(reveal music) >> We're kicking off with Deepak Rangaraj who's PowerEdge Security Product Manager at Dell Technologies. Deepak. Great to have you on the program. Thank you. >> Thank you for having me. >> So we're going through the infrastructure stack and in part one of this series, we looked at the landscape overall and how cyber has changed and specifically how Dell thinks about data protection in and security in a manner that both secures infrastructure and minimizes organizational friction. We also hit on the storage part of the portfolio. So now we want to dig into servers. So my first question is what are the critical aspects of securing server infrastructure that our audience should be aware of? >> Sure. So if you look at computing in general, right? It has rapidly evolved over the past couple of years especially with trends towards software defined data centers and with also organizations having to deal with hybrid environments, where they have private clouds public cloud, extra locations, remote offices and also remote workers. So on top of this, there's also an increase in the complexity of the supply chain itself, right? There are companies who are dealing with hundreds of suppliers as part of their supply chain. So all of this complexity provides a lot of opportunity for attackers because it's expanding the threat surface of what can be attacked. And attacks are becoming more frequent, more severe and more sophisticated. And this has also triggered around, in the regulatory and mandates around the security needs. And these regulations are not just in the government sector, right? So it extends to critical infrastructure. And eventually it will also get into the private sector. In addition to this organizations are also looking at their own internal compliance mandates and this could be based on the industry in which they're operating in or it could be their own security questions. And this is the landscape in which servers are operating in today. And given that servers are the foundational blocks of the data center it becomes extremely important to protect them, and given how complex the modern server platforms are, it's also extremely difficult and it takes a lot of effort. And this means protecting everything from the supply chain, to the manufacturing, and then eventually the assuring the hardware and software integrity of the platforms and also the operations. And there are very few companies that go to the lengths that Dell does in order to secure the server. We truly believe in the notion and the security mentality that, you know security should enable our customers to go focus on their business and proactively innovate on their business. And it should not be a burden to them. And we heavily invest to make that possible for our customers. >> So, this is really important because the premise that I set up at the beginning of this was really that I, as a security pro, I'm not a security pro, but if I were I wouldn't want to be doing all this infrastructure stuff because I now have all these new things I got to deal with. I want a company like Dell who has the resources to build that security in, to deal with the supply chain, to ensure the Providence et cetera. So I'm glad you hit on that but so given what you just said, what does cybersecurity resilience mean from a server perspective? For example, are there specific principles that Dell adheres to that are non-negotiable, let's say. How does Dell ensure that its customers can trust your server infrastructure? >> Yeah. Like when, when it comes to security at Dell, right it's ingrained in our product DNA. So that's the best way to put it. And security is non-negotiable, right? It's never an after thought where you come up with a design and then later on figure out how to go make it secure, right? With our security development life cycle, the products are being designed to counter these threats right from the beginning. And in addition to that, we are also testing and evaluating these products continuously to identify vulnerabilities. We also have external third party audits which supplement this process. And in addition to this Dell makes the commitment that we will rapidly respond to any mitigations and any vulnerabilities and exposures found out in the field and provide mitigations and patches for those in a timely manner. So this security principle is also built into our server life cycle, right? Every phase of it. So we want our products to provide cutting edge capabilities when it comes to security. So as part of that, we are constantly evaluating what our security model has done. We are building on it and continuously improving it. So till a few years ago, our model was primarily based on the NEST Framework of protect, detect, and regular. And it's still aligns really well to that framework. But over the past couple of years, we have seen how computers evolved, how the threats have evolved. And we have also seen the regulatory trends and we recognize the fact that the best security strategy for the modern world is a Zero Trust approach. And so now when we are building our infrastructure and tools and offerings for customers, first and foremost, they're cyber resilient, right? What we mean by that is they're capable of anticipating threats, withstanding attacks and rapidly recurring from attacks, and also adapting to the adverse conditions in which they're deployed. The process of designing these capabilities and identifying these capabilities, however is done through the Zero Trust Framework. And that's very important because now we are also anticipating how our customers will end up using these capabilities at their end to enable their own Zero Trust IT Environments and IT Zero Risk Deployments. We have completely adapted our security approach to make it easier for customers to work with us no matter where they are in their journey towards zero trust adoption. >> So thank you for that. You mentioned the NEST framework. You talked about Zero Trust. When I think about NEST I think as well about layered approaches. And when I think about Zero Trust, I think about if you don't have access to it, you're not getting access. You got to earn that access and you've got layers. And then you still assume that bad guys are going to get in. So you've got to detect that and you've got to response. So server infrastructure security is so fundamental. So my question is what is Dell providing specifically to for example, detect anomalies and breaches from unauthorized activity? How do you enable fast and easy or facile recovery from malicious incidents? >> Right, what that is, is exactly right. Breaches are bound to happen. Given how complex our current environment is it's extremely distributed and extremely connected, right? Data and users are no longer contained within offices where we can set up a parameter firewall and say, yeah, everything within that is good. We can trust everything within it. That's no longer true. The best approach to protect data and infrastructure in the current world is to use a Zero Trust approach which uses the principles, nothing is ever trusted, right? Nothing is trusted implicitly. You're constantly verifying every single user, every single device and every single access in your system at every single level of your IT environment. And this is the principle that we use on PowerEdge, right? But with an increased focus on providing granular controls and checks based on the principles of these privileged access. So the idea is that service first and foremost need to make sure that the threats never enter and they're rejected at the point of entry but we recognize breaches are going to occur. And if they do, they need to be minimized such that this fear of damage cost by attacker is minimized. So they're not able to move from one part of the network to something else, laterally or escalate their privileges and cause more damage, right? So the impact radius for instance, has to be reduced. And this is done through features like automated detection capabilities and automation, automated mediation capabilities. So some examples are, as part of our end to end boot resilience process we have what we call a system lockdown, right? We can lock down the configuration of the system and lock down the document versions and all changes to the system. And we have capabilities which automatically detect any drift from that lockdown configuration. And we can figure out if the drift was caused to do authorized changes or unauthorized changes. And if it is an unauthorized change can log it, generate security alerts. And we even have capabilities to automatically draw the firmware and roll those versions back to a known good version, and also the configurations, right? And this becomes extremely important because as part of Zero Trust, we need to respond to these things at machine speed, and we cannot do it at a human speed. And having these automated capabilities is a big deal when achieving that Zero Trust strategy. And in addition to this, we also have chassis intrusion detection where if the chassis, the box, the server box is opened up, it logs alerts and you can figure out, even later if there's an AC power cycle, you can go look at the logs to see that the boxes opened up and figure out if there was a, like an known authorized access or some malicious actor opening and changing something in your system. >> Great. Thank you for that. Lot of detail and appreciate that. I want to go somewhere else now because Dell has a renowned supply chain reputation. So what about securing the the supply chain and the server bill of materials? What does Dell specifically do to track the Providence of components it uses in its systems so that when the systems arrive a customer can be a hundred percent certain that that system hasn't been compromised. >> Right? And we talked about how complex the modern supply chain is, right? And that's no different for service. We have hundreds of components on the server and a lot of these require from where in order to be configured and run and these firmware competence could be coming from third party suppliers. So now the complexity that we are dealing with require the end to end approach. And that's where Dell pays a lot of attention into assuring the security of our supply chain. And it starts all the way from sourcing components, right? And then through the design and then even the manufacturing process where we are vetting the personal manufacturers and vetting the factories itself and the factories also have physical controls physical security controls built into them and even shipping, right? We have GPS tagging of packages. So all of this is built to ensure supply chain security but a critical aspect of this is also making sure that the systems which are built in the factories are delivered to the customers without any changes or any tamper. And we have a feature called the secure component verification, which is capable of doing this. What the feature does is when the system gets built in the factory, it generates an inventory of all the components in the system and it creates a cryptographic certificate based on the signatures presented to this by the competence. And this certificate is stored separately and sent to the customers separately from the system itself. So once the customers receive the system at their end they can run out to, it generates an inventory of the competence on the system at their end and then compare it to the golden certificate to make sure nothing was changed. And if any changes are detected we can figure out if there's an authorized change or an unauthorized change. Again authorized changes could be like, you know upgrades to the drives or memory and unauthorized changes could be any sort of tamper. So that's the supply chain aspect of it. And bill of materials is also an important aspect to guaranteeing security, right? And we provide a software bill of materials which is basically a list of ingredients of all the software pieces in the platform. So what it allows our customers to do is quickly take a look at all the different pieces and compare it to the vulnerability database and see if any of the vulnerable pieces which have been discovered out in the wild affect their platforms. So that's a quick way of figuring out if the platform has any known vulnerabilities and it has not been patched. >> Excellent. That's really good. My last question is, I wonder if you could, you know give us the sort of summary from your perspective. What are the key strengths of Dell server portfolio from a security standpoint? I'm really interested in, you know, the uniqueness and the strong suit that Dell brings to the table. >> Right? Yeah. We have talked enough about the complexity of the environment and how Zero Trust is necessary for the modern IT environment, right? And this is integral to Dell PowerEdge service. And as part of that, like, you know security stats with the supply chain, we have already talked about the second component verification which is a unique feature that Dell platforms have. And on top of it we also have a Silicon based platform mode of trust. So this is a key, which is programmed into the Silicon on the black server during manufacturing and can never be changed after. And this immutable key is what forms the anchor for creating the chain of trust. That is used to verify everything in the platform from the hardware and software integrity to the boot, all pieces of it. Right? In addition to that, we also have a host of data protection features, whether it is protecting data across in news or inflight, we have self encrypting drives which provides scalable and flexible encryption options. And this coupled with external key management provides really good protection for your data address. External key management is important because, you know somebody could physically steal the server, walk away but then the keys are not stored on the server. It's stored separately. So that provides your action layer security. And we also have dual layer encryption where we can compliment the hardware encryption on the secure encrypted drives with software encryption. In addition to this, we have identity and access management features like multifactor authentication, single sign on roles, scope, and time based access controls. All of which are critical to enable that granular control and checks for Zero Trust approach. So I would say like, you know, if you look at the Dell feature set, it's pretty comprehensive. And we also have the flexibility built in to meet the needs of all customers, no matter where they fall in the spectrum of, you know risk tolerance and security sensitivity. And we also have the capabilities to meet all the regulatory requirements and compliance requirements. So in a nutshell, I would say that, you know Dell PowerEdge service is cyber resilient infrastructure helps accelerate Zero Trust option for customers. >> Got it. So you've really thought this through, all the various things that you would do to sort of make sure that your server infrastructure is secure, not compromised, that your supply chain is secure, so that your customers can focus on some of the other things that they have to worry about, which are numerous. Thanks, Deepak, appreciate you coming on "The Cube" and participating in the program. >> Thank you for having me. >> You're welcome. In a moment, I'll be back to dig into the networking portion of the infrastructure. Stay with us for more coverage of a blueprint for trusted infrastructure and collaboration with Dell technologies on "The Cube". Your leader in enterprise and emerging tech coverage. (outro music)

>>And welcome to the DockerCon cube cover here on the main stage. So HIRA RA development manager at J Frogg. Welcome to the cube. You guys have been on many times, uh, with J Frogg on the cube, great product you guys are doing great. Congratulations on all the six. Thanks for coming on the cube. >>Thank you. Thank you for having >>Me. So I'm really interested in talking about the supply chain, uh, package management, supply chain, and software workflow, huge discussion. This is one of the hottest issues that's being solved on by, with, with in DevOps and DevSecOps in, in the planet. It's all over the, all over the news, a real challenge, open source, growing so fast and so successful with cloud scale and with automation, as you guys know, you gotta ha you gotta know what's trusted, so you gotta build trust into the, the product itself. So developers don't have to do all the rework. Everyone kind of knows this right now, and this is a key solve problem you guys are solving. So I gotta ask you, what is the package management issue? Why is it such an important topic when you're talking about security? >>Yeah. Uh, so if you look at, uh, look at how software is built today, about 80 to 90% of that is open source. And currently the way we, the way we pull those open source libraries, we just, we just have blind trust in, in repositories that are central, and we rely on whatever mechanism they have built to, to establish that trust, uh, with the developer who is building it. And from, from our experience, uh, we have learned that that is not sufficient, uh, that is not sufficient to tell us that that particular developer built that end product and, uh, whatever code that they build is actually coming out in the end product. So we need, we need something to bridge that gap. We need, we need a trustworthy mechanism there to bridge that gap. And there are, there are a few other, uh, elements to it. >>Um, all these center depositories are prone to, uh, single point of failures. And, you know, in, we have all experience what happens when one of those goes down and how it stops production and how it, how it stops just software, uh, development, right? And we, what we are working on is how do we build a system where we, we can actually have, uh, liquid software as a reality and just continue to build software, regardless of all these systems of being live all the time, uh, and also have a, an implicit, uh, way of mechanism to trust, uh, what is coming out of those systems? >>You know, we've talked with you guys in the past about the building blocks of software and what flows through the pipelines, all that stuff's part of what is automated these days and, and, and important. And what I gotta ask you because security these days is like, don't trust anything, you know, um, here it's, you're, you're trusting software to be in essence verified. I'm simplifying, obviously. So I gotta ask you what is being done to solve this problem, because states change, you know, you got data, you got software injections, and you got, we got containers and