>> Announcer: Live from Atlanta, Georgia, it's theCUBE, covering AnsibleFest 2019, brought to you by Red Hat. >> Okay, welcome back, everyone, it's CUBE's live coverage here in Atlanta, Georgia, for AnsibleFest 2019, and I'm John Furrier, with Stu Miniman, my co-host. Our next guest is Massimo Ferrari, product manager with Ansible Security. Welcome to theCUBE, thanks for coming on. >> Thanks very much. Thank you for having me. >> So, security, obviously, big part of the conversation in automation. >> Obviously. >> Making things more efficient, making security, driving a lot of automation, obviously, job performance, among other things. Red Hat's done a lot of automation in other areas outside of just configuration, network automation, now security looking kind of like the same thing, but security's certainly different and more critical. >> Massimo: It is, it's more time-sensitive-- >> Talk us through the security automation angle, what's going on? >> Well, basically, there are several things going on, right? I believe the main thing is that IT organizations are changing, well, honestly, IT organizations have been changing for the last, probably five years, 10 years, and as a consequence, the infrastructures to be protected are changing as well. And there are a couple of challenges that are kind of common to other areas. As you said, automation is all over the place, so clearly, there are some challenges that are common to IT operations, or network operations, something that is peculiar for the security space. What we are seeing, basically, is that if you think about, there's a major problem of scale, right? If you think about the adoption of technologies like containers, or private and public cloud, if you are a large organization, you are introducing those technologies side by side with, for example, your legacy applications on bare metal or your fantastic digital machines, but what they do actually is introducing a problem of size, a problem of scale, and a problem of complexity connected to that, and a problem of distribution which is just unmanageable without automation. And the other problem is just complexity, that I mentioned before, is, I wasn't specifically referring to the complexity of the infrastructure per se. If we think about adopting best practices or practices like microservices or adopting functions of service, we can easily imagine how an old-school three-tiers application can be re-engineered to become something like with made of 10 hundred components, and those are microcomponents, very focused on single things, but from a security perspective, those are ingress points. And what automation did, what automation proved to be able to do, is to manage complexity for other areas. So you can be successful in IT operations, in network, and clearly, it can be successful in security, but what is unique to security is that professionals are facing a problem of speed, which means different things, but to give you an example, what we are seeing is that more and more cyberattacks are using automation and artificial intelligence, and the result of that is that the velocity and impact of those attacks is so big that you can't cope with human operators, so we are in a classic situation of fighting fire with fire. >> So, this is a great example. We had the service guys on earlier talking about the Automation Platform, and one comment was, "You don't want to boil the ocean over. "Focus on some things you can break down "and show some wins." Security professionals have that same problem, they want to throw automation and AI at the problem, "It's going to solve everything." >> Of course. >> And so, it's certainly very valuable, managing configurations, open ports, S3 buckets, there's a variety of things that are entry points for hackers and adversaries to come in, take down networks. What's the best practice? How would you see customers applying automation? What's the playbook, if you will? What's the formula for a customer to look at security and say, "Okay, how do I direct Ansible "at my security problems, or opportunities, "to manage that?" >> Well, when you discuss security automation with customers, it really depends on the kind of audience that you have. As you know, security organizations tend to be fairly structured, right? And depending on the person you are talking to, they may have a slightly different meaning for security automation. It's a broader practice in general. What we are trying to do with Ansible Security Automation is we are targeting a very specific problem. There is a well-known issue in the security world, which is the lack of integration. What we know is that if you are any large organization, you buy tens, hundred sometime, of security solutions, and those are great, they protect whatever they have to protect, but there is little to no integration between them, and the result of that is that security teams have an incredible amount of manual work to do just to correlate data coming from different dashboards, or to perform an investigation across different perimeters, or at some point, they have to remediate something that is going on and they have to apply this remediation across groups of devices that are sparse. And what we are trying to do with Ansible Security Automation is to propose Ansible as an integrational layer, as a glue, between all those different technologies. On one hand it's a matter of become more efficient, streamline the process. On