(upbeat music) >> Hey, everyone. Welcome back to theCUBE's day one coverage of Cloud Native SecurityCon 2023. This has been a great conversation that we've been able to be a part of today. Lisa Martin with John Furrier and Dave Vellante. Dave and John, I want to get your take on the conversations that we had today, starting with the keynote that we were able to see. What are your thoughts? We talked a lot about technology. We also talked a lot about people and culture. John, starting with you, what's the story here with this inaugural event? >> Well, first of all, there's two major threads. One is the breakout of a new event from CloudNativeCon/KubeCon, which is a very successful community and events that they do international and in North America. And that's not stopping. So that's going to be continuing to go great. This event is a breakout with an extreme focus on security and all things security around that ecosystem. And with extensions into the Linux Foundation. We heard Brian Behlendorf was on there from the Linux Foundation. So he was involved in Hyperledger. So not just Cloud Native, all things containers, Kubernetes, all things Linux Foundation as an open source. So, little bit more of a focus. So I like that piece of it. The other big thread on this story is what Dave and Yves were talking about on our panel we had earlier, which was the business model of security is real and that is absolutely happening. It's impacting business today. So you got this, let's build as fast as possible, let's retool, let's replatform, refactor and then the reality of the business imperative. To me, those are the two big high-order bits that are going on and that's the reality of this current situation. >> Dave, what are your top takeaways from today's day one inaugural coverage? >> Yeah, I would add a third leg of the stool to what John said and that's what we were talking about several times today about the security is a do-over. The Pat Gelsinger quote, from what was that, John, 2011, 2012? And that's right around the time that the cloud was hitting this steep part of the S-curve and do-over really has meant in looking back, leveraging cloud native tooling, and cloud native technologies, which are different than traditional security approaches because it has to take into account the unique characteristics of the cloud whether that's dynamic resource allocation, unlimited resources, microservices, containers. And while that has helped solve some problems it also brings new challenges. All these cloud native tools, securing this decentralized infrastructure that people are dealing with and really trying to relearn the security culture. And that's kind of where we are today. >> I think the other thing too that I had Dave is that was we get other guests on with a diverse opinion around foundational models with AI and machine learning. You're going to see a lot more things come in to accelerate the scale and automation piece of it. It is one thing that CloudNativeCon and KubeCon has shown us what the growth of cloud computing is is that containers Kubernetes and these new services are powering scale. And scale you're going to need to have automation and machine learning and AI will be a big part of that. So you start to see the new formation of stacks emerging. So foundational stacks is the machine learning and data apps are coming out. It's going to start to see more apps coming. So I think there's going to be so many new applications and services are going to emerge, and if you don't get your act together on the infrastructure side those apps will not be fully baked. >> And obviously that's a huge risk. Sorry, Dave, go ahead. >> No, that's okay. So there has to be hardware somewhere. You can't get away with no hardware. But increasingly the security architecture like everything else is, is software-defined and makes it a lot more flexible. And to the extent that practitioners and organizations can consolidate this myriad of tools that they have, that means they're going to have less trouble learning new skills, they're going to be able to spend more time focused and become more proficient on the tooling that is being applied. And you're seeing the same thing on the vendor side. You're seeing some of these large vendors, Palo Alto, certainly CrowdStrike and fundamental to their strategy is to pick off more and more and more of these areas in security and begin to consolidate them. And right now, that's a big theme amongst organizations. We know from the survey data that consolidating redundant vendors is the number one cost saving priority today. Along with, at a distant second, optimizing cloud costs, but consolidating redundant vendors there's nowhere where that's more prominent than in security. >> Dave, talk a little bit about that, you mentioned the practitioners and obviously this event bottoms up focused on the practitioners. It seems like they're really in the driver's seat now. With this being the inaugural Cloud Native SecurityCon, first time it's been pulled out of an elevated out of KubeCon as a focus, do you think this is about time that the practitioners are in the driver's seat? >> Well, they're certainly, I mean, we hear about all the tech layoffs. You're not laying off your top security pros and if you are, they're getting picked up very quickly. So I think from that standpoint, anybody who has deep security expertise is in the driver's seat. The problem is that driver's seat is pretty hairy and you got to have the stomach for it. I mean, these are technical heroes, if you will, on the front lines, literally saving the world