Kubernetes right here, helping all this is on the table now, but what is currently being done to solve the problem? Cause it's really hard. >>Yeah, it is. It is a really hard problem. And currently, right, when we develop software, we have a team, uh, which, which we work with and we trust whatever is coming out of the team. And we have, we have a, um, what do you call certified, uh, pro production mechanism to build that software and actually release it to our customers. And when it is done in house, it is easy because we are, we control all the pieces. Now what happens when, when we are doing this with open source, we don't have that chain. We need that chain, which is independent. We just independent of where the software was, you know, produced versus where it is going to be used. We need a way to have Providence of how it was built, which parts actually went in, uh, making, uh, making the end product. Uh, and, and what are the things that we see are, are, are, uh, continuing, uh, uh, continuing evidences that this software can be used. So if there is a vulnerability that is discovered now, that is discovered, and it is released in some database, and we need to do corrective action to say that this vulnerability associated with this version, and there is no, there's no automated mechanism. So we are working on an automated mechanism where, where you can run a command, which will tell you what has happened with this piece of, uh, software, this version of it, and whether it is production worthy or not. >>It's a great goal. I gotta say, but I'll tell you, I can guarantee there's gonna be a ton of skeptics on this security people. Oh, no, I don't. I doubt it's always a back door. Um, what's the relationship with Docker? How do you guys see this evolving? Obviously it's a super important mission. Um, it's not a trend that's gonna go away. Supply chain software is here to stay. Um, it's not gonna go away. And we saw this in hardware and everyone kind of knows kind of what happens when you see these vulnerabilities. Um, you gotta have trusted software, right? This is gonna be continuing what's the relationship with DockerCon? What are you guys doing with dock and here at DockerCon? >>So we, when we actually started working on this project, uh, both Docker and, uh, J frog had had similar ideas in mind of how, how do we make this, uh, this trust mechanism available to anyone, uh, who wants it, whether they're, whether they're in interacting with dock hub or, or regardless of that, right. And how do we actually make it a mechanism, uh, that just, uh, uh, that just provides this kind of, uh, this kind of trust, uh, without, without the developer having to do something. Uh, so what we worked with, uh, with Docker is actually integrating, um, integrating our solution so that anywhere there, uh, there is, uh, Docker being used currently, uh, people don't have to change those, uh, those behaviors or change those code, uh, those code lines, uh, right. Uh, because changing hand, uh, changing this a single line of code in hundreds of systems, hundreds of CI systems is gonna be really hard. Uh, and we wanted to build a seamless integration between Docker and the solution that we are building, uh, so that, so that you can continue to do Docker pro and dock push and, but get, uh, get all the benefits of the supply chain security solution that we have. >>Okay. So let's step back for a minute and let's discuss about the pro what is the project and where's the commercial J Frogg Docker intersect take that, break that apart, just step out the project for us. What's the intended goals. What is the project? Where is it? How do people get involved and how does that intersect with the commercial interest of JRO and Docker? >>Yeah. Yeah. My favorite topic to talk about. So the, the project is called Peria, uh, Peria is, uh, is an open source project. It is, it is an effort that started with JRO and, and Docker, but by no means limited to just JRO and dock contributing, we already have five companies contributing. Uh, we are actually building a working product, uh, which will demo during, uh, during our, uh, our talk. And there is more to come there's more to come. It is being built iteratively, and, and the solution is basically to provide a decentralized mechanism, uh, similar to similar to how, how you, uh, do things with GI, so that you have, you have the, uh, the packages that you are using available at your nearest peer. Uh, there is also going to be a multi load build verification mechanism, uh, and all of the information about the packages that you're going to use will be available on a Providence log. >>So you can always query that and find out what is the latest state of affairs, what ES were discovered and make, make quick decisions. And you don't have to react after the fact after it has been in the news for a while. Uh, so you can react to your customer's needs, um, uh, as quick as they happen. And we feel that the, our emphasis on open source is key here because, uh, given our experience, you know, 80 to 90% of software that is packaged, contains open source, and there is no way currently, which we, uh, or no engineering mechanisms currently that give us that, uh, that confidence that we, whatever we are building and whatever we are dependencies we are pulling is actually worthwhile putting it into production. >>I mean, you really, it's a great service. I mean, you think about like all that's coming out, open source, open source become very social, too. People are starting projects just to code and get, get in the, in the community and hang out, uh, and just get in the fray and just do stuff. And then you see venture capitals coming in funding those projects, it's a new economic system as well, not just code, so I can see this pipeline beautifully up for scale. How do people get involved with this project? Cause again, my, my questions all gonna be around integration, how frictionless it is. That's gonna be the challenge. You mentioned that, so I can see people getting involved. What's what's how do people join? What do they do? What can they do here at Docker con? >>Yeah. Uh, so we have a website, Percy, I P yr S I a.io, and you'll find all kinds of information there. Uh, we have a GI presence. Uh, we have community meetings that are open to public. We are all, we are all doing this under the, uh, under the umbrella limits foundation. We had a boots scrap project within Linux foundation. Uh, so people who have interest in, in all these areas can come in, just, just attend those meetings, uh, add, uh, you know, add comments or just attend our stand up. So we are running it like a, like a agile from, uh, process. We are doing stand up, we are doing retrospectives and we are, we are doing planning and, and we are, we are iteratively building this. So what you'll see at Dr. Conn is, is just a, a little bit of a teaser of what we have built so far and what you, what you can expect to, uh, see in, in future such events. >>So thanks for coming on the queue. We've got 30 seconds left, put a quick plug in for the swamp up, coming up. >>Yeah. Uh, so we, we will talk a lot more about Peria and our open source efforts and how we would like you all to collaborate. We'll be at swamp up, uh, in San Diego on May 26th, uh, May 24th to 26th. Uh, so hope to see you there, hope to discuss more about Peria and, and see what he will do with, uh, with this project. Thank you. >>All right. Thanks for coming on the back to the main stage. I'm John cube. Thanks for watching. >>Thank >>You.

>>Okay, welcome back to Docker. Main stage is the cube coverage of DockerCon 2022. I'm John FRA host of the cube. We're here with a special segment with sneak. We've been partnering with Docker going back to the early days, Nate cloud native container vulnerability scanning within Docker desktop in 2020. We' it Mick McCulley field strategist sneak Mick. Thanks for coming on the cube. >>Thanks for having me glad to glad to be here. Excited to have this, this, this conversation. >>Yeah, love the background. Got I. Big football fan myself, and love that little mention. There love the sneak logo too. Good, good plug there. Uh, but I want to get into that. The security you guys were of the first conversations when shift left was hot, when it just started to come and it's never going away, but now there's been a huge focus and an increase of concerns around vulnerabilities, uh, within and within the supply chain of security software. So in open source software. So what are you guys doing now? Cause this is a new focus in the industry. Everyone's talking about it, your company's making changes and mitigate that risk. What do you guys have? >>Yeah, that's, it's, it's a great question. And, and shift left is definitely a big focus of ours, right? It's it's what sort of our core foundation is what we based. Um, our whole approach to software supply chain definitely has made its way to the top of the spectrum as far as conversations. And I think it plays very well into our focus. Um, you know, one of the things that, uh, I believe a lot of organizations are focused on is trying to get a hold of understanding a lot of the implicit trust and risk associated with everything that goes into building any sort of modern application. And that's all of the components that are being used. Everything from the open source to the containers that are consumed to the process, into all of the ecosystem and tooling, that's consumed a lot of the trust layers in there. It's, it's extremely important to understand what that is. What's, what's the risk, right? And from a sneak perspective, taking that, that intelligence and trust and giving it back to the developers when they're making these decisions, is, is our focus like that, that whole concept of taking all of that security expertise and pushing it back to the individuals, making those decisions, I think is probably one of the more powerful ways that you can start to implement some more security controls and get some trust and understand your risk process, um, throughout that software supply chain. >>Okay. So you said trust three times, I'm gonna come back to that because shifting left is all about empowering developers, but what good at shifting left? If you gotta stop and then go back and research something that, that wasn't in your pipeline or something else happened. So open source obviously is growing like a weed it's continuing to exponentially grow and more people are doing it commercialization as well, but the word trust is not zero trust. You're hearing, people's use the word zero trust security, that's different, right? They're talking about developers looking for trusted code. So it's interesting, you got hackers and, and zero trust and you got developers and trust and you got software in between. This is kind of the, kind of the core issue here. Isn't it? >>It, it is, um, because of that using, I mean, there's, there's huge advantages with all of these new approaches, right? Leveraging the open source and the containers and the, and the software packages and these ecosystems to automate a lot of those software processes, but doing so means that you've got this implicit trust that's there. And so, um, taking and trying to identify and, and, and share those details with the developers when they're making those decisions, but it doesn't stop there, right? Like that's, that's one of the other important aspects of this is what organizations have to do is to not only provide that and help those individuals when they're making those decisions, but then constantly understand if that posture changes at any given time, right. And knowing where it's happening, what is it, how do I prove and have some of the Providence details of the origination of the information, how can I trust to make sure that the security was, uh, accounted for, for all the components that I'm actually leveraging and using, and then making sure that you have that visibility through that the entire life cycle. That's probably one of the other important areas. So it's not only sort of giving that information in details and trying to take advantage of all of that, that early detection response and decision making process. But it's also maintaining that understanding of what that is, and that trust plays into that, right? There's so much implicit trust associated with it. And the more that you can understand it, comprehend it, take control of it, the better your organization from a security posture's gonna be, >>Yeah. I mean, you got builders and attackers. I mean, it's clearly the spectrum and the builders want the a hundred percent trust. Um, and I think this is gonna be such an important game changing topic that has to be addressed. It's the only way with the scale you're seeing in the growth of software. And by the way, open source become much more than just open source it's community. It's social people kind of hang out and build code together and then ventures are being started over. So this is a nice progression. Makes a lot of sense. I have to ask you though, on what are some of the what's some of the data say on the attacks, is it increasing at what rate what's the complexity look like? What's it look like as it evolves, because, you know, even though it's zero geo trust on one side and trust on the other, the attackers also adjust too. >>Yeah. >>So >>What's, that's, I think it's the staff. >>It's >>A very, yeah, it's a very good question. I think that's what we're seeing is, um, and this is just a natural evolution. I think there's been, you know, an historic focus on a lot of the security associated with, with running applications and locking them down. And I was reading blog just by Docker the other day about how it's like this hardened sort of outside layer, but there's this soft squishy inside that soft squishy inside is all of those building components that are inside of there. And because of that hardened layer, it, it makes those attack vectors a little bit more difficult, right. When you're trying to, to, to penetrate those. And so what we've seen is this natural evolution is say, well, let's go find the weak link. Let's go understand if there's a way to actually bypass these security controls. And sometimes the ways to do that is to simply go into the process in which the application's being built. >>If I can go upstream and actually change some of those components and implement my attack inside of the application, it automatically gets embedded instead of trying to attack it directly. And so we're seeing that, and, and it's, what's banking a lot of the news and why some of the conversations around software supply chain are becoming very prominent, it's this ecosystem. And, um, unfortunately, you know, in a lot of organizations that, that I think some of that development area hasn't had that security focus as a lot of the traditional areas associated with applications and exposure of your organization, because of that it's left a little bit more exposed, right? That, that trust that we talked about in addition to the processes has to have a little bit more of that security ingrained inside of those processes to make sure that it's not being left open. It's not an open door, an open window that's giving sort of an easy route into the application. >>Yeah, totally. I totally see that in the next, in the last couple minutes we have left. I want to get into what you guys are doing with your customers and what our company's doing to mitigate the risks in the software supply chain. Obviously open source is not going away. It's only gonna be part of it what's going on with the customers. >>Yeah, it's, it's a great question. And a big focus of ours is to, um, help organizations understand all of those areas as much as possible, right. And to provide them that guidance. And part of this is not only the solution and how we deploy it and how we can deliver it, but it's some of the security intelligence associated with it instead of putting the burden on our customers of trying to stay on top of all of that risk. Right? What, what, where is all of these different moving parts and something changes from being completely fine one day to, you know, a high vulnerability and risk posture. How do you react to that? And so providing as much of that insight, guidance and prioritization and the details to those organizations in, in an actionable format, um, that's probably one of the more core elements to this. >>It's not just the, Hey, here's a whole list of all your problems. It's what do you do? Like how do you take all of that information, those details, those risks, how do you prioritize them? How do you then what, what's the steps that you take from an action perspective in order to address those, right. If I've got a container with some problems, what is sort of the recommended approach to solving that? What should I upgrade to? What is the guides associated with those? And so a lot of it is focused on providing not only the insight and the ability to react and understand that risk at any given time, but also more focused on what do you gotta do, right? How do you actually take steps to alleviate or remediate that risk as much as possible? Can't not, that's >>The point what's so I gotta have to ask you, what's the difference between getting it right and getting it wrong, or in other words, why do some, um, supply chain vulnerable remain fixed, uh, unfixed and, and deprioritize? What's the, why isn't it going faster? >>Yeah. And, and some of that there's there's reasons across the board, right? Some of it crossed from the perspective that there, there might not be fixes. And so in some of those cases, just being aware of what that risk is. So you can put in other mitigating controls in order to accommodate those. In other cases, it's, it's prioritizing where your risk is most important, right. And part of this also stems from the fact that I, if you fall into sort of that reactionary bucket, then, then you have to be in sort of that prioritization reactive mode. The more that you can push this back to that early process, the less that that has to occur, because you have the ability to actually make the best decision possible with the information you have during that early process. So some of it's just, you know, predicated on the fact that there's not always solutions to all of the problems. Um, and then a part of this too, is where in the, where in the phase are you actually starting to attack and handle it? >>All right, Mick. Thanks. So for coming on, really appreciate it. Business is good at sneak. Thanks for sharing your insights here on the, on the main stage. Okay. This is the queue back to the DockerCon main stage. We'll be back more. See you soon.

