(upbeat music) >> Hello, everyone, from Palo Alto, Lisa Martin here. This is The Cube's coverage of CloudNativeSecurityCon, the inaugural event. I'm here with John Furrier in studio. In Boston, Dave Vellante joins us, and our guest, Liz Rice, one of our alumni, is joining us from Seattle. Great to have everyone here. Liz is the Chief Open Source officer at Isovalent. She's also the Emeritus Chair Technical Oversight Committee at CNCF, and a co-chair of this new event. Everyone, welcome Liz. Great to have you back on theCUBE. Thanks so much for joining us today. >> Thanks so much for having me, pleasure. >> So CloudNativeSecurityCon. This is the inaugural event, Liz, this used to be part of KubeCon, it's now its own event in its first year. Talk to us about the importance of having it as its own event from a security perspective, what's going on? Give us your opinions there. >> Yeah, I think security was becoming so- at such an important part of the conversation at KubeCon, CloudNativeCon, and the TAG security, who were organizing the co-located Cloud Native Security Day which then turned into a two day event. They were doing this amazing job, and there was so much content and so much activity and so much interest that it made sense to say "Actually this could stand alone as a dedicated event and really dedicate, you know, all the time and resources of running a full conference, just thinking about cloud native security." And I think that's proven to be true. There's plenty of really interesting talks that we're going to see. Things like a capture the flag. There's all sorts of really good things going on this week. >> Liz, great to see you, and Dave, great to see you in Boston Lisa, great intro. Liz, you've been a CUBE alumni. You've been a great contributor to our program, and being part of our team, kind of extracting that signal from the CNCF cloud native world KubeCon. This event really kind of to me is a watershed moment, because it highlights not only security as a standalone discussion event, but it's also synergistic with KubeCon. And, as co-chair, take us through the thought process on the sessions, the experts, it's got a practitioner vibe there. So we heard from Priyanka early on, bottoms up, developer first. You know KubeCon's shift left was big momentum. This seems to be a breakout of very focused security. Can you share the rationale and the thoughts behind how this is emerging, and how you see this developing? I know it's kind of a small event, kind of testing the waters it seems, but this is really a directional shift. Can you share your thoughts? >> Yeah I'm just, there's just so many different angles that you can consider security. You know, we are seeing a lot of conversations about supply chain security, but there's also runtime security. I'm really excited about eBPF tooling. There's also this opportunity to talk about how do we educate people about security, and how do security practitioners get involved in cloud native, and how do cloud native folks learn about the security concepts that they need to keep their deployments secure. So there's lots of different groups of people who I think maybe at a KubeCon, KubeCon is so wide, it's such a diverse range of topics. If you really just want to focus in, drill down on what do I need to do to run Kubernetes and cloud native applications securely, let's have a really focused event, and just drill down into all the different aspects of that. And I think that's great. It brings the right people together, the practitioners, the experts, the vendors to, you know, everyone can be here, and we can find each other at a smaller event. We are not spread out amongst the thousands of people that would attend a KubeCon. >> It's interesting, Dave, you know, when we were talking, you know, we're going to bring you in real quick, because AWS, which I think is the bellweather for, you know, cloud computing, has now two main shows, AWS re:Invent and re:Inforce. Security, again, broken out there. you see the classic security events, RSA, Black Hat, you know, those are the, kind of, the industry kind of mainstream security, very wide. But you're starting to see the cloud native developer first with both security and cloud native, kind of, really growing so fast. This is a major trend for a lot of the ecosystem >> You know, and you hear, when you mention those other conferences, John you hear a lot about, you know, shift left. There's a little bit of lip service there, and you, we heard today way more than lip service. I mean deep practitioner level conversations, and of course the runtime as well. Liz, you spent a lot of time obviously in your keynote on eBPF, and I wonder if you could share with the audience, you know, why you're so excited about that. What makes it a more effective tool compared to other traditional methods? I mean, it sounds like it simplifies things. You talked about instrumenting nodes versus workloads. Can you explain that a little bit more detail? >> Yeah, so with eBPF programs, we can load programs dynamically into the kernel, and we can attach them to all kinds of different events that could be happening anywhere on that virtual machine. And if you have the right knowledge about where to hook into, you can observe network events, you can observe file access events, you can observe pretty much anything that's interesting from a security perspective. And because eBPF programs are living in the kernel, there's only one kernel shared amongst all of the applications that are running on that particular machine. So you don't- you no longer have to instrument each individual application, or each individual pod. There's no more need to inject sidecars. We can apply eBPF based tooling on a per node basis, which just makes things operationally more straightforward, but it's also extremely performant. We can hook these programs into events that typically very lightweight, small programs, kind of, emitting an event, making