from criminals and nation-states. And so yes, I think Lisa they have been in the driver's seat for a while, but it it takes a unique person to drive at those speeds. >> I mean, the thing too is that the cloud native world that we are living in comes from cloud computing. And if you look at this, what is a practitioner? There's multiple stakeholders that are being impacted and are vulnerable in the security front at many levels. You have application developers, you got IT market, you got security, infrastructure, and network and whatever. So all that old to new is happening. So if you look at IT, that market is massive. That's still not transformed yet to cloud. So you have companies out there literally fully exposed to ransomware. IT teams that are having practices that are antiquated and outdated. So security patching, I mean the blocking and tackling of the old securities, it's hard to even support that old environment. So in this transition from IT to cloud is changing everything. And so practitioners are impacted from the devs and the ones that get there faster and adopt the ways to make their business better, whether you call it modern technology and architectures, will be alive and hopefully thriving. So that's the challenge. And I think this security focus hits at the heart of the reality of business because like I said, they're under threats. >> I wanted to pick up too on, I thought Brian Behlendorf, he did a forward looking what could become the next problem that we really haven't addressed. He talked about generative AI, automating spearphishing and he flat out said the (indistinct) is not fixed. And so identity access management, again, a lot of different toolings. There's Microsoft, there's Okta, there's dozens of companies with different identity platforms that practitioners have to deal with. And then what he called free riders. So these are folks that go into the repos. They're open source repos, and they find vulnerabilities that developers aren't hopping on quickly. It's like, you remember Patch Tuesday. We still have Patch Tuesday. That meant Hacker Wednesday. It's kind of the same theme there going into these repos and finding areas where the practitioners, the developers aren't responding quickly enough. They just don't necessarily have the resources. And then regulations, public policy being out of alignment with what's really needed, saying, "Oh, you can't ship that fix outside of Germany." Or I'm just making this up, but outside of this region because of a law. And you could be as a developer personally liable for it. So again, while these practitioners are in the driver's seat, it's a hairy place to be. >> Dave, we didn't get the word supercloud in much on this event, did we? >> Well, I'm glad you brought that up because I think security is the big single, biggest challenge for supercloud, securing the supercloud with all the diversity of tooling across clouds and I think you brought something up in the first supercloud, John. You said, "Look, ultimately the cloud, the hyperscalers have to lean in. They are going to be the enablers of supercloud. They already are from an infrastructure standpoint, but they can solve this problem by working together. And I think there needs to be more industry collaboration. >> And I think the point there is that with security the trend will be, in my opinion, you'll see security being reborn in the cloud, around zero trust as structure, and move from an on-premise paradigm to fully cloud native. And you're seeing that in the network side, Dave, where people are going to each cloud and building stacks inside the clouds, hyperscaler clouds that are completely compatible end-to-end with on-premises. Not trying to force the cloud to be working with on-prem. They're completely refactoring as cloud native first. And again, that's developer first, that's data first, that's security first. So to me that's the tell sign. To me is if when you see that, that's good. >> And Lisa, I think the cultural conversation that you've brought into these discussions is super important because I've said many times, bad user behavior is going to trump good security every time. So that idea that the entire organization is responsible for security. You hear that all the time. Well, what does that mean? It doesn't mean I have to be a security expert, it just means I have to be smart. How many people actually use a VPN? >> So I think one of the things that I'm seeing with the cultural change is face-to-face problem solving is one, having remote teams is another. The skillset is big. And I think the culture of having these teams, Dave mentioned something about intramural sports, having the best people on the teams, from putting captains on the jersey of security folks is going to happen. I think you're going to see a lot more of that going on because there's so many areas to work on. You're going to start to see security embedded in all processes. >> Well, it needs to be and that level of shared responsibility is not trivial. That's across the organization. But they're also begs the question of the people problem. People are one of the biggest challenges with respect to security. Everyone has to be on board with this. It has to be coming from the top down, but also the bottom up at the same time. It's challenging to coordinate. >> Well, the training thing I think is going to solve itself in good time. And I think in the fullness of time, if I had to predict, you're going to see managed services being a big driver on the front end, and then as companies realize where their IP will be you'll see those managed