>>Welcome to the cubes dock, our main stage coverage here at DockerCon 2022. I'm John furrier, host of the cube. We're here with cube alumni, a partner scene, the senior director of product and the developer platform at Google cloud, a partner. Great to see you. It's been a while how's things >>Great to see you, John. Thanks for having me. >>So obviously we've covered a lot about the Google's history and open source. If you go back, I mean go back generation 2000, it all started, it continues to continue to thrive the SDO, all the different projects you guys are around the future of containers and serverless all there. Give us the update. Why are customers choosing Google cloud? We're here at Docker con what's the big update from Google cloud's perspective from a, from a developer perspective? >>Well, John, uh, Google cloud has been, uh, the early cloud on containers, um, and by all measures from, we can, from what we can see, you know, it is the preferred cloud for container native workloads. Um, I think why our customers choosing cloud there's a, there's a few different reasons. Um, definitely one of the reasons is because it is a flexible and open platform. And I think that that is, uh, distinctive about Google cloud, as you mentioned, uh, many, many open source projects coming from Google and Google cloud in particular over the last 20 years, um, spanning, um, languages, um, you know, obviously, uh, the go programming language all the way to of course, Kubernetes. Um, and then, uh, more recently Isto and, uh, K native and many more, uh Tecton is one of the leading projects as well. Um, in the C I C D space. >>So I think that, uh, history is something that really attracts the developer population. It's also very, very important for enterprises that are, uh, modernizing and looking to accelerate their, uh, developer productivity. So that's been one major reason. I think the second major reason is really the security aspect, um, of the developer tool chain and in particular related to open source secure well, and I think the third, uh, reason that comes out, um, quite frequently when we, when we talk to our enterprise customers is Google cloud is unique in the multi-cloud space. Um, you know, one of the first, I think probably the first and, uh, only cloud provider to have a very strong multi-cloud strategy, uh, and that stems from the open source roots, but also, you know, uh, bringing more than just, uh, compute, bringing many of our data services also, uh, to the multi-cloud space. I think that's, those are the three reasons why, uh, developers often choose Google cloud. >>Yeah. And you see the multi-cloud also in a distributed computing environment. It's, I mean, multi-cloud is basically distributed computing where you've got hyperscalers and then edges emerging very quickly. Of course, we've talked about that in the past, on previous interviews, how security at the edge software opensource all coming together. Again, Kubernetes launched by Google contributed to the open source world that everyone knows that, or may not know that. Um, but, but that's key. Where do you see the container position come in? Because at the end of the day, containers is standard and now you've got Kubernetes and other parts wrapped around it. Where's container technology going in the coming, coming in the future years. Is it gonna be invisible? Is it gonna be programmable? What's your vision on that? >>This is an excellent question. And you're exactly right. You're seeing containers become mainstream. And some of the latest, uh, state of the, the state of the cloud business report, you're seeing, you know, 80% of enterprises, um, having some form of a container program and I've been involved in this industry since the very early days. So this is something we've been predicting, um, and it is happening even faster than expected. So that's becoming very mainstream, which is extremely exciting for us. Now you ask, you know, what is the future and what is the evolution of it? Um, so, and, and I think, uh, this is the right question because, um, you're seeing a lot of the future actually on Google cloud. Um, we're, we've won the, uh, Gartner and Forester quadrants as far as leader quadrants in, uh, you know, container offerings. And that's not just Kubernetes, of course, uh, Google Kubernetes engine has been, has been the leading area, but there's a whole host of offerings around that. >>Um, in particular I'd like to point out serverless containers with cloud run, as well as the entire DevOps pipeline around containers. And that's a big topic in the industry right now. It brings in, uh, security as related to, uh, developers. And then of course, uh, you know, providing an automated, secure pipeline for DevOps, um, as it relates to containers, we've had several announcements and, and, and a lot of success in this space. Uh, I, I can go through some of these things with cloud run, which is our serverless container offering. We've seen, uh, four X growth in adoption and, uh, consumption of that service last year in 2021. And that is continuing, uh, so it's very, very healthy and it is very much the reason customers are adopting. It is because they don't need to learn a lot of the underlying infrastructure. They don't need to manage any of the underlying infrastructure. >>There isn't necessarily a cluster to manage all of that is taken care of, uh, for them. And they can focus on their application. They can actually use, uh, make use of the benefits of containers, such as, uh, you know, scalability, um, such as, um, application awareness, uh, and such as a lot of the integrated tool chain for, uh, delivery for application delivery, right from your source repository into production, and then being able to bring out new versions of your application, test them, and then roll over. So this is kind of the new, uh, uh, generation I think is very much tied to the pandemic and what's happening in the world post pandemic, where developers are extremely important, developer productivity and, and fact developer work, life balance is extremely >>Important. Yeah. And I, and I think also one of the things that we're seeing to piggyback on that last comment, as well as your other points is developers have always been pulled to the front lines even 10 years ago. You saw the trend towards getting more closer to the customer now with cloud and edge and with open source being the innovation equation where entrepreneurs are starting projects, companies are starting projects, then they gotta get commercialized. So supply chain is a big discussion. We're hearing at Docker con we're hearing about shifting left of security data as code. You start to see the developer on the front lines in all aspects of this, and they want, they want security, they want efficiency, they want things in the pipeline. They don't wanna have to shift left, then come back again. So again, they starting to see this kind of productivity drive the business behavior of the companies cuz that's their, the value partners. That's the application side of cloud native. What's your thoughts for the developers who are doing that? What's in it for them with Google cloud? Why, why are you important to them? >>Yeah, and I think, uh, John, this is where, uh, developers, uh, tend to prefer Google cloud. And there's a couple of reasons for that. One is, you know, we are very much, uh, centered around developers. Um, you know, my job is, uh, you know, Google cloud developer platform. And, uh, our goal is to provide ease of use the easiest cloud for developers. Something that is, um, you know, really allows them to get their work done quickly. Developers want to be exposed to the best technology. They want to be able to be exposed to it in a way that that integrates into their workflow that integrates into the tools that they're used to, um, and allows them to get their job done quickly. And so a lot of what we're doing in, in the developer space is providing an integrated stack. Um, you know, whether you're building a web application or you're building a mobile application, or you're trying to do data analytics, uh, Google cloud should be a place that you come to. >>That's easy for you to use, to get the job done. Um, and, and, and the security aspect is not something that developers like to deal with. They want that to be taken care of for them, um, troubleshooting as well, you know, troubleshooting and, and upgrading. And all of that is something that they wanna be taken care of. And so that is something that we're baking into the platform. And you'll see that in a lot of our tooling, um, you know, the build process, uh, we're providing salsa compliance, um, and, and build Providence for the security teams to be able to audit. But it's not something that the, that the developer needs to take care of. It's something that is just part of the, the build process built into, uh, say, uh, cloud run or GK built into our compute options for making >>It for them, making it easy, simple, and reduce the steps it takes to get the job done. So great stuff par, great to see you in the last 30 seconds, we have left. Just give a quick commercial for what the key projects are in open source. You're proud of that people should pay attention to, we got CubeCon coming up, uh, in, uh, Europe and north America. What are some of the successes that you like to point out? >>Well, I really encourage, uh, developers to go and take a look, a new look at, go go 1.8, add support for generics. It should open up a brand new set of applications. So I definitely encourage folks to, to take a look at that, um, of, of course ISEO and service mesh. As, as your container footprint grows, you have many microservices looking at service mesh, uh, extremely important, and it also allows you to get to that SRE type of, um, uh, DevOps model where, you know, you're securing your services. You're also, uh, being able to monitor and control, uh, service usage. And then the last one is of course Tecton and this is where secure software supply chain comes up. Part I'll >>Mention that. I wish I had 20 minutes. Love chatting with you. We'll catch up with you later on the cube we're here at DockerCon. Thanks for your time. Back to the DockerCon main stages of the cube. I'm John farrier, back to the main stage for more coverage.