the other hand is an idea of having, truly, a way to plan, use the automation as your action plan, because security is obiously is time-critical, and so, automation becomes, in this context, become even more important. >> Massimo, with the launch of the Ansible Automation Platform, we see a real enhancement of how the ecosystem's participating here. Where does security fit into the collections that are coming from the partner ecosystem of Ansible? >> Well, in one way, we have been building over the shoulders of our friends in Network Automation. They did an amazing job over four years. They did two major things. The first one is that they expanded for the first time the footprint of Ansible outside the traditional IT operations space. That was amazing. And we did kind of the same thing, and we started working with some vendors that were already working with us for slightly different use cases, and we helped them to identify the right use cases for security, and expand even more what they were capable of doing through Ansible. And what we are doing now is basically working with customers, we have lighthouse customers, we call them, that guide us to understand which is the next step that we are supposed to perform, and we are gathering together a security community around Ansible. Because surprisingly, we all know that the security community has always been there, always been super vocal, but open-sourcing security's a fairly new thing, right? And so we have this ability, the important thing is that we all know that Red Hat is not a security vendor, right? We don't want to be a security vendor. That's not the ambition that we have. We are automation experts, in the case of Ansible, and we are open-source experts across the board. So what we are doing with them, we are helping them to get there, to cooperate in the open-source world. And for security, proven to be very interesting the adoption of collection, because in some way allows them to deliver the content that they want to deliver in a very, I would say, focused way, and since security relies on, again, is a matter of time to market or time to solve the problem, through collection, they have more independence, they are capable to deliver whatever they want to deliver, when they want to deliver, according to their staff needs. >> You know, one of the things you mentioned, glue layer, integration layer, and open source, your expertise on automation. It's interesting, and I want to get your reaction to this, 'cause we did a survey of CISOs in our community prior to the Amazon Web Services re:Inforce conference this past summer. It was their first, inaugural, cloud security, so, yeah, cloud security was a big part of it. But with on-premise and hybrid and multi-cloud here, being discussed, this notion of what cloud and role of enterprise is interesting to the CISOs, chief information security officer. And the trend on the survey was is that CISOs are re-hiring internal development teams to build stacks onsite in their own organizations, investing in their stack, and they're picking a cloud, and then a secondary cloud. So as that development team picks up, that seems to be a trend, one, do you agree with that? And if people want to have their own developers in-house, for security purposes, how does Ansible fit into that glue layer? Because if it's configuring all the gear and all the pipes and plumbing, it makes sense to kind of think about that. So this might be a trend that's helping you? >> So, the trend, there is a general trend in the corporate enterprise world hat more technical people are coming into traditionally, in areas that are traditionally under the purview of other people or domains, right? So, more technical people coming into business lines. We are seeing more developers coming into security, that's certainly a trend. It is a matter of managing scale and complexity. You need to have technical people there. So, in one hand, that help us to create a more efficient and more pervasive community around security. You have developers there, which means that you need to serve that corner case that you are not targeted at the moment, you have talented people that can cooperate with us and build those kinds of things. >> John: And use the open-source software. (laughs) >> Exactly, but that's the entire purpose, right? You want to drive people to contribute. They get the value back, we get the value back, they get the value back, that's the entire purpose. >> So you do see the trend of more developers being hired by enterprises in-house? >> It certainly is, and it's been going on for about, probably three to five years I've seen that, in other areas, mainly in the business area, because they want to gain that agility and want to be self-contained, in some way. Business want to be self-contained, and security, in some sense, is going the same direction. That fits clearly one angle of Ansible, so you have more contribution in the community. On the other hand, what we are trying to make sure is that we support the traditional security teams. Traditional security teams are not super developmental yet, so they want to consume the content. >> Well, DevOps is always, as infrastructure as code implies that the infrastructure has been coded, and if you look at all of the security breaches that have been big, a lot of them have been basic stuff. An exposed S3 bucket, is that Amazon's fault, or is that the operator's fault? Or patches that aren't deployed. You guys are winning with Ansible in these area. This seems to be a nice spot for you guys to come in. I mean, can you elaborate on those points, and is that true, you guys winning in those areas? 