Charlie Betz, Forrester & Tobi Knaup, D2iQ | CUBEConversation, December 2019
>>From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation.
>>Hello and welcome to theCUBE studios in Palo Alto, California, for another CUBE Conversation. We go in depth with thought leaders driving innovation across the tech industry. I'm your host, Peter Burris. It's a well-known fact of life at this point in time: we're going to the cloud in some manner, way, shape or form. Every business that intends to undertake a digital transformation is going to find themselves in a situation where they are using cloud resources to build new classes of applications and accelerate their opportunities to create new markets that are more profitable. What folks haven't fully internalized yet, though, is what it means to govern those activities. What does it mean to use data that is in the cloud in a compliant and reliable way? What does it mean to allow rapid innovation while at the same time ensuring that our businesses are not compromised by new classes of risk, new classes of compliance issues as a result of making certain liberties, uh, with how we handle governance? So that's what we're going to talk about today and we've got a great conversation for you. Tobi Knaup is a co-founder and CTO of D2iQ and Charlie Betz is the principal analyst at Forrester. Tobi, Charlie, welcome to theCUBE theater. All right, so Charlie, I'm going to start with you. I kind of outlined the overall nature of the problem, but let's get it very specific. What is the problem that enterprises face today as they try to accelerate their use of technology in a way that doesn't compromise the risk and compliance concerns?
>>Well, we are hearing the same story over and over again, Peter. Uh, companies are starting on the cloud native journey and perhaps a DevOps journey. You know, there's some similarities there. You know, one leads to the other in many cases and they, they do a proof of concept and they do a pilot and they like the results.
But both of those efforts had what, from Monopoly, we would call it a get-out-of-jail-free card. You know, they had a pass to bypass certain regulatory or governance or compliance controls. Now they want to scale it. They want to roll it out across the enterprise and you can't give every team a get-out-of-jail-free card.
>>Well, let me dig into this because is it that the speed with which we're trying to create new things, is that the key issue? Is it that the new technologies like Kubernetes lend themselves to new style that doesn't necessarily bring good governance along with it? What is, what are those factors that are driving this problem?
>>I think the central factor, Peter, is the movement from stage-gated governance to governance of continuous flow. We could unpack this in various ways, but really if you look at so many governance models, and people ship them to us and we comb through them and it's getting, you know, doing a lot of that lately, what we see is over and over again this idea that delivery pauses, experts come in from their perspective with a checklist, they go through, they check the delivery against the checklist, and then the green light is given to move on. And this is how we've run digital systems for a long time now. But now we're moving towards continuous flow, continuous iteration,
>>Agile, agile, DevOps,
>>DevOps, all the rest. And these methods are well suited to be supported by architectures like Kubernetes. And there are certain things you can do with automation that are very beneficial in cloud native systems, but you're up against, you know, decades of policy that assume this older model is based on older guidance like ITIL and PMBOK and, and COBIT and all the rest. COBIT 2019 is still based on a plan-build-run model,
>>Which is not, is not necessarily a bad thing in the grand scheme of things, but it doesn't fit into a month-long sprint.
>>It doesn't fit.
And more and more what we're seeing, when I say stage gates are going away, what we're seeing is that the life cycle becomes internalized to the team. You still plan, build, run. But it's not something that you can put controls on at the high level.
>>And so the solution seems to be is that we need to be able to foster this kind of speedy acceleration that encourages the use of agile, uh, leads to a DevOps orientation, and somehow fold good solid governance practices right into the mix. What do you think the, let's take a look at 2025, what's it going to look like? And, uh, even if we're not ready for it yet?
>>Well, I think you're going to govern a lot more at the level of the outcome. You're going to govern what, not how, as much, but there are a lot of things that still are essential and just basic solid good practice, such as not having 15 different ways or a hundred different ways to configure major pieces of infrastructure. You know, there's a, in the, some of the reports, uh, the State of DevOps report that came out, there was a, uh, a note in there or a finding in there that it was best to let the developers have a lot of choice. And I understand that developer autonomy is very important, but every time a development team chooses a new technology or a new way to configure an ex, an existing technology, that's an expansion of attack surface. And I'm very concerned about that, especially as we see things like Equifax with the, uh, the Struts exploit. You know, we, we have to keep our environment secure, well patched, up to date. And if you only have one or two ways that things are configured, that means your staff are more likely to do the right thing as opposed to, you know, infinite levels of variation, you know, on a hundred different ways of configuring Kubernetes.