>>Welcome to this cube conversation. I'm Dave Nicholson and we're having this conversation in advance of cube con cloud native con north America, 2021. Uh, we are going to be talking specifically about a subject near and dear to my heart, and that is security. We have a very special guest from red hat, the security lead from the office of the CTO. New kinds. Welcome. Welcome to the cube Luke. >>Oh, it's great to be here. Thank you, David. Really looking forward to this conversation. >>So you have a session, uh, at a CubeCon slash cloud native con this year. And, uh, frankly, I look at the title and based on everything that's going on in the world today, I'm going to accuse you of clickbait because the title of your session is a secure supply chain vision. Sure. What other than supply chain has is in the news today, all of these things going on, but you're talking about the software supply chain. Aren't you tell, tell us about, tell us about this vision, where it came from Phyllis in. >>Yes, very much. So I do agree. It is a bit of a buzzword at the moment, and there is a lot of attention. It is the hot topic, secure supply chains, thanks to things such as the executive order. And we're starting to see an increase in attacks as well. So there's a recent statistic came out that was 620%. I believe increase since last year of supply chain attacks involving the open source ecosystem. So things are certainly ramping up. And so there is a bit of clickbait. You got me there. And um, so supply chains, um, so it's predominantly let's consider what is a supply chain. Okay. And we'll, we'll do this within the context of cloud native technology. Okay. Cause there's many supply chains, you know, many, many different software supply chains. But if we look at a cloud native one predominantly it's a mix of people and machines. >>Okay. So you'll have your developers, uh, they will then write code. They will change code and they'll typically use our, a code revision control system, like get, okay, so they'll make their changes there. Then push those changes up to some sort of repository, typically a get Harbor or get level, something like that. Then another human will then engage and they will review the code. So somebody that's perhaps a maintain will look at the code and they'll improve that a code. And then at the same time, the machine start to get involved. So you have your build servers that run tests and integration tests and they check the code is linted correctly. Okay. And then you have this sort of chain of events that start to happen. These machines, these various actors that start to play their parts in the chain. Okay. So your build system might generate a container image is a very common thing within a cloud native supply chain. >>Okay. And then that image is typically deployed to production or it's hosted on a registry, a container registry, and then somebody else might utilize that container image because it has software that you've packaged within that container. Okay. And then this sort of prolific expansion of use of coasts where people start to rely on other software projects for their own dependencies within their code. Okay. And you've got this kind of a big spaghetti of actors that are dependent on each other and feed him from each other. Okay. And then eventually that is deployed into production. Okay. So these machines are a lot of them non open source code. Okay. Even if there is a commercial vendor that manages that as a service, it's all based on predominantly open source code. Okay. And the security aspects with the supply chain is there's many junctures where you can exploit that supply chain. >>So you can exploit the human, or you could be a net ferrous human in the first place you could steal somebody's identity. Okay. And then there's the build systems themselves where they generate these artifacts and they run jobs. Okay. And then there are the production system, which pulls these down. Okay. And then there's the element of which we touched upon around libraries and dependencies. So if you look at a lot of projects, they will have approximately around a hundred, perhaps 500 dependencies that they all pull in from. Okay. So then you have the supply chains within each one of those, they've got their own set of humans and machines. And so it's a very large spaghetti beast of, of, of sort of dependence and actors and various identities that make up. >>Yeah. You're, you're describing a nightmarish, uh, scenario here. So, uh, so, so I definitely appreciate the setup there. It's a chain of custody nightmare. Yeah. >>Yes. Yeah. But it's also a wonderful thing because it's allowed us to develop in the paradigms that we have now very fast, you know, you can, you can, you can prototype and design and build and ship very fast, thanks to these tools. So they're wonderful. It's not to say that they're, you know, that there is a gift there, but security has arguably been left as a bit of an afterthought essentially. Okay. So security is always trying to it's at the back of the race. It's always trying to catch up with you. See what I mean? So >>Well, so is there a specific reason why this is particularly timely? Um, in, you know, when we, when we talk about deployment of cloud native applications, uh, something like 75% of what we think of is it is still on premesis, but definitely moving in the direction of what we loosely call cloud. Um, is why is this particularly timely? >>I think really because of the rampant adoption that we see. So, I mean, as you rightly say, a lot of, uh, it companies are still running on a, sort of a, more of a legacy model okay. Where deployments are more monolithic and statics. I mean, we've both been around for a while when we started, you would, you know, somebody would rack a server, they plug a network cable and you'd spend a week deploying the app, getting it to run, and then you'd walk away and leave it to a degree. Whereas now obviously that's really been turned on its head. So there is a, an element of not everybody has adopted this new paradigm that we have in development, but it is increasing, there is rapid adoption here. And, and many that aren't many that rather haven't made that change yet to, to migrate to a sort of a cloud type infrastructure. >>They certainly intend to, well, they certainly wished to, I mean, there's challenges there in itself, but it, I would say it's a safe bet to say that the prolific use of cloud technologies is certainly increasing as we see in all the time. So that also means the attack vectors are increasing as we're starting to see different verticals come into this landscape that we have. So it's not just your kind of a sort of web developer that are running some sort of web two.site. We have telcos that are starting to utilize cloud technology with virtual network functions. Uh, we have, um, health banking, FinTech, all of these sort of large verticals are starting to come into cloud and to utilize the cloud infrastructure model that that can save them money, you know, and it can make them, can make their develop more agile and, you know, there's many benefits. So I guess that's the main thing is really, there's a convergence of industries coming into this space, which is starting to increase the security risks as well. Because I mean, the security risks to a telco are a very different group to somebody that's developing a web platform, for example. >>Yeah. Yeah. Now you, you, uh, you mentioned, um, the sort of obvious perspective from the open source perspective, which is that a lot of this code is open source code. Um, and then I also, I assume that it makes a lot of sense for the open source community to attack this problem, because you're talking about so many things in that chain of custody that you described where one individual private enterprise is not likely to be able to come up with something that handles all of it. So, so what's your, what's your vision for how we address this issue? I know I've seen in, um, uh, some of the content that you've produced an allusion to this idea that it's very similar to the concept of a secure HTTP. And, uh, and so, you know, imagine a world where HTTP is not secure at any time. It's something we can't imagine yet. We're living in this parallel world where, where code, which is one of the four CS and cloud security, uh, isn't secure. So what do we do about that? And, and, and as you share that with us, I want to dive in as much as we can on six store explain exactly what that is and, uh, how you came up with this. >>Yes, yes. So, so the HTTP story's incredibly apt for where we are. So around the open source ecosystem. Okay. We are at the HTTP stage. Okay. So a majority of code is pulled in on trusted. I'm not talking about so much here, somebody like a red hat or, or a large sort of distributor that has their own sign-in infrastructure, but more sort of in the, kind of the wide open source ecosystem. Okay. The, um, amount of code that's pulled in on tested is it's the majority. Okay. So, so it is like going to a website, which is HTTP. Okay. And we sort of use this as a vision related to six store and other projects that are operating in this space where what happened effectively was it was very common for sites to run on HTTP. So even the likes of Amazon and some of the e-commerce giants, they used to run on HTTP. >>Okay. And obviously they were some of the first to, to, uh, deploy TLS and to utilize TLS, but many sites got left behind. Okay. Because it was cumbersome to get the TLS certificate. I remember doing this myself, you would have to sort of, you'd have to generate some keys, the certificate signing request, you'd have to work out how to run open SSL. Okay. You would then go to an, uh, a commercial entity and you'd probably have to scan your passport and send it to them. And there'll be this kind of back and forth. Then you'll have to learn how to configure it on your machine. And it was cumbersome. Okay. So a majority just didn't bother. They just, you know, they continue to run their, their websites on protected. What effectively happened was let's encrypt came along. Okay. And they disrupted that whole paradigm okay. >>Where they made it free and easy to generate, procure, and set up TLS certificates. So what happened then was there was a, a very large change that the kind of the zeitgeists changed around TLS and the expectations of TLS. So it became common that most sites would run HTTPS. So that allowed the browsers to sort of ring fence effectively and start to have controls where if you're not running HTTPS, as it stands today, as it is today is kind of socially unacceptable to run a site on HTTP is a bit kind of, if you go to HTTP site, it feels a bit, yeah. You know, it's kind of, am I going to catch a virus here? It's kind of, it's not accepted anymore, you know, and, and it needed that disruptor to make that happen. So we want to kind of replicate that sort of change and movement and perception around software signing where a lot of software and code is, is not signed. And the reason it's not signed is because of the tools. It's the same story. Again, they're incredibly cumbersome to use. And the adoption is very poor as well. >>So SIG stores specifically, where did this, where did this come from? And, uh, and, uh, what's your vision for the future with six? >>Sure. So six door, six doors, a lockdown project. Okay. It started last year, July, 2020 approximately. And, uh, a few people have been looking at secure supply chain. Okay. Around that time, we really started to look at it. So there was various people looking at this. So it's been speaking to people, um, various people at Purdue university in Google and, and other, other sort of people trying to address this space. And I'd had this idea kicking around for quite a while about a transparency log. Okay. Now transparency logs are actually, we're going back to HTTPS again. They're heavily utilized there. Okay. So when somebody signs a HTTPS certificate as a root CA, that's captured in this thing called a transparency log. Okay. And a transparency log is effectively what we call an immutable tamper proof ledger. Okay. So it's, it's kind of like a blockchain, but it's different. >>Okay. And I had this idea of what, if we could leverage this technology okay. For secure supply chain so that we could capture the provenance of code and artifacts and containers, all of these actions, these actors that I described at the beginning in the supply chain, could we utilize that to provide a tamper resistant publicly or DePaul record of the supply chain? Okay. So I worked on a prototype wherever, uh, you know, some, uh, a week or two and got something basic happening. And it was a kind of a typical open source story there. So I wouldn't feel right to take all of the glory here. It was a bit like, kind of, you look at Linux when he created a Linux itself, Linus, Torvalds, he had an idea and he shared it out and then others started to jump in and collaborate. So it's a similar thing. >>I, um, shared it with an engineer from Google's open source security team called Dan Lawrence. Somebody that I know of been prolific in this space as well. And he said, I'd love to contribute to this, you know, so can I work this? And I was like, yeah, sure though, you know, the, the more, the better. And then there was also Santiago professor from Purdue university took an interest. So a small group of people started to work on this technology. So we built this project that's called Rico, and that was effectively the transparency log. So we started to approach projects to see if they would like to, to utilize this technology. Okay. And then we realized there was another problem. Okay. Which was, we now have a storage for signed artifacts. Okay. A signed record, a Providence record, but nobody's signing anything. So how are we going to get people to sign things so that we can then leverage this transparency log to fulfill its purpose of providing a public record? >>So then we had to look at the signing tools. Okay. So that's where we came up with this really sort of clever technology where we've managed to create something called ephemeral keys. Okay. So we're talking about a cryptographic key pair here. Okay. And what we could do we found was that we could utilize other technologies so that somebody wouldn't have to manage the private key and they could generate keys almost point and click. So it was an incredibly simple user experience. So then we realized, okay, now we've got an approach for getting people to sign things. And we've also got this immutable, publicly audited for record of people signing code and containers and artifacts. And that was the birth of six store. Then. So six store was created as this umbrella project of all of these different tools that were catering towards adoption of signing. And then being able to provide guarantees and protections by having this transparency log, this sort of blockchain type technology. So that was where we really sort of hit the killer application there. And things started to really lift off. And the adoption started to really gather steam then. >>So where are we now? And where does this go into the future? One of the, one of the wonderful things about the open source community is there's a sense of freedom in the creativity of coming up with a vision and then collaborating with others. Eventually you run headlong into expectations. So look, is this going to be available for purchase in Q1? What's the, >>Yeah, I, I will, uh, I will fill you in there. Okay. So, so with six door there's, um, there's several different models that are at play. Okay. I'll give you the, the two predominant ones. So one, we plan, we plan to run a public service. Okay. So this will be under the Linux foundation and it'll be very similar to let's encrypt. So you as a developer, if you want to sign your container, okay. And you want to use six door tooling that will be available to you. There'll be non-profit three to use. There's no specialties for anybody. It's, it's there for everybody to use. Okay. And that's to get everybody doing the right thing in signing things. Okay. The, the other model for six stories, this can be run behind a firewall as well. So an enterprise can stand up their own six store infrastructure. >>Okay. So the transparency log or code signing certificates, system, client tools, and then they can sign their own artifacts and secure, better materials, all of these sorts of things and have their own tamper-proof record of everything that's happened. So that if anything, untoward happens such as a key compromise or somebody's identity stolen, then you've got a credible source of truth because you've got that immutable record then. So we're seeing, um, adoption around both models. We've seen a lot of open source projects starting to utilize six store. So predominantly key, um, Kubernetes is a key one to mention here they are now using six store to sign and verify their release images. Okay. And, uh, there's many other open-source projects that are looking to leverage this as well. Okay. And then at the same time, various people are starting to consider six door as being a, sort of an enterprise signing solution. So within red hat, our expectations are that we're going to leverage this in open shift. So open shift customers who wish to sign their images. Okay. Uh, they want to sign their conflicts that they're using to deploy within Kubernetes and OpenShift. Rather they can start to leverage this technology as open shift customers. So we're looking to help the open source ecosystem here and also dog food, this, and make it available and useful to our own customers at red hat. >>Fantastic. You know, um, I noticed the red hat in the background and, uh, and, uh, you know, I just a little little historical note, um, red hat has been there from the beginning of cloud before, before cloud was cloud before there was anything credible from an enterprise perspective in cloud. Uh, I, I remember in the early two thousands, uh, doing work with tree AWS and, uh, there was a team of red hat folks who would work through the night to do kernel level changes for the, you know, for the Linux that was being used at the time. Uh, and so a lot of, a lot of what you and your collaborators do often falls into the category of, uh, toiling in obscurity, uh, to a certain degree. Uh, we hope to shine light on the amazing work that you're doing. And, um, and I, for one appreciate it, uh, I've uh, I've, I've suffered things like identity theft and, you know, we've all had brushes with experiences where compromise insecurity is not a good thing. So, um, this has been a very interesting conversation. And again, X for the work that you do, uh, do you have any other, do you have any other final thoughts or, or, uh, you know, points that we didn't cover on this subject that come to mind, >>There is something that you touched upon that I'd like to illustrate. Okay. You mentioned that, you know, identity theft and these things, well, the supply chain, this is critical infrastructure. Okay. So I like to think of this as you know, there's, sir, they're serving, you know, they're solving technical challenges and, you know, and the kind of that aspect of software development, but with the supply chain, we rely on these systems. When we wake up each morning, we rely on them to stay in touch with our loved ones. You know, we are our emergency services, our military, our police force, they rely on these supply chains, you know, so I sort of see this as there's a, there's a bigger vision here really in protecting the supply chain is, is for the good of our society, because, you know, a supply chain attack can go very much to the heart of our society. You know, it can, it can be an attack against our democracies. So I, you know, I see this as being something that's, there's a humanistic aspect to this as well. So that really gets me fired up to work on this technology., >>it's really important that we always keep that perspective. This isn't just about folks who will be attending CubeCon and, uh, uh, uh, cloud con uh, this is really something that's relevant to all of us. So, so with that, uh, fantastic conversation, Luke, it's been a pleasure to meet you. Pleasure to talk to you, David. I look forward to, uh, hanging out in person at some point, whatever that gets me. Uh, so with that, uh, we will sign off from this cube conversation in anticipation of cloud con cube con 2021, north America. I'm Dave Nicholson. Thanks for joining us.

