>> Live, from San Francisco, it's theCUBE covering IBM Think 2019. Brought to you by IBM. >> Hello everyone, welcome back to theCUBE's live coverage here in San Francisco for IBM Think 2019. I'm John Furrier, Stu Miniman with theCUBE. Stu, it's been a great day. We're on our fourth day of four days of wall to wall coverage. A theme of AI, large scale compute with Cloud and data that's great. Great topics. Got two great guests here. Rohit Badlaney, who's the director of IBM Z As a Service, IBM Systems. Real great to see you. And Nataraj Nagaratnam, Distinguished Engineer and CTO and Director of Cloud Security at IBM and Hybrid Cloud, thanks for joining us. >> Glad to be here. >> So, the subtext to all the big messaging around AI and multi-cloud is that you need power to run this. Horsepower, you need big iron, you need the servers, you need the storage, but software is in the heart of all this. So you guys had some big announcements around capabilities. The Hyper Protect was a big one on the securities side but now you've got Z As a Service. We've seen Linux come on Z. So it's just another network now. It's just network computing is now tied in with cloud. Explain the offering. What's the big news? >> Sure, so two major announcements for us this week. One's around our private cloud capabilities on the platform. So we announced our IBM Cloud Private set of products fully supported on our LinuxOne systems, and what we've also announced is the extensions of those around hyper-secure workloads through a capability called the Secure Services Container, as well as giving our traditional z/OS clients cloud consumption through a capability called the z/OS Cloud Broker. So it's really looking at how do we cloudify the platform for our existing base, as well as clients looking to do digital transformation projects on-premise. How do we help them? >> This has been a key part of this. I want to just drill down this cloudification because we've been talking about how you guys are positioned for growth. All the REORG's are done. >> Sure, yeah >> The table's all set. Products have been modernized, upgraded. Now the path is pretty clear. Kind of like what Microsoft's playbook was. Build the core cloudification. Get your core set of products cloudified. Target your base of customers. Grow that and expand into the modern era. This is a key part of the strategy, right? >> Absolutely right. A key part of our private cloud strategy is targeted to our existing base and moving them forward on their cloud journey, whether they're looking to modernize parts of their application. Can we start first with where they are on-premise is really what we're after. >> Alright, also you have the Hyper Protect. >> Correct. >> What is that announcement? Can you explain Hyper Protect? >> Absolutely. Like Rohit talked about, taking our LinuxOne capabilities, now that enterprise trusts the level of assurance, the level of security that they're dependent on, on-premise and now in private cloud. We are taking that further into the public cloud offering as Hyper Protect services. So these are set of services that leverage the underlyings of security hardening that nobody else has the level of control that you can get and offering that as a service so you don't need to know Z or LinuxOne from a consumption perspective. So I'll take two examples. Hyper Protect Crypto Service is about exposing the level of control. That you can manage they keys. What we call "keep your own keys" because encryption is out there but it's all about key management so we provide that with the highest level of security that LinuxOne servers from us offer. Another example is database as a service, which runs in this Hyper Secure environment. Not only encryption and keys, but leveraging down the line pervasive encryption capabilities so nobody can even get into the box, so to say. >> Okay, so I get the encryption piece. That's solid, great. Internet encryption is always good. Containers, there's been discussions at the CNCF about containers not being part of the security boundaries and putting a VMware around it. Different schools of thought there. How do you guys look at the containerization? Does that fit into Secure Protect? Talk about that dynamic because encryption I get, but are you getting containers? >> Great question because it's about the workload, right? When people are modernizing their apps or building cloud-native apps, it's built on Kubernetes and containers. What we have done, the fantastic work across both the IBM Cloud Private on Z, as well as Hyper Protect, underlying it's all about containers, right? So as we deliver these services and for customers also to build data services as containers or VM's, they can deploy on this environment or consume these as a compute. So fundamentally it's kubernetes everywhere. That's a foundational focus for us. When it can go public, private and multicloud, and we are taking that journey into the most austere environment with a performance and scale of Z and LinuxONE. >> Alright, so Rohit, help bring us up to date. We've been talking about this hybrid and multi-cloud stuff for a number of years, and the idea we've heard for many years is, "I want to have the same stack on both ends. I want encryption all the way down to the chip set." I've heard of companies like Oracle, like IBM say, "We have resources in both. We want to do this." We understand kubernetes is not a magic