>>Good morning from Los Angeles, Lisa Martin here at Qube con cloud native con north America, 2021. This is the cubes third day, a wall-to-wall coverage. So great to be back at an event in person I'm excited to be joined by Vince Wang, senior director of products at 49. We're going to talk security and Kubernetes then welcome to the program. >>Thank you for having me. >>So I always love talking to 40 minutes. Cybersecurity is something that is such an impersonal interest of mine. The fording that talks about the importance of integrating security and compliance and the dev sec ops workflow across the container life cycle. Why is this important and how do you help companies achieve it? >>Well, as companies are making digital innovations, they're trying to move faster and as to move faster, or many companies are shifting towards a cloud native approach, uh, rapid integrations, rapid development, and rapid deployment, uh, but sometimes speed, you know, there's a benefit to that, but there's also the downside of that, where, you know, you can lose track of issues and you can, uh, introduce a human error in a problem. So as part of the, as part of the, the, the means to deliver fast while maintaining his six year approach, where both the company and the organizations delivering it and their end customers, it's important to integrate security throughout the entire life cycle. From the moment you start planning and development, and people's in process to when you're developing it and then deploying and running in production, um, the entire process needs to be secured, monitored, and, um, and vetted regularly with good quality, um, processes, deep visibility, and an integrated approach to the problem. Um, and I think the other thing to also consider is in this day and age with the current situation with COVID, there's a lot of, uh, development of employment in terms of what I call NASA dental Baltic cloud, where you're deploying applications in random places, in places that are unplanned because you need speed and that, uh, diversity of infrastructure and diversity of, uh, of clouds and development and things to consider then, uh, produces a lot of, uh, you know, uh, opportunities for security and, and challenges to come about. >>And we've seen so much change from a security perspective, um, the threat landscape over the last 18 months. So it's absolutely critical that the integration happens shifting left. Talk to us about now let's switch topics. Application teams are adopting CIC D uh, CICB workflows. Why does security need to be at the center of that adoption? >>Well, it goes back to my earlier point where when you're moving fast, your organizations are doing, um, you're building, deploying, running continuously and monitoring, and then improving, right? So the idea is you're, you're creating smaller, incremental changes, throwing it to the cloud, running it, adjusting it. So then you're, you're rapidly integrating and you're rapidly developing and delivery. And again, it comes down to that, that rapid nature, uh, things can happen. There's, there's more, uh, more points of touching and there's more points of interactions. And, you know, and again, when you're moving that fast, it's really easy to, um, miss things along the way. So as you have security as a core fundamental element of that DNA, as you're building it, uh, that that's in parallel with everything you're doing, you just make sure that, um, when you do deliver something that is the most secure application possible, you're not exposing your customers or your organizations to unforeseen risks that just kind of sits there. >>Uh, and I think part of that is if you think about cloud infrastructure, misconfiguration is still number one, uh, biggest problem with, uh, with security on the, in the cloud space, there's, uh, tasks and vulnerabilities those, we all know, and there's there's means to control that, but the configurations, when you're storing the data, the registries, all these different considerations that go into a cloud environment, those are the things that organizations need visibility on. And, um, the ability to, to adopt their processes, to be proactive in those things and know what they, uh, do. They just need to know what, what then, where are they're operating in, um, to kind of make these informed decisions. >>That visibility is key. When you're talking with customers in any industry, what are the top three, let's say recommendations to say, here's how you can reduce your exposure to security vulnerabilities in the CIS CD pipeline. What are some of the things that you recommend there to reduce the risk? >>There's a couple, oh, obviously security as a fundamental practice. We've been talking about that. So that's number one, key number. The second thing that I would say would be, uh, when you're adopting solutions, you need to consider the fact that there is a very much of a heterogeneous environment in today's, uh, ecosystem, lots of different clouds, lots of different tools. So integration is key. The ability to, um, have choices of deployment, uh, in terms of where you wanted to play. You don't want to deploy based upon the technology limitations. You want to deploy and operate your business to meet your business needs and having the right of integrations and toolings to, uh, have that flexibility. Now, option is key. And I think the third thing is once you have security, the choices, then you can treat, you create