a decision about whether to drop a packet, making a decision about whether to allow file access, things of that nature. There's super fast, there's no need to transition between kernel space and user space, which is usually quite a costly operation from performance perspective. So eBPF makes it really, you know, it's taking the security tooling, and other forms of tooling, networking and observability. We can take these tools into the kernel, and it's really efficient there. >> So Liz- >> So, if I may, one, just one quick follow up. You gave kind of a space age example (laughs) in your keynote. When, do you think a year from now we'll be able to see, sort of, real world examples in in action? How far away are we? >> Well, some of that is already pretty widely deployed. I mean, in my keynote I was talking about Cilium. Cilium is adopted by hundreds of really big scale deployments. You know, the users file is full of household names who've been using cilium. And as part of that they will be using network policies. And I showed some visualizations this morning of network policy, but again, network policy has been around, pretty much since the early days of Kubernetes. It can be quite fiddly to get it right, but there are plenty of people who are using it at scale today. And then we were also looking at some runtime security detections, seeing things like, in my example, exfiltrating the plans to the Death Star, you know, looking for suspicious executables. And again, that's a little bit, it's a bit newer, but we do have people running that in production today, proving that it really does work, and that eBPF is a scalable technology. It's, I've been fascinated by eBPF for years, and it's really amazing to see it being used in the real world now. >> So Liz, you're a maintainer on the Cilium project. Talk about the use of eBPF in the Cilium project. How is it contributing to cloud native security, and really helping to change the dials on that from an efficiency, from a performance perspective, as well as a, what's in it for me as a business perspective? >> So Cilium is probably best known as a networking plugin for Kubernetes. It, when you are running Kubernetes, you have to make a decision about some networking plugin that you're going to use. And Cilium is, it's an incubating project in the CNCF. It's the most mature of the different CNIs that's in the CNCF at the moment. As I say, very widely deployed. And right from day one, it was based on eBPF. And in fact some of the people who contribute to the eBPF platform within the kernel, are also working on the Cilium project. They've been kind of developed hand in hand for the last six, seven years. So really being able to bring some of that networking capability, it required changes in the kernel that have been put in place several years ago, so that now we can build these amazing tools for Kubernetes operators. So we are using eBPF to make the networking stack for Kubernetes and cloud native really efficient. We can bypass some of the parts of the network stack that aren't necessarily required in a cloud native deployment. We can use it to make these incredibly fast decisions about network policy. And we also have a sub-project called Tetragon, which is a newer part of the Cilium family which uses eBPF to observe these runtime events. The things like people opening a file, or changing the permissions on a file, or making a socket connection. All of these things that as a security engineer you are interested in. Who is running executables who is making network connections, who's accessing files, all of these operations are things that we can observe with Cilium Tetragon. >> I mean it's exciting. We've chatted in the past about that eBPF extended Berkeley Packet Filter, which is about the Linux kernel. And I bring that up Liz, because I think this is the trend I'm trying to understand with this event. It's, I hear bottoms up developer, developer first. It feels like it's an under the hood, infrastructure, security geek fest for practitioners, because Brian, in his keynote, mentioned BIND in reference the late Dan Kaminsky, who was, obviously found that error in BIND at the, in DNS. He mentioned DNS. There's a lot of things that's evolving at the silicone, kernel, kind of root levels of our infrastructure. This seems to be a major shift in focus and rightfully so. Is that something that you guys talk about, or is that coincidence, or am I just overthinking this point in terms of how nerdy it's getting in terms of the importance of, you know, getting down to the low level aspects of protecting everything. And as we heard also the quote was no software secure. (Liz chuckles) So that's up and down the stack of the, kind of the old model. What's your thoughts and reaction to that? >> Yeah, I mean I think a lot of folks who get into security really are interested in these kind of details. You know, you see write-ups of exploits and they, you know, they're quite often really involved, and really require understanding these very deep detailed technical levels. So a lot of us can really geek out about the details of that. The flip side of that is that as an application developer, you know, as- if you are working for a bank, working for a media company, you're writing applications, you shouldn't have to be worried about what's happening at the kernel level. This might be kind of geeky interesting stuff, but really, operationally, it should be taken care of for you. You've got your work cut out building business value in applications. So I think there's this interesting, kind of dual track going on almost, if you like, of the people who really want to get involved in those nitty gritty details, and understand how the underlying, you know, kernel level exploits maybe working. But then how do we make that really easy for people who are running clusters to, I mean like you said, nothing is ever secure, but trying to make things as secure as they can