partners. >> Welcome back to theCUBE here in Barcelona, Spain at the Fira, it's KubeCon + CloudNativeCon 2019. I'm Stu Miniman and my co-hosts for two days of live wall-to-wall coverage is Corey Quinn. Joining us back, we have two CUBE alums, Liz Rice, right to my right here who is a Technology Evangelist with Aqua security. Liz, thank you so much welcome back. >> Pleasure to be here. >> And Jeff Brewer, Vice President and Chief Architect, Small Business & Self-Employed Group, of Intuit. A CUBE alum since a few hours ago this morning. >> Yes, yes, thank you. >> Jeff, welcome back. >> Thank you. >> So, we've got you back with a different hat. Everybody in our industry can definitely recognize we wear lots of different hats we have lots of jobs thrown at us. Both of you are in the Technical Oversight Committee and Liz is not only a member but also the Chairperson, President. (people laughing) >> President is definitely a promotion. But, yeah, I'm Chair of the committee. >> Maybe, as it's known, the TOC. Liz, before we get there, your shirt says +1 binding. You have to explain for us and did not get a preview before the interview, so we'll see where this goes. >> It's one of the perks of being on the TOC. When we have something that comes to a vote we want to get input from the community so we ask anyone in the community to vote. But unless you're a member of the TOC your vote is non-binding. As a member of the committee, we have binding votes. And the traditional thing you write on the voting email is +1 binding. So, it's a nice surprise to get a t-shirt when I joined the TOC. >> Very nice. Can you just give us, our audience, that might not be familiar with the TOC, give us some of the key things about it. >> It's the Technical Oversight Committee for the CNCF. 
We are, really, the technical curation of the projects that come in to the CNCF. Which projects will get support and at what level because we have the sandbox experimentation stage then incubation and then finally graduation for the really established and kind of, de-risked projects. So, we're really evaluating the projects and kind of making a decision collaboratively on which ones we want the CNCF to support. >> All right. So Jeff, we had a great conversation with you about Intuit's cloud journey. Tell us how you got involved in the TOC. We always love the end users, not just using but participating in and helping to give some governance over what the community is doing. >> Yeah, so, about a year and a half ago we made a decision to acquire a small company called Applatix. Who was, actually, already in the end user community. And also contributors as well. Through that acquisition, I was part of that acquisition, I led that acquisition from the Intuit side and really got excited about the Kubernetes and the KubeCon story overall. Through the Kubernetes experts, I met them at a KubeCon and they introduced me to a whole lot more of the community. Just through some overall partnerships with AWS and also spending a lot of time with end-users that's how I really got to know the community a little bit. And then, was voted onto the CNCF as an end user representative in January. >> Wonderful. As far as you're concerned, as you go through this, do you find it challenging at times to separate your roles professionally from working for a large company, to whom many things matter incredibly. Again, as mentioned earlier, I am one of your customers. I care very much about technical excellence, coming out of Intuit, versus your involvement with the larger project. >> Yeah, so like most people in technology companies I'm extremely busy and I would love to spend, I would love to clone myself and spend more (laughing) more time. 
>> Everybody wants to submit a client project to the TOC we will prioritize that one. >> Exactly, exactly. >> The way I really balance it is that I make an explicit time carve out for those two activities. And most importantly, I attend the meetings. The TOC meetings that we have, those are extremely important. We get a lot of project reviews in those meetings. Liz chairs those meetings. That's where I always make sure that my schedule is cleared for that. >> Taking it, I guess, one step further. Do you find it challenging at all to separate out, in fact, when you're making decisions and making votes, for example, that are presumably binding, +1 binding as we've learned now, is the terminology. Do you find that you are often pulled between trying to advocate for your company and advocating for the community or are they invariably aligned in your mind? >> I mean, my job's the easiest because I come from an end user. So what I use and what I consume is likely what the community at large. There might be some niches and stuff like that. But I usually don't have that conflict. I don't know, as more of a vendor, you might have more of a conflict. >> It's something that I have to be conscious of. I just try to mentally separate. I have a role with a company that pays my salary but when I'm doing open-source things if I feel conflicted about. This hasn't really come up yet, but if I do feel that there's some kind of conflict of interest I will always recuse myself. Actually, in my previous role, as the Co-Chair for the Program Committee for the KubeCon and CloudNativeCon Conference, on a couple of occasions we had competitors submit, and I would always just step back from those. Because it's the right thing to do. >> All right. So Liz, there's quite a few projects now, under the umbrella of CNCF. If I've got it right, it was like, 38 different ones. When Brian went on the stage this morning, 16 in the sandbox, 16 incubating and six have graduated now. How do you manage that? 
You know, there's some in the community they're like, oh my gosh, reminds us of like, big tent, from some initiatives. Some other things here, how much is too much? How do you balance that and what's the input of the TOC? >> Yeah, so one of the things that we're doing with the TOC is we've just established a thing called the SIGs, the special interest groups. Very much following the same model of Kubernetes SIGs. But the idea here is that we can, kind of formalize getting experts in the community to help us with particular kind of areas. So, we've already got a storage and security SIG set up. We expect there will be probably four to six more coming on board during the year. And that helps us with things like the project reviews and the due diligence to just be able to say, we would really appreciate some help. Those groups are also really enthusiastic about kind of sharing knowledge in the form of things like white papers. I think it will be really important for end-users to be able to navigate their way around these projects. Quite often there is more than one solution for a particular thing. And being able to, in a non-vendor way, in a neutral way, express why project X is good in one circumstance and project Y would be better in a different environment. There's work to be done there and I'm hoping to see that come out. >> This is one of my passions as the end user representative, is that trail map or that road map. That's one of the reasons why we really have invested at Intuit, in the Kubernetes technology and the Cloud Native technology. We didn't just roll them out as is. We actually curate them and create, really, a paved road for our developers to navigate that space. >> Yeah, and as we heard from your story it's not always, well, if there's some overlap you use Istio and Helm. >> Yeah. >> That there's a fit for both of those in your environment, right. >> Yeah. 
>> From a, I guess, an end user perspective is there a weighting difference between someone like Intuit and someone like Twitter for pets, where there's a slight revenue scale, a slight revenue difference, like scale difference, like everything difference. >> Yes. >> Certainly, there is. I think that, but that's one of the beautiful things about the Cloud Native technologies. You can consume what you need and what you want, right. It's not one size fits all. A lot of people talk about, oh, there's a paradox of choice, there's so many projects, right. Actually, that's a benefit. Really, all you need is that road map to navigate your way through that, rather than just adopting a paved road that might not work for everybody. >> It almost feels, to some extent, almost like the AWS Service Catalog. Whenever you wind up looking at all the things they offer. It feels like going out to eat at the Cheesecake Factory. Where there is 80 pages of menu to flip through with some advertisements, great. And reminding yourself, at time, that they are not Pokemon, you do not need to catch them all. It's, sometimes, a necessary step, as you start to contextualize this. >> That's one of the great things about having over 80 members in the end user is. You can find a buddy, you can find a company like you. Talk to them, get connected with them and figure out what they're doing and learn from them. The community is broad enough to be able to do that. >> All right, so Liz, let's talk about security. >> Okay. (people laughing) >> You said there's a SIG that started up. Where are we, how are things going and can you share about where we're going in the near future? >> The SIG came together from a group of people who really wanted to make it easier for end-users to roll out their Cloud Native stacks in a secure fashion. We don't always, as a community, speak the same language about security, we don't always have the most secure settings by default. 
They really came together around this common interest of just making it easier for people to secure. I think a big part of that will be looking at how the different projects, are they applying best practices from a security perspective? Is there more they should do to document how to operate their particular project more securely? I think that whole initiative and that group of people who've come together for SIG security, I'm so impressed and so pleased that they have come together with that enthusiasm to help on that front. >> Any commentary on what you're seeing in this space? >> Yeah, so as an almost, a fintech company, with a lot of fintech and, you know, we're not quite a bank, but we have a lot of the same security and compliance things. That SIG is so, so important to us. And having a roadmap. I found education is really, really a big part of it of the security experts, right. Because this is somewhat newer technology. Even though it's been in use at Google for a long time the regulators, the compliance people, don't totally understand it, right. So you have to have a way to explain to them what's going on. So things like, Open Policy Agent, something that we've adopted, helps us explain what's going on in our system. Once they get it, they're like, this is awesome and our end users can now, really, our end users, meaning the people that use QuickBooks and TurboTax can really trust that we have those guardrails in place. >> At Aqua, it's a huge concern from a lot of our customers. Many of whom, coming from that kind of finance industry. That they're coming to us and saying, well, how can I be PCI compliant or GDPR. How do I manage these requirements with my container based stack, with my Cloud Native stack. That's why there is this huge ecosystem quite a lot of effort around security, compliance, policy. >> It feels very much like it's two problems rolled into one. First, how do you make sure that data is secure in these things? 
Secondly, how do you effectively and responsibly communicate that to a regulator, who expects to be taken on a tour of a data center when they show up on site? (people laughing) I checked, they won't let you. >> There are definitely two sets of security people in my experience. There are a set of people who care about how will I get attacked. How will breaches happen. And there are other people who go, I have a checklist and I need to check the boxes in the checklist, tell me how. Sometimes those two things overlap, but not always. >> All right, Liz, lot of updates, as always. Jeff, I really appreciate your commentary there. Well, there's the paradox of choice but we have a lot of customers out there and therefore we do. (people chuckling) Any highlights you want to share with our audience? >> I think one thing that happens every year is we see more. Well, we saw Kubernetes graduate, I think, early last year, end of the previous year. Now we've got six projects into graduation. From my perspective, that says something about how mature this whole set of projects, this whole platform is becoming. Because graduation is a pretty high bar. Not least in terms of the number of end users that have to be using it in production. This is solid technology. >> Yeah, any highlights from you? >> I think, like we might have touched on a little bit this morning. But I think that usually the technologies that where you're facing the big problems is pretty obvious which one to use, right. Like serverless, you're going to go look at something like Knative or whatnot. Functions as a service. There's some OpenFaaS projects, whatnot, like that. Istio service mesh is another one where it's getting mature and it's getting to the point where you can have these ubiquitous service meshes throughout it. So, those are the areas that we're most looking at right now. >> Great, all right. Well, Liz and Jeff, thank you so much for joining us. 
Thanks for all the work you do on the Oversight Committee and appreciate you sharing the updates with our community. >> Thank you for having us. >> Thank you. >> For Corey Quinn, I'm Stu Miniman. We'll be back more, with theCUBE here at KubeCon + CloudNativeCon 2019. Thanks for watching. (upbeat music)
Liz Rice, KubeCon + CloudNativeCon | KubeCon 2018
>> Live from Seattle, Washington it's theCUBE covering KubeCon and CloudNativeCon North America 2018. Brought to you by Red Hat the Cloud Native Computing Foundation and its ecosystem partner. >> Welcome back everyone, it's theCUBE's live coverage here in Seattle of KubeCon and CloudNativeCon 2018. I'm John Furrier, with Stu Miniman, host of theCUBE. Three days of live coverage. Wall to wall, 8000 people here. Doubled from the previous event in North America, expanding globally, we are here with Liz Rice, technology analyst, evangelist at Aqua Security and program co-chair here at KubeCon, CloudNativeCon. Liz, thanks for joining us. >> Thank you for having me. >> I know you had a busy day, keynotes and all. A lot of activity, a lot of hand shaking, walking around, very crowded. >> It is, we're packed. We're absolutely at capacity here and the event sold out and it's busy. >> A lot of energy, real quick, I know you guys did a lot of work, you guys always do a great job, exceptional performance again. >> Thank you. >> CNCF does a great job on the content programming. It's about the open source communities. That's fundamental, a lot of end users, both participating and consuming. Vendor list is expanding. Putting the program together gets challenging when you have these kind of numbers. What were the themes? How did you put it all together? What was resonating? What's the focus? >> Yeah, it was so hard, we had so many applications that we could only accept 13%, which makes it almost impossible some of the decisions you have to make. And some of the things that were coming out, were like Knative, a lot of submissions around Knative. Serverless in general obviously being quite a hot topic, I would say across our industry. Really great talks from end users and we've seen a few on the keynote stage. 
Where some brands that we're all aware of, people like Airbnb, sharing their stories of what they've done to make their deployments, their cloud-native deployments, their use of Kubernetes successful. So it's not just working from the ties, and doing some experiments, they are telling us how they've done this for real. >> You had a very successful KubeCon in Copenhagen. And so how did you integrate from Copenhagen to here. What were some of the inefficiencies? Obviously, the bigger numbers here. You recently had China the success where, we've reported on SiliconANGLE, the open source consumption and contribution is off the charts. It's huge, it's growing and it's a new dynamic. So between China, and Copenhagen, here, interesting things happening. >> China was phenomenal for me. It was my first trip to China, so it was eye-opening in all sorts of respects. And one of the really interesting things there was the use of machine learning. The uses of Kubeflow, real life examples. Again I think there is something about how much data they've been able to collect in China. But we heard some really great stories of, for example, electricity companies using machine learning on Kubernetes to predict demand. It was fascinating. >> It's a lot of adoption. >> Yes. >> They are at the front end, they are a mobile culture. IOT is booming over there, it's just massive. >> Absolutely. >> Alright here in Seattle, obviously Seattle home of AWS, and I was just talking to some folks here locally in Seattle, just this morning, they said they think this is the biggest conference of the year here in Seattle. Which is really telling where you guys have come from. Interesting dynamic. A lot of new ecosystem partners. What's happening? It seems to be energy, the buzz. There's a subtext here that's buzzing around the hallways. What's the most important thing that people should be taking away from this event this year? 
>> I think the scale of it is coming from real adoption and businesses that are moving their applications into the cloud. Public cloud and hybrid cloud and finding success through doing that with cloud native components. You mentioned the end users who want to be part of the community, and they actually wanted to contribute to the community. You can look around the hall and see booths from, like Uber's over there. They're really contributing to this community. It's not just a bunch of enthusiasts, it's for real. >> Problems being solved, real company end users. >> So Liz, one of the things we've been looking at this is not a monolith here. You've actually got a whole lot of communities. As I've been wandering the floor, if I'm talking to people. We had Matt come on to talk about Envoy and they had their own conference at the beginning of the week and they had 250 people. As I'm wandering around, you talk to a number and it's like oh, I'm here all about Helm. You know there's different service meshes all over the place that everybody is talking about. >> Yeah another big theme. >> You're heavily focused on the security aspects there. I believe you've got a project that Aqua has been involved in. It was kube-hunter if I've got it. Maybe before you talk about kube-hunter, maybe just talk about balancing, this isn't one community, it's gotten really big. Do we need to break this into a micro-services space show? We'll have the core, but lots of other things and spread it out all over the world. >> Sure, it's a real challenge as this community is growing so fast and trying to keep the community feel. Balancing what the contributors want to do and making sure they're getting value and having the conversations they want, but also enabling the vendors, and the end users, and every constituent part to get something good out of this conference. It's a challenge as this gets bigger. There's no kind of, if this doubles again, will it feel the same? That's hard to imagine. 
So we got to think carefully about how-- >> We've seen that happen and it would not, even from last year to this year was a big change for a lot of people. >> For sure. >> So kube-hunter tell us about that. >> Yeah, kube-hunter, yes, kube-hunter is one of our open source projects at Aqua. It's basically penetration testing for Kubernetes clusters, so it's written in Python. It attempts to make network requests looking for things like the open ports. It will tell you if you got some misconfigurations, 'cause a lot of the security issues with Kubernetes can come about through poor configuration. And the other thing you can do, you can run it from externally to your cluster. You can also run it inside a pod inside your cluster and then that's simulating what might happen if an attacker got into your cluster, what could they do from there. They compromised a pod which could happen to a software vulnerability. Once they're in the pod, how vulnerable are you? What's the blast radius of that attack? And kube-hunter can help you see whether it's a complete disaster or actually fairly contained. >> Alright, Liz how are we doing from a security standpoint? We've watched the rise of containers over the last few years. And it's like okay wait do I need to put in some kind of lightweight VM? Do I do something there? What can I trust? What do I do? At AWS re:Invent a couple of weeks ago, there's the whole container marketplace. Feels like we are making progress but still plenty of work to do. >> Right, right, container security has lots of parts to it as you go through the life cycle of a container. Actually at AWS re:Invent, Aqua was recognized as having, I think they called it competency. Which I think it's a bit better than competency in container security. >> That's a compliment I believe. >> Yeah, really compliment, really competent. I think as community on the open source level, there are lots of good things happening. 
For example, the defaults in Kubernetes have been getting better and better. If you are an enterprise, and particularly if you're a financial user, or a media company, or a government organization, you have much stronger requirements from a security perspective and that's where the open source tooling on its own may not be sufficient, and you may need to plug in commercial solutions like Aqua to really beef that up. And also to provide that end to end security right from when you're building your image through to the run time protection which is really powerful. >> Security has got to be built in from the beginning. Let me get your thoughts on end user traction and the huge demand for what end users are doing. I know you guys are seeing on the program side, the Linux foundation, CNC was talking about trying to get more case studies. We're seeing the end users prominent here. You mentioned Uber, Apple's here. A bunch of other companies, they're here. So end users are not only just contributing, they are also consuming. How are the new enterprises that are coming in consuming and interacting and engaging with Kubernetes? Where are they on the IQ, if you will, level and what are they engaging on? Kubernetes has matured a bit and ready. It's been deployed, people using it. People gathering around it, but now people are starting to consume and deploy it at different scales. What's the end user uptake? What's the hot areas? What do you see the most people digging in? >> Great question, so I think we are seeing a lot of, particularly, I want to say like mature start-ups, so the Ubers and the Airbnbs and the Lyfts. They've got these massive scaled technology problems, and Kubernetes is giving them, and the whole cloud-native community around it, it's giving them the ability to do these kind of custom things that they need to do. The kind of weird and wonderful things. 