>>Yeah. >>From the Cube Studios in Palo Alto and Boston. It's the Cube covering IBM. Think brought to you by IBM. >>Welcome back to IBM. Think Digital 2020. This is the Cube, and we're really excited to have two great guests on Michael Jordan is the distinguished engineer with IBM Z Security. Michael, good to see you again. Welcome back. >>Thank you. It's good to be back. >>And, Matt, what Born is the program director and offering lead for Z 15. Good to see that. >>Thank you for having me, >>guys. Easy. Easy is a good place to be. Great corner, 61% growth. You got to love it. Regulations. It'll be feeling pretty good. I mean, other than what we're going through. But from a business standpoint, Z powered through, didn't it? >>It did. I mean, we're really pleased with the contribution that Z continues to make for our clients. Especially right now, given everything that's going on, business continuity, scale, resilient security. They're just so important for our clients in the platform. >>Yes. So we're gonna We're gonna talk a lot about this. Maybe Matt could start with you just in terms of, you know, you talk about. Ah, cyber resiliency. Hear that a lot? Um, e I think it may be. Means a lot of different things to a lot of different people. What does it mean? Busy? >>Yeah, for us. I mean, you know, we kind of start in many ways with, like that, this definition on that which talks about the ability to anticipate, withstand, recover, adapt all of these adverse conditions, might face or stresses compromises in attacks in your systems and your just cyber results. It's so it's a really important top of mind talking point from other clients who are thinking about this both from, I guess, the resilience when it comes to the systems and also the data as well. From our standpoint, you know, Z has been at the forefront of resilience for many, many generations. Now, whether that's the scale that systems we're able to provide, the ability to tap into more capacity is needed, whether on a temporary or permanent basis, cause you never know when a when a spike might be occurring on day, especially with clients going through digital transformation as well. The fact that we can talk about solutions being designed for seven nines of availability on. But the reason why clients like Tesco or alliances for their resilient banking platform or Department of Treasury in Puerto Rico depend on us or for a highly available solution. So it's never been more important for by us. >>So, Michael, from a technical standpoint, um, I mean, I go back to the rack f days and and I I used to ask, why is it that, you know, the mainframe had, you know, such good security, and it was explained to me years ago? Well, cause you knew everything that went on who touched what? You know, there was a clear understanding of that clear visibility of that. Um, but maybe you could explain just for laypeople from just from a technical standpoint. Why is it that Z has such strong cyber resiliency? >>Sure. So So some of it, I think, is there's 22 aspects that I want to mention first is, you know, culture, right? You know, the IBM Z, you know, development team and broader, you know, design team. We have in our culture to build systems that are secure and robust, that that's kind of part of our DNA. And so it's that mindset when you look at, you know, technologies like parallel system, flex and geographic geographically dispersed, parallel, parallel suspects, GPS. You know, those are ingrained in those technologies, but the other capability that we have or I should say, um, you know, benefit that we we have is we own the whole stack, right? We own, you know, the hardware we own the firmware, um, and we own the software that sits on top of there in the middle, where and so whether it's resiliency or whether it's security when we want to design and build solutions, you know, to make optimal solutions, you know any of those spaces we can actually design and architect the solutions, you know, both at the right point in the stack and across the stack as needed to really deliver on these capabilities. >>So, Matt, one of our partners, ET are holds these CEO roundtables, and one of the CEO said we really weren't ready from a resiliency standpoint. We're too focused on on er and kind of missed the boat on business continuity to narrow focus. I presume you're hearing a lot of that these days. I wonder if you could just tell us about some of the things that you're seeing with clients, Maybe the conversations you're having and how you're helping Sort of broaden that capability. >>Yeah, sure. I mean, to your point. I mean, nobody really could have quite predicted. You know what we're dealing with right now, but, you know, we have had over many generations of the Z platform, you know, clients deeply partnered with us to try and make sure they have a a highly available environment for business continuity. And, you know, just thinking about things from a Dell perspective. You know what they can do to fortify and make their solution sort of more resilient on the day by day basis. I mean, one of the things you might be talking about, some of the inherent capabilities we have a hassle. The fact that we build, you know, our systems with the additional capacity kind of baked in. Which means that for so many of our clients, you know, in the first in the first quarter, where they were seeing the huge amounts of peak workload kind of coming in, that they needed to be able to deal with the fact that we design our systems to be able to just kind of gobble up that work. With that we call dark capacity to be turned on at the drop of a hat. It's tremendously important because not only need to be offsite, just resilient in terms of the applications, but you need to get a deal with growth. You're going through that. The other aspect, which is a new capability with the 15 that kind of builds on what we could do with that dark past thing is this concept of instant recovery. But what we're actually helping clients do there in terms of fortifying and making their environment more resilient, is letting them attack into that dark capacity when they're going through restart activities of partitions, not just thinking about unplanned scenarios, but actually planned out just as well. So what that really helps with is because you always have to do planned maintenance. You know, when your systems, you know when you're partitions your your system because the environment. So what we're doing is saying when you're going through that restart sort of process, whether it's the shutdown, whether it's to bring up of the partition or the middleware or even in fact, actually helping you catch up. Kind of for what? You what you lost one weren't sort of processing workflow. We turn on that extra capacity in the system automatically for this boost window that were that we're helping our clients with. Not only we do that. Mike's point about owning a stack means that we can deliver that in a way that there's no increase in IBM software cost a reliever. So we're always kind of looking about what we can do to kind of move the ball forward to make a client's environment even more resilient as well. >>I've always, I learned from my mainframe days many, many years ago. And what when a vendor comes in and shows a new product, they always ask you what happens when something goes wrong? It's all about recovery that's always been one of the main frame strength. Mike, I want to ask you about data protection. I mean, it's a topic that again means a lot of things to a lot of people you know doesn't mean backup. There's data privacy. There's data Providence. There's data sovereignty. We talk about data protection from a Z prism. >>Sure, so So our point of view on data protection is is we view it as a as a multi layered proposition. It's not. It's not just one thing. In effect, we viewed the lens of a broader, you know, layered cybersecurity strategy where you know, data protection. And, you know, in this case, you know, talking about encryption and being another encrypt data on a massive scale is the foundation for, you know, a layered cyber security strategy, um, and providing capabilities for appliance. Do you protect data at the disk level with the 15? We also introduced the ability of actually being able to protect the data as it flows through their storage area network through something we call fibre channel endpoint security and then layering on top of that, you know, host based encryption capabilities, you know, in the operating system, whether it's, you know, buy or or data set level encryption and you know, then on top of that, they can layer additional capabilities for things like multi factor authentication to protect your privileged identities from being compromised or being able to do damage to your system and then, you know, building and layering. On top of that things like security, intelligence and being able to monitor and understand You know what, what's happening across the system. >>So I was talking with Developer the other day in cloud app pretty, you know, non mission critical. But ask them to use encryption and he said, Yeah, we could, but we don't cause it slows us down a little bit. So I'm wondering how you deal with that trade off performance versus Protection Z. How does he deal with that? >>Sure, So that's that. That's a great That's a great question. And that actually goes back to you know what we did with with our Z 14 so that the generation before and I think we've we've improved that with with the 15 and then I'll get to that in a bit. But one of the barriers that we recognized is exactly what you said is the You know, the cost of doing encryption is prohibitive, Um, and what we did is we have, ah, a cryptographic accelerator that's integrated into our micro processor that's capable of encrypting so each or it's capable of encrypting up to 14 gigabytes of data per second. And if you multiply that by the number of cores that you have. You know, a fully configured you nosy 15 met. What does it have any cores? Do we have in that 100 >>90 with >>190 So So do the math right? 190 times, you know, 14 gigabytes per second. It's an encryption powerhouse, and that can all be done synchronously with extremely low latency. So we have the horsepower to do encryption on a very broad scale with very, very low overhead. And that's what our clients are leveraging and taking advantage of. And with the Zy 15. That being we announced it and made available last year. We actually have now compression that's built into the micro processor so you can actually compress the data, Um, first and then encrypted. And there's a twofold benefits that first is now. I have less data to encrypt, so I have lowered my encryption overhead, and at the same time I've managed to preserve my storage efficiency. So it's a It's a twofold benefit there, >>you know. People talk off about Z, they talk about it, it's open. It's kind of all started back when you guys brought in Lennox. And now, of course, it's It's much more than that. Um, but I'm wondering how open plays into this notion of cyber resiliency in some respects there. Counter poised. But But how do you sort of square that circle for me? >>Yeah, I mean, it's kind of look at it is when it comes to openness and digital transformation, it's kind of doing it without compromise on. That's kind of the way I look at the Z platform because you're right. I mean the fact that we have the likes of open shift support on the seat platform or you can use, you know, answerable for for doing automation. I mean, were always looking to try and make sure that we support from A from a management standpoint or development standpoint. We'll use whichever tool frameworks languages are appropriate on the platform and integrated to a hyper cloud wherever you want to go. That's why when we look at it from the perspective of what it really means to have mission critical applications and why, it's why that is the key point about banks. Insurance companies, etcetera continue to trust. Z is there is the home for their system of record because they want to get the benefits. You know, the best of both worlds. So they want to be able to have the security, the resilience and the scale of the platform. But the same time they want to have flexibility to be able to use cloud native technologies to be able to deploy them on our platform. And then this micro sort of talking about the exciting thing for us is even going one step further. That says, if you do want your data to move around your hybrid cloud for very good reasons for certain scenarios, being able to have that capability to protect the data, not just encrypted that manage the privacy over the data as it flows out and see to kind of take those characteristics into the hybrid cloud is something that a lot of that clients been really, really excited to take advantage of it. It's >>about this conference. You might get certain >>charting Matt into a security guide. You see that? >>Yeah, >>I think everybody's got to be a security person these days. I want to ask about zero trust. You know, that term is thrown around a lot of, uh, you know, you can get kind of buzz, wordy. You see, people always have substance. I want to ask you guys what zero trust means the Io. >>So So I think there's, you know, my view of zeros where we're at from an industry from from zero. Trust is is very similar to where we're at with cloud, you know, going back a handful of years where if you ask 10 different people what you know, cloud was you get 10 different answers. Um, and none of them were probably wrong. And so I think, you know, we're very similar state in terms of our understanding and, you know, market maturity around zero trust. But there's, you know, at its for, you know, the the the The idea is, you know, we've been focused on protecting, you know, our environments using a castle and moat of approach. Um, and, you know, you know, protecting the perimeter. Yeah, and then trusting everything inside of inside of that. You know that that mode, if you will, um and what the zero trust is a recognition that that's not sufficient. And, you know, and then if you look at that in the context of our evolving and changing in environment and moving to hybrid multi clouds where, um, the notion of a perimeter is gone. You know that that strategy and approach for protection, it doesn't hold up. And so we need to evolve that, um And we need to have, you know, you know, move from the notion of, um, operational trust to a notion of technical trust and building, you know, building more sophisticated mechanisms for doing authentication, understanding broader what's happening across the environment and feeding that into, you know, decisions that are made in terms of who gets to access. What data. So, >>yeah, good, Matt, bring us home overnight. You know, this pandemic has really heightened our awareness of cyber resiliency. Business continuity have changed our our mindset and definition of those two things. But give us your final thoughts on this top. >>I think it's probably just been into sharp focus, really what? It what it means to have mission critical applications that are right at the heart of your of your business. And, you know, you come to realize very quickly. But if those services are not available to your clients, I mean it can have such a long lasting implications So I think people embittering you know their strategy when it comes to, you know, millions off applications with infrastructure and all of that in the context of business continuity, I think people are gonna gonna have a much sharper focus in the future to really see, you know, what is what does it mean? And it's the lifeblood of their business is not able todo operate and serve their clients. And probably as well, more and more applications that maybe weren't considered mission critical in the past will be considered mission critical now because it's not just the back end services, but it's the way the community a reply. It's so a lot of that, I think, is going to play out the way that people think about their business continuity strategy in the future. >>Yeah, you're right. Video conferencing has become mission critical, isn't it? Guys, thanks so much for coming on the Cube again. You know, keep up the good work. Uh, I really appreciate your time and your insights. Always, always great talking, talking Z. So thanks again. >>Thank you. >>All right. Thank you for watching. Everybody. This is Dave Volante for the Cube. Our wall to wall coverage of the think 2020 digital event experience. Keep right there. Right back after this short break. >>Yeah, yeah, yeah.