'Cause, I mean, I could see automation just solving a lot of those problems. >> Well, I will say something that's not super popular, but as a security community, we've always been horrible at the basics, right? Like any other technical people, we're chasing the latest and greatest, the fun stuff, the basics, we always been bad at that. Automation is a fairly new thing in security, And what we all know that automation does is providing you consistency and reduce human error. Most of this stuff is because somebody forgot to configure something, someone forgot to rotate a secret or something like that. >> They didn't bring their playbook to the game. (laughs) >> So, I'm not trying to guide the priorities here, but the point is that the same benefits that we get from automation-- >> There's just no excuse. If you have automation, you can basically-- >> Exactly. >> Load that patch, or configure that port properly, because a playbook exists. This only helps. >> Absolutely, but those are the basic values of automation. You're communicating a slightly different way to security, because they use different language, and for them, automation is still a new thing. But what you heard during the keynote, so, the entire purpose of the platform is to help different areas in the IT organization to cooperate with each other. As we know, security is not a problem of IT security anymore. It's a broader problem and needs to have a common tool to be solved. >> In the demo in the keynote this morning, I thought that they did a good job showing how the various stakeholders in the organization can all collaborate and work together. I want you to explain how security fits into that discussion, and also, they hadn't added the hardening piece in there, but I would expect for many companies that, I want to flag when I'm creating this image, that it's going to say, "Hey, "have you put the right security policies on top of it," not something that they just, "Oh, it's one of the steps that I do." How do we make sure that everybody follows those corporate edicts that we have? >> Well, it's mainly a matter, I don't want to play the usual card of cultural change, but the fact is that in security, especially, we are looking at two major shifts, and one of these shifts is that pretty much everyone, I would say private organization and government, kind of acknowledge that security, cybersecurity, is not an IT problem anymore, it's a business problem, right? Being a business problem, that means that the stakeholders involved are in all different parts of the organization, and that requires a different level of collaboration. Collaboration starts with training, and enablement of people to understand where the problems are, and understand that they are part of the same process. We used to have security as an highly specialized function of IT, right now, what happens is that, if you think about a data breach, a data breach could be caused by an IT problem, but most of the impact is on the business, right? So right now, a lot of security processes are shifting to give responsibility to the business owners, and if the government is involved, I live in London, and in Europe, for another month, I guess, we have this fantastic thing that you know, it's called GDPR. GDPR forces you to have what is called a data breach notification process, which means that now, if you're investigating a cyberthreat, you want to have legal there to make sure that everything is fine, and if this data breach could become a media thing, you want to have PR there, because you want to have a plan to mitigate whatever kind of impact you may have on your corporate image. You may also want to have there, I don't know, customer care, just to handle the calls from the customer worried for the data. So the point is that this is becoming a process that need to involve people. People needs to be aware that they are part of this process, and what we can do, as an automation provider, we are trying to enable, through the platform, the IT organizations to cooperate with each other. Having workflows, having the ability to contribute to the same process allows you to be responsible for your piece. >> Massimo, the new security track here at the show this year, for those that didn't get to come, or maybe that didn't get to see all of it, some of the highlights you want to share with the audience? >> So, this year, the general message this year is that it's the first time that we have this fantastic security track, and this is not a security conference, it is never going to be a security conference. So what we are trying to do is to enable security teams to talk with the automation experts to introduce automation in that space. So the general message that we have this year is, well, the desire is to create a bridge between the Ansible practitioners, the Ansible heroes, whatever you want to call them, to understand what the problem is, what the problem could be, and have a sort of a common language they can use to communicate. So the message that we have this year is, go back home, and sit down at the same table with your security folks, and make sure that they are aware that there's a new possibility, and you can help them, that you now have a common tool