They can add whatever adaptations they need, that maybe they wouldn't get if they were in a traditional architecture. So they're kind of the prominent voices that we are hearing right now. But at Aqua we are seeing some of these, maybe what you might call more traditional businesses like banks. They want to replicate that. They want to shape functionality really quickly. They are seeing challenges from upstart and they want to compete. So they know they've got to shift functionality quickly. They've got to do continuous deployment. Containers enable that. The whole cloud-native world enables that and that's where the adoption's from. >> They can take the blueprints from the people who built it from the ground up, the large scale startups, cloud-native in the beginning, and kind of apply the traditional IT kind of approach with the same tooling and the same platform. >> And we are seeing some interesting things around making that easier. So things like the CNAB, the cloud-native application bundling, that is coming out at Microsoft and Docker are involved in that. I think that's all to do with making it easier for enterprises to just go, yeah, this is the application I want to run it in the cloud. >> So let me ask you a question around the customer end users that we see coming onboard, because you have the upstream kind of community, the downstream benefits are impacting certainly IT and then developers, right? The classic developers, IT is starting to reimagine their infrastructure. All the goodness with cloud, and machine learning, and application is being redefined. It's changing the investment. So in 2019, what's your view on how companies are shaping their investment strategy to IT investment or technology investment strategies with cloud-native? Because this is a real trend that you just pointed out. Okay I'm a big company and I've used the old way and now I want the new way. So there's a lot of okay, instant start. Turn the key, does it run? 
There's a lot of managed services here, so the new persona of customer. How does that impact their investment, IT investments in your mind? What are you seeing? Please share any color commentary around that. >> I'm sure we're all aware that we're seeing shifts away from the traditional data center into public cloud which has implications around opex rather than capex. And I guess following on from that people worrying about whether vendor lock-in is a thing. Should they be just adopting in one public cloud or perhaps putting their eggs across different baskets? Should they be using these managed platforms? We have all these different distributions, we have these different managed solutions for Kubernetes, there's a lot of choice out there. I think it's going to be interesting to see how that shapes out over the next few years. Are all these different distributions going to find a niche or how's that going to work? >> Matt Klein had a great observation. He was on earlier today from Lyft. He says look to solve a problem, use the tech to solve a problem, and then iterate, build on that. It's iteration mull of dev, ops. I think that's a good starting point. There's no magic silver bullet here. There's no magic answer, I think it's more of just get in there and get it going. The other question I have for you is 2019 prediction for Kubernetes. What's going to happen this coming year? We're seeing this picture now, 8000 people, diverse audience. >> Yeah. >> What's the prediction 2019 for Kubernetes? >> Oh, great question. I think maybe broader than just Kubernetes, but the kind of cloud-native. Because Kubernetes is like Janet said in her keynote this morning it's essentially boring. It kind of does what it's supposed to do now. I think what's going to be interesting is seeing those other pieces around it and above it, the improved developer experiences making it easier for companies to adopt. 
Maybe some of these choices around things like what service mesh you're going to use. How you're going to implement your observability. How you're going to deploy all this stuff without needing to hire 20 super detailed experts. We've got all the experts in this stuff. They're kind of here. The early adopters, great. Maybe that next wave, how are they going to be able to take advantage of this cloud-native? >> I think the programmability is key. Well great to have-- >> I think a big part of that is actually is going to be serverless. The ease of using serverless rather than the flexibility you get out of-- >> The millisecond latency around compute, yeah it's great. Well thanks for coming on, really appreciate it. Final question for you, what surprised you this year? Is there one thing that jumped out at you that you didn't expect? Good, bad or ugly? Great show here, it was packed. The waiting list was like 1500. What was the surprise this year from a program standpoint? >> I think actually the nicest surprise was the contribution of Phippy and all those lovely characters from Phippy Goes to the Zoo and those characters being donated by Microsoft, Matt Butcher and Karen Chu's work, was terrific. And it's just beautiful, just lovely. >> That's awesome, thanks so much Liz. Appreciate Liz right here. Program co-chair at KubeCon, CloudNativeCon, also technology evangelist at Aqua Security. That's her day job and her other job, she's running the content programming which is very huge here. Congratulations, I know it's tough work, a great job. >> Thank you very much. >> It's theCUBE coverage, breaking down all the action here at KubeCon and CloudNativeCon. I'm John Furrier and Stu Miniman, stay with us. Three days of wall-to-wall coverage. We're only on day two, we've got a whole nother day. A lot of great stories coming out of here and great content. Stay with us for more after this short break. (upbeat music)
Liz Rice, Aqua Security & Janet Kuo, Google | KubeCon + CloudNativeCon EU 2018
>> Announcer: Live from Copenhagen, Denmark, it's theCUBE. Covering KubeCon and CloudNativeCon Europe 2018. Brought to you by the Cloud Native Computing Foundation and its ecosystem partners. >> Hello, everyone. Welcome back to theCUBE's exclusive coverage here in Copenhagen, Denmark for KubeCon 2018, part of the CNCF Cloud Native Compute Foundation, which is part of the Linux Foundation. I'm John Furrier, your host. We've got two great guests here, we've got Liz Rice, the co-chair of KubeCon and CloudNativeCon, kind of a dual naming because it's Kubernetes and it's Cloud Native and also technology evangelist at Aqua Security. She's co-chairing with Kelsey Hightower who will be on later today, and CUBE alumni as well, and Janet Kuo who is a software engineer at Google. Welcome to theCUBE, thanks for coming on. >> Yeah, thanks for inviting us. >> Super excited, we have a lot of energy even though we've got interviews all day and it's kind of, we're holding the line here. It's almost a celebration but also not a celebration because there's more work to do with Kubernetes. Just the growth of the CNCF continues to hit some interesting good performance KPIs on metrics. Growth's up on the membership, satisfaction is high, Kubernetes is being called a de facto standard. So by all kind of general qualitative metrics and quantitative, it's doing well. >> Lauren: It's doing great. >> But it's just the beginning. >> Yeah, yeah. I talked yesterday a little bit in, in the keynote, about project updates, about how Kubernetes has graduated. That's a real signal of maturity. It's a signal to the end-user companies out there that you know, the risk, nothing is ever risk-free, but you know, Kubernetes is here to stay. It's stable, it's got stable governance model, you know, it's not going away. >> John: It's working. >> It's going to continue to evolve and improve. 
But it's really working, and we've got end users, you know, not only happy and using it, they're prepared to come to this conference and share their stories, share their learnings, it's brilliant. >> Yeah, and Janet also, you know, you talk about China, we have announcement that, I don't know if it's formally announced, but Shanghai, is it out there now? >> Lauren: It is. >> Okay, so Shanghai in, I think November 14th, let me get the dates here, 14th and 15th in Shanghai, China. >> Janet: Yeah. >> Where it's going to be presented in either English or in Chinese, so it's going to be fully translated. Give us the update. >> Yeah, it will be fully translated, and we'll have a CFP coming soon, and people will be submitting their talks in English but they can choose to present either in English or Chinese. >> Can you help us get a CUBE host that can translate theCUBE for us? We need some, if you're out there watching, we need some hosts in China. But in all seriousness, this is a global framework, and this is again the theme of Cloud Native, you know. Being my age, I've seen the lift and shift IT world go from awesome greatness to consolidation to VMwares. I've seen the waves. But this is a different phenomenon with Cloud Native. Take a minute to share your perspectives on the global phenomenon of Cloud Native. It's a global platform, it's not just IT, it's a global platform, the cloud, and what that brings to the table for end users. >> I think for end users, if we're talking about consumers, it actually is, well what it's doing is allowing businesses to develop applications more quickly, to respond to their market needs more quickly. And end users are seeing that in more responsive applications, more responsive services, improved delivery of tech. >> And the businesses, too, have engineers on the front lines now. 
>> Absolutely, and there's a lot of work going on here, I think, to basically, we were talking earlier about making technology boring, you know, this Kubernetes level is really an abstraction that most application developers don't really need to know about. And making their experience easier, they can just write their code and it runs. >> So if it's invisible to the application developer, that's the success. >> That's a really helpful thing. They shouldn't have to worry about where their code is running. >> John: That's DevOps. >> Yeah, yeah. >> I think the container in Kubernetes technology or this Cloud Native technology that brings developer the ability to, you know, move fast and give them the agility to react to the business needs very quickly. And also users benefit from that and operators also, you know, can manage their applications much more easily. >> Yeah, when you have that abstraction layer, when you have that infrastructure as code, or even this new abstraction layer which is not just infrastructure, it's services, micro-services, growth has been phenomenal. You're bringing the application developer into an efficiency productivity mode where they're dictating the business model through software of the companies. So it's not just, "Hey build me something "and let's go sell it." They're on the front lines, writing the business logic of businesses and their customers. So you're seeing it's super important for them to have that ability to either double down or abandon quickly. This is what agile is. Now it's going from software to business. This, to me, I think is the highlight for me on this show. You see the dots connecting where the developers are truly in charge of actually being a business impact because they now have more capability. As you guys put this together and do the co-chair, do you and Kelsey, what do you guys do in the room, the secret room, you like, "Well let's do this on the content." I mean, 'cause there's so much to do. 
Take us through the process. >> So, a little bit of insight into how that whole process works. So we had well over 1,000 submissions, which, you know, there's no, I think there's like 150 slots, something like that. So that's a pretty small percentage that we can actually accept. We had an amazing program committee, I think there were around 60 people who reviewed, every individual reviewer looked at a subset. We didn't ask them to look at all thousand, that would be crazy. They scored them, that gave us a kind of first pass, like a sort of an ability to say, "Well, anything that was below average, "we can only take the top 15%, "so anything that's below average "is not going to make the cut." And then we could start looking at trying to balance, say, for example, there's been a lot of talk about were there too many Istio talks? Well, there were a lot of Istio talks because there were a lot of Istio submissions. And that says to us that the community wants to talk about Istio. >> And then number of stars, that's the number one project on the new list. I mean, Kubeflow and Istio are super hot. >> Yeah, yeah, Kubeflow's another great example, there are lots of submissions around it. We can't take them all but we can use the ratings and the advice from the program committee to try and assemble, you know, the best talks to try and bring different voices in, you know, we want to have subject matter experts and new voices. We want to have the big name companies and start-ups, we wanted to try and get a mix, you know. A diversity of opinion, really. >> And you're a membership organization so you have to balance the membership needs with the content program so, challenging with given the growth. I mean, I can only imagine. >> Yeah, so as program co-chairs, we actually have a really free hand over the content, so it's one of the really, I think, nice things about this conference. 
You know, sponsors do get to stand on stage and deliver their message, but they don't get to influence the actual program. The program is put together for the community, and by doing things like looking at the number of submissions, using those signals that the community want to talk about, I hope we can carry on giving the attendees that format. >> I would just say from an outsider perspective, I think that's something you want to preserve because if you look at the success of the CNCF, one thing I'm impressed by is they've really allowed a commercial environment to be fostered and enabled. But they didn't compromise the technical. >> Lauren: Yeah. >> And the content to me, content and technical tracks are super important because content, they all work together, right? So as long as there's no meddling, stay in your swim lane, whatever, whatever it is. Content is really important. >> Absolutely, yeah. >> Because that's the learning. >> Yeah, yeah. >> Okay, so what's on the cut list that you wish you could have put back on stage? Or is that too risque? You'll come back to that. >> Yeah. >> China, talk about China. Because obviously, we were super impressed last year when we went to go visit Alibaba just to the order of magnitude to the cultural mindset for their thinking around Cloud Native. And what I was most impressed with was Dr. Wong was talking about artistry. They just don't look at it as just technology, although they are nerdy and geeky like us in Silicon Valley. But they really were thinking about the artistry 'cause the app side of it has kind of a, not just design element to the user perspective. And they're very mobile-centric in China, so they're like, they were like, "This is what we want to do." So they were very advanced in my mind on this. Does that change the program in China vis a vis Seattle and here, is there any stark differences between Shanghai and Copenhagen and Seattle in terms of the program? Is there a certain focus? 
What's the insight into China? >> I think it's a little early to say 'cause we haven't yet opened the CFP. It'll be opening soon but I'm fully expecting that there will be, you know, some differences. I think the, you know, we're hoping to have speakers, a lot more speakers from China, from Asia, because it's local to them. So, like here, we tried to have a European flavor. You'll see a lot of innovators from Europe, like Spotify and the Financial Times, Monzo Bank. You know, they've all been able to share their stories with us. And I think we're hoping to get the same kind of thing in China, hear local stories as well. >> I mean that's a good call. I think conferences that do the rinse and repeat from North America and just slap it down in different regions aren't as effective as making it localized, in a way. >> Yeah. >> That's super important. >> I know that a lot of China companies, they are pretty invested pretty heavily into Kubernetes and Cloud Native technology and they are very innovative. So I actually joined a project in 2015 and I've been collaborating with a lot of Chinese contributors from China remotely on GitHub. For example, the contributors from Huawei and they've been invested a lot in this. >> And they have some contributors in the core. >> Yeah, so we are expecting to see submissions from those contributors and companies and users. >> Well, that's super exciting. We look forward to being there, and it should be excellent. We always have a fun time. The question that I want to ask you guys now, just to switch gears is, for the people watching who couldn't make it or might watch it on YouTube on Demand who didn't make the trip. What surprised you here? What's new, I'm asking, you have a view as the co-chair, you've seen it. But was there anything that surprised you, or did it go right? Nothing goes perfect. I mean, it's like my wedding, everything happens, didn't happen the way you planned it. There's always a surprise. 
Any wild cards, any x-factors, anything that stands out to you guys? >> So what I see from, so I attend, I think around five KubeCons. So from the first one it's only 550 people, only the small community, the contributors from Google and Red Hat and CoreOS and growing from now. We are growing from the inner circle to the outside circle, from the just contributors to also the users of it, like and also the ecosystem. Everyone that's building the technology around Cloud Native, and I see that growth and it's very surprising to me. We have a keynote yesterday from CERN and everyone is talking about their keynote, like they have I think 200 clusters, and that's amazing. And they said because of Kubernetes they can just focus on physics. >> Yeah, and that's a testimonial right there. >> Yeah. >> That was really good stories to hear, and I think maybe one of the things that surprises me, it sort of continues to surprise me is how collaborative, it's something about this kind of organization, this conference, this whole kind of movement, if you like. Where companies are coming in and sharing their learnings, and we've seen that, we've seen that a lot through the keynotes. And I think we see it on the conference floor, we see it in the hallway chat. And I think we see it in the way that the different SIGs and working groups and projects are all, kind of, collaborating on problem solving. And that's really exciting. >> That's why I was saying earlier in the beginning that there's a celebration amongst ourselves and the community. But also a realization that this is just the beginning, it's not a, it's kind of like when you get venture funding if you're a start-up. That's really when it begins, you don't celebrate, but you take a little bit of a pause. Now my personal take only to all of the hundreds of events we do a year is that I that think this community here has fought the hard DevOps battle. 
If you go back to 2008 timeframe, and '08, '09, '10, '11, '12, those years were, those were hyper scale years. Look at Google, Facebook, all the original DevOps engineers, they were eating glass and spitting nails. It was hard work. And it was really build your own, a lot of engineering, not just software development. So I think this, kind of like, camaraderie amongst the DevOps community saying, "Look, this is a really big "step up function with Kubernetes." Everyone's had some scar tissue. >> Yeah, I think a lot of people have learned from previous, you know, even other open source projects that they've worked on. And you see some of the amazing work that goes into the kind of, like, community governance side. The things that, you know, Paris Pittman does around contributor experience. It's so good to see people who are experts in helping developers engage, helping engineers engage, really getting to play that role. >> There's a lot of common experiences for people who have never met each other because there's people who have seen the hard work pay with scale and leverage and benefits. They see it, this is amazing. We had Sheryl from Google on saying, "When I left Google and I went out into the real world, "I was like, oh my God, "they don't actually use Borg," like, what? "What do they, how do they actually write software?" I mean, so she's a fish out of water and that, it's like, so again I think there's a lot of commonality, and it's a super great opportunity and a great community and you guys have done a great job, CNCF. And we hope to nurture that, the principles, and looking forward to China. Thanks for coming on theCUBE, we appreciate it. >> Yeah. >> Okay we're here at CNCF's KubeCon 2018, I'm John Furrier, more live coverage. Stay with us, day two of two days of CUBE coverage. Go to thecube.net, siliconangle.com for all the coverage. We'll be back, stay with us after this short break.
Show Wrap | CloudNativeSecurityCon 23
>> Hey everyone. Welcome back to theCUBE's coverage day two of CloudNative Security CON 23. Lisa Martin here in studio in Palo Alto with John Furrier. John, we've had some great conversations. I've had a global event. This was a global event. We had Germany on yesterday. We had the Boston Studio. We had folks on the ground in Seattle. Lot of great conversations, a lot of great momentum at this event. What is your number one takeaway with this inaugural event? >> Well, first of all, our coverage with our CUBE alumni experts coming in remotely this remote event for us, I think this event as an inaugural event stood out because one, it was done very carefully and methodically from the CNCF. I think they didn't want to overplay their hand relative to breaking out from CUBE CON So Kubernetes success and CloudNative development has been such a success and that event and ecosystem is booming, right? So that's the big story is they have the breakout event and the question was, was it a good call? Was it successful? Was it going to, would the dog hunt as they say, in this case, I think the big takeaway is that it was successful by all measures. One, people enthusiastic and confident that this has the ability to stand on its own and still contribute without taking away from the benefits and growth of Kubernetes CUBE CON and CloudNative console. So that was the key. Hallway conversations, the sessions all curated and developed properly to be different and focused for that reason. So I think the big takeaway is that the CNCF did a good job on how they rolled this out. Again, it was very intimate event small reminds me of first CUBE CON in Seattle, kind of let's test it out. Let's see how it goes. Again, clearly it was people successful and they understood why they're doing it. And as we commented out in our earlier segments this is not something new. Amazon Web Services has re:Invent and re:Inforce So a lot of parallels there. I see there. So I think good call. 