>> Live from Orlando, Florida, it's theCUBE covering Microsoft Ignite brought to you by Cohesity and theCUBE's Ecosystem partners. >> Welcome back, everyone to theCUBE's live coverage of Microsoft Ignite here in Orlando, Florida. I'm your host, Rebecca Knight, along with my co-host Stu Miniman. We are joined by Chris Menard, he is the lead storage administrator at Brown University. Thanks so much for coming on theCUBE, Chris. >> Thanks for having me. >> So in your role, you would do storage, backup recovery, and disaster recovery. I mean, I think our viewers, we have a sense of what you would do at a large Fortune 500, But what do you at an Ivy League University? What kinds of things are you working on? >> So from disaster recovery we're doing things to protect all of the data that the university has. So research data, academic data, business data. So we're making sure that if something were to happen in Providence itself, we would be covered and have access to our data, our applications. If our data center were to go away. >> So in a way your constituents are a lot larger because you're also thinking, is it student data as well? So student data, research data? >> Yes, so student data, research data, administrative data, faculty data. Any kind of data that gets generated by pretty much anybody that either works or attends the university. >> Chris, wonder if we step back for a second. We're here at Microsoft Ignite, I know that Microsoft has a strong connection with higher education. But have you been to this show before? What's the relationship between the university and Microsoft that you have interactions with? >> So this is my first time coming to Ignite with Brown. I've been to Ignite when it used to be called TechEd, so a long time ago. But we do have a pretty good relationship with Microsoft. Obviously, we have everything from Windows Operating Systems all the way up to cloud services with Azure. Something that we just kind of started delving into this year. So we're looking at running things like Remote app in the cloud. We have some of our disaster recovery data in the Azure cloud as well. And I'm sure they'll be more to come as we learn more about what we can put there and how that can help us. >> Yeah, Microsoft really sits at the center of this multi-cloud discussion. As you've said, they've got SaaS offerings. They've got public cloud. >> Yep. >> They're in your data center. How does Brown look at, kind of, cloud overall? And you said starting to look at some of the public cloud offerings. So maybe give us a little bit of what you can about this strategy today. >> Right, so, we are doing a lot with secondary backups, secondary data for our backups going to the cloud. So for disaster recovery, hopefully in the future we'll be able to use that data for test and dev or maybe moving workloads from one place to another place. We're looking at putting some actual workloads in Azure, in the cloud for bursting capabilities, things like that. >> Yeah, you look at data in a multi-cloud world, tell us, what are you looking for when you talk about how you manage your data in a multi-cloud world? Even we talk about, some people when they went to SaaS they were like, "Oh, I don't need to worry about things like "security and data protection." Well, those people might have had to learn faster or they'd be out of a job. So what do you look and how do you use? >> Right, so security is definitely one of the main concerns. So, I mean, we have a whole security team that that's all they do is look at these projects and look at what we're trying to do and say, "Wait a second, what's the security around it?" As far as the tools that we're using for security. >> Data protection. >> Data protection we're using Cohesity. We just started using them at the beginning of this year. We switched off, we were a long time Legacy backup infrastructure. So a lot of moving parts. We decided that we wanted to find something that was more streamlined and was looking to the future with the way that they did data protection and disaster recovery. >> And where do you use the Cohesity solutions? Is it in your data center, public cloud, which offerings? >> So we have a Cohesity Appliances in our data center. We protect all of our virtual machines and physical machines using Cohesity. We tier that off into Azure cloud as a secondary copy, so then we have flexibility on what we can do with that data now that it's been virtualized and sent off to the cloud. >> Great, and are you realizing any cost savings? I mean, I know it's still early yet, you've only recently gone to Cohesity. But what's the... >> We have realized a lot of cost savings. Probably about 50% reduction in costs, CapEx style costs. And we also have reduced some of our year-to-year maintenance with licensing. >> All right, maybe talk about the operational side of things too. How many people did you have managing these kind of environment before? What's it look like after? What's that change mean? >> We have the same amount of people still managing the same environment. The only difference is now we're not spending as much time. So we kind of manage it across different teams within our environment. So our systems teams will do recoveries of virtual machines or data, whereas my team will actually manage the backups and adding clients and troubleshooting and things like that. Our team probably saves 10 or 15 hours a week. And the other teams about the same, with not having to troubleshoot things that just weren't working in the old platform compared to the new platform. >> Yeah, it was actually one of the things in the keynote this morning Satya Nadella was talking about business productivity. You always say it's nice if I could shave off an hour here, five hours there. There's always fear in IT, it's like, "Oh, wait, "they're going to put me out of a job." But the reality is you've always got more projects to work on and more things to do. >> There's always something else for us to do, which we're finding there's plenty of work for everyone to do. So we don't have to spend that time doing things that we shouldn't have been doing. >> I'm curious about how you stay on the cutting edge. I mean, typically you think about academia in general as being a little slow to adopt the latest and greatest technologies. And yet, this is where the research gets done, so much of it at these top universities. So what's the balance in your experience, and how do you stay abreast of all the new gizmos? >> We're pretty lucky because we're more of the central IT for the university even though we do work with researchers in different departments. So we are always constantly out there looking for, how can we do what we're doing now better, more efficiently, maybe cheaper, maybe not? But we're constantly looking for, what's the best way we can deliver the service that all of our users need. And it's a pretty broad base of users. Like you said, from students to researchers to just regular admins. They're all very different workloads and different users. >> All right, so, Chris, as you've rolled out Cohesity and you're starting to adopt Azure, what learnings have you had? If you're sitting down with one of your peers, and you hear them said, "I'm looking at this." What was the experience? What can I do to make it a little faster, save the team some heartburn maybe? >> I would say the biggest thing is just to do your homework. Go out and look and see what are your pain points today. And talk to people like Cohesity and say, "Honestly, here's my pain points, what can "you do to help me?" Cohesity's sat with us from the very beginning and they were very open to, "We can help "you with this, this, and this. We can't do that, "but we can get it into the product down the road." And they've done with with a lot of things that we've asked for to help us with whatever our needs might have been. >> Yeah, anything particular that you're asking of Microsoft, Cohesity, or others in the ecosystem that would help you do your job better? >> Not at this exact moment. Since we started with Cohesity, we have put in some requests with them over the first couple of months. And the product has evolved, maybe not because of stuff that we only asked for. I mean, it could have been a whole hundred other customers that asked for the same thing. I'm not sure. But they're very quick to put those things into the system, and they roll out updates very, very quickly and keep it going. >> Yeah, so we talk about education might be slow to adopt things. You've got a storage group, storage is not known as the latest and greatest. How do you manage things like upgrades? I was standing in line waiting and joking, it's like, "We're in a Microsoft event, remember Patch Tuesdays?" Yeah, how do you look at the, kind of, cloud on-demand, always on the latest generation versus balancing to make sure that things are trusted, secured, and tested? >> You're exactly right. In the storage world you might only do an upgrade once or twice a year at most. With Microsoft you're doing them once a month, maybe. With Cohesity, if they tell me there's a new upgrade or a patch, I'm ready to install it on a moment's notice. It's non-disruptive and the support team they have is so very good and quick that even if something were to go wrong, I am very confident they would have it fixed in very short order. So the confidence level with doing upgrades is very high. >> In terms of one of the big buzz words we hear, at this conference as well as at other technology conferences is "digital transformation." What does that mean to Brown University? Or does it mean anything? >> Well, it does. Our CIO had put out in his last year that we were going to start working on digital transformation as one of our big projects. What that exactly means for like my group is just what we have to do to support whatever the other groups are going to do to support moving toward a digital transformation. So if that means buying some new storage, or adding more storage to what we have, or talking to them about what apps are being added and how can we back that up and how can we perform disaster recovery services for those? That's the kind of things that our group would be worried about. More so than, what's the actual digital transformation itself. So it is something that is on our plate, but it's not the actual transformation itself. >> Well, Chris, thank you so much for coming on theCUBE. It was a lot of fun talking to you. >> Thank you for having me. >> I'm Rebecca Knight for Stu Miniman, we will have more from theCUBE's live coverage of Microsoft Ignite in just a little bit. (upbeat techno music)

>> Narrator: Live from Las Vegas, it's theCUBE! Covering IBM Think 2018. Brought to you by IBM. >> Welcome back to IBM Think 2018, you're watching theCUBE, the leader in live tech coverage, my name is Dave Vellante, I'm here with my co-host Peter Burris. Gene Chao is here as the Global VP of IBM Automation and Jason Kelley, Cube Alum, is the GM of Blockchain Services. Gentlemen, welcome back to theCUBE. >> Thank you much. >> Great to see you. >> You guys, I call you heat-seeking inefficiency missiles, so, Jason's... Just a shout-out, take it from there. What are you guys up to, what are you doing? How are you helping businesses? >> Well, we're driving trust into transactions. The elusive things that we've been trying to-- >> Gene: Whoops, there goes heat-seeking. (laughing) >> Exactly. Or we're seeking the heat. It's coming after us, as soon as we say trust, someone wants to attack you. And so what we're bringing into business is that thought that, if I can add trust into transactions, I don't need a third-party to validate it. I can now say, look, you are who you are. We both know each other. All that we do, we go way back. We know each other, and what we're about to exchange is known as well. So if I can keep that validation from happening, I'm going to remove cost, labor, time, out of it. And I'm also going to then maybe avail new market opportunities of those who could not enter the system before because we didn't trust their identities. Or we didn't trust that their goods were their goods, and they were trying to exchange it. So think of that heat-seeking missile, we're trying to bring that capability and that heat is the energy in the system now going bigger, better, faster because there's trust. >> And your role is to bring those Blockchain services to market, is that right? >> That's correct, bringing the services as a whole, because see, Blockchain isn't a product. Blockchain, you know, I don't have under the table a bucket of Blockchain. >> Dave: Let me see your Blockchain. >> Sorry, no Blockchains here. So, if in fact, we're bringing this capability to the market, there's all types of services from what's the business value design? First, what's your outcome? Why say Blockchain? Believe it or not, it says it on my chest, so it means I get paid to do it, but maybe you don't need this? And so, quite simply, maybe you need to do something else. So the first thing is, let's understand the outcome that your business is running toward, and then let's understand if it's a Blockchain, and then can we bring some automation with Gene and team? >> Okay, that's the set-up for you Gene, so you're the automation piece of the puzzle. Explain. >> So, I love the commentary around the better, faster, but we're also bringing more scale. So automation has scale. What does that mean? We're really focused on two things, guys, the first thing is around taking advantage of the new technologies to enable what I'll call software-based labor. So there's a new concept of the digital workforce model that enables how transactions or how work gets done. Coupled with that is how that workflow or process, business process, IT process, whatever it is, how does that workflow fundamentally change through these technologies. Why that's important is as we look at Blockchain, as an example, as a pivot point for trusted transactions, I need to build trusted automation around it. Trusted ways to leverage these technologies in that workflow so those transactions are easily scalable, works at machine time, and runs through very quickly. >> This is fascinating stuff, 'cause look. The way that we like to characterize the big change in the industry is we say, for the first 50 years of computing, there was no process, accounting, HR, et cetera, on known technology. How do we implement? What technology do you choose to implement? The implementation choices are becoming clear. Cloud, et cetera. What's less known is the process. The unknown process, unknown technology. Now it's unknown process, known technology. And what you guys are talking about is one of the challenges when you think about processes. Who does what? Can we verify that we've done it? Did they do it right? Did they meet to do what they said they were doing? Et cetera, the whole range of issues. And the contracting process is extremely complex, but if you set it up in a Blockchain form, you've got a simple contract, a simple definition of who is trusted, simple definitions of roles, and now we can dramatically accelerate new process creation and then automate it. Have I got that right? >> I think you got it, when you think about dramatically, dramatically accelerated, you say that it means something different to everyone. But let's think about my friend Frank Yiannas at Wal-Mart, for example, where they're working on food trust. They're trying to make sure that from farm to fork, we know where that food came from. One-third of all food that's processed goes to waste. Because we lack food trust. Food is guilty until proven innocent, right? To keep that from being-- >> Spoiled. >> Spoiled, I'm... The humor is killing me. (laughing) So, no pun intended, food trust, right? So, Frank and team wanted to understand how fast they could move this thought of tracking, tracing, with transparency, this food through the system. Just as you said, there's certain contrast, think of the handshakes from getting, in their case, a mango from a farm all the way to your home, Well, it used to take them seven days. Actually, six days, twenty-some hours, in order to figure out that process. Put it on the Blockchain? 