layer, it takes care of a certain piece you know and we've been digging in that quite a bit. Super important, but there's more than that and there still are differences between what I'm doing in the private cloud and public cloud just naturally. Public cloud, I'm really limited to how many data centers, private cloud, everything's different. Help us understand what's the same, what's different. How do we sort that out in 2019? >> Sure, from a brand perspective we're looking at private cloud in our IBM Cloud Private set of products and standardizing on that from a kubernetes perspective, but also in a public cloud, we're standardizing on kubernetes. The key secret source is our Secure Services Container under there. It's the same technology that we use under our Blockchain Platform. Right, it brings the Z differentiation for hyper-security, lockdown, where you can run the most secure workloads, and we're standardizing that on both public and private cloud. Now, of course, there are key differences, right? We're standardizing on a different set of workloads on-premise. We're focusing on containerizing on-premise. That journey to move for the public cloud, we still need to get there. >> And the container piece is super important. Can you explain the piece around, if I've got multi-cloud going on, Z becomes a critical node on the network because if you have an on-premise base, Z's been very popular, LinuxONE has been really popular, but it's been for the big banks, and it seems like the big, you know, it's big ire, it's IBM, right? But it's not just the mainframe. It's not proprietary software anymore, it's essentially large-scale capability. >> Right. >> So now, when that gets factored into the pool of resources and cloud, how should customers look at Z? How should they look at the equation? Because this seems to me like an interesting vector into adding more head room for you guys, at least on the product side, but for a customer, it's not just a use case for the big banks, or doing big backups, it seems to have more legs now. Can you explain where this fits into the big picture? Because why wouldn't someone want to have a high performant? >> Why don't I use a customer example? I had a great session this morning with Brad Chun from Shuttle Fund, who joined us on stage. They know financial industry. They are building a Fintech capability called Digital Asset Custody Services. It's about how you digitize your asset, how do you tokenize them, how you secure it. So when they look at it from that perspective, they've been partnering with us, it's a classic hybrid workload where they've deployed some of the apps on the private cloud and on-premise with Z/LinuxONE and reaching out to the cloud using the Hyper Protect services. So when they bring this together, built on Blockchain under the covers, they're bringing the capability being agile to the market, the ability for them to innovate and deliver with speed, but with the level of capability. So from that perspective, it's a Fintech, but they are not the largest banks that you may know of, but that's the kind of innovation it enables, even if you don't have quote, unquote a mainframe or a Z. >> This gives you guys more power, and literally, sense of pretty more reach in the market because what containers and now these kubernetes, for example, Ginni Rometty said "kubernetes" twice in her keynote. I'm like, "Oh my God. The CEO of IBM said 'kubernetes' twice." We used to joke about it. Only geeks know about kubernetes. Here she is talking about kubernetes. Containers, kubernetes, and now service missions around the corner give you guys reach into the public cloud to extend the Z capability without foreclosing the benefits of Z. So that seems to be a trend. Who's the target for that? Give me an example of who's the customer or use case? What's the situation that would allow me to take advantage of cloud and extend the capability to Z? >> If you just step back, what we're really trying to do is create a higher shorten zone in our cloud called Hyper Protect. It's targeted to our existing Z base, who want to move on this enterprise out journey, but it's also targeted to clients like Shuttle Fund and DAX that Raj talked about that are building these hyper secure apps in the cloud and want the capabilities of the platform, but wanted more cloud-native style. It's the breadth of moving our existing base to the cloud, but also these new security developers who want to do enterprise development in the cloud. >> Security is key. That's the big drive. >> And that's the beauty of Z. That's what it brings to the table. And to a cloud is the hyper lockdown, the scale, the performance, all those characteristics. >> We know that security is always an on-going journey, but one of the ones that has a lot of people concerned is when we start adding IoT into the mix. It increased the surface area by orders of magnitude. How do those type of applications fit into these offerings? >> Great question. As a matter of fact, I didn't give you the question by the way, but this morning, KONE joined me on stage. >> We actually talked about it on Twitter. (laughs) >> KONE joined us on stage. It's about in the residential workflow, how they're enabling here their integration, access, and identity into that. As an example, they're building on our IoT platform and then they integrate with security services. That's the beauty of this. Rohit talked about