a situation where there's a lot of, uh, you know, process overhead and operational overhead, and you need a platform, a singular cybersecurity platform to kind of bring it all in that can work across multiple technologies and environments, and still be able to control at the visibility and consolidate, uh, policies and nationally consistent across all closet points. >>So we're to the DevOps folks, what are some of the key considerations that they need to take into >>Account to ensure that their container strategy isn't compromising security? Well, I think it comes down to having to think outside of just dev ops, right? You have to, we talk about CIC D you have to think beyond just the build process beyond just where things live. You have to think continuous life cycles and using a cyber security platform that brings it together, such as we have the Fortinet security fabric that does that tying a lot of different integration solutions. We work well within their core, but theirs have the ability to integrate well into various environments that provide that consistent policies. And I think that's the other thing is it's not just about integration. It's about creating that consistency across class. And the reality is also for, I think today's dev ops, many organizations are in transition it's, you know, as, as much as we all think and want to kind of get to that cloud native point in time, the reality is there's a lot of legacy things. >>And so dev ops set ups, the DevSecOps, all these different kind of operational functions need to consider the fact that everything is in transition. There are legacy applications, they are new cloud native top first type of application delivery is using containers of various technologies. And there needs to be a, again, that singular tool, the ability to tie this all together as a single pane of glass, to be able to then navigate emerge between legacy deployments and applications with the new way of doing things and the future of doing things with cloud native, uh, and it comes down again to, to something like the Fortinet security fabric, where we're tying things together, having solutions that can deploy on any cloud, securing any application on any cloud while bringing together that consistency, that visibility and the single point management, um, and to kind of lower that operational overhead and introduce security as part of the entire life cycle. >>Do you have a Vincent example of a customer that 49 has worked with that has done this, that you think really shows the value of what you're able to enable them to achieve? >>We do. We do. We have lots of customers, so can name any one specific customer for various reasons, you know, it's security after all. Um, but the, the most common use cases when customers look at it, that when you, we talked to a CIO, CSO CTO is I think that's a one enter they ask us is, well, how do we, how do we manage in this day and age making these cloud migrations? Everyone? I think the biggest challenge is everyone is in a different point in time in their cloud journey. Um, there's if you talk to a handful of customers or a rueful customers, you're not going to find one single organization that's going to be at the same point in time that matches them yet another person, another organization, in terms of how they're going about their cloud strategies, where they're deploying it at what stage of evolution there are in their organizational transformations. >>Um, and so what they're looking for is that, that that's the ability to deploy and security any application on any topic throughout their entire application life cycle. Um, and so, so the most common things that, that our customers are looking for, um, and, you know, they're doing is they're looking to secure things on the network and then interconnected to the cloud with, uh, to deliver that superior, uh, application experience. So they were deploying something like the security fabric. Uh, again, you know, Fordanet has a cybersecurity approach to that point and securing the native environments. They're looking at dev ops, they're deploying tooling to provide, uh, you know, security posture management, plus a few posture management to look at the things that are doing that, the registries, their environment, the dev environment, to then securing their cloud, uh, networks, uh, like what we do with our FortiGate solutions, where we're deploying things from the dev ops. >>I feel secure in the cloud environment with our FortiGate environments across all the various multitudes of cloud providers, uh, like, uh, AWS Azure, Google cloud, and that time that together with, with some secure, um, interconnections with SD LAN, and then tying that into the liver and productions, um, on the web application side. So it's a very much a continuous life cycle, and we're looking at various things. And again, the other example we have is because of the different places in different, uh, in terms of Tod journeys, that the number one key is the ability to then have that flexibility deployment to integrate well into existing infrastructure and build a roadmap out for, uh, cloud as they evolve. Because when you talk to customers today, um, they're not gonna know where they're going to be tomorrow. They know they need to get there. Uh, they're not sure how they're going to get there. And so what they're doing now is they're getting to cloud as quickly as they can. And then they're looking for flexibility