CNCF did the right thing. I think this has legs. And then as Dave pointed out, Dave Vellante, on our last keynote analysis was the business model of the hackers is better than the business model of the industry. They're making more money, it costs less so, you know, they're playing offense and the industry playing defense. That has to change. And as Dave pointed out we have to make the cost of hacking and breaches and cybersecurity higher so that the business model crashes. And I think that's the strategic imperative. So I think the combination of the realities of the market globally and open source has to go faster. It's good to kind of decouple and be highly cohesive in the focus. So to me that's the big takeaway. And then the other one is, is that there's a lot more security problems still unresolved. The emphasis on developers productivity is at risk here, if not solved. You saw supply chain software, again, front and center and then down in the weeds outside of Kubernetes, things like BIND and DNS were brought up. You're seeing the Linux kernel. Really important things got to be paid attention to. So I think very good call, very good focus. >> I would love if for us to be able to, as the months go on talk to some of the practitioners that actually got to attend. There were 72 sessions, that's a lot of content for a small event. Obviously to your point, very well curated. We did hear from some folks yesterday who were just excited to get the community back together in person. To your point, having this dedicated focus on CloudNativesecurity is incredibly important. You talked about, you know, the offense defense, the fact that right now the industry needs to be able to pivot from being on defense to being on offense. This is a challenging thing because it is so lucrative for hackers. But this seems to be from what we've heard in the last couple days, the right community with the right focus to be able to make that pivot. 
>> Yeah, and I think if you look at the success of Kubernetes, 'cause again we were there at theCUBE first one KubeCon, the end user stories really drove end user participation. Drove the birth of Kubernetes. Left some of these CloudNative early adopters early pioneers that were using cloud hyperscale really set the table for CloudNativeCon. I think you're seeing that here with this CloudNativeSecurityCon where I think we'll see a lot more end user stories because of the security, the hairs on fire as we heard from Madrona Ventures, you know, as they as an investor you have a lot of use cases out there where customers are leaning in with getting the rolling up their sleeves, working with open source. This has to be the driver. So I'm expecting to see the next level of SecurityCon to be end user focused. Much more than vendor focused. Where KubeCon was very end user focused and then attracted all the vendors in that grew the industry. I expect the similar pattern here where end user action will be very high at the beginning and that will essentially be the rising tide for the vendors to be then participating. So I expect almost a similar trajectory to KubeCon. >> That's a good path that it needs to all be about all the end users. One of the things I'm curious if what you heard was what are some of the key factors that are going to move CloudNative Security forward? What did you hear the last two days? >> I heard that there's a lot of security problems and no one wants to kind of brag about this but there's a lot of under the hood stuff that needs to get taken care of. So if automation scales, and we heard that from one of the startups we've just interviewed. If automation and scale continues to happen and with the business model of the hackers still booming, security has to be refactored quickly and there's going to be an opportunity structurally to use the cloud for that.
So I think it's a good opportunity now to get dedicated focus on fixing things like the DNS stuff old school under the hood, plumbing, networking protocols. You're going to start to see this super cloud-like environment emerge where data's involved, everything's happening and so security has to be reimagined. And I think there's a do over opportunity for the security industry with CloudNative driving that. And I think this is the big thing that I see as an opportunity to, from a story standpoint from a coverage standpoint is that it's a do-over for security. >> One of the things that we heard yesterday is that there's a lot of it, it's a pretty high percentage of organizations that either don't have a SOC or have a very primitive SOC. Which kind of surprised me that at this day and age the risks are there. We talked about that today's focus and the keynote was a lot about the software supply chain and what's going on there. What did you hear in terms of the appetite for organizations through the voice of the practitioner to say, you know what guys, we got to get going because there's going to be the hackers are they're here. >> I didn't hear much about that in the coverage 'cause we weren't in the hallways. But from reading the tea leaves and talking to the folks on the ground, I think there's an implied like there's an unlimited money from customers. So it's a very robust from the data infrastructure stack building we cover with the angel investor Kane you're seeing data infrastructure's going to be part of the solution here 'cause data and security go hand in hand. So everyone's got basically checkbook wide open everyone wants to have the answer. And we commented that the co-founder of Palo Alto you had on our coverage yesterday was saying that you know, there's no real platform, there's a lot of tools out there. People will buy anything. So there's still a huge appetite and spend in security but the answer's not going to more tool sprawling.
It's going to more platform auto, something that enables automation, fix some of the underlying mechanisms involved and fix it fast. So to me I think it's going to be a robust monetary opportunity because of the demand on the business side. So I don't see that changing at all and I think it's going to accelerate. >> It's a great point in terms of the demand for the business side because as we know as we said yesterday, the next Log4j is out there. It's not a matter of if this happens again it's when, it's the extent, it's how frequent we know that. So organizations all the way up to the board have to be concerned about brand reputation. Nobody wants to be the next big headline in terms of breaches and customer data being given to hackers and hackers making all this money on that. That has to go all the way up to the board and there needs to be alignment between the board and the executives at the organization in terms of how they're going to deal with security, and now. This is not a conversation that can wait. Yeah, I mean I think the five C's we talked about yesterday the culture of companies, the cloud is an enabler, you've got clusters of servers and capabilities, Kubernetes clusters, you've got code and you've got all kinds of, you know, things going on there. Each one has elements that are at risk for hacking, right? So that to me is something that's super important. I think that's why the focus on security's different and important, but it's not going to fork the main event. So that's why I think the spin out was, spinout, or the new event is a good call by the CNCF. >> One of the things today that struck me they're talking a lot about software supply chain and that's been in the headlines for quite a while now. And a stat that was shared this morning during the keynote just blew my brains that there was a 742% increase in the software supply chain attacks occurring over the last three years. It's during Covid times, that is a massive increase. 
The threat landscape is just growing so amorphously but organizations need to help dial that down because their success and the health of the individuals and the end users is at risk. Well, Covid is an environment where everyone's kind of working at home. So there was some disruption to infrastructure. Also, when you have change like that, there's opportunities for hackers, they'll arbitrage that big time. But I think general the landscape is changing. There's no perimeter anymore. It's CloudNative, this is where it is and people who are moving from old IT to CloudNative, they're at risk. That's why there's tons of ransomware. That's why there's tons of risk. There's just hygiene, from hygiene to architecture and like Nick said from Palo Alto, the co-founder, there's not a lot of architecture in security. So yeah, people have bulked up their security teams but you're going to start to see much more holistic thinking around redoing security. I think that's the opportunity to propel CloudNative, and I think you'll see a lot more coming out of this. >> Did you hear any specific information on some of the CloudNative projects going on that really excite you in terms of these are the right people going after the right challenges to solve in the right direction? >> Well I saw the sessions and what jumped out to me at the sessions was it's a lot of extensions of what we heard at CUBECON and I think what they want to do is take out the big items and break 'em out in security. Kubescape was one we just covered. They want to get more sandbox type stuff into the security side that's very security focused but also plays well with CUBECON. So we'll hear more about how this plays out when we're in Amsterdam coming up in April for CUBECON to hear how that ecosystem, because I think it'll be kind of a relief to kind of decouple security 'cause that gives more focus to the stakeholders in CUBECON. There's a lot of issues going on there and you know service meshes and whatnot. 
So it's a lot of good stuff happening. >> A lot of good stuff happening. One of the things that'll be great about KubeCon is that we always get the voice of the customer. We get vendors coming on with the voice of the customer talking about and you know in that case how they're using Kubernetes to drive the business forward. But it'll be great to be able to pull in some of the security conversations that spin out of CloudNativeSecurityCon to understand how those end users are embracing the technology. You brought up I think Nir Zuk from Palo Alto Networks, one of the themes there when Dave and I did their Ignite event in December was, of 22, was really consolidation. There are so many tools out there that organizations have to wrap their heads around and they need to be able to have the right enablement content which this event probably delivered to figure out how do we consolidate security tools effectively, efficiently in a way that helps dial down our risk profile because the risks just seem to keep growing. >> Yeah, and I love the technical nature of all that and I think this is going to be the continued focus. Chris Aniszczyk who's the CTO listed like eBPF we covered with Liz Rice is one of the most three important points of the conference and it's just, it's very nerdy and that's what's needed. I mean it's technical. And again, there's no real standards bodies anymore. The old days developers I think are super important to be the arbiters here. And again, what I love about the CNCF is that they're developer focused and we heard developer first even in security. So you know, this is a sea change and I think, you know, developers' choice will be the standards bodies. >> Lisa: Yeah, yeah. >> They decide the future. >> Yeah. >> And I think having the sandboxing and bringing this out will hopefully accelerate more developer choice and self-service.
>> You've been talking about kind of putting the developers in the driver's seat as really being the key decision makers for a while. Did you hear information over the last couple of days that validates that? >> Yeah, absolutely. It's clearly the fact that they did this was one. The other one is, is that engineering teams and dev teams and script teams, they're blending together. It's not just separate silos and the ones that are changing their team dynamics, again, back to the culture are winning. And I think this has to happen. Security has to be embedded everywhere in making it frictionless and to provide kind of the guardrail so developers don't slow down. And I think where security has become a drag or an anchor or a blocker has been just configuration of how the organization's handling it. So I think when people recognize that the developers are in charge and they're should be driving the application development you got to make sure that's secure. And so that's always going to be friction and I think whoever does it, whoever unlocks that for the developer to go faster will win. >> Right. Oh, that's what I'm sure magic to a developer's ear is the ability to go faster and be able to focus on co-development in a secure fashion. What are some of the things that you're excited about for CUBECON. Here we are in February, 2023 and CUBECON is just around the corner in April. What are some of the things that you're excited about based on the groundswell momentum that this first inaugural CloudNative Security CON is generating from a community, a culture perspective? >> I think this year's going to be very interesting 'cause we have an economic challenge globally. There's all kinds of geopolitical things happening. I think there's going to be very entrepreneurial activity this year more than ever. I think you're going to see a lot more innovative projects ideas hitting the table. I think it's going to be a lot more entrepreneurial just because the cycle we're in. 
And also I think the acceleration of mainstream deployments of out of the CNCF's main event CUBECON will happen. You'll see a lot more successes, scale, more clarity on where the security holes are or aren't. Where the benefits are. I think containers and microservices are continuing to surge. I think the Cloud scale hyperscale as Amazon, Azure, Google will be more aggressive. I think AI will be a big theme this year. I think you can see how data is going to infect some of the innovation thinking. I'm really excited about the data infrastructure because it powers a lot of things in the Cloud. So I think the Amazon Web Services, Azure next level gen clouds will impact what happens in the CloudNative foundation. >> Did you have any conversations yesterday or today with respect to AI and security? Was that a focus of anybody's? Talk to me about that. >> Well, I didn't hear any sessions on AI but we saw some demos on stage. But they're teasing out that this is an augmentation to their mission, right? So I think a lot of people are looking at AI as, again, like I always said there's the naysayers who think it's kind of a gimmick or nothing to see here, and then some are just going to blown away. I think the people who are alpha geeks and the industry connect the dots and understand that AI is going to be an accelerant to a lot of heavy lifting that was either manual, you know, hard to do things that was boring or muck as they say. I think that's going to be where you'll see the AI stories where it's going to accelerate either ways to make security better or make developers more confident and productive. >> Or both. >> Yeah. So definitely AI will be part of it. Yeah, definitely. One of the things too that I'm wondering if, you know, we talk about CloudNative and the goal of it, the importance of it. 
Do you think that this event, in terms of what we were able to see, obviously being remote the event going on in Seattle, us being here in Palo Alto and Boston and guests on from Seattle and Germany and all over, did you hear the really the validation for why CloudNative Security why CloudNative is important for organizations whether it's a bank or a hospital or a retailer? Is that validation clear and present? >> Yeah, absolutely. I think it was implied. I don't think there was like anyone's trying to debate that. I think this conference was more of it's assumed and they were really trying to push the ability to make security less defensive, more offensive and more accelerated into the solving the problems with the businesses that are out there. So clearly the CloudNative community understands where the security challenges are and where they're emerging. So having a dedicated event will help address that. And they've got great co-chairs too that put it together. So I think that's very positive. >> Yeah. Do you think, is it possible, I mean, like you said several times today so eloquently the industry's on the defense when it comes to security and the hackers are on the offense. Is it really possible to make that switch or obviously get some balances. As technology advances and industry gets to take advantage of that, so do the hackers, is that balance achievable? >> Absolutely. I mean, I think totally achievable. The question's going to be what's the environment going to be like? And I remember as context to understanding whether it's viable or not, is to look at, just go back 13 years ago, I remember in 2010 Amazon was viewed as an unsecure environment. Everyone's saying, "Oh, the cloud is not secure." And I remember interviewing Steve Schmidt at AWS and we discussed specifically how Amazon Cloud was being leveraged by hackers. They made it more complex for the hackers. And he said, "This is just the beginning." It's kind of like barbed wire on a fence. 
It's yeah, you're not going to climb it so people can get over it. And so since then what's happened is the Cloud has become more secure than on premises for a lot of either you know, personnel reasons, culture reasons, not updating, you know, from patches to just being insecure to be more insecure. So that to me means that the flip the script can be flipped. >> Yeah. And I think with CloudNative they can build in automation and code to solve some of these problems and make it more complex for the hacker. >> Lisa: Yes. >> And increase the cost. >> Yeah, exactly. Make it more complex. Increase the cost. That'll be an interesting journey to follow. So John, here we are early February, 2023 theCUBE starting out strong as always. What year are we in, 12? Year 12? >> 13th year >> 13! What's next for theCUBE? What's coming up that excites you? >> Well, we're going to do a lot more events. We got theCUBE in studio that I call theCUBE Center as kind of internal code word, but like, this is more about getting the word out that we can cover events remotely as events are starting to change with hybrid, digital is going to be a big part of that. So I think you're going to see a lot more CUBE on location. We're going to do, still do theCUBE and have theCUBE cover events from the studio to get deeper perspective because we can then bring people in remote through our studio team. We can bring our CUBE alumni in. We have a corpus of content and experts to bring to table. So I think the coverage will be increased. The expertise and data will be flowing through theCUBE and so Cube Center, CUBE CUBE Studio. >> Lisa: Love it. >> Will be an integral part of our coverage. >> I love that. And we have such great conversations with guests in person, but also virtually, digitally as well. We still get the voices of the practitioners and the customers and the vendors and the partner ecosystem really kind of lauded loud and clear through theCUBE megaphone as I would say.
>> And of course getting the clips out there, getting the highlights. >> Yeah. >> Getting more stories. No stories too small for theCUBE. We can make it easy to get the best content. >> The best content. John, it's been fun covering CloudNativeSecurityCon with you. And Dave and our guests, thank you so much for the opportunity and looking forward to the next event. >> John: All right. We'll see you at Amsterdam. >> Yeah, I'll be there. We want to thank you so much for watching theCUBE's two day coverage of CloudNativeSecurityCon 23. We're live in Palo Alto. You are live wherever you are and we appreciate your time and your view of this event. For John Furrier, Dave Vellante, I'm Lisa Martin. Thanks for watching guys. We'll see you at the next show.
Emmy Eide, RedHat | CloudNativeSecurityCon 23
>> John Furrier: Hello, welcome back to theCUBE's coverage of Cloud Native Security Con 2023 North America the inaugural event. I'm John Furrier, host of theCUBE, along with Dave Vellante and Lisa Martin covering from the studio. But we have on location Emmy Eide, who is with Red Hat, director of Supply Chain Security. Emmy, great to have you on from location. Thanks for joining us. >> Emmy Eide: Yeah, thank you. >> So everyone wants to know this event is new, it's an inaugural event, CloudNativeCon, KubeCon. Very successful. Was this event successful? They all want to know what's going on there. What's the vibe? What's the tracks like? Is it different? Why this event? Was it successful? What's different? >> Yeah, I've really enjoyed being here. The food is wonderful. There's also quite a few vendors here that are just some really cool emerging technologies coming out and a lot from open source, which is really cool to see as well. The talks are very interesting. It's really, they're very diverse in subject but still all security related which is really cool to see. And there's also a lot of different perspectives of how to approach security problems and the people behind them, which I love to see. And it's very nice to hear the different innovative ideas that we can go about doing security. >> We heard from some startups as well that they're very happy with the, with the decision to have a dedicated event. Red Hat is no stranger to open source. Obviously KubeCon, you guys are very successful there in CloudNativeCon, now the security con. Why do you think they did this? What's the vibe? What's the rationale? What's your take on this? And what's different from a topic standpoint? >> For non-security specific like events? Is that what you mean? >> What's different from KubeCon, CloudNativeCon, and here at the Cloud Native Security Con? Obviously security's the focus. Is it just deeper dives? Is it more under the hood?
Is it root problems or is this beyond Kubernetes? What's the focus, I guess. People want to know, you know, why the new event? >> I mean, there's a lot of focus on supply chain security, right? Like that's the hot topic in security right now. So that's been a huge focus. I can't speak to the differences of those other conferences. I haven't been able to attend them. But I will say that having a security specific conference, it really focuses on the open community and how technology is evolving, and how do you apply security. It's not just talking about tools which I think other conferences tend to focus on just the tools and you can really, I think, get lost in that as someone trying to learn about security or trying to even implement security, but they talk about what it takes to implement those tools, What's behind the people behind implementing those tools? >> Let's get into some of the key topics that we've identified and get your reaction. One, supply chain security, which I know you'll give a lot of commentary on 'cause that's your focus. Also we heard, like, Liz Rice talking about the extended Berkeley packet filtering. Okay, that's big. You know, your root kernel management, that's big. Developer productivity was kind of implied around removing the blockers of security, making it, you know, more aligned with developer first mentality. So that seems to be our takeaway. What's your reaction to those things? You see the same thing? >> I don't have a specific reaction to those things. >> Do you see the same thing happening on the ground there? Are they covering supply? >> Oh, yeah. >> Those three things are they the big focus? >> Yeah. Yeah, I think it's all of those things kind of like wrapped into one, right? But yeah, there's... I'm not sure how to answer your question. >> Well, let's jump into supply chain for instance. 'Cause that has come up a lot. >> Sure. >> What's the focus there on the supply chain security? Is it SBOMs? Is it the container security? 
What's the key conversations and topics being discussed around supply chain security? >> Well, I think there's a lot of laughter around SBOM right now because no one can really define it, specifically, and everyone's talking about it. So there's, there's a lot more than just the SBOM conversation. We're talking about like full end-to-end development process and that whole software supply chain that goes with it. So there's everything from infrastructure, security, all the way through to like signing transparency logs. Really the full gambit of supply chain, which is is really neat to see because it is such a broad topic. I think a lot of folks now are involved in supply chain security in some way. And so just kind of bringing that to the surface of what are the different people that are involved in this space, thinking about, what's on the top of their mind when it comes to supply chain security. >> How would you scope the order of magnitude of the uptick in supply chain attacks? Is it pretty heavy right now or is it, you know, people with the hair on fire or is it... What's the, give us the taste of the temperature in the room on the supply chain attacks? >> I think most of the folks who are involved in the space understand just that it's increasing. I mean, like, what is it? A 742% increase average annual year, year over year in supply chain attacks. So the amount of attacks increasing is a little daunting, right, for most of us. But it is what it is. So I think most of us right now are just trying to come together to say, "What are you doing that works? This is what I'm doing that works." And in all the different facets of that. 'cause I think we try to throw, we try to throw tools at a lot of problems and this problem is so big and broad reaching that we really are needing to share best practices as a community and as a security community. So this has been, this conference has been really great for that. >> Yeah, I've heard that a lot. 