developers, right? So when developers build it, our mission is to make it simple for a developer to build secure applications. With security skill shortage, you can't expect every developer to be a security geek, right? So we're making it simple, so that you can kind of connect your IoT to your business process and your back-end application seamlessly in a multi-cloud and hybrid-cloud fashion. That's where both from a cloud native perspective comes in, and building some of these sensitive applications on Hyper Protect or Z/LinuxONE and private cloud enables that end to end. >> I want to get you guys take while you're here because one of the things I've observed here at Think, which is clearly the theme is Cloud AI and developers all kind of coming together. I mean, AI, Amazon's event, AI, AI, AI, in cloud scale, you guys don't have that. But developer angle is really interesting. And you guys have a product called IBM Cloud Private, which seems to be a very big centerpiece of the strategy. What is this product? Why is it important? It seems to be part of all the key innovative parts that we see evolving out of the thing. Can you explain what is the IBM Cloud Private and how does it fit into the puzzle? >> Let me take a pass at it Raj. In a way it is, well, we really see IBM Cloud Private as that key linchpin on-premise. It's a Platform as a Service product on-premise, it's built on kubernetes and darker containers, but what it really brings is that standardized cloud consumption for containerized apps on-premise. We've expanded that, of course, to our Z footprint, and let me give you a use case of clients and how they use it. We're working with a very big, regulated bank that's looking to modernize a massive monolithic piece of WebSphere application server on-premise and break it down into micro-services. They're doing that on IBM Cloud Private. They've containerized big parts of the application on WebSphere on-premise. Now they've not made that journey to the cloud, to the public cloud, but they are using... How do you modernize your existing footprint into a more containerized micro-services one? >> So this is the trend we're seeing, the decomposition of monolithic apps on-premise is step one. Let's get that down, get the culture, and attract the new, younger people who come in, not the older guys like me, mini-computer days. Really make it ready, composable, then they're ready to go to the cloud. This seems to be the steps. Talk about that dynamic, Raj, from a technical perspective. How hard is it to do that? Is it a heavy lift? Is it pretty straight-forward? >> Great question. IBM, we're all about open, right? So when it comes to our cloud strategy open is the centerpiece offered, that's why we have banked on kubernetes and containers as that standardization layer. This way you can move a workflow from private to public, even ICP can be on other cloud vendors as well, not just IBM Cloud. So it's a private cloud that customers can manage, or in the public cloud or IBM kubernetes that we manage for them. Then it's about the app, the containerized app that can be moved around and that's where our announcements about Multicloud Manager, that we made late last year come into play, which helps you seamlessly move and integrate applications that are deployed on communities across private, public or multicloud. So that abstraction venire enables that to happen and that's why the open... >> So it's an operational construct? Not an IBM product, per say, if you think about it that way. So the question I have for you, I know Stu wants to jump in, he's got some questions. I want to get to this new mindset. The world's flipped upside down. The applications and workloads are dictating architecture and programmability to the DevOps, or infrastructure, in this case, Z or cloud. This is changing the game on how the cloud selection is. So we've been having a debate on theCUBE here, publicly, that in some cases it's the best cloud for the job decision, not a procurement, "I need multi-vendor cloud," versus I have a workload that runs best with this cloud. And it might be as if you're running 365, or G Suite as Google, Amazon's got something so it seems to be the trend. Do you agree with that? And certainly, there'll be many clouds. We think that's true, it's already happened. Your thoughts on this workload driving the requirements for the cloud? Whether it's a sole purpose cloud, meaning for the app. >> That's right. I'll start and Rohit will add in as well. That's where this chapter two comes into play, as we call Chapter Two of Cloud because it is about how do you take enterprise applications, the mission-critical complex workloads, and then look for the enablers. How do you make that modernization seamless? How do you make the cloud native seamless? So in that particular journey, is where IBM cloud and our Multicloud and Hybrid Cloud strategy come into play to make that transition happen and provide the set of capabilities that enterprises are looking for to move their critical workloads across private and public in bit much more assurance and performance and scale, and that's where the work that we are doing with Z, LinuxONE set of as an underpinning to embark on the journey to move those critical workloads to their cloud. So you're absolutely right. When they look at which cloud to go, it's about capabilities, the tools, the management orchestration layers that a cloud