service either be a core competency of their business and then still leverage. So I'm a big believer in managed services. So you're seeing Kubernetes, for instance, a lot of managed services. You'll start to see more, get the ball going, get that rolling, then build. So Dave mentioned bottoms up, middle out, that's how transformation happens. So I think managed services will win from here, but ultimately the business model stuff is so critical. >> I'm glad you brought up managed services and I want to add to that managed security service providers, because I saw a stat last year, 50% of organizations in the US don't even have a security operations team. So managed security service providers MSSPs are going to fill the gap, especially for small and midsize companies and for those larger companies that just need to augment and compliment their existing staff. And so those practitioners that we've been talking about, those really hardcore pros, they're going to go into these companies, some large, the big four, all have them. Smaller companies like Arctic Wolf are going to, I think, really play a key role in this decade. >> I want to get your opinion Dave on what you're hoping to see from this event as we've talked about the first inaugural standalone big focus here on security as a standalone. Obviously, it's a huge challenge. What are you hoping for this event to get groundswell from the community? What are you hoping to hear and see as we wrap up day one and go into day two? >> I always say events like this they're about educating, aspiring to action. And so the practitioners that are at this event I think, I used to say they're the technical heroes. So we know there's going to be another Log4j or a another SolarWinds. It's coming. And my hope is that when that happens, it's not an if, it's a when, that the industry, these practitioners are able to respond in a way that's safe and fast and agile and they're able to keep us protected, number one and number two, that they can actually figure out what happened in the long tail of still trying to clean it up is compressed. That's my hope or maybe it's a dream. >> I think day two tomorrow you're going to hear more supply chain, security. You're going to start to see them focus on sessions that target areas if within the CNCF KubeCon + CloudNativeCon area that need support around containers, clusters, around Kubernetes cluster. You're going to start to see them laser focus on cleaning up the house, if you will, if you can call it cleaning up or fixing what needs to get fixed or solved what needs to get solved on the cloud native front. That's going to be urgent. And again, supply chain software as Dave mentioned, free riders too, just using open source. So I think you'll see open source continue to grow, but there'll be an emphasis on verification and certification. And Docker has done a great job with that. You've seen what they've done with their business model over hundreds of millions of dollars in revenue from a pivot. Catch a few years earlier because they verify. So I think we're going to be in this verification blue check mark of code era, of code and software. Super important bill of materials. They call SBOMs, software bill of materials. People want to know what's in their software and that's going to be, again, another opportunity for machine learning and other things. So I'm optimistic that this is going to be a good focus. >> Good. I like that. I think that's one of the things thematically that we've heard today is optimism about what this community can generate in terms of today's point. The next Log4j is coming. We know it's not if, it's when, and all organizations need to be ready to Dave's point to act quickly with agility to dial down and not become the next headline. Nobody wants to be that. Guys, it's been fun working with you on this day one event. Looking forward to day two. Lisa Martin for Dave Vellante and John Furrier. You're watching theCUBE's day one coverage of Cloud Native SecurityCon '23. We'll see you tomorrow. (upbeat music)

why from Boston Massachusetts it's the queue covering Red Hat summit 2019 watch you bye Red Hat well good morning welcome back to our live coverage here in Boston with the BCC and we're at Red Hat summit 2019 you're watching exclusive coverage here on the cube this is day three of three great days here at the summit's two minimun John wall's and we're joined now by Paul Cormier who's the president of products and technologies at Red Hat good morning Paul morning how are you doing I'm doing great great so are we a wonderful job on the on the keynote stage yesterday and we're gonna jump into that a little bit but I wanted to run something by you here a great man once said every great achievement begins with a bold goal I heard that I'm looking at that man yeah so one of the many statements that I thought really jumped out yesterday let's talk about that in terms of just the Red Hat philosophy what's happened with rl8 where you've gone with openshift for and just how that is embedded in your mind to how red hat goes about its business well you know we've we've we've been in the enterprise space for 17 plus years and prior to that red had you know we were basically through the retail through the retail channel but first and foremost Red Hat started as an open source company that's where they started not as an enterprise company once we decided with the bold goal that we're gonna get this into the enterprise that's what we really set you know really transformed into what you've maybe heard before from out of my mouth is where we're we're not