to then kind of adjust and they need a partner like Fordanet to kind of bring that partnership and advisorship to, uh, to those organizations as they make their, their, their strategies clearer and, uh, adjust to new business demands. >>Yeah. That partnership is key there. So afforded it advocates, the importance of taking a platform approach to the application life cycle. Talk to me about what that means, and then give me like the top three considerations that customers need to be considering for this approach. >>Sure. Number one is how flexible is that deployment in terms of, do you, do customers have the option to secure and deploy any application, any cloud, do they have the flexibility of, um, integrating security into their existing toolings and then, uh, changing that out as they need, and then having a partner and a customer solution that kind of grows with that? I think that's the number one. Number two is how well are these, uh, integrations or these flexible options tied together? Um, like what we do with the security fabric, where everything kind of starts with, uh, the idea of a central management console that's, you know, uh, and consistent policies and security, um, from the get-go. And I think the third is, is looking at making sure that the, the, the security integrations, the secure intelligence is done in real time, uh, with a quality source of information, uh, and, and points of, uh, of responsiveness, um, what we do with four guard labs. >>For example, we have swell of large, um, machine learning infrastructure where have supported by all the various customer inputs and great intelligence organizations, but real time intelligence and percussion as part of that deployment life cycle. Again, this kind of really brings it all together, where organizations looking for application security and, and trying to develop in a CSED fashion. And you have the ability to then have security from the get, go hide ident to the existing toolings for flexibility, visibility, and then benefits from security all along the way with real time, you know, uh, you know, leading edge security, that then kind of brings that, that sense of confidence and reassurance as they're developing, they don't need to worry about security. Security should just be part of that. And they just need to worry about solving the customer problems and, uh, and, you know, delivering business outcomes and results. >>That's it, right? It's all about those business outcomes, but delivering that competence is key. Vince, thank you for joining me on the program today, talking through what 49 is doing, how you're helping customers to integrate security and compliance into the dev dev sec ops workflow. We appreciate your insights. >>Thank you so much for your time. I really appreciate it. My >>Pleasure for vents Wang. I'm Lisa Martin. You're watching the cube live from Los Angeles, uh, cube con and cloud native con 21 stick around at Dave Nicholson will join me next with my next guest.

>>Good morning, welcome to the cubes coverage of Qube con and cloud native con 21 live from Los Angeles. Lisa Martin, here with Dave Nicholson. David's great to be in person with other humans at this conference. Finally, I can't believe >>You're arms length away. It's unreal. >>I know, and they checked backs cards. So everybody's here is nice and safe. We're excited to welcome kingdom Barrett to the program, flux, maintainer and open source support engineer at we works. He came to him. Welcome to the program. >>Oh, thank you for having me on today. >>So let's talk about flux. This is a CNCF incubating project. I saw catalyze as adopt talk to us about flux and its evolution. >>Uh, so flex is, uh, uh, just got into its second version a while ago. We've been, uh, working on, um, uh, we're an incubating project and we're going towards graduation at this point. Um, flex has seen a great deal of adoption from, uh, infant cloud infrastructure vendors in particular, uh, like Microsoft and Amazon and VMware, all building products on, um, flux, uh, the latest version of flux. And, uh, we've heard, uh, from companies like Alibaba and state farm. We had a, uh, uh, conference, uh, at a co-hosted event earlier on Tuesday called get-ups con, uh, where we presented all about get ops, which is the technology, uh, guiding, uh, set of principles that underlies flux. And, uh, there are new adopters, um, all, all every day, including, uh, the department of defense, uh, who has a hundred thousand developers. Um, it's, it's, it's very successful project at this point, who are the >>Key users of flux flux? >>Excuse me. The key users of flux are, uh, probably, uh, application developers and infrastructure engineers, and platform support folks. So a pretty broad spectrum of people. >>And you've got some news at the event. >>Yeah, we actually, uh, we have a, uh, ecosystem event that's coming up, um, on October 20th, uh, it's free virtual event. Uh, folks can join us to hear from these companies. We have people from high level, uh, CTOs and GMs, uh, from companies like Microsoft, Amazon VMware, uh, we've worked D two IQ, um, that are, uh, going to be speaking, uh, about their, uh, products that you can buy from their cloud vendor, uh, that, uh, are based on flux. Uh, so, so that's a milestone for us. That's a major milestone. These are large vendors, um, major cloud vendors that have decided that they trust, uh, flux with their customers workloads. And it's, it's