provider or a cloud vendor provide and it's not only just about IBM Public Cloud, but it's about enabling the enterprises to provide them the choice and then offer. >> So it's not multicloud for multicloud sake, it's multicloud, that's the reality. Workload drives the functionality. >> Absolutely. We see that as well. >> Validated on theCUBE by the gurus of IBM. The cloud for the job is the best solution. >> So I guess to kind of put a bow on this, the journey we're having is talking about distributed architectures, and you know, we're down on the weeds, we've got micro-services architectures, containerization, and we're working at making those things more secure. Obviously, there's still a little bit more work to do there, but what's next is we look forward, what are the challenges customers have. They live in this, you know, heterogeneous multicloud world. What do we have to do as an industry? Where is IBM making sure that they have a leadership position? >> From my perspective, I think really the next big wave of cloud is going to be looking at those enterprise workloads. It's funny, I was just having a conversation with a very big bank in the Netherlands, and they were, of course, a very big Z client, and asking us about the breadth of our cloud strategy and how they can move forward. Really looking at a private cloud strategy helping them modernize, and then looking at which targeted workloads they could move to public cloud is going to be the next frontier. And those 80 percent of workloads that haven't moved. >> An integration is key, and for you guys competitive strategy-wise, you've got a lot of business applications running on IBM's huge customer base. Focus on those. >> Yes. >> And then give them the path to the cloud. The integration piece is where the linchpin is and OSSI secure. >> Enterprise out guys. >> Love encryption, love to follow up more on the secure container thing, I think that's a great topic. We'll follow-up after this show Raj. Thanks for coming on. theCUBE coverage here. I'm John Furrier, Stu Miniman. Live coverage, day four, here live in San Francisco for IBM Think 2019. Stay with us more. Our next guests will be here right after a short break. (upbeat music)

>> Live from San Francisco, it's theCUBE! Covering IBM Think 2019! Brought to you by IBM. >> We're back at IBM Think 2019 Dave Vellante with Stu Miniman and Lisa Martin is also here. John Furey will be up tomorrow. We're here at Moscone North. Stop by and see us. Raj Nagaratnam is here. He's a distinguished engineer, CTO and director of cloud security for IBM hybrid cloud. Raj good to see you again and thanks for coming on. >> Good to see you. Yeah absolutely. >> So you're in all the hot places. Security, cloud, hybrid cloud. A lot going on in your world. >> Absolutely! Lots going on. I mean I think we see a lot of enterprises moving to cloud and like IBM says there's a lot more to move, right. Just 20% is out there. But security is top of mind so you're right it's a sweet spot. >> What is cloud to people? You know. Because you guys define as sort of a what I would say a cloud experience, not a place, but sort of how you operate. But what do customers think of when they think of cloud and hybrid cloud? >> Definitely. So in terms of our customers from them anything that they can consume as a service is a cloud. So it's from a sass perspective. We do have IBM and others have sass properties. But in this context of discussion, my area of focus is as enterprises build applications, it could be enterprise applications, it could be their consumer facing applications. So as they look at that landscape, how do they take advantage of cloud and cloud platform where they can build it on maybe on premise with a private cloud or they can take advantage of a set of services and seamlessly integrate into a public cloud or a multicloud. So ultimately toward their applications how they leverage the benefit. >> Security was always a big concern especially in the early days of cloud. You mentioned that we're in the next phase of the journey. We've hit the 20%. The low-hanging fruit so to speak. But even then early on especially, security was a major, major concern. Won't those concerns heighten as you start moving more mission-critical workloads into the cloud? >> They do, they do. Like you said rightfully, over the last couple of years, I mean definitely early on because even if you go back like two decades back, when web came along and people need to expose what they had in their data centers as a web application, it was a journey. Now we have crossed that point where everything becomes web application. So that's kind of the journey for cloud that's taking place where it was a concern, it continues to be a concern, but not so much. There are risks there are controls that people have put in place to come over the risk and the trust providers like IBM and others because we do a lot more controls in place, and we have an army. If you look at how we host many customer applications and help them, then it's better than many times what a particular company can do just for their application. So from that viewpoint, security concern is kind of they've gotten over it but viewpoint in chapter two, it becomes a lot more. So how do enterprises, enterprise risk, the data becomes kind of the core part. >> Raj, I think you're hitting it dead on. Five years ago it was like oh wait I'm not sure if I'll do