together. We had a couple of very interesting tracks. We have partners, a lot of partners are contributing to security space, we mentioned that before, and most of them have tracks here, and they are showing what they built with us, what are the possibilities of those tools. We have a couple of customer stories that are extremely interesting. I just came out from a session presenting one of our customer stories. And in general, we are trying to show also how you can integrate security in all the broader processes, like the mythical DevSecOps process. >> What's been the feedback from customers specifically around the talk, and the security conversations here at AnsibleFest? >> It wasn't unexpected, but it's going particularly well. We have very good feedbacks. And we have, we kind of-- >> John: What are they saying? >> Well, they are saying some, okay, the best quote that I can give you, the customer told me, "Oh, this year, I learned something new. "I learned that we can do something "in this space that we never thought about." Which is a good feedback to have at a conference. And a lot of people are attending these sessions. We have quite a lot of security professionals, that was kind of unexpected, so all the sessions are pretty full, but we also are seeing people that are just, they're just curious, they're coming in, and they are staying, they are paying attention. So there is the real opportunity, they see the same opportunity that we see, and hopefully, they will bring the message home. >> Massimo, thank you for coming on theCUBE and sharing your insights. Certainly, security is a main driver for automation, one of the key four bullet points that we outlined in our opening. Thanks for coming on, and sharing your insights. >> Thank you very much for having me. >> It's theCUBE coverage here at AnsibleFest 2019, where Red Hat's announced their Ansible Automation Platform. I'm John Furrier, with Stu Miniman. Stay with us for more after this short break. (upbeat music)

(bright music) >> Well, hi everybody. John Walls here on theCUBE, continuing our coverage of AnsibleFest 2021 with Tom Anderson, the Vice President of Product Management at Red Hat. And Tom, you've been the answer, man, for theCUBE here over the last a week, 10 days or so. Third cube appearance, I hope we haven't worn you out. >> No, you haven't John, I love it, I love doing it. So that's great to have you have you at the event. >> Thank you for letting us be a part of that. It's been a lot of fun. Let's let's go and look at the event now. As far as big picture here, major takeaways that you think that have been talked about, that you think you'd like people, customers to go home with. If you will, though, a lot of this has been virtual obviously, but when I say go home, I made that figuratively, but what, what do you want people to remember and then apply to their businesses? >> Right. So being a product guy, I want to talk about products usually, right? So the big kind of product announcements from this year's event have been the rollout, and really, the next generation of the Ansible automation platform, which is really a rearchitecture turning it into a cloud native application an automation application itself that scales to our customer needs. So a lot of big announcements around that. And so what does that do for customers? That's really bringing them the automation platform that they can scale from the data center, to the cloud, to the Edge and everywhere in between, across a single platform with a single easy to use automation language. And then secondly, on that, as automation starts to shift left, we always talk about technology shifting left towards the developer, as automation is also shifting left towards the developer and other personas in an organization we're really happy about the developer tools and the tooling that we're providing to the customers with the new automation platform too, that brings development of content automation content. So the creation, the testing, the deployment and the management of that content across an enterprise far easier than it's ever been. So it's really kind of, it's a little bit about the democratization of automation. We see that shifting left, if you will. And I know I've said that already, but we see that shifting left of automation into other parts of the organization, beyond the domain experts, the network engineers or the storage experts, et cetera, pushing that automation out into the hands of other personas in the organization has been a big trend that we've seen and a lot of product announcements around that. So really excited about the product announcements in particular, but also the involvement and the engagement of our ecosystem, our upstream community. So important to our product and our success, our ecosystem partners, and obviously last but not least our customers and our users. >> So you hit a lot of big topics there. So let's talk about the Edge. You know, that seems to be a, you know, a fairly significant trend at this point, right? 