You know, too many tools, not enough platform thinking, not enough architecture, needs some structure. Are you seeing any best practice around frameworks and structure around how to start getting in and and building out more of a better approach or posture? I mean, what's that, what's the, what's the state of the union for supply chain, how to handle that? >> Well, I talked about that a little bit in my my keynote that I gave, actually, which was about... And I've heard other other leaders talk about it too. And obviously it keyed my ear just because I'm so passionate about it, about partnership. So you know, empathetic security where the security team that's enforcing the policies, creating the policies, guidelines is working with the teams that are actually doing the production and the development, hand-in-hand, right? Like I can sit there and tell you, "Hey, you have all these problems and here's your security checklist or framework you need to follow." But that's not going to do them any good and it's going to create a ton of holes, right? So actually partnering with them helping them to understand the risks that are associated with their very specific need and use case, because every product has a different kind of quirk to it, right? Like how it's being developed. It might use a different tool and if I sit there and say, "Hey, you need to log on to this, you need to like make your tool work this platform over here and it's not compatible." I'm going to have to completely reframe how I'm doing productization. I need to know that as a security practitioner because me disrupting productization is not something that I should be doing. And I've heard a couple a couple of folks kind of talking about that, the people aspect behind how we implement these tools, the frameworks and the platforms, and how do we draw out risk, right? Like how do we talk about risk with these teams and really make them understand so it's part of their core culture in their understanding. 
So when they go back to their, when they go back and having to make decisions without me in the room they know they can make those business decisions with the risk as part of that decision. >> I love that empathetic angle because that's really going to, what needs to happen. It's not just, "Hey, that's your department, see you later." Or not even having a knowledge of the information. This idea of team construction, team management is a huge cultural shift. I'm sure the reaction was very positive. How do you explain that to an organization that's out there? Like how do you... what's the first three steps you got to take? Is there anything that you can share for advice people watch you saying, "Yeah we need to we need to change how our teams operate and interact with each other." >> Yeah, I think the first step is to take a good hard look at yourself. And if you are standing there on an ivory tower with a clipboard, you're probably doing it wrong. Check the box security is never going to be any way that works long term. It's going to take you a long time to implement any changes. At Red Hat, we did not look ourselves. You know, we've been doing a lot of great things in supply chain security for a while, but really taking that look and saying, "How can we be more empathetic leaders in the security space?" So we looked at that, then you say, "Okay, what is my my rate of change going to happen?" So if I need to make so many security changes explaining to these organizations, you're actually going to go faster. We improved our efficiency by 2000% just by doing that, just by creating this more empathetic. So why it seems like it's more hands-on, so it's going to be harder, it's easy to send out an email and say, "Hey, meet the security standard, right?" That might seem like the easy way 'cause you don't have time to engage. 
It's so much faster if you actually engage and share that message and have a common understanding between the teams that like, "I'm here to deliver a product, so is the security team. The security team's here to deliver that same product and I want to help you do it in a trusted way." Right? >> Yeah. Dave Vellante, my co-host, was just on a session. We were talking together about security teams jumping on every team and putting a C on their jersey to be like the captain of the intramural team, and being involved, and it goes beyond just like the checklist, like you said, "Oh, I got the SBOM list of materials and I got a code scanning thing." That's not enough, is what we're hearing. >> No. >> Is there a framework or a methodology to go beyond that? You got the empathetic, that's really kind of team issue. You got to go beyond some of the tactical things. What's next beyond, you got the empathy and what's that framework structure when you say where you say anything there? >> So what do you do after you have the empathy, right? >> Yeah. >> I would say SLSA is a good place to start, the software levels. Supply chain Levels for Software Artifacts. It's a mouthful. That's a really good maturity framework to start with. No matter what size organization you have, they're just going to be coming out here soon with version one. They released 0.1 a few months back. That's a really good place to give yourself a gut check of where you are in maturity and where you can go, what are best practices. And then there's the SSDF, which is the Secure Software Development Framework. I think NIST wrote that one. But that is also a really, a really good framework and they map really well to each other, actually. When you work through SLSA, you're actually working through the SSDF requirements. >> Awesome. Well, great to have you on and great to get that knowledge. I have to ask you, like KubeCon, I remember when it started in Seattle, their first KubeCon events, right? 
Kind of small, similar to this one, but there's a lot of end user activities. Certainly the CNCF kind of was coming together like right after that. What's the end user activity like there this week? That seems to always been the driver of these events. It's a little bit organic. You got some of the key experts coming together, focus. Have you observed any end user activity in terms of contributions, participation? What's the story on the end user piece there? Is it heavy? Is it light? What's the... >> Um, yeah... It seems moderate. I guess somewhere in the middle. I would say largely heavy, but there's definitely participation. There is a lot of communing and networking happening between different organizations to partner together, which is important. But I haven't really paid attention much to like the Twitter side of this. >> Yeah, you've been busy doing the keynotes. How's Red Hat doing all this? You guys have been great positioned with the cloud native movement. Been following the Red Hat's moves since OpenStack days. Really good, good line of product, good open source, Mojo, of course. Good product mix, right, and relevant. Where's the security focus here? Obviously, you guys are clearly focused on security. How's the Red Hat story going on over there? >> There was yesterday a really good talk that explains that super well. It was given by a Red Hatter, connecting all of the open source projects we've been a part of and kind of explaining them. And obviously again, I'm keying in 'cause it's a supply chain kind of conversation, but I'd recommend that anyone who's going to go back and watch these on YouTube to check that one out just to see kind of how we're approaching the security space as well as how we contribute back to the community in that way. >> Awesome. Great to have you on. Final word, I'll give you the final word. What's the big buzz on supply chain? How would you peg the progress there? Feeling good about where things are? 
What's the current progress on supply chain security? >> I think that it has opened up a lot of doors for communication between security organizations that have tended to be closed. I'm in product security. Product securities, information securities tend to not speak externally about what we're doing. So you don't want to, you know, look bad or you don't want to expose any risk that we have, right? But it is, I think, necessary to open those lines of communication, to be able to start tackling this. It's a big problem throughout all of our industries, and if one supply chain is attacked and those products are used in someone else's supply chain, that can continue, right? So I think it's good. We have a lot of work to do as an industry and the advancements in technology is going to make that a little bit more complicated. But I'm excited for it. >> You can just throw AI at it. That's the big, everyone's doing AI. Just throw AI at it, it'll solve it. Isn't that the new thing? >> I do secure AI though. >> Super important. I love what you're doing there. Supply chain, open source needs, supply chain security. Open source needs this big time. It has to be there. Thank you for the work that you do. Really appreciate you coming on. Thank you. >> Yeah, thanks for having me. >> Yeah, good stuff. Supply chain, critical to open source growth. Open source is going to be the key to success in the future with automation and AI right around the corner. And that's important. This is theCUBE's coverage from CloudNativeSecurityCon North America 2023. I'm John Furrier. Thanks for watching.
Day 1 Keynote Analysis | CloudNativeSecurityCon 23
(upbeat music) >> Hey everyone and welcome to theCUBE's coverage day one of CloudNativeSecurityCon '23. Lisa Martin here with John Furrier and Dave Vellante. Dave and John, great to have you guys on the program. This is interesting. This is the first inaugural CloudNativeSecurityCon. Formerly part of KubeCon, now a separate event here happening in Seattle over the next couple of days. John, I wanted to get your take on, your thoughts on this being a standalone event, the community, the impact. >> Well, this inaugural event, which is great, we love it, we want to cover all inaugural events because you never know, there might not be one next year. So we were here if it happens, we're here at creation. But I think this is a good move for the CNCF and the Linux Foundation as security becomes so important and there's so many issues to resolve that will influence many other things. Developers, machine learning, data as code, supply chain codes. So I think KubeCon, Kubernetes conference and CloudNativeCon, is all about cloud native developers. And it's a huge event and there's so much there. There's containers, there's microservices, all that infrastructure as code, the DevSecOps on that side, there's enough there and it's a huge ecosystem. Pulling it as a separate event is a first move for them. And I think there's a toe in the water kind of vibe here. Testing the waters a little bit on, does this have legs? How is it organized? Looks like they took their time, thought it out extremely well about how to craft it. And so I think this is the beginning of what will probably be a seminal event for the open source community. So let's listen to the clip from Priyanka Sharma who's a CUBE alumni and executive director of the CNCF. This is kind of a teaser- >> We will tackle issues of security together here and further on. We'll share our experiences, successes, perhaps more importantly, failures, and help with the collecting of understanding. We'll create solutions. That's right. 
The practitioners are leading the way. Having conversations that you need to have. That's all of you. This conference today and tomorrow is packed with 72 sessions for all levels of technologists to reflect the bottoms up, developer first nature of the conference. The co-chairs have selected these sessions and they are true blue practitioners. >> And that's a great clip right there. If you read between the lines, what she's saying there, let's unpack this. Solutions, we're going to fail, we're going to get better. Linux, the culture of iterating. But practitioners, the mention of practitioners, that was very key. Global community, 72 sessions, co-chairs, Liz Rice and experts that are crafting this program. It seems like very similar to what AWS has done with re:Invent as their core show. And then they have re:Inforce which is their cloud native security, Amazon security show. There's enough there, so to me, practitioners, that speaks to the urgency of cloud native security. So to me, I think this is the first move, and again, testing the water. I like the vibe. I think the practitioner angle is relevant. It's very nerdy, so I think this is going to have some legs. >> Yeah, the other key phrase Priyanka mentioned is bottoms up. And John, at our predictions breaking analysis, I asked you to make a prediction about events. And I think you've nailed it. You said, "Look, we're going to have many more events, but they're going to be smaller." Most large events are going to get smaller. AWS is obviously the exception, but a lot of events like this, 500, 700, 1,000 people, that is really targeted. So instead of you take a big giant event and there's events within the event, this is going to be really targeted, really intimate and focused. And that's exactly what this is. I think your prediction nailed it. 
>> Well, Dave, we'll call to see the event operating system really cohesive events connected together, decoupled, and I think the Linux Foundation does an amazing job of stringing these events together to have community as the focus. And I think the key to these events in the future is having, again, targeted content to distinct user groups in these communities so they can be highly cohesive because they got to be productive. And again, if you try to have a broad, big event, no one's happy. Everyone's underserved. So I think there's an industry concept and then there's pieces tied together. And I think this is going to be a very focused event, but I think it's going to grow very fast. >> 72 sessions, that's a lot of content for this small event that the practitioners are going to have a lot of opportunity to learn from. Do you guys, John, start with you and then Dave, do you think it's about time? You mentioned John, they're dipping their toe in the water. We'll see how this goes. Do you think it's about time that we have this dedicated focus out of this community on cloud native security? >> Well, I think it's definitely time, and I'll tell you there's many reasons why. On the front lines of business, there's a business model for security hackers and breaches. The economics are in favor of the hackers. That's a real reality from ransomware to any kind of breach attacks. There's corporate governance issues that's structural challenges for companies. These are real issues operationally for companies in the enterprise. And at the same time, on the tech stack side, it's been very slow movement, like glaciers in terms of security. Things like DNS, Linux kernel, there are a lot of things in the weeds in the details of the bowels of the tech world, protocol levels that just need to be refactored. And I think you're seeing a lot of that here. 
It was mentioned from Brian from the Linux Foundation, mentioned Dan Kaminsky who recently passed away who found that vulnerability in BIND which is a DNS construct. That was a critical linchpin. They got to fix these things and Liz Rice is talking about the Linux kernel with the extended Berkeley Packet Filtering thing. And so this is where they're going. This is stuff that needs to be paid attention to because if they don't do it, the train of automation and machine learning is going to run wild with all kinds of automation that the infrastructure just won't be set up for. So I think there's going to be root level changes, and I think ultimately a new security stack will probably be very driven by data will be emerging. So to me, I think this is definitely worth being targeted. And I think you're seeing Amazon doing the same thing. I think this is a playbook out of AWS's event focus and I think that's right. >> Dave, what are your thoughts? >> There was a lot of talk in, again, I go back to the progression here in the last decade about what's the right regime for security? Should the CISO report to the CIO or the board, et cetera, et cetera? We're way beyond that now. I think DevSecOps is being asked to do a lot, particularly DevOps. So we hear a lot about shift left, we're hearing about protecting the runtime and the ops getting much more involved and helping them do their jobs because the cloud itself has brought a lot to the table. It's like the first line of defense, but then you've really got a lot to worry about from a software defined perspective. And it's a complicated situation. Yes, there's less hardware, yes, we can rely on the cloud, but culturally you've got a lot more people that have to work together, have to share data. And you want to remove the blockers, to use an Amazon term. And the way you do that is you really, if we talked about it many times on theCUBE. 
Do over, you got to really rethink the way in which you approach security and it starts with culture and team. >> Well the thing, I would call it the five C's of security. Culture, you mentioned that's a good C. You got cloud, tons of issues involved in cloud. You've got access issues, identity. You've got clusters, you got Kubernetes clusters. And then you've got containers, the fourth C. And then finally is the code itself, supply chain. So all areas of cloud native, if you take out culture, it's cloud, cluster, container, and code all have levels of security risks and new things in there that need to be addressed. So there's plenty of work to get done for sure. And again, this is developer first, bottoms up, but that's where the change comes in, Dave, from a security standpoint, you always point this out. Bottoms up and then middle out for change. But absolutely, the imperative is today the business impact is real and it's urgent and you got to pedal as fast as you can here, so I think this is going to have legs. We'll see how it goes. >> Really curious to understand the cultural impact that we see being made at this event with the focus on it. John, you mentioned the four C's, five with culture. I often think that culture is probably the leading factor. Without that, without getting those teams aligned, is the rest of it set up to be as successful as possible? I think that's a question that's- >> Well to me, Dave asked Pat Gelsinger in 2014, can security be a do-over at VMWorld when he was the CEO of VMware? He said, "Yes, it has to be." And I think you're seeing that now. And Nick from the co-founder of Palo Alto Networks was quoted on theCUBE by saying, "Zero Trust is some structure to give to security, but cloud allows for the ability to do it over and get some scale going on security." So I think the best people are going to come together in this security world and they're going to work on this. 
So you're going to start to see more focus around these security events and initiatives. >> So I think that when you go to the, you mentioned re:Inforce a couple times. When you go to re:Inforce, there's a lot of great stuff that Amazon puts forth there. Very positive, it's not that negative. Oh, the world is falling, the sky is falling. And so I like that. However, you don't walk away with an understanding of how they're making the CISOs and the DevOps lives easier once they get beyond the cloud. Of course, it's not Amazon's responsibility. And that's where I think the CNCF really comes in and open source, that's where they pick up. Obviously the cloud's involved, but there's a real opportunity to simplify the lives of the DevSecOps teams and that's what's critical in terms of being able to solve, or at least keep up with this never ending problem. >> Yeah, there's a lot of issues involved. I took some notes here from some of the keynote you heard. Security and education, training and team structure. Detection, incidents that are happening, and how do you respond to that architecture. Identity, isolation, supply chain, and governance and compliance. These are all real things. This is not like hand-waving issues. They're mainstream and they're urgent. Literally the houses are on fire here with the enterprise, so this is going to be very, very important. >> Lisa: That's a great point. >> Some of the other things Priyanka mentioned, exposed edges and nodes. So just when you think we're starting to solve the problem, you got IOT, security's not a one and done task. We've been talking about culture. No person is an island. It's $188 billion business. Cloud native is growing at 27% a year, which just underscores the challenges, and bottom line, practitioners are leading the way. >> Last question for you guys. What are you hoping those practitioners get out of this event, this inaugural event, John? 
>> Well first of all, I think this inaugural event's going to be for them, but also we at theCUBE are going to be doing a lot more security events. RSA's coming up, we're going to be at re:Inforce, we're obviously going to be covering this event. We've got Black Hat, a variety of other events. We'll probably have our own security events really focused on some key areas. So I think the thing that people are going to walk away from this event is that paying attention to these security events are going to be more than just an industry thing. I think you're going to start to see group gatherings or groups convening virtually and physically around core issues. And I think you're going to start to see a community accelerate around cloud native and open source specifically to help teams get faster and better at what they do. So I think the big walkaway for the customers and the practitioners here is that there's a call to arms happening and this is, again, another signal that it's worth breaking out from the core event, but being tied to it, I think that's a good call and I think it's a well good architecture from a CNCF standpoint and a worthy effort, so I give it a thumbs up. We still don't know what it's going to look like. We'll see what day two looks like, but it seems to be experts, practitioners, deep tech, enabling technologies. These are things that tend to be good things to hear when you're at an event. I'll say the business imperative is obvious. >> The purpose of an event like this, and it aligns with theCUBE's mission, is to educate and inspire business technology pros to action. We do it in theCUBE with free content. Obviously this event is a for-pay event, but they are delivering some real value to the community that they can take back to their organizations to make change. And that's what it's all about. >> Yep, that is what it's all about. 