cloud because security. Now I understand. Cloud is an opportunity for me to change security but absolutely security is such a huge concern you know at least in the companies we talked to today, nobody feels safe. It's not a question of if but when you're going to be attacked and how you're going to deal with this. So give us a little bit. How do we make sure that enterprises, you know, can live in today's security climate and not be totally paranoid all the time? >> That's right. Security is not a binary thing, right? It's not like you're secure or un-secure. Is it secure enough from a risk perspective, right? So when you look at data, say are you dealing with sensitive data, private data or mission-critical data and how do you protect it? And are you taking the right steps. Like you rightfully said cloud is an opportunity to do security right. Many times in the past, app teams will build apps and throw it over the wall for the security team to secure it. That has changed. We need to put security up front as part of the entire process. As we think about it as Dev and Ops now it is more important to be security risk part of it where you have DevSecOps so that right from as you design it, build applications and build and operate, so that application teams have equal responsibility and accountability as you operate cloud. Not just hey I'm going to throw it away, and I get a security team to do it. So that collaborative model between a line of business and an application team on one end and the security team and operations team on another end, kind of a classic IT, come together and cloud makes it possible. >> What's the role of the line of business in that equation, Raj? Is it sort of to set the risk profile, the value of the data? Talk about that a little bit. >> Yeah. Line of business thinks about, obviously from their perceptive what data they deal with, what business they are in. It may be retail banking on one end or it could be payment processing on another end. So they are looking at how fast they need to reach the data or bring the applications to the cloud for the consumers to reach a digital transformation that they are going through, right? So on one end they are going through digital transformation. On the other end, the security team, from a typical security officer perspective, sets policies. If there are sudden regulations that you need to follow, what kind of data can be put in cloud or if you put it, what kind of controls and protection you need. So the policy from a security and risk perspective comes from the security team. Line of business looks at it and says this is what we need to do faster to go to market, expand your business. And now they need to look at and say how do we bring these things together? What risk? Am I willing to take the risk? Or what controls and security capabilities I need to protect my app and data with to mitigate the risk? So that's the model that they are in discussions about. >> Raj, one of the areas we've talked to IBM a lot about is what's happening in the container space, what's happening in Kubernetes. What role is IBM helping to the industry as a whole and IBM's products specifically to be more secure in that space? >> So it is about helping customers build secure applications and deploy it. It is a responsibility model. From that perspective, you brought a very important point. When you look at Cloud-Native and Kubernetes as an example, it provides (mumbles) opportunity. So the way we are build our (mumbles) service, we have built security in. More importantly, also we are providing security services. So let me simplify this, right? From a elevated perceptive, when you deploy an application, you need to think about how do you manage access to your application? Oh, that may be (mumbles) to an attack so how do you protect against network trash? We have a capability called cloud internet services to protect against it. Okay you are letting the good guys in now how do you know who it is? So you need to authenticate the person, right? So if we have a service called Lap ID that integrate seamlessly because developers don't need to care about the security, the (mumbles) technology details. We make it simple so developers focus on business logic. So that's about manage access. Next things is the application now need to protect the data. So how do you protect data of an application? So you may put in a Cloud-Native data base or a object store, right? In the new models these things evolve. And the first things companies try to do is you need to protect, encrypt them. As some people would say, encryption is for amateurs, key management is for professions. So ultimately it comes down to how do you manage your keys? And ultimately customers want more control of they keys so what we have, in the industry what we tell them is bring your own key, right? So customer controls they key even the encryption happens in the cloud. So we provide the capability with our key protect service so all our data bases are already integrated. Our object store is integrated. Our virtual servers are integrated, right? So these capabilities, this way whenever you encrypt the data it's provided. But given IBM's history, we understand like risk and financial teams go together. We are introducing a new paradigm. We are announcing this week. It's just not bring your keys. Keep your own keys. This way it's not only about how do you control the