an open source company although everything we do is open source for an enterprise software company with an open source development model that was kind of the beginning of the first bold goal let's get Linux to the enterprise and so that's sort of how we've thought about it from day one is let's take it one step at a time you know as I said get Linux in the enterprise make make rel the operating system in the enterprise now let's take on virtualization versus n then KVM and then as that all happens so much innovation happened around Linux that all these other pieces came you know Hadoop kubernetes all the other pieces so we just kept growing with that because it's all intertwined with Linux that's one step at a time so Paul before we get off this place I want you to put a fine point on it for our audience because you look out there you know open source is not a community it's lots of communities and it's not you know one thing it's many things out there and today people will look at there's certain companies how do I create IP and monetize what we're doing and you know where the project and the company are you know sometimes intertwined and licensing models changing you know Red Hat has a very simple philosophy on it and it's not something that's necessarily easily replicatable yeah I mean there's simple simple philosophy is it so it's it's upstream first that that's that's our philosophy yes we are a business and certainly making our products successful is is is important number number number one goal number zero goal before that is make the project successful our products can't be successful unless we're we're built on a successful project and it's not something that we even think about because it's just ingrained it's it's it's in our DNA so I mean I'll give you examples you know even kubernetes we didn't start the project Google started the project but we knew in order if we were going to incorporate that in a big way into our products that we had to be prominent in the community so that's what we did first and then it rolled out into the products it's just ingrained it's in the DNA yeah so let's talk a little bit about kubernetes openshift you've now got over a thousand customers congratulations on that and openshift for we spent a bunch of time talking with the team but let's start a little bit higher level because you know there's dozens of you know kubernetes options out there people look at is there interoperability between them you know in the early days customers would just spin their own pieces and on you know today every cloud provider has at least one option if not multiple options and there's all the independent how does this play out you know where are we along the maturity and how do all these pieces fit together or do they I mean if you look if you look at kubernetes I mean the thing here's the the good news the good news is open source has become so prominent in in everywhere we wear now ourselves included we make this mistake ourselves we've confused projects with products so kubernetes is a project it's a development project and we all talk about that like it's a product the same it's the same thing with Linux so I'll give you an example with the Linux kernel where all you know all the commercial vendors and everyone else is in that same upstream development tree with the Linux kernel but when the commercial guys like ourselves when we go to build a product we make choices of which file systems we're going to support which installers we're going to support you know what we're gonna do for management what we're gonna support for storage and for many reasons we all make different decisions so that's why at the end of the day when we come down to our products even though they're all completely open you know rel is different from Susu which is different from a bun too which is different from all the others it's the same exact thing with kubernetes we all develop here but now we bring that down into a platform like open shift that kubernetes touches userspace api's it such as kernel a api's and so unless you you integrate those and they all move forward in the lifecycle of that platform at the same time we get out of sync with each other and that's one of the reasons why it's a product and they don't necessarily work across each other with you know with all the other products it's the same exact principle that made rel and at the same exact principle how linux works right so what advice do you give to customers is how they look at this because they're like oh wait there's now azure an open shift this jointly offered solution but do I use that or Duty as the native you know aks solution out there you've got partnership to the AWS you know where does open shift versus anthos on google fit it's it definitely is a little bit fragmented well the other thing that's happened around the cloud one of the things that happened in early in the cloud a lot of the cloud providers said every applications going to the cloud tomorrow I think that was ten years ago and the last number I thought sorry we're about 20 percent there and so and that's great we think that's great but customers still have on-premise applications and they have a running on-premise either bare metal virtual machine they have their own private clouds in many cases and now they want to go across clouds every customer I talked to and it's not just for lock-in that's definitely an issue they want to go across clouds because this cloud provider might have a better service here than that cloud provider and vice versa so what customers want to do is they want one common