I'm looking forward to seeing over as the months unfold, the impact that this event has on the community and the impact the community has on this event going forward, and really the adoption of cloud native security. Guys, great to have you during this keynote analysis. Looking forward to hearing the conversations that we have on theCUBE today. Thanks so much for joining. And for my guests, for my co-hosts, John Furrier and Dave Vellante. I'm Lisa Martin. You're watching theCUBE's day one coverage of CloudNativeSecurityCon '23. Stick around, we got great content on theCUBE coming up. (upbeat music)
AWS Heroes Panel | Open Cloud Innovations
(upbeat music) >> Hello, and welcome back to AWS Startup Showcase, I'm John Furrier, your host. This is the Hero panel, the AWS Heroes. These are folks that have a lot of experience in Open Source, having fun building great projects and commercializing the value and best practices of Open Source innovation. We've got some great guests here. Liz Rice, Chief Open Source Officer, Isovalent. CUBE alumni, great to see you. Brian LeRoux, who is the Co-founder and CTO of begin.com. Erica Windisch who's an Architect for Developer Experience. AWS Hero, also CUBE alumni. Casey Lee, CTO Gaggle. Doing some great stuff in ed tech. Great collection of experts and experienced folks doing some fun stuff, welcome to this conversation, this CUBE panel. >> Hi. >> Thanks for having us. >> Hello. >> Let's go down the line. >> I don't normally do this, but since we're remote and we have such great guests, go down the line and talk about why Open Source is important to you guys. What projects are you currently working on? And what's the coolest thing going on there? Liz we'll start with you. >> Okay, so I am very involved in the world of Cloud Native. I'm the chair of the technical oversight committee for the Cloud Native Computing Foundation. So that means I get to see a lot of what's going on across a very broad range of Cloud Native projects. More specifically, Isovalent. I focus on Cilium, which is based on a technology called eBPF. That is to me, probably the most exciting technology right now. And then finally, I'm also involved in an organization called OpenUK, which is really pushing for more use of open technologies here in the United Kingdom. So spread around lots of different projects. And I'm in a really fortunate position, I think, to see what's happening with lots of projects and also the commercialization of lots of projects. >> Awesome, Brian what project are you working on? >> Working project these days called Architect. 
It's an Open Source project built on top of AWS SAM. It adds a lot of sugar and terseness to the SAM experience and just makes it a lot easier to work with and get started. AWS can be a little bit intimidating to people at times. And the Open Source community is stepping up to make some of that on-ramp a little bit easier. And I'm also an Apache member. And so I keep a hairy eyeball on what's going on in that reality all the time. And I've been doing this open-source thing for quite a while, and yeah, I love it. It's a great thing. It's real science. We get to verify each other's work and we get to expand and build on human knowledge. So that's a huge honor to just even be able to do that and I feel stoked to be here so thanks for having me. >> Awesome, yeah, and totally great. Erica, what's your current situation going on here? What's happening? >> Sure, so I am currently working on developer experience of a number of Open Source SDKs and CLI components from my current employer. And previously, recently I left New Relic where I was working on integrating with OpenTelemetry, as well as a number of other things. Before that I was a maintainer of Docker and of OpenStack. So I've been in this game for a while as well. And I tend to just put my fingers in a lot of little pies anywhere from DVD players 20 years ago to a lot of this open telemetry and monitoring and various SDKs and developer tools is where like Docker and OpenStack and the SDKs that I work on now, all very much focusing on developer as the user. >> Yeah, you're always on the wave, Erica great stuff. Casey, what's going on? Do you got some great ed techs happening? What's happening with you? >> Yeah, sure. The primary Open Source project that I'm contributing to right now is act. This is a tool I created a couple of years back when GitHub Actions first came out, and my motivation there was I'm just impatient. And that whole commit, push, wait time where you're testing out your pipelines is painful. 
And so I wanted to build a tool that allowed developers to test out their GitHub Actions workflows locally. And so this tool uses Docker containers to emulate the GitHub Actions environment and gives you fast feedback on those workflows that you're building. Lot of innovation happening at GitHub. And so we're just trying to keep up and continue to replicate those new features functionalities in the local runner. And the biggest challenge I've had with this project is just keeping up with the community. We just passed 20,000 stars, and it's a normal week to get like 10 PRs. So super excited to announce just yesterday, actually I invited four of the most active contributors to help me with maintaining the project. And so this is like a big deal for me, letting the project go and bringing other people in to help lead it. So, yeah, huge shout out to those folks that have been helping with driving that project. So looking forward to what's next for it. >> Great, we'll make sure the SiliconANGLE writers catch that quote there. Great call out. Let's start, Brian, you made me realize when you mentioned Apache and then you've been watching all the stuff going on, it brings up the question of the evolution of Open Source, and the commercialization trends have been very interesting these days. You're seeing CloudScale really impact also with the growth of code. And Liz, if you remember, the Linux Foundation keeps making projections and they keep blowing past them every year on more and more code and more and more entrants coming in, not just individuals, corporations. So you're starting to see Netflix donates something, you got Lyft donate some stuff, becomes a project company forms around it. There's a lot of entrepreneurial activity that's creating this new abstraction layers, new platforms, not just tools. So you start to see a new kickup trajectory with Open Source. 
You guys want to comment on this because this is going to impact how fast the enterprise will see value here. >> I think a really great example of that is a project called Backstage that's just come out of Spotify. And it's going through the incubation process at the CNCF. And that's why it's front of mind for me right now, 'cause I've been working on the due diligence for that. And the reason why I thought it was interesting in relation to your question is it's spun out of Spotify. It's fully Open Source. They have a ton of different enterprises using it as this developer portal, but they're starting to see some startups emerging offering like a hosted managed version of Backstage or offering services around Backstage or offering commercial plugins into Backstage. And I think it's really fascinating to see those ecosystems building up around a project and different ways that people can. I'm a big believer. You cannot sell the Open Source code, but you can sell other things that create value around Open Source projects. So that's really exciting to see. >> Great point. Anyone else want to weigh in and react to that? Because it's the new model. It's not the old way. I mean, I remember when I was in college, we had the Pirate software. Open Source wasn't around. So you had to deal under the table. Now it's free. But I mean the old way was you had to convince the enterprise, like you've got a hard knit, it builds the community and the community manage the quality of the code. And then you had to build the company to make sure they could support it. Now the companies are actually involved in it, right? And then new startups are forming faster. And the proof points are shorter and highly accelerated for that. I mean, it's a whole new- >> It's a Cambrian explosion, and it's great. It's one of those things that it's challenging for the new developers because they come in and they're like, "Whoa, what is all this stuff that I'm supposed to figure out?" 
And there's no right answer and there's no wrong answer. There's just tons of it. And I think that there's a desire for us to have one sort of well-known trot and happy path, that audience we're a lot better with a more diverse community, with lots of options, with lots of ways to approach these problems. And I think it's just great. A challenge that we have with all these options and all these Cambrian explosion of projects and all these competing ideas, right now, the sustainability, it's a bit of a tricky question to answer. We know that there's a commercialization aspect that helps us fund these projects, but how we compose the open versus the commercial source is still a bit of a tricky question and a tough one for a lot of folks. >> Erica, would you chime in on that for a second. I want to get your angle on that, this experience and all this code, and I'm a new person, I'm an existing person. Do I get like a blue check mark and verify? I mean, these are questions like, well, how do you navigate? >> Yeah, I think this has been something happening for a while. I mean, back in the early OpenStack days, 2010, for instance, Rackspace open sourcing OpenStack, and Anso Labs and so forth, and then trying, having all these companies forming and creating startups around this. I started at a company called Cloudscaling back in late 2010, and we had some competitors such as Piston and so forth where a lot of the Anso Labs people went. But then, the real winners, I think from OpenStack ended up being the enterprises that jumped in. We had Red Hat in particular, as well as HP and IBM jumping in and investing in OpenStack, and really proving out a lot of... not that it was the first time, but this is when we started seeing billions of dollars pouring into Open Source projects and Open Source Foundations, such as the OpenStack Foundation, which preceded a lot of the things that we now see with the Linux Foundation, which was then created a little bit later. 
And at the same time, I'm also reflecting a little bit what Brian said because there are projects that don't get funded, that don't get the same attention, but they're also getting used quite significantly. Things like Log4j really bringing this to the spotlight in terms of projects that are used everywhere by everything with significant outsized impacts on the industry that are not getting funded, that aren't flashy enough, that aren't exciting enough because it's just logging, but a vulnerability in it brings everything and everybody down and has possibly billions of dollars of impact to our industry because nobody wanted to fund this project. >> I think that brings up the commercialization point about maybe bringing a venture capital model in saying, "Hey, that boring little logging thing could be a key ingredient for say solving some observability problems so I think let's put some cash." Again then we'd never seen that before. Now you're starting to see that kind of a real smart investment thesis going into Open Source projects. I mean, Prometheus, Grafana, these are projects that turned off companies. This is turning up companies. >> A decade ago, there was no money in Dev tools that I think that's been fully debunked now. There used to be a concept that the venture community believed, but there's just too much evidence to the contrary, the companies like HashiCorp, Datadog, the list goes on and on. I think the challenge for the Open Source (indistinct) comes back to foundations and working (indistinct) these developers make this code safe and secure. >> Casey, what's your reaction to all of this? You've got, so a project has gained some traction, got some momentum. There's a lot of mission critical. I won't say white spaces, but the opportunities in the big cloud game happening. And there's a lot of, I won't say too many entrepreneurial, but there's a lot of community action happening that's precommercialization that's getting traction. 
How does this all develop naturally and then vector in quickly when it hits? >> Yeah, I want to go back to the Log4j topic real quick. I think that it's a great example of an area that we need to do better at. And there was a cool article that Rob Pike wrote describing how to quantify the criticality. I think that's sort of quantifying criticality was the article he wrote on how to use metrics, to determine how valuable, how important a piece of Open Source is to the community. And we really need to highlight that more. We need a way to make it more clear how important this software is, how many people depend on it and how many people are contributing to it. And because right now we all do that. Like if I'm going to evaluate an Open Source software, sure, I'll look at how many stars it has and how many contributors it has. But I got to go through and do all that work myself and come up with. It would be really great if we had an agreed upon method for ranking the criticality of software, but then also the risk, hey, that this is used by a ton of people, but nobody's contributing to it anymore. That's a concern. And that would be great to potential users of that to signal whether or not it makes sense. The Open Source Security Foundation, just getting off the ground, they're doing some work in this space, and I'm really excited to see where they go with that looking at ways to score criticality. >> Well, this brings up a good point while we've got everyone here, let's take a plug and plug a project you think that's not getting the visibility it needs. Let's go through each of you, point out a project that you think people should be looking at and talking about that might get some free visibility here. Anyone want to highlight projects they think should be focused more on, or that needs a little bit of love? 
>> I think, I mean, particularly if we're talking about these sort of vulnerability issues, there's a ton of work going on, like in the Secure Software Foundation, other foundations, I think there's work going on in Apache somewhere as well around the bill of material, the software bill of materials, the Secure Software supply chain security, even enumerating your dependencies is not trivial today. So I think there's going to be a ton of people doing really good work on that, as well as the criticality aspect. It's all like that. There's a really great xkcd cartoon with your software project and some really big monolithic lumps. And then, this tiny little piece in a very important point that's maintained by somebody in his bedroom in Montana or something and if you called it out. >> Yeah, you just opened where the next lightning in a bottle comes from. And this is I think the beauty of Open Source is that you get a little collaboration, you get three feet in a cloud of dust going and you get some momentum, and if it's relevant, it rises to the top. I think that's the collective intelligence of Open Source. The question I want to ask the panel here is when you go into an enterprise, and now that the game is changing with a much more collaborative and involved, what's the story if they say, hey, what's in it for me, how do I manage the Open Source? What's the current best practice? Because there's no doubt I can't ignore it. It's in everything we do. How do I organize around it? How do I build around it to be more efficient and more productive and reduce the risk on vulnerabilities to managing staff, making sure the right teams in place, the right agility and all those things? >> You called it, they got to get skin in the game. They need to be active and involved and donating to a sustainable Open Source project is a great way to start. But if you really want to be active, then you should be committing. 
You should have a goal for your organization to be contributing back to that project. Maybe not committing code, it could be committing resources into the docs or in the tests, or even tweeting about an Open Source project is contributing to it. And I think a lot of these enterprises could benefit a lot from getting more active with the Open Source Foundations that are out there. >> Liz, you've been actively involved. I know we've talked personally when the CNCF started, which had a great commercial uptake from companies. What do you think the current state-of-the-art kind of equation is, has it changed a little bit? Or is it the game still the same? >> Yeah, and in the early days of the CNCF, it was very much dominated by vendors behind the project. And now we're seeing more and more membership from end-user companies, the kind of enterprises that are building their businesses on Cloud Native, but their business is not in itself. That's not there. The infrastructure is not their business. And I think seeing those companies, putting money in, putting time in, as Brian says contributing resources quite often, there's enough money, but finding the talent to do the work and finding people who are prepared to actually chop the wood and carry the water, >> Exactly. >> that it's hard. >> And if enterprises can find people to spend time on Open Source projects, help with those chores, it's hugely valuable. And it's one of those the rising tide floats all the boats. We can raise security, we can reduce the amount of dependency on unmaintained projects collectively. >> I think the business models there, I think one of the things I'll react to and then get your guys' comments is remember which KubeCon it was, it was one of the early ones. And I remember seeing Apple having a booth, but nobody was manning. It was just an Apple booth. They weren't doing anything, but they were recruiting. 
And I think you saw the transition of a business model where the worry about a big vendor taking over a project and having undue influence over it goes away because I think this idea of participation is also talent, but also committing that talent back into the communities as a model, as a business model, like, okay, hire some great people, but listen, don't screw up the Open Source piece of it 'cause that's a critical. >> Also hire a channel, right? They can use those contributions to source that talent and build the reputation in the communities that they depend on. And so there's really a lot of benefit to the larger organizations that can do this. They'll have a huge pipeline of really qualified engineers right out the gate without having to resort to cheesy whiteboard interviews, which is pretty great. >> Yeah, I agree with a lot of this. One of my concerns is that a lot of these corporations tend to focus very narrowly on certain projects, which they feel that they depend greatly, they'll invest in OpenStack, they'll invest in Docker, they'll invest in some of the CNCF projects. And then these other projects get ignored. Something that I've been a proponent of for a little bit for a while is observability of your dependencies. And I don't think there's quite enough projects and solutions to this. And it sounds maybe from Liz, there are some projects that I don't know about, but I also know that there's some startups like Snyk and so forth that help with a little bit of this problem, but I think we need more focus on some of these edges. And I think companies need to do better, both in providing, having some sort of solution for observability of the dependencies, as well as understanding those dependencies and managing them. 
I've seen companies for instance, depending on software that they actively don't want to use based on a certain criteria that they already set projects, like they'll set a requirement that any project that they use has a code of conduct, but they'll then use projects that don't have codes of conduct. And if they don't have a code of conduct, then employees are prohibited from working on those projects. So you've locked yourself into a place where you're depending on software that you have instructed, your employees are not allowed to contribute to, for certain legal and other reasons. So you need to draw a line in the sand and then recognize that those projects are ones that you don't want to consume, and then not use them, and have observability around these things. >> That's a great point. I think we have 10 minutes left. I want to just shift to a topic that I think is relevant. And that is as Open Source software, software, people develop software, you see under the hood kind of software, SREs developing very quickly in the CloudScale, but also you've got your classic software developers who were writing code. So you have supply chain, software supply chain challenges. You mentioned developer experience around how to code. You have now automation in place. So you've got the development of all these things that are happening. Like I just want to write software. Some people want to get and do infrastructure as code so DevSecOps is here. So how does that look like going forward? How has the future of Open Source going to make the developers just want to code quickly? And the folks who want to tweak the infrastructure a bit more efficient, any views on that? >> At Gaggle, we're using AWS' CDK, exclusively for our infrastructure as code. 
And it's a great transition for developers instead of writing YAML or JSON, or even HCL for their infrastructure code, now they're writing code in the language that they're used to Python or JavaScript, and what that's providing is an easier transition for developers into that Infrastructure as code at Gaggle here, but it's also providing an opportunity to provide reusable constructs that some Devs can build on. So if we've got a very opinionated way to deploy a serverless app in a database and do auto-scaling behind and all stuff, we can present that to a developer as a library, and they can just consume it as it is. Maybe that's as deep as they want to go and they're happy with that. But then they want to go deeper into it, they can either use some of the lower level constructs or create PRs to the platform team to have those constructs changed to fit their needs. So it provides a nice on-ramp for developers to use the tools and languages they're used to, and then also go deeper as they need. >> That's awesome. Does that mean they're not full stack developers anymore that they're half stack developers they're taking care of for them? >> I don't know either. >> We'll in. >> No, only kidding. Anyway, any other reactions to this whole? I just want to code, make it easy for me, and some people want to get down and dirty under the hood. >> So I think that for me, Docker was always a key part of this. I don't know when DevSecOps was coined exactly, but I was talking with people about it back in 2012. And when I joined Docker, it was a part of that vision for me, was that Docker was applying these security principles by default for your application. It wasn't, I mean, yes, everybody adopted because of the portability and the acceleration of development, but it was for me, the fact that it was limiting what you could do from a security angle by default, and then giving you these tunables that you can control it further. 
You asked about a project that may not get enough recognition is something called DockerSlim, which is designed to optimize your containers and will make them smaller, but it also constrains the security footprint, and will remove capabilities from the container. It will help you build security profiles for AppArmor and the Red Hat one. SELinux. >> SELinux. >> Yeah, and this is something that I think a lot of developers, it's kind of outside of the realm of things that they're really thinking about. So the more that we can automate those processes and make it easier out of the box for users or for... when I say users, I mean, developers, so that it's straightforward and automatic and also giving them the capability of refining it and tuning it as needed, or simply choosing platforms like serverless offerings, which have these security constraints built in out of the box and sometimes maybe less tuneable, but very strong by default. And I think that's a good place for us to be is where we just enforced these things and make you do things in a secure way. >> Yeah, I'm a huge fan of Kubernetes, but it's not the right hammer for every nail. And there are absolutely tons of applications that are better served by something like Lambda where a lot more of that security surface is taken care of for the developer. And I think we will see better tooling around security profiling and making it easier to shrink wrap your applications that there are plenty of products out there that can help you with this in a cloud native environment. But I think for the smaller developer let's say, or an earlier stage company, yeah, it needs to be so much more straightforward. Really does. >> Really an interesting time, 10 years ago, when I was working at Adobe, we used to requisition all these analysts to tell us how many developers there were for the market. And we thought there was about 20 million developers. 