'Cause trying to get the automation out there where the data besides, and that's where the apps are. Right? So where the data is, that's where things are happening out there on the Edge. So maybe just dive into that a little bit and about how you're trying to facilitate that need. >> Yeah. So a couple of trends around the Edge, obviously it's the architecture itself with lower capacity or lower capability devices and compute infrastructure at the Edge. And whether that's at the far edge with very low capacity devices, or even at near edge scenarios where you don't have, you know, data center, IT people out there to support those environments. So being able to get at those low capability, low capacity environments remotely Ansible is a really good fit for that because of our agentless architecture, the agentless architecture of Ansible itself allows you to drive automation out into the devices and into the environments where there isn't a high capacity infrastructure. And the other thing that the other theme that we've seen is one of the commonalities that no matter where the compute is taking place and the users are, there always has to be network. So we see a lot of network automation use cases out at the Edge and Ansible is, you know, the defacto network automation solution in the market. So we see a lot of our customers driving Ansible use cases out into their Edge devices. >> You know, you talk about development too, and just kind of this changing relationship between Ansible and DevOps and how that has certainly been maturing and seems to be really taking off right now. >> Yeah. So for, you know, what we've seen a lot of, as you know, is becoming frictionless, right? How do we take the friction out of the system that frees developers up to be more productive for organizations to be more agile, to roll out applications faster? How do we do that? We need to get access to the infrastructure and the resources that developers need. We need to get that access into their hands when they need it. And in our frictionless sort of way, right? So, you know, all of the old school, traditional ways of developers having to get infrastructure by opening a help desk ticket to get servers built for them and waiting for IT ops to build the servers and to deploy them and to send them back a message, all that is gone now. These, you know, subsystem owners, whether that's compute or cloud or network or storage, their ability to use Ansible to expose their resources for consumption by other personas, developers in this case, makes developers happy and more efficient because they can just use those automation playbooks, those Ansible playbooks to deploy the infrastructure that they need to develop, test and deploy their applications on. And the actual subsystem owners themselves can be assured that the usage of those environments is compliant with their standards because they've built and shared the automation with those developers to be able to consume when they want. So we're making both sides happy, agile, efficient developers and happy infrastructure owners, because they know that the governance and compliance around that system usage is on point with what they need and what they want. >> Yeah. It's a big win-win and a very good point. I always like it when we kind of get down to the nitty-gritty and talk about what a customer is really doing. Yeah. And because if we could talk about hypotheticals and trends and developing and maturity rates and all those kinds of things, but in terms of actual customers, you know, what people really are doing, what do you think have been a few of the plums that you'd like to make sure people were paying attention to? >> Yeah. I think from this year's event, I was really taken by the JP Morgan Chase presentation. And it really kind of fits into my idea of shifting left in the democratization of automation. They talked about, I think the number was around 7,000 people, associates inside that organization that are across 22 countries. So kind of global consumption of this. Building automation playbooks and sharing those across the organization. I mean, so gone are the days of, you know, very small teams of people doing, just automating the things that they do and it's grown so big. And, so pervasive now, I think JP Morgan Chase really kind of brings that out, tease that out, that kind of cultural impacts that's had on their organization, the efficiencies that have been able to draw off from that their ability to bring the developers and their operations teams together to be working as one. I think their story is really fantastic. And I think this is the second year. I think this is the second year that JP Morgan Chase has been presenting at Fest and this years session was fantastic. I really, really enjoyed that. So I would encourage, I would encourage anybody to go back and look at the recording of that session and there's game six groups, total other end of the spectrum, right? Financial services, JP Morgan Chase, global company to Gamesis, right? These people who are rolling out new games and need to be able to manage capacity really well. When a new game hits, right? Think about a new game hits and the type of demand and consumption there is for that game. And then the underlying infrastructure to support it. And Gamesis did a really great presentation around being able to scale out automation to scale up and down automation, to be able to spin up clusters and deploy infrastructure, to run their games on an as-needed basis. So kind of that business agility and how automation is driving that, or business agility is driving the need for automation in these organizations. So that that's just a couple of examples, but there was a good ones from another financial services that talked about the cultural impacts of automation, their idea of extreme automation. In fact, one of