operating environment both of the applications developer in the operators they can't afford to have five different silos because just like the example I used with Linux distributions being different every one of these kubernetes distributions is different and so anthos for example if you're gonna have all your applications including bare metal applications on Google Linux then that's good because your operators have one operating environment you developers have one development environment but that's impractical and that's why that's that's not gonna work I mean the reason why I think Microsoft is one of our best partners here is they understand this which is why they've embraced openshift so so deeply even though they have aks in their stable and the reason why I think they understand this is because they like us have been in the enterprise space for a long time this is how enterprise computing works and I think that's the model that our customers they don't have no choice to deploy they just can't afford to have five different you know operating environments it's like the UNIX days it's like the UNIX days all over again and you know when you had one vertical stack and you know customers started to roll out a common fact that's why Rell succeeded because we gave them that commonality and they couldn't afford five different silos to try to manage and develop their applications to you know is there a different rhythm or unique rhythm to the open source community in terms of development in terms of new products that might be a little different than then old older models because you know if I'm saying if I if there's an interest that focuses maybe in one area and the interests of ER you know or momentum shifts over to a different direction and and maybe this standard or this old way kind of loses a little bit of its impetus or its force I mean what that creates decision challenges on customer sign but but absolutely and and that's why as they said even with kubernetes we didn't jump in full force exactly right away you know we sort of we sort of worked in many of it with many container orchestration technologies out there most of which besides kubernetes are gone by the wayside a bit now and you know we sort of sort of look at that and see where this plays out well we get involved but we also try to make make the best technical decision as well kubernetes now it's got way too much momentum in in in the in with open source because it's got so much momentum that's where the innovation is happening and at the end of the day customers even though they have confused many projects with products they still want they still want the right technology to solve their business business problems right and so cuckoo Bernays has so much momentum around it that's where the innovation is happening so that's that's that's the plot that's the big part of the platform right now and so I think that's the other thing I think that a lot of people that try to jump into this space miss is if you're gonna base your enterprise product on an upstream project you better have good influence in that upstream project because when your customers ask you to address an issue or or take it in a direction or help take it in the direction if you don't have that influence you can't satisfy your customers so we learned very very early on that upstream is is not a bolt-on for us it's an integral part that starts even before the product starts so Paul I've heard many people often call Red Hat the Switzerland of IT you know being where you sit in the community and you know for years at this show we've interviewed you know all of the hardware players and everything like that sorry sorry I'm taking important calls it's no worries you know live audience can wait we'll show you the clip of John Cleese when we got interrupted on a program once we won't think was my admin telling me I needed to come here you're good but so you know with Red Hat starting as that as that Switzerland when I look at the multi cloud world its you've got interesting combination you know Satya Nadella up on stage is not something that we would have thought of right five years ago so you know VMware supporting OpenShift announced today is not something that many people will look at and be like oh geez you know that seems surprising to me because you know we have you know fights over virtualization or various piece of the stack what do you see in kind of the software and multi cloud world today that's maybe a little different than it was five or ten years ago I think I mean to VMware's credit they're trying to satisfy their customers and their customers are saying I want OpenShift and so we we work with trying to satisfy our customers to the Microsoft arrangement I mean as you guys probably well know we weren't the best of friends you know five six seven eight years ago and I think Satya said it on stage and they our customers got us together literally we had a set of big customers that almost took us in a room and said you guys need to talk and and frankly I think they're one of our best partners right now I'm not sure it could have happened without Satya but they're one of our best partners because we're both interested in satisfying our customers in and as I said I think Microsoft really understands the enterprise world and that's why we're going in the common direction we almost when we get in the room with their engineers we almost complete each other's sentences of you know when we start talking about what we need to do you know there's been an announcement early in the week ahead of a global economic