If GitHub's to be believed, we think there is now around 80 million developers. So both these groups are probably wrong in their numbers, but the takeaway here for me is that we've got a lot of new developers and a lot of these new developers are really struck by a paradox of choice. And they're typically starting on the front end. And so there's a lot of movement in the stack moved towards the front end. We saw that at re:Invent when Amazon was really pushing Amplify 'cause they're seeing this too. It's interesting because this is where folks start. And so a lot of the abstractions are moving in that direction, but maybe not always necessarily totally appropriate. And so finding the right balance for folks is still a work in progress. Like Lambda is a great example. It lets me focus totally on just business logic. I don't have to think about infrastructure pretty much at all. And if I'm newer to the industry, that makes a lot of sense to me. As use cases expand, all of a sudden, reality intervenes, and it might not be appropriate for everything. And so figuring out what those edges are, is still the challenge, I think. >> All right, thank you very much for coming on the CUBE here panel. AWS Heroes, thanks everyone for coming. I really appreciate it, thank you. >> Thank you. >> Thank you. >> Okay. >> Thanks for having me. >> Okay, that's a wrap here back to the program and the awesome startups. Thanks for watching. (upbeat music)
Priyanka Sharma, CNCF | KubeCon + CloudNativeCon Europe 2020 – Virtual
>> From around the globe, it's theCUBE, with coverage of KubeCon and CloudNativeCon Europe 2020 virtual. Brought to you by Red Hat, the Cloud Native Computing Foundation and ecosystem partners. >> Welcome back I'm Stu Miniman. And this is theCUBE coverage of KubeCon CloudNativeCon 2020, the Europe virtual edition. Happy to welcome back to the program, fresh off the keynote stage, Priyanka Sharma. She's the general manager of the CNCF. Priyanka, thanks so much for joining us. Great to see you. And we all get to be together even while we're apart. >> That's absolutely right. Thank you so much for having me Stu and great energy in the interwebs today with my keynote and everybody engaging and attending KubeCon. So, very happy to be here. >> All right, so I want to dig into your keynote a little bit. I had a bunch of key themes, a lot of pieces, and of course, community at the heart of it. When I spoke with you when you first took the job, of course, you've got strong background, you know this community really well. We've loved covering it for the last five years, but you talked about the foundation of doers and how that's powering the end-user-driven open source. So talk to us a little bit about that, how is this community different from everything else. You know, open source always is community, but this feels a little bit special. >> Well, I'm glad to hear you say that, it is special. Yes, so when you think about the Cloud Native Ecosystem, right? There's so many people who've come together to create this amazing field that we all get to create. The awesome technology that people use to be part of this whole technology creation and deployment process. Those people are the end users first and foremost, they utilize the technology every day. And as time has grown, as time has gone by, they have played a bigger and bigger role. 
Over time they've become very sophisticated, they're contributing their own projects such as you know, I mean, you all know Envoy and a Jaeger came from Lyft and Uber respectively, but there's many more like Spotify and Wayfair, the furniture company. They have all submitted projects for the sandbox. So there was a lot of momentum, but not only are they creating their own technologies very needed and donating them. They're becoming the guider. They're becoming the guidance for the project that exists. They're giving feedback, they're sharing requirements. It's a very collaborative process and that's what is end-user-driven open source. Now this end user-driven-open source cannot happen by one contributor alone by one maintainer or alone by one company. No, it takes a lot of people. I mean, CNCF, as you know, has invested in its global community since day one. That's why we have the KubeCon EU, we have China events, we have North America. And just the other day I was speaking on a virtual Brazil event. There's just the geographic diversity is amazing. And by being able to reach out to a very large ecosystem and by especially having a formal role for end users, by having an end user member program with their own special interest groups and working groups, we've created a safe space where there is a neutral IP zone, open governance, and also a clear directive and shared partnership with the end users. So that ends up being a large group of people who are all doers, everybody's collaboration matters, and together they create end user-driven-open source. >> Well, Priyanka, I'm not sure that that most people understand really the full charter of what the CNCF does. So maybe you could talk a little bit about, obviously there's all the projects involved. You just brought up some of the end users and how you get engaged. There's also help along career development, when you talk to the individual developers and participants. 
So help us understand beyond the big events that we gather people at any given time with the smaller events, just, you know, what the CNCF its charter as these days. >> Absolutely, so as some of you know, the CNCF stands for Cloud Native Computing Foundation. And our objective is to host and proliferate technologies that support development, infrastructure development that is cloud native. Now what does cloud native mean, cloud native is when you develop, when you utilize cloud computing, which is the big clouds you must have heard of such as, Alibaba cloud, AWS, Google cloud platform, Azure, IBM, all these hyperscalers. They provide these offerings by which you don't need to have your own server farm, and you can buy compute from them and run your applications on that. When you do that, the way you develop software changes, it should change in order to maximize the value you get. So you started developing with micro services, containerization happens once that happens you need to orchestrate the containers, which is where Kubernetes our founding project comes in. And then you go from there because you have different complexities and observability, you have different complexities and storage and all the cloud native tech comes together to support you in that journey. So from a technology perspective that's what we do. As we have been so fortunate to develop this large ecosystem that so many people joining in of all kinds, we believe it is part of our responsibility to support this community in skill development and always like knowledge sharing. So knowledge sharing community empowers education. And that's how we talked about the events, right? Like KubeCon et cetera. But also these days, we are focusing a lot on our programs with the certifications we offer such as a CKA, which stands for a Certified Kubernetes Admin and CKAD, which stands for Certified Kubernetes Application Developer. To date, 15,000 plus people have taken these certifications successfully. 
So we have more and more people joining in these ranks. And we are here to support people as they build their careers, as they get more knowledgeable on cloud native, in formal ways, such as training edX and in informal ways, such as KubeCon and the Meetups and the Webinars, you name it, and we're here for you. >> Well, you used a word that I want to touch on, responsibility, obviously in 2020, there's a lot going on Priyanka. So first of all, you talk about the global pandemic. Some of my favorite interviews I've done for this shows and others talking about how open source and communities are contributing to it. One of the interviews I have coming up for the KubeCon show is out of the Toronto area with HowsMyFlattening, which uses data and visualization, really phenomenal to see how, you know, Kubernetes and collaboration allowed people to rally fast and share data and get information from the right people. The other piece is social justice. You announced a new working group for racial terminology, talk about, how's the CNCF dealing with, all the changes and all the things that are happening in 2020. And how are you helping the community get engaged and participate? >> Absolutely. 2020 is a very unique year. It's had very unique challenges. We've all been through it out together as a global community. So in that way, it has brought us all together, but the fissures and cracks that maybe were overlooked before have gotten deeper this year. And we are committed to bringing the open source cloud native way to help support this full global push to overcome 2020 as a year. (laughs) So part of that as you said, we have a working group to eradicate racially charged tech, sorry, I am really not speaking well to that. 
So part of our initiatives is a working group to eradicate racially charged terminology from code we're working on it, not just on the CNCF level, but on the entire Linux foundation level, by bringing together various folks, such as companies projects, regardless of where they stand, they don't need to be an LF project or a CNCF project, but we're sharing best practices on What should be the terminology we agree upon? What is the change management look like? And soon we want to really encourage the people who are making these positive steps with and enablement and incentive programs, such as prizes, et cetera. So I'm very committed to this. I think anyone and everyone has a home in open source. This cannot be, you know, the take ground of one type of person or one type of community. And we're going to do our very best to welcome each and every one. This world of technology has been built by the blood, sweat, and tears off many people, and we honor them all. And we also open our arms to more and more of you, no matter how few of people from your ecosystem or community you see in open source, join in, we welcome you.. we are here for you and this working group and this initiative hopes to voice exactly just that. >> Well, yeah, the KubeCons absolutely. I can speak from the event I've gone to, you know, strong diversity. We've really appreciated being able to hear those voices. When you talk about the collaboration, the community activity, we'd love when we can help support those from our team's standpoint, when we can, we want to be able to help those nonprofits, help those communities get their messages and do their call to actions. All right, Priyanka so much to cover. 
This week when I look at all the breakouts, when I look at the interviews and the technologies, there's a lot of emerging themes also in edge computing has been something we've been talking about for the last year or two, of course, IOT, DevSecOps, what are some of the hot technologies that you're seeing and making sure that the show covers. >> Well, you said them all. (laughs) No, but these are the key themes. Yes, absolutely. As you know, devices are proliferating across the globe. So many people have cell phones, with the coming of 5G things will be even more rocket ship. And these folks need to go cloud native to support development as this change happens, and Kubernetes and CNCF is here to support. We have projects such as KubeEdge. We have k3s from Rancher and the sandbox, all these are meant for edge deployment. So there's that focus that we have. There's always going to be DevSecOps. The minute there is this complexity, the minute there's this growth, new security vulnerabilities, pop up, new interfaces become exposed. And so we have to be on a constant watch. So DevSecOps is a theme that we are going to see a lot of innovation and development in. For anyone who may not be familiar with DevSecOps, DevSecOps does for security, what DevOps did for operations, which is shifted left into the application developers workflow, so that things have got faster so that there is a better collaboration between security teams and application development team. So these are absolutely trends, I think a trend we briefly touched upon is, end-user-driven open source. I think the voice of end users is going to grow bigger and more louder and just that much more critical. The ship has left the dock. And now it's just going to gain steam and gain steam. I think we're going to see more technology contributions from them. We're going to see much more utilization of cloud native from them. And we also will get lots of feedback and advice from them. 
And they'll be interwoven into the fabric of cloud native in a way like never before. >> Yeah, Priyanka, you've known this community, but now you're very steeped into it. You had to work with a lot of people. I'm curious, does anything, especially from those end users, you know, a big focus of what you've been talking about. Absolutely, it's so important that they not just use the technology, but are participate in it. It's been one of those big waves we've been watching in the open source community for a number of years. So any insight you can give us as to why it is so important to those end users, what is encouraging them, not just to use these projects, but, you know, assign people and sponsor events and have much deeper integration with this community. >> They don't integrate with this community. They are part of this community. That's one key thing to remember. I would say, when we all, like, I mean, CNCF is relatively young, it started end of 2015. I started working on a project in it in 2016. And back then we were talking about things like, what are microservices? How to do a lift and shift to the cloud, or what are containers, things like that, right? And there was maybe a bit of a gap in the knowledge that people had to acquire to get good at deploying containers, that's using microservices, et cetera, et cetera. Now, in the last four years, huge leaps have been made by end users just because they were in the trenches, they were doing the work, right? So now their knowledge level has gone really up. And they've also started like knowing where the gaps are, what they need, because they're doing the building, they're the doers here. And so in that environment, it is a natural thing that they will have the best sense of where things should go next. They will have the best sense of what their own requirements are. And so it's an evolution of the end user community. It's an evolution of the doers. And I think that's why this trend is going to continue. 
And I would like to take like, not a credit, but I would say a tiny shoutout to the CNCF ecosystem program, which is run by Cheryl on my team. She's done a phenomenal job having been a developer herself to bring people and create safe spaces where the enhancers or the vendors are not like necessarily breathing down their neck and they can discuss amongst each other, the topics that matter. And I think that's gone a really long way. >> Yeah. There's, Cheryl's been doing some great work. I know I'm having a conversation with Liz Rice to talk about some of the new pooling, helping customers understand. It's such a broad ecosystem out there that, you know, we didn't even touch on. We're going to talk in many of the other interviews I have Priyanka. There's so many projects, new ways for sandbox and incubation and everything like that. It is definitely a challenge for everybody to look at this space. Want to give you the final word though. What do you want people to have as their takeaway from the event this time? >> Absolutely. Hi everybody. I am so happy. You all took the time and engaged with the community you joined in and attended KubeCon EU virtual, stay with us, partnering with us, come to our events, give us feedback, share ideas. We're all a foundation of doers. We're all team cloud native, and we're in this together. We will go through 2020, we'll come out strong. And this is just the beginning. >> Well, Priyanka, thank you so much. We love the partnership with the CNCF and definitely happy to be able to participate in the event again this year. >> Absolutely. Thank you so much Stu. >> All right, and stay tuned. Lots of coverage here from KubeCon, CloudNativeCon 2020 Europe the virtual edition. I'm Stu Miniman. And thank you as always for watching theCUBE. (upbeat music)
Keynote Analysis | KubeCon + CloudNativeCon Europe 2020 – Virtual
>> From around the globe, it's theCUBE! With coverage of KubeCon and CloudNativeCon Europe 2020, virtual. Brought to you by Red Hat, the Cloud Native Computing Foundation, and ecosystem partners. >> Hi, I'm Stu Miniman and welcome to theCUBE's coverage of KubeCon CloudNativeCon 2020 in Europe. Of course the event this year was supposed to be in the Netherlands, I know I was very much looking forward to going to Amsterdam. This year of course it's going to be virtual, I'm really excited theCUBE's coverage, we've got some great members of the CNCF, we've got a bunch of end users, we've got some good thought leaders, and I'm also bringing a little bit of the Netherlands to help me bring in and start this keynote analysis, happy to welcome back to the program my cohost for the show, Joep Piscaer, who is an industry analyst with TLA. Thank you, Joep, so much for joining us, and we wish we could be with you in person, and check out your beautiful country. >> Absolutely, thanks for having me Stu, and I'm still a little disappointed we cannot eat the (indistinct foreign term) rijsttafel together this year. >> Oh, yeah, can we just have a segment to explain to people the wonder that is the fusion of Indonesian food and the display that you get only in the Netherlands? Rijsttafel, I seriously had checked all over the US and Canada, when I was younger, to find an equivalent, but one of my favorite culinary delights in the world, but we'll have to put a pin in that. You've had some warm weather in the Netherlands recently, and so many of the Europeans take quite a lot of time off in July and August, but we're going to talk about some hardcore tech, KubeCon, a show we love doing, the European show brings good diversity of experiences and customers from across the globe. So, let's start, the keynote, Priyanka Sharma, the new general manager of the CNCF, of course, just some really smart people that come out and talk about a lot of things. 
And since it's a foundation show, there's some news in there, but it's more about how they're helping corral all of these projects, of course, a theme we've talked about for a while is KubeCon was the big discussion for many years about Kubernetes, still important, and we'll talk about that, but so many different projects and everything from the sandbox, their incubation, through when they become fully, generally available, so, I guess I'll let you start and step back and say when you look at this broad ecosystem, you work with vendors, you've been from the customer side, what's top of mind for you, what's catching your attention? >> So, I guess from a cloud-native perspective, looking at the CNCF, I think you hit the nail on the head. This is not about any individual technology, isn't about just Kubernetes or just Prometheus, or just service mesh. I think the added value of the CNCF, and the way I look at it at least, looking back at my customer perspective, I would've loved to have a organization curate the technology world around me, for me. To help me out with the decisions on a technology perspective that I needed to make to kind of move forward with my IT stack, and with the requirements my customer had, or my organization had, to kind of move that into the next phase. That is where I see the CNCF come in and do their job really well, to help organizations, both on the vendor side as well as on the customer side, take that next step, see around the corner, what's new, what's coming, and also make sure that between different, maybe even competing standards, the right ones surface up and become the de facto standard for organizations to use. 
>> Yeah, a lot of good thoughts there, Joep, I want to walk through that stack a little bit, but before we do, big statement that Priyanka made, I thought it was a nice umbrella for her keynote, it's a foundation of doers powering end user driven open-source, so as I mentioned, you worked at a service provider, you've done strategies for some other large organizations, what's your thought on the role of how the end users engage with and contribute to open-source? One of the great findings I saw a couple years ago, as you said, it went from open-source being something that people did on the weekend to the sides, to many end users, and of course lots of vendors, have full-time people that their jobs are to contribute and participate in the open-source communities. >> Yeah, I guess that kind of signals a maturity in the market to me, where organizations are investing in open-source because they know they're going to get something out of it. So back in the day, it was not necessarily certain that if you put a lot of effort into an open-source project, for your own gain, for your own purposes, that that would work out, and that with the backing of the CNCF, as well as so many member organizations and end user organizations, I think participating in open-source becomes easier, because there's more of a guarantee that what you put in will kind of circulate, and come out and have value for you, in a different way. Because if you're working on a service mesh, some other organization might be working on Prometheus, or Kubernetes, or another project, and some organizations are now kind of helping each other with the CNCF as the gatekeeper, to move all of those technology stacks forward, instead of everyone doing it for themselves. Maybe even being forced to reinvent the wheel for some of those technology components. 
>> So let's walk through the stack a little bit, and the layers that are out there, so let's start with Kubernetes, the discussion has been Kubernetes won the container orchestration battles, but whose Kubernetes am I going to use? For a while it was would it be distributions, we've seen every platform basically has at least one Kubernetes option built into it, so doesn't mean you're necessarily using this, before AWS had their own flavor of Kubernetes, there was at least 15 different ways that you could run Kubernetes on top of it, but now they have ECS, they have EKS, even things like Fargate now work with EKS, so interesting innovation and adoption there. But VMware baked Kubernetes into vSphere 7. Red Hat of course, with OpenShift, has thousands of customers and has great momentum, we saw SUSE buy Rancher to help them move along and make sure that they get embedded there. One of the startups you've worked with, Spectro Cloud, helps play into the mix there, so there is no shortage of options, and then from a management standpoint, companies like Microsoft, Google, VMware, Red Hat, all, how do I manage across clusters, because it's not going to just be one Kubernetes that you're going to use, we're expecting that you're going to have multiple options out there, so it sure doesn't sound boring to me yet, or reached full maturity, Joep. What's your take, what advice do you give to people out there when they say "Hey, okay, I'm going to use Kubernetes," I've got hybrid cloud, or I probably have a couple things, how should they be approaching that and thinking about how they engage with Kubernetes? >> So that's a difficult one, because it can go so many different ways, just because, like you said, the market is maturing. Which means, we're kind of back at where we left off virtualization a couple years ago, where we had managers of managers, managing across different data centers, doing the multicloud thing before it was a cloud thing. 
We have automation doing day two operations, I saw one of the announcements for this week will be a vendor coming out with day two operations automation, to kind of help simplify that stack of Kubernetes in production. And so the best advice I think I have is, don't try to do it all yourself, right, so Kubernetes is still maturing, it is still fairly open, in a sense that you can change everything, which makes it fairly complex to use and configure. So don't try and do that part yourself, necessarily, either use a managed service, which there are a bunch of, Spectro Cloud, for example, as well as Platform9, even the bigger players are now having those platforms. Because in the end, Kubernetes is kind of the foundation of what you're going to do on top of it. Kubernetes itself doesn't have business value in that sense, so spending a lot of time, especially at the beginning of a project, figuring that part out, I don't think makes sense, especially if the risk and the impact of making mistakes is fairly large. Like, make a mistake in a monitoring product, and you'll be able to fix that problem more easily. But make a mistake in a Kubernetes platform, and that's much more difficult, especially because I see organizations build one cluster to rule them all, instead of leveraging what the cloud offers, which is just spin up another cluster. Even spin it up somewhere else, because we can now do the multicloud thing, we can now manage applications across Kubernetes clusters, we can manage many different clusters from a single pane of glass, so there's really no reason anymore to see that Kubernetes thing as something really difficult that you have to do yourself, hence just do it once. 