12 seconds. And then once they cured the lag and the technology, 2.2 seconds. So think of that. Now you're shrinking this to seconds versus days, what does that do to the process? What do you do when you say, now my system can go that fast. My people can go that fast. What do you do? Think of the automation that you're bringing in now, and things that you will now have to automate, out of not just necessity, but things you will say, wow, we've opened up a whole new ecosystem of possibilities in order to do business in a different way. >> Well, so let me build on that for a second. 'Cause one of the things that potentially means is that because you can handle more complex, newly designed, process, better, faster, more automated, that you can start to expand the scope of participants in a transaction? The range of characteristics of the transaction, or the type of work? That's how you build up to new businesses and new business models, right? >> Sure. >> Right, right. >> If I can jump in on that one. There's a concept in this one, and this is where Jason and I are connected at the hip. You know, we think in terms of a smarter product, we think in terms of a smarter contract, or transaction, that the guiding principle that we're using is the old way of thinking, and I carry this narrative all over with me is, the old way of thinking is you have people following your creating process, supported by that technology. So the things that you talked about, unknown technology, unknown process, continuously sourced by people? Fundamentally changed. We're now working in a world where the process is run by the technology and supported by the people. It's not that the people are going away, it's a fundamental retooling of the skills and understanding of how to support it, but that scalability, the ability to get to that exponential growth, is because the process is the king. At the top of the food chain, now. And that technology lets it expand. >> But we could do levels of complexity in that process and the number of participants in that process, unheard of! It's scale and scope. >> Yes. >> But doesn't that force... Look, we've had some conversations, Dave and I have had some conversations, with a number of big user organizations about this stuff and we keep coming back to the issue of that they can't just look at the technology, they have to focus on the design. That one of the most crucial features of this process is the design of the Blockchain. We got that right? >> You heard me use the phrase at the very beginning, if you didn't, I'll say it again, I said, business value design. Because in fact, that design is not just a UI or UX, but let's make sure that the business and technology are doing the right thing to get to the outcome. As we say, design doesn't stop until the problem is solved. And guess what, the problem's never solved. So design happens... Many people say, "Oh we're going to do some "design thinking at the beginning. "We did that," check the block, and then they run off and do something else. For us, design's like an infinity loop. You continue to do it. From the beginning all the way to the end, and then, what you're able to do, and hint-hint, this is something that we do in our services, we start with our clients, we get them started so they understand, then we help them accelerate, and then innovate. Three steps: start, accelerate, innovate. And that's a design process in and of itself. So if you start at, you know, the days of Blockchain tourism were a couple years ago, everybody wanted to kick the tires, and then last year was PoC PoV, this year's the year of production. And people are quick in saying, "How do I quickly start "production and keep moving?" >> So let's talk about some other examples. You mentioned Wal-Mart, we heard Plastic Mag this morning, I introduced somebody, I think Evercorp was the name of the company, Diamond Providence. Others that you're excited about, that have made a business impact. >> Well, I'd be remiss if I didn't mention Mike White and others at our JV with Maersk. And you know, you think of that, where you have the classic thought of a supply chain, this linear steps in the process, you know, these handshakes that have to happen. Now what we have is we have this process of thinking how we can bring transparency into all of that, and it's not just a supply chain, but a value chain. So you have where 80% of whatever you all are touching or have owned right now, with the shipping line. But not only through a shipping line, but then there was also ground and air, and ultimately to a retail location. Then you consumed it. Well, think of all of those processes now having the transparency where you can see from point of consumption all the way back to origin. Think of the supply chain visibility, that elusive thing called supply chain optimization. Now you can do that, but not only the supply chain, but the value chain. Someone's paying invoices under that big thing called a value chain. Someone's doing trade promotion management in that value chain. Now, if you have that visibility, what do you enable? How many more packages can go through the system? How much more shipping? And the estimate is 5% increase in GDP if we're able to get all of this shipping into the Blockchain. You start talking GDP? It opens eyes. >> Right now you're talking growth, right? >> Yes. >> Real growth. >> So, it's 20% of the four trillion associated with shipping? Is bound up in paperwork? >> Yes. >> So we're talking about 800 billion dollar change. >> And returning capital into the system. Returning capital. You think of this thought of opening up new opportunity, And I'll throw another example, another client, so we're not just talking, but you think of what's happening with We.Trade. Nine banks in Europe who compete. You think of Santander Bank and a Deustche Bank and those are now, they're all coming together, saying "How do we now share data and information "so that we can let small to medium size enterprises "into the system?" So now you're getting not just savings of cost and time, but now you're opening up markets. Getting greater throughput. High waters raise all boats. And that's what we're seeing in a lot of these examples with, it's not just taking out those old things, you're thinking of new processes running the business a different way. >> And Jason's a great lead guy. You asked for an example, our friends at DBS Bank. They are fundamentally looking at changing the business models within the bank across all different divisions of the bank, whether it's credit transactions, mortgages, personal wealth, and the way they approached it was, we know these new technologies are going to allow us to fundamentally look at the workflow and change it. But here's the question: Who will be looking at changing these things? What's going to enable these model changes, the workflow changes may not be human capital. It may be working alongside this sort of man plus machine element or formula-- >> Peter: Patterns. >> Right, to allow the technology to tell you where your efficiencies could be gained. Allow the technologies to make the correlations in those disparate business models, to fundamentally change how you do business. So that's happening today. >> So, phase one is what is this, phase two, POC, now you're sort of in real production, but you obviously doing a lot more POCs, you're scaling out. Where do you see this going over the next three or four years? >> Well, I think last year was a year of the PoC PoV. I think this year's a year of production. And when you think of some of the examples that we've given, we've talked about consumer trade with Wal-Mart, we talk about shipping trade with Maersk, we talk about trade finance with We.Trade. Each of those individual networks, where do we see it going? We see these networks becoming a network of networks. Where each one of them have their own ecosystems and they come together. And they come together with trusted data, with trusted information, access that's unparalleled. So that's where we see it heading. And you have to say then, okay, it sounds really simple in the way you've just described it, so where's the challenge? The challenge is going to be doing this from a business and technology perspective. There's a lot of things that have to be figured out here. How are you going to make those processes work at that speed? What do you rightfully automate and what things don't you automate? That's more than just a technology. You can't plug a technology in and solve this. It takes an end to end capability. And that's what we're seeing, becoming more of a differentiating capability for our teams, where they can say, "Gene, Jason, "can your teams talk to us together?" 'Cause, of course, they work together. That's a differentiating effect of moving at scale and at speed, and that's where we see it going. Scale and speed. >> So what Jason and the Blockchain frame does for us, is it's an accelerant. Okay, we talk about knowledge worker, automation, we talk about different areas of software-based labor, but that accelerant is doing one big thing, is it's forcing us into what I'll call vertically integrated processes or workflow. Gone are the days of segmentation of, "Oh, that's back office," or "That's front office." We now have to take that workflow and pivot that to vertical integration. Why? That accelerant is moving at the speed of light for trusted transactions, I have to make the systems supporting that. The process, the people, I have to keep up with that pace of change. If I don't vertically integrate those processes inter and intracompany? This doesn't work. It falls down. So that's our marriage. >> Tough to go to market. How do you go to market? >> How do we go to market? We go to market as fast as we can, and we go joined at the hip, with clear and simple understanding. >> Where's the Blockchain for going to market? >> Yeah, right? >> And is there partner ecosystem that... >> Absolutely. So we talk about a Blockchain, Blockchain's a team sport. And it is a true demonstration of Metcalfe's Law, you know, the network drives the value. And so we do. We go to market with this thought of, who's going to play in that network? And we have networks where its obvious value may have a founder network, like Wal-Mart, where you say look, we see the ecosystem, we have the ecosystem, we're the founding partner, or you have a consortium such as We.Trade, where they come in and they say, "Look, let's pull all this together "'cause we see the value." So we go to market with that ecosystem, knowing that they have to partner, they have to work together. >> Outstanding. >> There's three distinct chapters in our go to market strategy. One is the services architecture, the second one is software ecosystem, and the third is around platforms, like a Blockchain. So when we start-- >> No design? >> Sorry, say again? >> No design? >> No, there is absolutely design. Absolutely design. So at a service architecture's perspective, there is fundamental workflow design happening. At a platform level, that's an even further advancement of design, because of the frameworks and blueprints happening inside a Blockchain, inside the different next-gen technologies happening. So I have to be two things, I have to be an automation-led environment where I'm providing the way to do these things, differences in RPA versus other technologies, but I also have to be an automation-attached. I have to be attached into the Blockchain framework to make sure we're coupled in the different elements of that framework. So that's how we jointly go to market. >> Peter: RPAs, I'm sorry? >> I'm sorry, Robotic Process Automation companies, so these are the relatively new technologies that enable software-based labor components. They're replicating human activity. >> Software robots? >> Software robots. >> You have a path to automation anyway. >> Exactly right. Exactly right. >> And it's funny when you ask, you know, no design. Design's in there. And this is the way we work at IBM, I mean, we're past that calling it out. So if someone's calling it out, it's like you're going to buy a phone and say, "Oh yeah, we included the battery." Like, it's there now, right? So that's how we run. So is it in there? You mention IBM, anything that you're going to consume from us? Includes IBM design. By practice. >> Wow, you guys, today was Blockchain day. I mean, you must have been thrilled to see all the main tech-- >> You mean every day's not Blockchain day? >> Dave: Well, at IBM, thinks every day... >> Okay, alright, I was just checking. >> You guys sucked all of the air out of the morning. And we heard-- >> And by the way, I certainly hope not. (laughing) >> You hope not what? >> That every day is Blockchain day. >> I hope so. Jason here. >> Makes me not have to buy a new wardrobe. >> If every day's Blockchain day, it ain't working. This is going to be one of those technologies, the less we know about it, the more successful it's been. >> I agree, I agree. >> Well, gentlemen, thanks very much for coming on theCUBE. Always a pleasure. >> Thank you guys. >> Thanks very much. >> Appreciate it. >> Alright, keep it right there, buddy. We'll be back with our next guest right after this short break. You're watching theCUBE live from IBM Think 2018. Be right back.