study done IDC came up with this huge number right 10 trillion dollar impact that Linux is having globally speaking just if you would just curious about your perspective on that what kind of a statement that is and and the dollar values that are achieved or the incremental values that are achieved in terms of applying these technology I think it's a couple things I think I think it's a statement that this is the innovation most so open-source is the innovation model going forward period end of story full stop and I think as I said in my keynote yesterday you know leading up to the the biggest acquisition ever for a software company not an open-source software coming a software company that happened to be an open-source software company I don't think there's any doubt that that open source has one here here today it and it's because of the pace of innovation I mean yes I mean we've been at rel for 17 plus years well we probably spent the first third or so without 17 plus years trying to convince the world that Linux was secure and it was stable and it was ready for the enterprise once we got through that hurdle it was just off to the races from there and kubernetes what you know I said yesterday containers came on the scene although they've been here technically for a long time they came on the scene in 14 herba Nettie's in 15 it's only 2019 it's really not that far downstream where were as you said we've got a thousand commercial customers and the keynote this morning talking about some of the use cases that we're solving with with OpenShift I mean Boston Children's Hospital is just unbelievable of what they can do in a matter of a week that used to take them a matter of a month to do right that's because of the innovation model we have dr. Ellen Grant on yesterday by the way so if you haven't watched that yet go back to the cube net and check that interview out yeah I mean fascinating kind of customer conversation we've had about transformation but want to get your take on the only constant in our industry which is change I wrote right after the the announcement of the acquisition and meeting with your changes Red Hat the one thing that they've actually built themselves for is to deal with the massive amounts of change you know you could tell better than more how fast the Linux kernel is changing you know a third of the codes changed in the last two years and kubernetes is actually not as many lines of code as Linux but it's massive amounts of change I heard you know we relate out to about five years of development on that I heard the the pace going forward will only get faster every three years you're gonna have a major release every six months right a minor release so how do you get the team in the community and all these things you know ever keeping up and even turning it up to 11 that day that's that's probably the one of the biggest parts of our job our customers can't deal with that change you know frankly I think in the bidding beginning of OpenStack one of the one of the mistakes that we as a community did for our customers was there were some vendors out there trying to tell customers you need to stay close to the head to the upstream head you need to stay close to the head and we really all try to get things out in six months that's great to try to start to evaluate innovation and how what you can do with that it's not great for necessarily running a stable business on and that's what and that's what I think our job is is to help our customers consume open-source developed technologies in a way that they can continue to run their business and that was the goal that was the audacious goal of rel from the beginning is that the model of rel it's in it's no I it's it's not necessarily about the bits because they're free it's about the life cycle of that and how we can help our customers consume that and that's what we do that frankly it to the core well just to follow up on that if you ask your customer and you say hey you're using Azure what version you are using they're like Microsoft patches and updates that constantly as opposed to the traditional you know Patch Tuesday in Windows so you know we seem to be closing that gap a little but it's challenging between the stuff I control and the stuff that I consume well we'll look at even OpenShift for we used I mean I know ashesh was on yesterday talking about that but we used a lot of the great technology we got from core OS to start to bring that model bet on to even on premise if you so choose with open shift because there's so many of the components that are that are intertwined with each other you know you've got kubernetes with talking the user space talking the kernel user space talking to the kernel talking the storage talking to networking so now automating that for our customers for that updates is is is what they want because that's how they consume it in the cloud I remember when we first started rel we used to put the the features on the side of the box and the first thing was what version of the kernel it was that quickly went away - they don't want to have to worry about that because they don't have the expertise to do to be added' eyewire themselves well congratulations Paul great week thank you very much again well done now on the keynote stage yesterday fascinating stuff this morning - so well done on the program inside and we wish you look down the road and don't forget to check your voicemail no I will thank you guys very much might be important all right always a pleasure back with more here from Red Hat summit 2019 you're watching us live here on the Q [Music]