>>Well, presumably we don't want the infinite levels of variation to be revealed at the business level and not down at the infrastructure level.
I think one of the things that folks mean or folks aren't intending or hope to be able to do with digital business, you're alluding to this, is creating a digital asset, a software-based asset, because ultimately it's going to be more integratable, but you lose the opportunity to integrate those things if you're increasing the transaction costs by introducing a plethora of discordant governance models. Is that what you're seeing as well, Tobi?
>>Absolutely. And I think, uh, you know, some aspects of cloud native that make this problem a lot bigger is actually, you know, cloud native encourages sort of a self-service model for infrastructure. And also we're seeing a shift, um, of, uh, power and decision making towards developers, right? So you have developers introducing a lot of these new stacks, often in a very, you know, sort of bottoms-up, um, organic way. So very quickly an enterprise finds themselves with, you know, 10, 15 different ways to provision infrastructure, to provision Kubernetes clusters. Um, and often, you know, the teams that are in charge of governance aren't even aware of these things, right? Yes. So, uh, I think it starts actually with that and, you know, how can we find, uh, this balance of giving developers the flexibility they want, uh, you know, having them leverage the benefits of cloud native, but at the same time making the folks that are in charge of governance, uh, aware of what's going on in, in their enterprise, uh, making them aware of the different stacks that are provisioned. Uh, and then finding the right balance between that flexibility and enforcing governance. Uh, there's ways to do that. Um, you know, there what we see a lot is, is, uh, waste, uh, people building one stack on cloud provider A, a different stack on cloud provider B, a third stack, you know, at the edge or in their data center.
And so when it comes to patching security issues, upgrading versions, you know, you, you're doing three, five times the, the amount of work.
>>Well, let me ask you a question because we can see that the problem is this explosion in innovation at the digital level, uh, that is running into this, uh, the, the stricture of historical practices. And as a result, people are end-running governance. What is it, I mean, if I think about this, it sounds to me like the developer tooling is getting better, faster than the governance tooling. Where are we in the marketplace in terms of thinking about technologies that can improve the productivity on the governance side so that we can bring governance models to the developers so they don't have to make decisions at that level?
>>Right. I think where we are in the market is, um, so obviously cloud native and Kubernetes specifically has seen rapid adoption in the enterprise, right? And I think, um, you know, the governance and tools are just now catching up. Right? Right. Um, so the typical journey we see is, uh, you know, folks try out Kubernetes, they try out cloud native technologies, they have a very good first experience. It's easy. And so they kind of, uh, you know, forget some of the best practices that we've learned over the years for how to secure a production stack, how to make it upgradable, maintainable, how to govern workloads and versions, um, because those tools just simply didn't exist, uh, so far. We're now seeing these tools emerge. Um, and, and really it's the same approaches that have worked for us in the past for, for running these types of infrastructure. It's, um, you're having a central pane of glass for visibility. What versions am I running? Uh, you know, first being aware of what's out there and then, you know, centralizing management of these, of these stacks. Um, how do I, you know, lifecycle manage my, my Kubernetes clusters and all the related technologies?
Those are the tools that are just now showing up in the market,
>>But it's also got to be, I presume, that, uh, a degree of, uh, presuming that the tooling itself does bring forward good governance practices into a modern world. If I got that right.
>>Yeah, absolutely. I think this is one of the key things that the updated I&O team, uh, the infrastructure and operations, and our, our view is that these become platform teams. So we maybe leave the I&O term behind, we go with the platform teams. This is one thing that they should be doing, is creating reference implementations. You know, the, you know, here's your hello world stack and it's perfectly compliant. Go solve your business problem and leave the undifferentiated heavy lifting to us. You know, and this is I think, uh, going should be a welcome message. Uh, assuming that the stack is providing all the services that the developer expects.