the way that they want to push get ups. Great >>Validation. Yeah. >>So give us an example, just digging in a little bit on flux and get ops. What are some of the things that flux either enforces or enables or validates? What, how would you describe the flux get ops relationship? >>So the first to get ops principles is declarative infrastructure and that's, uh, that's something that people who are using Kubernetes are already very familiar with. Um, flux has a basic itself, or, or I guess spawned, uh, maybe is a better way to say it. Uh, this, um, uh, whole get ops working group, that's just defined the principles. There's four of them in the formal definition. That's just been promoted to a 1.0 and, uh, the get ups working group, publish, publish this at, uh, open get-ups dot dev where you can read all four. And, um, it's great copy site. If you're not really familiar with get ops, you can, you can read all four, but, uh, the other, uh, the second one I would have mentioned is, uh, version storage is, is, uh, it's called get ups and get as a version store. So it's a good for, um, disaster recovery. >>Uh, and, uh, if you have an issue with a new release, if you're, uh, pushing changes frequently, that's, you know, more than likely you will have issues from time to time. Uh, you can roll back with, get ups because everything is version. Um, and, uh, you can do those releases rapidly because the deployment is automatic, um, and it's continuously reconciling. So those are the four principles of get ups. Uh, and they're, they're not exactly prescriptive. You don't have to adopt them all at once. You can pick and choose where you want to get started. Um, but that's what, uh, is underneath flux. >>How do you help customers pick and choose based on what are some of the key criteria that you would advise them on? >>We would advise them to try to follow all of those principles, because that's what you get out of the box with fluxes is a solution that does those things. But if there is one of those things that gets in a way, um, there's also the concept of a closed loop that is, um, sometimes debated as whether it should be part of the get ops principles or not. Um, that just means that, uh, when you use get-ups the only changes that go to your infrastructure are coming through get-ups. Uh, so you don't have someone coming in and using the back door. Um, it all goes through get, uh, w when you want to make a change to your cluster or your application, you push it to get the automation takes over from there and, um, and makes, uh, developers and platform engineers jobs a lot easier. And it makes it easier for them to collaborate with each other, >>Of course, productivity. You mentioned AWS, Microsoft, VMware, uh, all working with you to deliver, get ups to enterprise customers. Talk to me about some of the benefits in it for these big guys. I mean, that's great validation, but what's in it for AWS and VMware and Microsoft, for example, business outcome wise. >>Well, uh, one of the things that we've been promoting and since June is a flex has been, uh, uh, there's an API underneath, that's called the get ops toolkit. This is, uh, if you're building a platform for platforms like these cloud vendors are, um, we announced that fluxes APRs are officially stable. So that means that it's safe for them to build on top of, and they can, uh, go ahead and build things and not worry that we're going to pull the rug out from under them. So that's one of the major vendors, uh, one of the major, uh, uh, vendor benefits and, um, uh, we've, we've also added a recent improvement, uh, uh, called service side apply that, uh, will improve performance. Uh, we reduced the number of, um, API calls, but also for, for, uh, users, it makes things a lot easier because they don't have to write explicitly health checks on everything. Uh, it's possible for them to say, we'd like to see everything is healthy, and it's a one-line addition, that's it? >>So, you know, there's been a lot of discussion from a lot of different angles of the subject of security, uh, in this space. Um, how does this, how does this dovetail with that? A lot of discussion specifically about software supply chain security. Now this is more in the operations space. How do, how do those come together? Do you have any thoughts on security? >>Well, flux is built for security first. Um, there are a lot of products out there that, uh, will shell out to other tools and, and that's a potential vulnerability and flux does not do that. Uh, we've recently undergone a security audit, which we're waiting for the results and the report over, but this is part of our progress towards the CNCF graduated status. Um, and, uh, we've, we've liked what we've seen and preliminary results. Uh, we've, we've prepared for the security audit on knowing that it was coming and, uh, uh, flexes, uh, uh, designed for security first. Uh, you're able to verify that the commits that you're applying to your cluster are signed and actually come from a valid author who is, uh, permitted to make changes to the cluster and, uh, get ops itself is, is this, uh, model of operations by poll requests. So, um, you, you have an opportunity to make sure that your changes are, uh, appropriately reviewed before they get applied. >>Got it. So you had a session at coupon this week. Talk to me a little bit about that. What were like the top three takeaways, and maybe even share with us some of the feedback