Instead, my recommendation would be to look at your processes and figure out, how can I figure out how to have a Kubernetes cluster for everything I do, maybe that's per team, maybe that's per application or per environment, per cloud, and they kind of work from that, because, again, Kubernetes is not the holy grail, it's not the end state, it is a means to an end, to get where we're going with applications, with developing new functionality for customers. >> Well, I think you hit on a really important point, if you look out in the social discussion, sometimes Kubernetes and multicloud get attacked, because when I talk to customers, they shouldn't have a Kubernetes strategy. They have their business strategy, and there are certain things that they're trying to, "How do I make sure everything's secure," and I'm looking at DevSecOps, I need to really have an edge computing strategy because that's going to help my business objectives, and when I look at some of the tools that are going to help and get me there, well, Kubernetes, the service meshes, some of the other tools in the CNCF are going to help me get there, and as you said, I've got managed services, cloud providers, integrators are going to help me build those solutions without me having to spend years to understand how to do that. So yeah, I'd love to hear any interesting projects you're hearing about, edge computing, the security space has gone from super important to even more important if that's possible in 2020. What are you hearing? >> Yeah, so the most interesting part for me is definitely the DevSecOps movement, where we're basically not even allowed to call it DevOps anymore. Security has finally gained a foothold, they're finally able to shift left the security practices into the realm of developers, simplifying it in a way, and automating it in a way that, it's no longer a trivial task to integrate security. 
And there's a lot of companies supporting that, even from a Kubernetes perspective, integrating with Kubernetes or integrating with networking products on top of Kubernetes. And I think we finally have reached a moment in time where security is no longer something that we really need to think about. Again, because CNCF is kind of helping us select the right projects, helping us in the right direction, so that making choices in the security realm becomes easier, and becomes a no-brainer for teams, special security teams, as well as the application development teams, to integrate security. >> Well, Joep, I'm glad to hear we've solved security, we can all go home now. That's awesome. But no, in all seriousness, such an important piece, lots of companies spending time on there, and it does feel that we are starting to get the process and organization around, so that we can attack these challenges a little bit more head-on. How 'about service mesh, it's one of those things that's been a little bit contentious the last couple of years, of course ahead of the show, Google is not donating Istio to the foundation, instead, the trademark's open. I'm going to have an interview with Liz Rice to dig into that piece, in the chess moves, Microsoft is now putting out a service mesh, so as Corey Quinn says, the plural of service mesh must be service meeshes, so, it feels like Mr. Meeseeks, for any Rick and Morty fans, we just keep pressing the button and more of them appear, which may cause us more trouble, but, what's your take, do you have a service mesh coming out, Kelsey Hightower had a fun little thing on Twitter about it, what's the state of the state? >> Yeah, so I won't be publishing a service mesh, maybe I'll try and rickroll someone, but we'll see what happens. But service meshes are, they're still a hot topic, it's still one of the spaces where most discussion is kind of geared towards. 
There is yet to form a single standard, there is yet a single block of companies creating a front to solve that service mesh issue, and I think that's because in the end, service meshes are, from a complexity perspective, they're not mature enough to be able to commoditize into a standard. I think we still need a little while, and maybe ask me this question next year again, and we'll see what happens. But we'll still need a little while to kind of let this market shift and let this market innovate, because I don't think we've reached the end state with service meshes. Also kind of gauging from customer interest and actual production implementations, I don't think this has trickled down from the largest companies that have the most requirements into the smaller companies, the smaller markets, which is something that we do usually see, now Kubernetes is definitely doing that. So in terms of service meshes, I don't think the innovation has reached that endpoint yet, and I think we'll still need a little while, which will mean for the upcoming period, that we'll kind of see this head to head from different companies, trying to gain a foothold, trying to lead a market, introduce their own products. And I think that's okay, and I think the CNCF will continue to kind of curate that experience, up to a point where maybe somewhere in the future we will have a noncompeting standard to finally have something that's commoditized and easy to implement. >> Yeah, it's an interesting piece, one of the things I've always enjoyed when I go to the show is just wander, and the things you bump into are like "Oh my gosh, wow, look at all of these cool little projects." I don't think we are going to stop that Cambrian explosion of innovation and ideas. When you go walk around there's usually over 200 vendors there, and a lot of them are opensource projects. 
I would say many of them, when you have a discussion with them, I'm not sure that there's necessarily a business behind that project, and that's where you also see maturity in spaces. A year or so ago, in the observability space, open tracing helped pull together a couple of pieces. Storage is starting to mature. Doesn't mean we're going to get down to one standard, there's still a couple of storage engines out there, I have some really good discussions this week to go into that, but it goes from, "Boy, storage is a mess," to "Oh, okay, we have a couple of uses," and just like storage in the data center, there's not a box or a protocol to do anything, it's what's your use case, what performance, what clouds, what environments are you living on, and therefore you can do that. So it's good to see lots of new things added, but then they mature out and they consolidate, and as you said, the CNCF is help giving those roadmaps, those maps, the landscapes, which boy, if you go online, they have some really good tools. Go to CNCF, the website, and you can look through, Cheryl Hung put one, I'm trying to remember which, it's basically a bullseye of the ones that, here's the one that's fully baked, and here's the ones that are making its way through, and the customer feedback, and they're going to do more of those to help give guidance, because no one solution is going to fit everybody's needs, and you have these spectrums of offerings. Wild card for you, are there any interesting projects out there, new things that you're hearing about, what areas should people be poking around that might not be the top level big things? >> So, I guess for me, that's really personal because I'm still kind of an infrastructure geek in that sense. So one of the things that really surprised me was a more traditional vendor, Zerto in this case, with a fantastic solution, finally, they're doing data protection for Kubernetes. 
And my recommendation would be to look at companies like Zerto in the data protection space, finally making that move into containers, because even though we've completed the discussion, stateful versus stateless, there's still a lot to be said for thinking about data protection, if you're going to go all-in into containers and into Kubernetes, so that was one that really provoked my thoughts, I really was interested in seeing, "Okay, what's Zerto doing in this list of CNCF members?" And for that matter, I think other vendors like VMware, like Red Hat, like other companies that are moving into this space, with a regained trust in their solutions, is something that I think is really interesting, and absolutely worth exploring during the event, to see what those more traditional companies, to use the term, are doing to innovate with their solutions, and kind of helping the CNCF and the cloud data world, become more enterprise-ready, and that's kind of the point I'm trying to make, where for the longest time, we've had this cloud-native versus traditional, but I always thought of it like cloud-native versus enterprise-ready, or proven technology. This is kind of for the developers doing a new thing, this is for the IT operations teams, and we're kind of seeing those two groups, at least from a technology perspective, being fused into one new blood group, making their way forward and innovating with those technologies. So, I think it's interesting to look at the existing vendors and the CNCF members to see where they're innovating. >> Well, Joep, you connected a dotted line between the cloud-native insights program that I've been doing, you were actually my first guest on that. 
We've got a couple of months worth of episodes out there, and it is closing that gap between what the developers are doing and what the enterprise was, so absolutely, there's architectural pieces, Joep, like you, I'm an infrastructure geek, so I come from those pieces, and there was that gap between, I'm going to use VMs, and now I'm using containers, and I'm looking at things like serverless too, how do we build applications, and is it that bottom-up versus top-down, and what a company's needs, they need to be able to react fast, they need to be able to change along the way, they need to be able to take advantage of the innovation that ecosystems like this have, so, I love the emphasis CNCF has, making sure that the end users are going to have a strong voice, because as you said, the big companies have come in, not just VMware and Red Hat, but, IBM and Dell are behind those two companies, and HPE, Cisco, many others out there that the behemoths out there, not to mention of course the big hyperscale clouds that helped start this, we wouldn't have a lot of this without Google kicking off with Kubernetes, AWS front and center, and an active participant here, and if you talk to the customers, they're all leveraging it, and of course Microsoft, so it is a robust, big ecosystem, Joep, thank you so much for helping us dig into it, definitely hope we can have events back in the Netherlands in the near future, and great to see you as always. >> Thanks for having me. >> All right, stay tuned, we have, as I said, full spectrum of interviews from theCUBE, they'll be broadcasting during the three days, and of course go to theCUBE.net to catch all of what we've done this year at the show, as well as all the back history. Feel free to reach out to me, I'm @Stu on Twitter, and thank you, as always, for watching theCUBE. (calm music)
Stephan Fabel, Canonical | KubeCon + CloudNativeCon EU 2018
>> Announcer: Live from Copenhagen, Denmark, it's the CUBE, covering KubeCon and Cloud Native Con Europe 2018. Brought to you by the Cloud Native Computing Foundation and its ecosystem partners. (busy music) >> Welcome back, everyone, live here in Copenhagen, Denmark, it's the CUBE's coverage of KubeCon 2018. I'm John Furrier, the host of the CUBE, along with Lauren Cooney, who's the founder of Spark Labs. She's been co-host with me two days, two days of wall to wall coverage. Stephan Fabel, Product Strategy Lead at Canonical, is here inside the CUBE, and from San Francisco. Again, welcome to the CUBE, thanks for coming. >> Thank you, thanks so much for having me. >> I've got to, you guys have been around the block, you know about open source software platforms, you get and do it for a while. Interesting time here at KubeCon. Kubernetes, Istio, Kubeflow, Cloud Native, they've still got the brand name CloudNativeCon and KubeCon. Modern application architecture's now in play. I see this notion of an interoperability model coming in that's certainly going to be a de facto standard. People are already kind of declaring it a de facto standard. It really shows a path to multi-cloud, but also frees up developers from a lot of the heavy lifting. Lou Tucker from Cisco was saying they don't want to do networking. Let's just have that be infrastructure as code, that's DevOps, that's what we want. >> Stephan: That is exactly right. >> What are you guys doing here? What's the story with Canonical and how does that fit into the megatrends? >> Yeah, I mean, there's a couple of things that we at Canonical always believe to be one of the core sort of tenets in our distribution of Kubernetes. As you know, we've been very active in this space fairly early on, and have been an active distributor of Kubernetes and a certified distributor of our version of Kubernetes. 
Pure upstream, remain conformant to the main public clouds, such as to enable that workload migration and mobility from on prem up to any of the other providers to accommodate all kinds of use cases, right. >> You guys made a bet on Kubernetes, obviously, good call. >> Stephan: Right. >> Right. What's the progress now, what's next? Because that's, the bets are paying off. I saw Red Hat had a great bet with what they did with Kubernetes, changed what OpenShift became. You guys had a bet in Kubernetes, what has that become for Canonical? >> Yeah, so based on the pure upstream distribution that we have, we really feel that enabling the ecosystem in a standards compliant way so that all of the landscape projects that are part of the CNCF can be deployed on top of Kubernetes, on top of our distribution of Kubernetes in just the same way that they would be developed or deployed in any of the large containers of service offerings that are out there is one of the big benefits that our customers would gain from using our Kubernetes. >> What's your differentiator for the distribution of Kubernetes that you have versus others? >> Well, there's two. The first one, I think, is the notion that deploying Kubernetes on premise is something that you want to do in a repeatable fashion, operationally efficient with the right capex opex mix, so we believe that there is a place for Kubernetes as a product, just deploy it, it works on any substrate that you've got available to you. But then also, for mainstream America, right, you may want to have a managed service on top of Kubernetes as well. We offer that, too, just a way to get started and kick the tires and see where that takes you as far as the developers are concerned. Now, on prem, you will find that there are a couple of challenges when deploying Kubernetes that are really the key differentiator. 
The first one, I would say, is things like integration into the storage that's local, integration into the network that's local, and integration into all of those services that should be available in the Cloud Native microservices architecture platform, such as load balancers, right, elasticity, object store, etc. The second, and most importantly, because it is a key enabler for those next generation workloads, is the GPGPU enablement work that we're doing with partners such as NVIDIA. When you deploy the Canonical distribution of Kubernetes, you actually get the NVIDIA acceleration out of the box the way that NVIDIA envisions this on top of Kubernetes and the way that it is, by the way, being deployed on the public clouds. >> You bring a lot of your goodness to the table inside the Kubernetes distribution. OK, what are some customers doing? Give some use cases of some customers' Kubernetes, what are some of the things that they're doing with it, what's the early indication? What's the feedback? >> Sure. We have a ton of customers that are using our version of Kubernetes to do the machine learning applications and the AI of the next gen workloads in use cases such as smart cities or connected cars, where, when you look at self-driving cars, right, as the next gen that's coming out of the valley, they put in 300,000, 150,000, 400,000 miles a year on the road these days just optimizing the models that are being used to actually take over one day. Enabling those kinds of workloads in a distributed fashion requires DevOps expertise. Now, the people who are actually writing those applications are not DevOps people, they're data scientists, right. They shouldn't have to learn how to deploy Kubernetes, how to create a container and all those things. They should just be able to deploy the application on top of an attractive substrate that actually supports that distributed application use case, and so that is where we come in. 
>> This is interesting, because what you're basically doing is making an application developer a DevOps developer overnight. >> Stephan: That's exactly right. >> That's really important. I was just talking with the co-chair of CNCF. We're talking about, Liz Rice and I were talking about why everyone's so, like, excited here. One of the things I said was, because people who are doing DevOps were hardcore, and they had to build everything from scratch, and all the scar tissue. But the benefits, once you got through the knothole there, the benefits were amazing, right. You go, okay, you don't want to do that again, but now there's a way to make it easier. There's kind of a shared experience even though no one's met each other, so there's kind of a joint community. >> I agree. I think it is increasingly about enabling developers who are experts in their field to actually leverage Kubernetes and the advantages that it brings in a more intuitive fashion. Just take it up a notch. >> How did the Kubernetes vibe integrate in with Canonical? I'm sure, given the background of the company, it probably was a nice fit, people embraced it. You guys were early. >> Stephan: Yeah. >> What's the internal scuttlebutt on the vibe with Kubernetes? >> Oh, we love Kubernetes as a technology. Ubuntu was always close to the developer and close to where the innovation happens. It was a natural fit to actually support all that workflow now in this new world of Kubernetes. We embraced OpenStack for the same reason, and in a similar fashion, Kubernetes has really driven the point home, containerized applications with a powerful orchestration framework such as Kubernetes are the next step for all the developers that are out there, and so as a consequence, this was a perfect match. >> It's also a no-brainer if you think about it, software methodology moving to the next level. This is total step up function for productivity for developers. That's really a key thing. 
What's your observation of that trend? Because at the end of the day, there's now Kubernetes, which does a lot of great things, but one of the hottest areas is Istio service meshes, and then you've got Kubeflow orchestration, a lot of other things that are happening around Kubernetes. What are you guys seeing that's important for Canonical's customers, what you're doing product wise. Where's the order of operations, what's next? What are you guys focused on, what's the priorities? >> Well, our biggest priority right now is enabling things like Kubeflow, which, by the way, are also using Istio internally, right, to actually enable those data scientists who actually deploy their AI workload. We work very closely with Google to try and enable this in an on prem fashion out of the box which is something you can actually do today. >> John: You guys are doing this now inside this. >> We're doing this right now. This is also where we're going to double and triple down. >> This is actually your best practice, too, if you think about it, you want to take it in house, and then get a feel for it. What's the internal vibe on that, positive? >> Oh, absolutely. I mean, we always saw infrastructure as code and actually as intelligent infrastructure as something that we wanted to build our conceptual framework around, so very concretely, right. We've always had this notion of composable building blocks adding up to, sum of one being greater than two, right, like those types of scenarios. Actually using things like Kubernetes as an effective building block to then build out web applications that use things like machine learning algorithms underneath, that's a perfect use case for a next gen workload, and also something that we might use ourselves internally. >> Well, hey, that whole building block thing, it's happening. >> Stephan: Yeah. >> News flash. >> Stephan: Exactly, right? 
>> I mean, it's almost a pinch me moment for the people in the industry like, oh my god, it's going to go to a whole other level. How do you guys envision that next level going? Beyond the building blocks, is it, I mean, what's the vision that you guys have? Obviously, infrastructure as code programmability, but now, you're talking about infrastructure as code was great, but now you've got microservices growth coming on top of it, it's a services market now. >> It is, it is. I think that the biggest challenge will be the distribution of the workloads, right. You have edge compute coming along in the telco space, you have, like I said, smart cities, right, the sensors will be everywhere, and they will feed data back, and how do you manage that at scale, right? How do you manage that across various different hardware perspectives? We have hardware platforms such as ARM 64 picking up, right, and actually playing a very significant role at the edge, and increasingly, even in the core. We've always believed that providing that software and the distribution of IS such as Kubernetes and others on top of those additional architectures would make a huge difference, and that is clearly paying off. What we see is, the increased need of managing hybrid workloads across multi-cloud scenarios that could be composed of different architectures, not just x86, the future is not homogeneous at all. It'll be all over the place. All those use cases and all those particular situation require that building block principle, like all the way from the OS up to the application. >> John: That's a great use case for containers. Kubernetes, Istio, Kubeflow. >> Absolutely. >> All stacking in line beautifully from an evolution standpoint. I've got to ask you a personal question. I mean, I was at Canonical, great company, I want to thank Canonical for being a sponsor of the CUBE over the years. We've had Mark Shuttleworth on the CUBE had an OpenStack going way back when. 