>>Well, it certainly suggests that there is a reasonable and rational separation of duties and function within a business. So the people that are close to the business of building the function that the business needs are out there doing it. Meanwhile, we've got infrastructure developers that are capable of building a platform that serves a multitude of purposes with the specificity required for each workload and in compliance with the overall organization.
>>There's a key message that I want to reinforce with the audience as we think about the future of I&O. I, we've been thinking a lot about it at Forrester. What is the future of the traditional I&O organization? If I say infrastructure, that implies application, and I'm talking about a stack. That doesn't go away. You know, there will always be a stack, a layered architecture. What is being challenged is, when I say operations, that implies dev, and I'm talking now about a life cycle. That's what's merging together.
And so, well, the life cycle becomes something that is held internally within your feature or component team and is no longer a suitable topic of governance. Absolutely. In terms of the layered infrastructure, this is where we, it's still a thing, you know, because yes, we will platform teams, component teams, feature teams facing the business or the end user.
>>Well, it's all back to the idea that a resource is a reasonably well bound, but nonetheless with the appropriate separation, uh, of, of function that delivers some business outcome. And that's gonna include both infrastructure at a software level, an application at a software level. So look, we, you spent a lot of time talking to customers about these issues when they come back to you. Uh, where are you seeing successes most obviously and why?
>>Yeah, so where we see successes is where, um, you know, organizations, um, figure out a way to give developers what they want, which in the cloud native space is every development team wants to own their own Kubernetes cluster. They want to, it is their sandbox. They want to install their own applications on there. They don't want to talk to a different team when they install applications. So how can you give them that while at the same time enforcing the standards that you need to, right? How do you make sure those clusters follow a certain blueprint, that have the right access control rules? Um, you know, sensitive information like, like credentials are distributed in the right way. The right versions of workloads are available. Organizations that figure out how to do that, uh, they are successful at this. So they govern from a central place, they have, um, you know, a central pane of glass.
>>Um, you know, like our product Kommander, where they essentially set up blueprints for teams. Um, each individual team can have their own cluster. It gets provisioned with this blueprint.
And then from the central place I can say, all right, here is what my production clusters should look like. Right? Here are the secrets that should be available. Here are the access control rules that need to be set. And so you find the right balance that way, right? You can enforce your governance standards while at the same time giving developers their individual clusters, their development, their staging or production clusters.
>>And here's the options and what is an edible option and what is not. Right. Yeah. So it seems to me as if I, I mentioned this earlier, if I think about digital business, it's the opportunity to not only turn process, we're increasingly digitized process, but the real promise also is to then find ways of bringing these things together, integrate the business in response to new opportunities or new, uh, competitive factors or regulatory factors, whatever else it might be, and literally reconfigure the business quickly. That has to be more difficult if we have a wide array of, of governance models and operational principles. Charlie, as you think about customer success, uh, what does it mean for the future to be able to foster innovation with governance so that the whole thing can come together when it needs to come together?
>>Well, I think that we need to move to governing, again, as I said earlier, governing what, not how. Uh, I believe that, uh, you know, teams should be, should be making certain promises and there's a whole idea of the theory that's out there. A guy named Mark Burgess who is, you know, well known in certain, certain infrastructure-as-code circles. So what are the promises that the team makes within the larger construct of the team of teams, and is that team being accountable to those promises? And I think this is the basis of some of the new operating models we're seeing like Holacracy and Teal. I think we're in very early days of looking at this.
But you know, yeah, you will be held accountable for, you know, objectives and key results. But how you get there, you have more degrees of freedom, and yet at an infrastructure level, this is also bounded by the fact that if this is a solved problem, if this is not interesting to the business, you shouldn't be burning brain power on solving it. You know, and maybe it was interesting, you know, a couple of years ago and there was a need to explore new technologies, but really the effort should be spent solving the customer's problems.
>>Charlie Betz, principal analyst at Forrester, Tobi Knaup, co-founder and CTO of D2iQ. Thanks very much for being on theCUBE.
>>Thank you.
>>Thank you, Peter.
>>And thank you for joining us for another CUBE Conversation. Once again, I'm Peter Burris. See you next time.