the sessions I interviewed Joe Mills, a gentlemen from this card services, financial services company, and he talked about extreme automation there and how they're using automation guilds in communities of practice in their organization to get over the cultural hurdles of adopting automation and sharing automation across an organization. >> Hm. So a wide array obviously of customer uses and all very effective, I guess, and, you know, and telling their own story. Somewhat related to that, and you, as you put it out there too, if you want to go back and look, these are really great case studies to take a look at. For those who, again, who maybe couldn't attend, or haven't had a chance to look at any of the sessions yet, what are some of the kinds of things that were discussed in terms of sessions to give somebody a flavor of what was discussed and maybe to tease them a little bit for next year, right? And just in case that you weren't able to participate and can't right now, there's always next year. So maybe if you could give us a little bit of flavor of that, too. >> Yeah. So we kind of break down the sessions a little bit into the more kind of technical sessions and then the sort of less technical sessions, let's put it that way. And on the technical session front, certainly a couple of sessions were really about getting started. Those are always popular with people new to Ansible. So there's the session that aired on the 29th, which has been recorded and you can rewatch it. That's getting started Q and A with the technical Ansible experts. That's a really, really great session 'cause you see that the types of questions that are being asked. So you know, you're not alone. If you're new to Ansible, the types of questions are probably the questions that you have as well. And then the, obviously the value of the tech Ansible experts who are answering this question. So that was a great session. And then for a lot of folks who may want to get involved in the community, the upstream community, there's a great session that was also on the 29th. And it was recorded for rewatching, around getting started with participation in the Ansible community and a live Q and A there. So the Ansible community, for those who don't know is a large, robust, vibrant, upstream community of users, of software companies, of all manners of people that are contributing and contributing upstream to the code and making Ansible a better solution for them and for everybody. So that's a great session. And then last but not least, almost always the most popular session is the roadmap sessions and Massimo Ferrari, gentleman on my team did a great session on the Ansible roadmap. So I do a search on roadmap in the session catalog, and you can see the recording of that. So that's always a big deal. >> Yeah, roadmaps were great, right? Because especially for newcomers, they want to know how I'm down here at 0.0. And, I've got a destination in mind, I want to go way out there. So how do I get there? So, to that point for somebody who is beginning their journey, and maybe they have, you know, they're automated with the ability to manually intervene, right? And now you've got to take the hands off the wheel and you're going to allow for full automation. So how, what's the message you want to get across to those people who maybe are going to lose that security blanket they've been hanging on to, you know, for a long time and you take the wheels off and go. >> No John, that's a great question. And that's usually a big apprehension of kind of full automation, which is, you know, that kind of turning over the reins, if you will, right to somebody else. If I'm the person who's responsible for this storage system, if I'm the person responsible for this network elements, these routers, these firewalls, whatever it might be, I'm really kind of freaked out about giving controls or access to those things, from a configuration standpoint, to people outside of my organization, who don't have the same level of expertise that I do, but here's the deal that in a well implemented well architected Ansible automation platform environment, you can control the type of automation that people do. Who does that against what managing that automation as code. So checking in, checking out, version control, deployment access. So there's a lot of controls that can be put in place. So it isn't just a free-for-all automated. Everybody automating everything. Organizations can roll out automation and have access to different kinds of automation, can control and manage what their organizations can use and see and do with Ansible. So there's lots of controls built-in for organizations to put in place and to make those subsystem owners give them confidence that how people are accessing their subsystems using Ansible automation can be controlled in a way that makes them comfortable and assures compliance and governance around those resources. >> Well, Tom, we appreciate the time. Once again, I know you've been a regular here on theCUBE over the course of the event. We'll give you a little bit of time off and let you get back to your day job, but we do appreciate that and I wish you success down the road. >> Thank you very much. And we'll see you again next year. >> You bet. Thank you, Tom Anderson, joining us Vice President of Product Management at Red Hat, talking about AnsibleFest, 2021. I'm John Walls, and you're watching theCUBE. (lively instrumental music)