You guys are a great participant in the community as a company and the people there been phenomenal. You're new. >> I'm new. >> What attracted you to Canonical? What was the motivating force? What drew you in? You're now running Products, a big job. You've got a lot in front of you. Obviously, it's a great market, so you're a great company. Just share, just color and why Canonical, what attracted you there? >> I've always been a user of Ubuntu, I've been a user since the first hour. I've used Ubuntu in my research. I did robotics based on Ubuntu way before it was cool. I built all kinds of things on top of Ubuntu throughout my entire career. Working for Canonical, which is a company that always exhibited great vision into the future and great predictions into trends that would prove to become true was just, for me, something that was very attractive. >> Their leadership has a good eye on the prize. They had good 20 mile stare, as we say, they can see the roadmap ahead and then make either course corrections or tweaks. >> Yeah. >> Great, awesome. Well, I mean, what's new there? What's your, take a minute to explain what's new at Canonical, role here at KubeCon, what are some of the conversations you're having? >> Yeah, so I mean, for us at KubeCon, it's always been an important part of our outreach to the community, great opportunity for us to have great conversations with our partners in the field. I think it is really about enabling the ecosystem in a more straightforward way. There's no better place to have those types of conversations than here, where everybody comes together and really establishes those relationships. For us, it is about, again, enabling the developer and really staying close to that innovation and supporting that in an optimal way. Yes, I mean, that, to us, is the role that we play. You've got a lot of end users here who are building stuff. >> Oh, absolutely, yeah. 
They, I mean, I had a talk today about Kubeflow with Google, and after the talk, lots of folks came up to me and said, hey, how can I use this at home, right? >> Sometimes with, whether it's timing, technology, all the above, Kubernetes really hit it strong with the timing, industry was ready for it. Containers had a nice gestation period. People know about containers. >> Stephan: Absolutely. >> Engineers know containers, know about those kinds of concepts. Now we're at a whole other operating environment. >> Stephan: Absolutely. >> You guys are at the forefront. Thanks for coming on the CUBE. >> Oh, thank you, I appreciate it. >> Stephan sharing the perspective, Stephan Fabel. Running Product and Strategy for Canonical, building stuff, this is what's going on in Kubernetes in KubeCon, end users are actually building and orchestrating workloads. Multi-cloud is what people are talking about and the tech to make it happen is here. I'm John Furrier with the CUBE. Stay with us for more live coverage here at KubeCon 2018, part of the CNCF CUBE coverage. We'll be right back after this short break. (busy music)
Michael Hausenblas & Diane Mueller, Redhat | KubeCon + CloudNativeCon EU 2018
>> Narrator: From Copenhagen, Denmark, it's theCUBE, covering KubeCon, and CloudNativeCon Europe 2018. Brought to you by the Cloud Native Computing Foundation, and its ecosystem partners. >> Okay, welcome back, everyone, live coverage here in theCUBE, in Europe, at Copenhagen, Denmark for KubeCon Europe 2018. This is theCUBE. We have the CNCF, at the Cloud Native Computing Foundation, part of the Linux Foundation. I'm John Furrier, co-host of theCUBE, with Lauren Cooney, the founder of SparkLabs, new venture around open source and innovation. Our analysts here, today with theCUBE, and our two guests are Michael Hausenblas, who's the direct developer advocate at Red Hat. Diane Mueller's the director of community development at Red Hat, talking about OpenShift, Red Hat, and just the rise and success of OpenShift. It's been really well-documented here on theCUBE, but certainly, in the industry, everyone's taking notice. Great to see you again, welcome to theCUBE, good to see you. >> Thank you. >> And wonderful to be here again. >> So, first of all, a lot of big news going on. CoreOS is now part of Red Hat, so that's exciting. I haven't had a chance to talk to you guys about that yet here on theCUBE, but great, great puzzle piece from the industry there for you guys, congratulations. >> Yeah, it's been a wonderful collaboration, having the CoreOS team as part of the Red Hat, and the OpenShift team, it's just a perfect fit. And the team from CoreOS, they've always been my favorite people. Alright, and Brandon Philips and the team over there are just awesome. And to have the expertise from Tectonic, the operator framework, which you'll hear more about here at KubeCon EU this week, to have Quay under the wings of Red Hat now, and Quay is a registry with OpenShift or with any other Kubernetes, you know, the stuff that they brought to the table, and the expertise, as well as the wonderful culture that they had, it was such a perfect fit with OpenShift. 
>> And you know, you guys bring a lot to the table, too. And I was, I mean, I've been kind of critical of CoreOS in the past, in a good way, 'cause I love those guys. I had good chats with them over the years, but they were so pure open-source guys, like Red Hat. >> Diane: Well, there's nothing wrong with being pure open-source. (laughing) >> No, no, I'm cool with that, but you guys have perfected the business more, you have great customers. So one of the things that they were always strong at was the open-source piece but when you start to monetize, and you start to get into the commercialization, it's hard for a start-up to be both, pure open-source and to monetize. You guys now have it together, >> Yeah. >> Great fit. >> So, it's a wonderful thing. We, on the OpenShift side, we have the OpenShift Commons, which is our open-source community, and we've sort of flipped the model of community development and that's at Red Hat. And one of the things is, they've been really strong, CoreOS, with their open-source projects, whether etcd, or you know, a whole myriad of other things. >> Well, let's double down on that. I want to get your thoughts. What is this OpenShift Commons? Take a minute to talk about what you guys had. You had an event Monday. It was the word on the streets, here in the hallways, is very positive. Take a minute to explain what happened, what's going on with that program? >> So OpenShift Commons is the open-source community around OpenShift Origin, but it also includes all the upstream projects that we collaborate with, with everybody from the Kubernetes world, from the Prometheus, all the CNCF project leads, all kinds of people from the upstream projects that are part of the OpenShift Ecosystem, as well as all the service providers and partners, who are doing wonderful things, and all the hosts, like Google, and you know, Microsoft Azure folks are in there. But, we've kind of flipped the model of community development on its head. 
In the past, if you were a community manager, which is what I started out as, you were trying to get people to contribute to your own code base. And here, because there's so much cross-community collaboration going on, we've got people working on Kubernetes. We got Kubernetes people making commits to Origin. We work on the OCI Foundation, trying to get the container stuff all figured out. >> So when you say you flipped the model, you mean there's now multiple-project contributions going on, or? >> Yeah, we've got our fingers in lots of pies now, and we have to, the collaboration has to be open, and there has to be a lot of communication. So the OpenShift Commons is really about creating those peer-to-peer networks. We do a lot of stuff virtual. I host my own OpenShift Commons briefings twice a week, and I could probably go to three or four days a week, and do it, because there's so much information. There's a fire hose of new stuff, new features, new releases, and stuff. Michael just did one on FaaS. You did one before for the machine-learning Saigon OpenShift on Callum. >> Hold on, I want to just get your thoughts, Michael, on this, because what came up yesterday on theCUBE, was integration glue layers are really important. So I can see the connection here. Having this Commons model allows people to kind of cross-pollinate, one. Two, talk about integration, because we've got Prometheus, I might use KubeFlow. So there's new things happening. What does this mean for the integration piece? Good for it, or accelerating it? What's your thoughts? >> Right, right, right. So, I mainly work upstream which means when it is KubeFlow and other projects. And for me, these kind of areas where you can bring together both, the developers, and the end users, which is super important for us to get the feedback to see where we really are struggling. We hear a lot from those people that meet there, what their pain points are. 
And that is the best way to essentially shape the agenda, to say, well, maybe let's prioritize this over this other feature. And as you mention, integration being one big part, and Functions as a Service being, could be considered as the Visual Basic of applications for Cloud Native Computing. It can act as this kind of glue between different things there. And I'm super excited about Commons. That's for me a great place to actually meet these people, and talk with them. >> So the Commons is almost a cross-pollination of folks that are actually using the code, building the code, and they see other projects that makes sense to contribute to, and so it's an alignment where you allow for that cross-pollination. >> It's a huge series of conversations, and one of the things that is really important to all of the projects is, as Michael said, is getting that feedback from production deployments. People who are working on stuff. So we have, I think we're at around 375 organizational members, so there's... >> John: What percentage of end-user organizations, do you think? >> It's probably about 50/50. You know, you can go to Commons.OpenShift.org, and look up the participants list. I'm behind a little bit in getting everybody in there, but-- >> John: So it's a good healthy dose of end-users? >> It's a good healthy dose of end-users. There's some special interest groups. Our special interest groups are more around use cases. So, we just hosted a machine-learning reception two nights ago, and we had about 200 people in the room. I'd say 50% of them were from the KubeFlow community, and the other 50% were users, or people who are building frameworks for our people to run on OpenShift. 
And so our goal, as always, is to make OpenShift the optimal, the best place to run your, in this case, machine-learning workloads, or-- >> And I think that's super critical, because one of the things that I've been following a little bit, and you know, I have your blog entry in front of me, is the operator framework, and really what you're trying to do with that framework, and how it's progressing, and where it's going, and really, if you can talk a little bit about what you're doing there, I think that would be great for our viewers. >> So what I'm going to do is I'm going to make sure you get Brandon Philips here, on your KubeFlow, sometime this week, 'cause I don't want to steal the thunder from his keynote tomorrow morning-- >> Lauren: Well, drop a couple hints. (laughs) >> John: Share a little bit, come on. >> So the operator stuff that CoreOS, and they brought it to the table, so it's really their baby. They had done a lot of work to make sure that they had first-class access to be able to inject things into Kubernetes itself, and make it run. And they're going to do a better technical talk on it than I am, and make things run. And so that what they've done is they've opened up and created an SDK for operators, so other people can build more. And we think, this is a tipping point for Kubernetes, and I really don't want to steal any thunder here, or get in over my head, is the other part of it, too. >> I think Brandon is the right person to talk about that. >> Brandon, we'll drag Brandon over here. >> I'm super excited about it, but let's-- >> Yeah, let's talk about why you're super excited about it. Is there anything you can kind of tell us in terms of what? >> Enables people to run any kind of workload in communities, in a reliable automated fashion. So you bring the experience that human operators have into software. 
So you automate that application, which makes it even more suitable to run your enterprise application that so far might have not been the best place to run. >> Lauren: That's great, yeah. >> And yeah, I'm also looking forward to Brandon explaining the details there. >> So I think it's great hearing about that, and we talk a lot about how it's great for users. It's great, you know, operators, developers, how they're building things out, and things along those lines. But one of the things that we are not hearing a ton about here, and we want to hear more about, is security. Security is increasingly important. You know, we're hearing bits and pieces but nothing's really kind of coming together here and what're your thoughts on that? >> Security, I was recently, when I blogged about it, and people on Twitter said, well, is that really true that, you know, couldn't this secure body fall? It's like, well, all the pieces are there. You need to be aware of it. You need to know what you're doing. But it is there, right? All the defaults might not be as you would expect it, but you can enable it. And I think we did a lot of innovations there, as well. With RBAC, and security contexts, and so on. And, actually, Liz Rice and myself are working on putting the security cookbook, and for a variety that will come out later this year. We're trying to document the best practice, because it is early days, and it's quite a range of things. From building container images in a secure way, to access control, and so on, so there's a lot of stuff (mumbles). >> What're some of the end-user feedback sessions, or feedback data that you're getting from these sessions? What is some of the things you guys are hearing? What's the patterns? What's the things that are boiling up to the top? >> Well, there's so many. I mean, this conference is one of those ones where it's a cornucopia of talks, and trying to, I just wrote a little blog post called, The Hitchhiker's Guide to KubeCon. 
It's on blog.openshift.com. And because, you could spend all of your time here in a different track, and never leave it, like Security 1, or in Operations 1, or-- >> John: There's a lot of great content. >> I think the Istio stuff is probably the hottest thing I'm hearing people going to. There was a great deep-dive training session, hands-on on Monday, here, that got incredible feedback. IBM and Google did that one. We had a lot of customer talks and hands-on training sessions on Monday. Here, there are pretty much, there's a great talk coming up this afternoon, on Kube Controllers that Magic... I think that's at 11:45-ish. There are a lot of the stuff around Service Fish, and service brokers, is really kind of the hot thing that people are looking for to get implemented. And we've got a lot of people from Red Hat working on that. There's, oh man, there's etcd updates, there's a bazillion things going-- >> John: It's exploding big time here. >> Yeah. >> No doubt about it. >> The number one thing that I'm seeing last couple of months, being onsite with customers, and also here, is that given that Kubernetes is now the de facto standard of container orchestration, people are much more willing to go all-in, you know? >> Yeah. >> A lot of folks were on the fence, for a couple of years, going like, which one's going to make it? Now, it's kind of like, this is a given. You couldn't, you know, just as Linux is everywhere on the servers, that's the same with Kubernetes, and people are now happy to really invest, to like, okay, let's do it now, let's go all in. >> Yeah, and, what we're hearing, too, just stepping back and looking at the big picture is we see the trend, kind of hearing and connecting the dots, as the number of nodes is going to expand significantly. I mean, Sterring was on stage yesterday, and we heard their, and still small, not a lot of huge, not a lot on a large scale. So, we think that the scale question is coming quickly. 
>> Well, I think it already came, alright? In the machine-learning reception that we had at night, one of the gentleman, Willem Bookwalter, from Microsoft, and Diane Feddema, from Red Hat, and a whole lot of people are talking about how do we get, because machine-learning workloads, have such huge work, you know, GPU, and Google has their TPU requirements to get to scale, to run these things, that people are already pushing the envelope on Kubernetes. Jeremy Eater from Red Hat has done some incredible performance management work. And on the CNCF blog, they've posted all of that. To get the optimal performance, and to get the scale, is now, I think, one of the next big things, and there's a lot of talks that are on that. >> Yeah, and that's Istio's kind of big service mesh opportunity there, is to bring that to the next level. >> To the next level, you know, there's going to be a lot of things that people are going to experience trying to get the most out of their clusters, but also, I think we're still at the edge of that. I mean, someone said something about getting to 2,500 nodes. And I'm like, thinking, that's just the beginning, baby. >> Yeah, it's going to be more, add a couple zeroes. I got to ask you guys, I got to put you both on the spot here, because it's what we do on theCUBE. You guys are great supporters of theCUBE. We appreciate that, but we've had many conversations over the years with OpenShift, going back to OpenStacks, I don't know what year it was, maybe 2012, or I don't know. I forget what year it was. Now, the success of OpenShift was really interesting. You guys took this to a whole 'nother level. What's the reaction? Are you, as you look back now on where you were with OpenShift and where you are today, do you pinch yourself and say, damn? Or what's your view? >> Red Hat made a big bet on Kubernetes three years ago, three and a half years ago, when people thought we were crazy. You know, they hadn't seen it. 
They didn't understand what Google was trying to open-source, and some of the engineers inside of Red Hat, Clayton Coleman, Matt Hicks, a lot of great people, saw what was coming, reached out, worked with Google. And the rest of us were like, well, what about Ruby on Rails, and MongoDB, and you know, doing all this stuff? And like, we invested so much in gears and cartridges. And then, once they explained it, and once Google really open-sourced the whole thing, making that bet as a company, and pivoting on that dime, and making version 3.0 of OpenShift and OpenShift Origin, as a Kubernetes-based platform, as a service, and then, switching over to being a container platform, that was a huge thing. And if you had talked to me back then, three years ago, it was kind of like, is this the right way to go? But, then, you know, okay. >> Well, it's important to history to document that point, because I remember we talked about it. And one of the things, you guys made a good bet, and people were scratching their head, at that time. >> Oh yeah. >> Big time. But also, you've got to give credit to the community, because the leaders in the community recognized the importance of Kubernetes early on. We've been in those conversations, and said, hey, you know, we can't screw this up, because it was an opportunity. People saw the vision, and saw it as a great opportunity. >> I think, as much as I like the technical bits, as an engineer, the API being written in Go, and so on, I really think the community, that is what really makes the difference. >> Yeah, absolutely does. >> If you compare it with others, they're also successful. But here with CNCF, all the projects, all the people coming together, and I love the community, I really-- >> It's a case study of how to execute, in my opinion. You guys did a great job in your role, and the people didn't get in the way and try to mess it up. Great smart people understood it, shepherded it through, let it grow. 
>> And it really is kudos to the Kubernetes community, and the CNCF, for incubating all of this wonderful cross-community collaboration. They do a great job with their ambassadors program. The Kubernetes community does amazing stuff around their SIGs, and making sure that projects get correctly incubated. You know, they're not afraid to rejig the processes. They've just done a wonderful thing, changing the way that new projects come into the Kubernetes, and I think that willingness to learn, learn from mistakes, to evolve, is something that's really kind of unique to the whole new way of thinking about open-source now, and that's the change that we've seen. >> And open-source, open movements, always have a defining moment. You know, the OSI model, remember? That stack never got fully standardized but it stopped at a really important point. TCP/IP, IP became really important. The crazy improbability world, Cisco, as we know, and others. This is that kind of moment where there's going to be a massive wealth creation, value creation opportunity because you have people getting behind something, as a de facto standard. And then, there's a lot of edge work around it that can be innovated on. I think, to me, this is going to be one of those moments we look back on. >> Yeah, and I think it's that willingness to adjust the processes, to work with the community, and you know, that Kubernetes, the ethos that's around this project, we've learned from a lot of other foundations' mistakes. You know, not that they're better or worse, but we've learned that you could see the way we're bringing in new projects, and adding them on. We took a step back as a community, and said okay, this is, we're getting too many, too soon, too fast. And maybe, this is not quite the right way to go. 
And rather than doing the big tent umbrella approach, we've actually started doing some really re-thinking of our processes, and the governing board and the TOC of the CNCF, have done an awesome job getting that done. >> When you got lightning in a bottle, you stop and you package it up, and you run with it, so congratulations. Red Hat Summit next week, we'll be there, theCUBE. >> Oh yeah. >> Looking forward to going deep on this. >> Well, the OpenShift Commons Gathering is the day before Red Hat Summit. We've completely sold out, so sorry, there's a waitlist. We've gone from being, our first one, I think we had 150 people come. There's over 700 people now coming to the Gathering one, and 25 customers with production deployments speaking. This is the day before Red Hat Summit. And I lost count of how many OpenShift stories are being told at Red Hat Summit. It's going to be a crazy, jetlag-y week, next week, so-- >> Congratulations, you guys got a spring in your step, well done. OpenShift going to the next level, certainly the industry and Kubernetes, a service mesh as Istio. Lot of great coverage here in theCUBE, here in Europe for KubeCon 2018 in Copenhagen, Denmark. I'm John Furrier, and Lauren Cooney, the founder of SparkLabs. I'm with theCUBE, we'll be back with more live coverage. Stay with us! Day Two, here at KubeCon, we'll be right back. (upbeat techno music)