>> Voiceover: Live from Boston, Massachusetts, it's the Cube covering Red Hat Summit 2017. Brought to you by Red Hat. >> Hi, I'm Stu Miniman and welcome back to the three days of live coverage here at Red Hat Summit 2017. The sixth key note of the week just wrapped up. Everybody's streamin' out. We've got a couple more segments. Happy to welcome back to the program a couple gentlemen we had on actually the Open Stack Summit. John Allessio, who'd the vice president of - And Nick Hopman, who's the senior director of Emerging Technology Practices, both with Red Hat. Gentlemen, great to see you again. >> Great to see you again Stu, good afternoon. >> Yeah, so a year ago you guys launched this idea of the Open Innovation Labs. We're opening these labs this year. You've got some customers. We actually had Optum on earlier in the week. We're going to have the easiER AG guys on, I should say - I was corrected earlier this week. I shouldn't say guys, actually I think it's two doctors, a man and a woman that are on. >> Andre and Dorothy. Andre and Dorothy - so really amazing customer testimonials for working through. So John, why don't you start with, you know, give us the update on the innovation lab program. Open and innovation get, you know, discussed a lot. Give us the real meat of what happens. >> So, just maybe a quick recap. >> Yeah. >> So Stu, we had about oh a year and a half ago or so, our strategic advisory board tell us, Red Hat, we really are looking for you to help show us the way in how to develop software, but also kind of help us leverage this culture that Red Hat has and developing software the Red Hat way. And so we worked with about a dozen clients across the globe, got a lot of great feedback on what they were looking for. We created an offering and then we launched it, as you said in Austin at Open Stack Summit. And now we've done many engagements in Europe and in North America across multiple different industries. We had here at the Summit this week actually two clients talk on the main stage, both Optum and easiER AG. And both of them have been through innovation lab engagements. Very different industries, very different clients, but what it has proven in both cases is it's really been a great way and a great catalyst to kind of spark innovation, whether it's within an existing IT infrastructure or building out some capability in particular customer environments, like we did with Optum, or kind of taking some ideas. And I'll let Dorothy and Andre tell their story when they come on and work with you. I don't want to take their thunder. But a great way to show you how we can work with a start up and really help them kind of take their vision and make it reality in an application. >> Yeah, Nick, you know, we've done so many interviews about the various pieces, lots of interesting business. It reminds me of that kind of pipelining that you talk about. One of the announcements this week was Open Shift IO, which it helps with kind of the application modernization. Can you maybe help us, you know, put together how the products that Red Hat does and what you're doing in the Open Innovation Labs, how do those go together and mesh and new stuff come in? >> It's actually kind of at the core of what we do anyway. So, we are building on top of the foundation, the technologies at Red Hat's core platform. But in a residency with Open Innovation Labs we are tying in other technologies, other things outside of the Stack. But with like Open Shift IO, what we've created was what we called the push button infrastructure. How are we showing with the process and everything to innovate on top of the Red Hat technology? How do we accelerate that journey? And so we created what was called the push button infrastructure to show that foundational acceleration, and Open Shift IO is actually now kind of part of that core. And adding in other components, other technologies that Red Hat has, whether it's our ISV partners, things in Open Shift commons, all those things to accelerate the application development experience. And so I think with Open Shift IO and as Red Hat continues to evolve in the development kind of tooling landscape, you're going to see how we are helping our customers do cloud data of application development more so than ever before. >> Yep, and maybe to add to that too, Nick, we were talking to a client this morning about some of their challenges and their priorities for this current physical year, And that particular client was talking about Jenkins and a number of non-Red Hat technologies as well because at the end of the day, our customers have Red Hat products, have non-Red Hat products. I think the great thing that maybe you can mention is when you look at that push button infrastructure that we've built, it's not really a Red Hat thing, although it clearly is tied to the Red Hat technology. But it's even bigger than that. And I think that would be important for the team to understand. >> Yeah so we actually have online is what we call our text stack, and it allows the customer to kind of select the current technologies that we've currently got integrated into our push button infrastructure, and it's always evolving. So I think what we're trying to bring to the table from a technology perspective is our more prescriptive approach. But it's always changing, always evolving. So if customers are wanting to use x or y technology, we're able to integrate with that. But even more so, if you take that technology to the foundation, put a couple of droplets of the Red Hat DNA and the culture is really where that innovation and that inspiration kind of where it's - it's culminating on top of it. So they're building out the applications, like the easiER AG examples. >> John: Yeah, excellent. >> It's great, I always love - By the time we get to the end here, oh I see some of the common threads. You know, for example, Ansible's acquired a year and a half ago, boy we've seen Ansible you know weave it's way into a lot of products. >> Nick: Sure. >> Was talking to Ashush just a sort while ago. And the Open Stack commons, which reflected what you were just talking about is customers are coming, they're sharing their stories. And it's not all Red Hat pieces. One thing I think, I go to a lot of technology shows, and it's usually, "Oh, well we want to talk about solutions." But by these pieces, and Red Hat at it's core it's all open source, and therefore there's always going to be other pieces that tie in. How do you extend as to how much of this is driven by the Red Hat business versus you know the problems of the customer? I'm sure those mesh together pretty well, but maybe some learning you've had over the last year that you could share on that. >> Sure. I think one of the great starting points Stu is what we try and do in every case is start with what we call is a discovery session. So it's one of our consultants, or one of our solution architects really going into the client and having a discussion around what is the business problem we're trying to solve, or what is the business opportunity we're trying to capitalize upon. And from there, you know we have a half day to a day kind of discussion around what these priorities are, and then we come back to them with the deliverable that says okay, here's how we could solve that problem. Now there will be areas that we of course think we have Red Hat technology that absolutely is a perfect fit. We're going to put it in and make that as a recommendation. But there's going to be other technologies that we're also going to recommend as well. And I think that's what we've learned in these Innovation Lab engagements. Because often it's a discussion with IT of course, but also a discussion with line of business. And sometimes what happens in these discovery sessions is sometimes it's the line of business and IT perhaps connecting for the first time on this particular topic. And so we'll come back with that approach and it'll be an approach that's tailored to that customer environment. >> One thing kind of pivots a little bit from the topic of the technology, but I mean the culture and how we're doing this. I mean we are working with ISV's and things of how they could come through the residency to get things spun up into Open Shift commons and get their technology in the Stack or integrated with Red Hat's technical solutions. But on the other hand, you know really when they come in and they work with us, they're driving forward with looking at you know changes of their culture. They're trying to do digital transformation. They're trying to do these different types of things, but working with that cross-functional team. They're coming up with, oh wow, we were solving the problems the wrong way. And that's kind of just the point of the discovery session, figuring out what those business challenges are is really kind of what we're bubbling up with that process. >> Yeah, I'm curious. When I think to just open innovation, even outside of the technology world, sometimes we can learn a lot from people that aren't doing the same kind of things that we've been doing. I know you've got a couple of case studies here, customers sharing their stories, but how do we allow the community to learn more? When they get engaged in the innovation lab are customers sharing a little bit more? We know certain industries are more open to sharing than others, but what are they willing to share? What don't they share? How do you balance that kind of security if you will of their own IP as separate from the processes that they're doing? >> John: Sure. >> It's actually kind of interesting, we had a story this week, we have an engagement going on in our London space, which will be launching in a week and a half. But they're going on right now. And there was a customer that was kind of coming through for a regular executive briefing if you will. And we walked him through the space. And they saw the teams working in there and they were before in the sales kind of meaning, they were a little bit close-minded and close-sourced if you will. Trying to not want to share some of their core nuggets of their IP if you will. And once they saw kind of the collaborative landscape, and this is not even technology based, but just the culture of an open conversation. You know I hate to overuse - you know the sticky notes everywhere, the dev ops. I mean they were really doing a conversation with the customer that was engaging. And all of a sudden the customer that was there on the sales conversation goes, "I want to do this session, I want to go through this discovery session with you guys." And so I think customers are trying to do that. And the other thing is, in our spaces and in our locations, like Boston, we are actually having two team environments, and we've designed it to try and create collisions. So they're basically on two sides, but there's also a common area in the middle where we're trying to create those collisions to inspire that open conversation with our clients as well. Some may be comfortable with it, some might not be as comfortable with it, but we're going to challenge them. >> Nick, I love that term collisions. There's a small conference I go to in Providence. Haven't made it every year, but a few times. It's an innovation conference. And they call it the random collision of unusual suspects. It's the things we can learn from the people we don't know at all. Unfortunately, we're too much. You know, we know the people we know. We know a lot of the same information that we know. If somebody outside of the like three degrees of separation that you might find, that next really amazing thing that will help us move to the next piece, it brings me to my next point. You mentioned London and Boston, how do you decide where you're building your next centers, what's driving that kind of piece of it? And, you know, bring us up to speed as the two new locations, one of which if we had a good arm we might be able to throw a baseball and hit. >> Excellent, so let me just start by first of all saying, you know part of what we're doing here is it's this experiential residency is what it is. And that residency can happen at a client location, at a Red Hat location, or even a pop-up you know kind of third party location. And quite frankly, over the course of the last year, we've done all three of those scenarios. So all three of them are valid. As far as it relates to a Red Hat facility, what we try and do is find a location if we can that's either co-located with a large percentage of Red Hat clients, and or maybe Red Hat engineering. Because oftentimes we'll want to bring some of the engineers into these sessions. So, Mountain View, where we have a center today was a natural 'cause we have some engineering capability out on the west coast. And Boston is of course very natural as well because we have a very large engineering presence here in Boston. In fact, I'll let you talk a little bit about the Boston center 'cause that's going to be our next one that opens here in just a few weeks. So maybe Nick, talk a bit about you know what we're doing in the Boston center, which will be, if you will, our world wide hub for Red Hat innovation. It's not just going to be the Boston center, it's also going to be our world wide hub. >> No pun intended that it's in the hub that is Boston. >> You got it, you got it! >> Excellent. >> So you know, what are we doing in the innovation center, and the engineering center, and the customer briefing center all co-located in Boston. >> Yeah so it's actually going back to the collisions. We've even try and create collisions in our own organization. So it's actually an eight-shaped building. We've got four floors, or two floors on each side. So kind of effectively four floors. Engineering on one side on two floors, and an EBC on a floor above the Open Innovation Labs, and the Open Innovation Labs on the third floor if you will. And there's actually floor cut-outs, so people you know if they're coming in from an executive briefing, they can see down, see what's going on there. And then engineering on the other side. And the point there is that open culture just even within our organization, working with the engineers across the board, getting them over into our space, working with us to solving the problems. And showing, you know, I think the key point that I would hit on there is really trying to inspire customers what it's like to work in a community. So community powered innovation. All those types of things. And so the space is trying to do that. The collisions, the openness obviously, flexibility, but also what we're trying to do is create a platform or a catalyst of innovation. And whether or not it's in the location or pop-up location, we're trying to show the customer some of these principals that we're seeing that's effectively allowing Red Hat to drive the innovation, and how they can take that back into their own. So, you know the locations are great for driving a conversation from a sales perspective, and just overall showcasing it. But the reality is we've got this concept to innovate anywhere. We want to be able to take our technology, our open culture, everything you would want to use and go be able to take that back into your organization. 'Cause our immersive experience is only you know, it's kind of camp for coders or camp for the techies if you will. So you know that's working well, but that's not long term. Long term we have to show them how they can drive it forward, you know with themselves. >> Where do I sign up for the summer program? (all laugh) >> It's coming this summer. >> So Boston will launch in the end of June. >> End of June, early July. >> And the June timeframe we had, I don't know how many dozens of clients, and partners, and Red Hatters go through in hard hat tours this week, here at the Summit. And then in two weeks, we'll open in downtown or really in the heart of London. >> Stu: Alright, yeah, quick flat flight across the pond to get to London. Anything special about that location? >> I think just overall the locations all have a little bit of uniqueness to them. I they're definitely - we did design them to inspire innovation, thinking outside the box. So I think you know, if you go visit one of our locations you might a couple kind of hidden rooms if you will. Some other unique things. But overall, they are just hubs in general for the regions. Hubs of technology and innovation. And so from the go forward perspective I mean we are trying to say, you know, Red Hat is doing things different, thinking different. And these are kind of a way to show it. So trying to find that urban location that is a center point for people to be able to travel in and be able to experience that is really kind of the core. >> So London will open in two weeks, and then we're already working on blueprints for Singapore. >> Singapore, yeah. >> For our Asia hub, and had some great conversations with our leader for Latin America about some very initial plans for Latin America as well. So you know, we'll have great presence across the globe. We'll be able to bring this capability to customer sites. We've already done that. We'll be able to do pop ups. 'Cause even in some cases customers are saying you know we don't want to travel, but we want to get out of our home environment so we can really focus on this and have that immersive experience, and that intimate experience. So we'll do the pop ups as well. >> Driving change, we are seeing that that's the best way. Especially with this kind of, you know, the residency. It is a time box. So if we get them out of their day to day, some of the things, you know, sometimes are the things that are holding them out. Get them in the pop up location, get them outside of their space. All of a sudden their eyes open up. And we had a large retailer, international retailer that we did a project with on the west coast, and getting them out of their space got them coming back. The actual quotes from their executives and the key stakeholders were like they came back fired up. >> Stu: Yeah. >> And they came back motivated to try to make change without our organization. So it's disruption on every level. >> Yeah, you can't underestimate the motivation and the spirit that people come out of these engagements with. It's like a renewed sense of, "I can do this." And we saw that exactly with this retail engagement of really already working on preparing for Black Friday, and putting some great plans in place and really building that out for them. >> John Allessio, Nick Hopman; we always love digging in about the innovation. Absolutely something that excites most people of our industry. That doesn't? Maybe you're in the wrong industry. >> Exactly. >> We've got a couple more interviews. Stay tuned with us. I'm Stu Miniman, you're watching the Cube. (light music)