that you got from the audience? >>Um, so, uh, the session was about Jenkins and get ups or Jenkins and flux. And the, um, the main idea is that when you use flux, flux is a tool for delivery. So you've heard maybe of CIC, D C I N C D are separate influx. We consider these as two separate jobs that should not cross over. And, uh, when, when, uh, you do that. So the talk is about Jenkins and flux. Jenkins is a very popular CII solution and the messages, uh, you don't have to abandon, if you've made a large infrastructure investment in a CII solution, you don't have to abandon your Jenkins or your GitHub actions or, or whatever other CII solution you're using to build and test images. Uh, you can take it with you and adopt get ups. >>Um, so there's compatibility there and, and usability familiarity for the audience, the users. Yeah. What was some of the feedback that they provided to you? Um, were they surprised by that? Happy about that? >>Well, and talk to us a little bit fast paced. Uh, we'll put it in the advanced CIC D track. I covered a lot of ground in that talk, and I hope to go back and cover things in a little bit smaller steps. Um, I tried to show as many of the features of Fluxus as I could. Uh, and, and so one of the feedback that I got was actually, it was a little bit difficult to follow up as, so I'm a new presenter. Um, this is my first year we've worked. I've never presented at CubeCon before. Um, I'm really glad I got the opportunity to be here. This is a great, uh, opportunity to collaborate with other open source teams. And, um, that's, that's, uh, that's the takeaway from me? No. >>So you've got to give a shout out to, uh, to weave works. Absolutely. You know, any, any organization that realizes the benefit of having its folks participating in the community, realizing that it, it helps the community, it helps you, it helps them, you know, that's, that's what we love about, about all of this. >>Yeah. We're, uh, we're really excited to grow adoption for, um, Kubernetes and get ops together. So, >>So I've asked a few people this over the last couple of days, where do you think we are in the peak Kubernetes curve? Are we still just at the very beginning stages of this, of this as a, as a movement? >>Um, certainly we're, um, it's, it's, uh, for, for people who are here at CubeCon, I think we see that, you know, uh, a lot of companies are very successful with Kubernetes, but, um, I come from a university, it, uh, background and I haven't seen a lot of adoption, uh, in, in large enterprise, um, more conservative enterprises, at least in, in my personal experience. And I think that, uh, there is a lot for those places to gain, um, through, through, uh, adopting Kubernetes and get ups together. I think get ops is, uh, we'll provide them with the opportunity to, uh, experience Kubernetes in the best way possible. >>We've seen such acceleration in the last 18, 19 months of digital transformation for companies to survive, to pivot during COVID to survive, doubt to thrive. Do you see that influencing the adoption of Kubernetes and maybe different industries getting more comfortable with leveraging it as a platform? >>Sure. Um, a lot of companies see it as a cost center. And so if you can make it easier or possible to do, uh, operations with fewer people in the loop, um, that, that makes it a cost benefit for a lot of people, but also you need to keep people in the loop. You need to keep the people that you have included and, and be transparent about what infrastructure choices and changes you're making. So, uh, that's one of the things that get ups really helps with >>At transparency is key. One more question for you. Can you share a little bit before we wrap here about the project roadmap and some of the things that are coming down the pike? Yeah. >>So I mentioned a graduation. That's the immediate goal that we're working towards? Uh, most directly, uh, we have, um, grown our, uh, number of integrations pretty significantly. We have an operator how entry in red hat, open shift there's operator hub, where you can go and click to install flux. And that's great. Um, and, uh, we looked forward to, uh, making flux more compatible with more of the tools that you find in the CNCF umbrella. Um, that's, that's what our roadmap is for >>Increasing that compatibility. And one more time mentioned the event, October 20th, I believe he said, let folks know where they can go and find it on the web. Yeah. >>If you're interested in the get ups days.com, it's the get-ups one-stop shop and it's, uh, vendors like AWS and Microsoft and VMware detour IQ. And we've worked, we've all built a flux based solutions, um, for, uh, that are available for sale right now. So if you're, uh, trying to use get-ups and you have one of these vendors as your cloud vendor, um, it seems like a natural fit to try the solution that's out of the box. Uh, but if you need convincing, you get Upstate's dot com, you can go find out more about the event and, uh, we'll hope to see you there. >>I get upstairs.com kingdom. Thank you. You're joining Dave and me on the program, talking to us about flux. Congratulations on its evolution. We look forward to hearing more great things as the years unfold. >>Thank you so much for having me on our pleasure >>For Dave Nicholson. I'm Lisa Martin. You're watching the kid live from Los Angeles at CubeCon cloud native con 21 stick around Dave and I, and we'll be right back with our next guest.