key, but in cryptography land, the keys get managed and protected by a HSM, a Hardware Security Module. We give the entire module that they can control. The HSM can be controlled by the customer along with the key. This is a shift because now customers can gain more confidence with that, so this service is called Hyper Protect Crypto service that we are bringing to market. Built on IBM's top level security capabilities. If you can imagine banks running on our mainframe and security being kind of the, whenever you talk in movies you look at security people say oh it's mainframe. They didn't hack but they get in to this system. That's a level of security. The top level of security we have. We are bringing that to cloud to make the data secure. And another thing that we are working on and announcing this week is it's not about whether the data is in the database or it's in cryptic form. It's also when it's processed an application in memory. Imagine you have a payment service, a credit card payment, and some one logs into the system and dumps the memory, Voila you get the credit card, right? Now we can protect it. With working with Intel, we are partnered with and launching a capability where when the data goes into memory, we can protect it. So end-to-end we are looking at manage access, protect data, and now you can't protect what you don't see, so we provide visibility. Who has accessed my services through access logs? Are there threats? So we are infusing machine learning and AI to detect malicious behavior on network. So bringing it to a single dashboard called security advisor, looking this piece. So manage access, protect data, gain visibility. More importantly, all of this in the context of developers, developer focus, developer experience, so that in a single click in an automated way, they can protect their apps. That's our goal. That's where our customers what to go. And we are addressing that with these capabilities. It's a journey. >> Yeah so I wanted to ask you how customers, what's best practice for scaling and automating all this and I think you've touched upon several things. It's design security in. Don't bolt it on. DevSecOps for example. It's scaling the key management and automating that key management. Those are at least a couple of the components that I've heard. Maybe you could, you know, follow through and add some color to that. >> Definitely. So when you look at the DevSecOps, right? So from a developer perspective, as they build automation tool, it goes through a pipeline. You have to take an application in order to deploy it. Let's take (mumbles) as an example. In the past or in a traditional IT world, that may be (mumbles) in the system so you need to patch them. Then there becomes tension between an IT operations team saying oh I need to patch these things, whereas a security team saying no, no I got to patch it. In the new world, why patch it? Why don't they spin up a new container that's now the most protected one. As you find availabilities, pin up a new image and spawn it on, right? In that context as you look at a developer integrating these things. So how do I deploy an application for manage access? You can integrate with out internet services so that any attack can be protected. You deploy it in a way. You can integrate your services where with identity can be authenticated. So those kind of build into the application. And then as you put this through the pipe, variabilities are being scanned. You can set your policy to say if you have a lot of variabilites, don't deploy protection. That's part of your DevOps policy that you can set. And then as you work with your security team, you can say hey guys you can manage the keys but tell me which data base and which key to use. So the management may be the security guy's responsibility. Application team looks at is saying which data base which key, let me configure it. So that moves towards what if a policy management configuration problem. So it's about DevTools integrating security into the design and into the develop and automation end-to-end that brings a collaborative culture because it's not a technology problem. It's a cultural problem. Organizational challenge that these kind of capabilities help customers. >> Why IBM? Give us the commercial. >> (laughs) Well IBM it's a trusted provider from a costumer's prospective. We know enterprises. For all these years, for lots, many, many decades, we have run enterprise systems, banking, most critical data, workloads. And with our expertise that's technology on one end. So when you look at IBM cloud built in. IBM security. World-leading enterprise security set of capabilities from IBM security, you have one plus one equal to three. Not to mention our expertise. We know our services capabilities, (mumbles), helping customers understand complainants, how to work with security or even manage security services. So that brings technology, expertise and capabilities with years worth of experience that we bring to the table. >> Stu I would say IBM does hard well, and security's hard so Raj thanks so much for coming on theCUBE and sharing with us some of the progress that IBM's making. Congratulations. >> Absolutely. Thank you very much. >> Alright you're welcome. Keep it right there, buddy. Stu and I will be back with Lisa Martin. We're here at IBM Think day one of theCUBE. Right back right after this short break. (electronic theme music)