be easily, and make things visual, make things accessible, make things, make it easy to check whether or not you are compliant with whatever regulations you need to be compliant with. That kind of focus on making things usable for the platform team, for the application developers who deliver apps on the platform, that's the important (indistinct)- >> I noticed that the word expert was mentioned, I mentioned earlier with Priyanka. Was there a rationale on the 72 sessions, was there thinking around it or was it kind of like, these are urgent areas, they're obvious low hanging fruit. Was there, take us through the selection process of, or was it just, let's get 72 sessions going to get this (Liz laughs) thing moving? >> No, we did think quite carefully about how we wanted to, what the different focus areas we wanted to include. So we wanted to make sure that we were including things like governance and compliance, and that we talk about not just supply chain, which is clearly a very hot topic at the moment, but also to talk about, you know, threat detection, runtime security. And also really importantly, we wanted to have space to talk about education, to talk about how people can get involved. Because maybe when we talk about all these details, and we get really technical, maybe that's, you know, a bit scary for people who are new into the cloud native security space. We want to make sure that there are tracks and content that are accessible for newcomers to get involved. 'Cause, you know, given time they'll be just as excited about diving into those kind of kernel level details. But everybody needs a place to start, and we wanted to make sure there were conversations about how to get started in security, how to educate other members of your team in your organization about security. So hopefully there's something for everyone. >> That education piece- >> Liz, what's the- >> Oh sorry, Dave. >> What the buzz on on AI? We heard Dan talk about, you know, chatGPT, using it to automate spear phishing. There's always been this tension between security and speed to market, but CISOs are saying, "Hey we're going to a zero trust architecture and that's helping us move faster." Will, in your, is the talk on the floor, AI is going to slow us down a little bit until we figure it out? Or is it actually going to be used as an offensive defensive tool if I can use that angle? >> Yeah, I think all of the above. I actually had an interesting chat this morning. I was talking with Andy Martin from Control Plane, and we were talking about the risk of AI generated code that attempts to replicate what open source libraries already do. So rather than using an existing open source package, an organization might think, "Well, I'll just have my own version, and I'll have an AI write it for me." And I don't, you know, I'm not a lawyer so I dunno what the intellectual property implications of this will be, but imagine companies are just going, "Well you know, write me an SSL library." And that seems terrifying from a security perspective, 'cause there could be all sorts of very slightly different AI generated libraries that pick up the same vulnerabilities that exist in open source code. So, I think we're going to go through a pretty interesting period of vulnerabilities being found in AI generated code that look familiar, and we'll be thinking "Haven't we seen these vulnerabilities before? Yeah, we did, but they were previously in handcrafted code and now we'll see the same things being generated by AI." I mean, in the same way that if you look at an AI generated picture and it's got I don't know, extra fingers, or, you know, extra ears or something that, (Dave laughs) AI does make mistakes. >> So Liz, you talked about the education, the enablement, the 72 sessions, the importance of CloudNativeSecurityCon being its own event this year. What are your hopes and dreams for the practitioners to be able to learn from this event? How do you see the event as really supporting the growth, the development of the cloud native security community as a whole? >> Yeah, I think it's really important that we think of it as a Cloud Native Security community. You know, there are lots of interesting sort of hacker community security related community. Cloud native has been very community focused for a long time, and we really saw, particularly through the tag, the security tag, that there was this growing group of people who were, really wanted to work at that intersection between security and cloud native. And yeah, I think things are going really well this week so far, So I hope this is, you know, the first of many additions of this conference. I think it will also be interesting to see how the balance between a smaller, more focused event, compared to the giant KubeCon and cloud native cons. I, you know, I think there's space for both things, but whether or not there will be other smaller focus areas that want to stand alone and justify being able to stand alone as their own separate conferences, it speaks to the growth of cloud native in general that this is worthwhile doing. >> Yeah. >> It is, and what also speaks to, it reminds me of our tagline here at theCUBE, being able to extract the signal from the noise. Having this event as a standalone, being able to extract the value in it from a security perspective, that those practitioners and the community at large is going to be able to glean from these conversations is something that will be important, that we'll be keeping our eyes on. >> Absolutely. Makes sense for me, yes. >> Yeah, and I think, you know, one of the things, Lisa, that I want to get in, and if you don't mind asking Dave his thoughts, because he just did a breaking analysis on the security landscape. And Dave, you know, as Liz talking about some of these root level things, we talk about silicon advances, powering machine learning, we've been covering a lot of that. You've been covering the general security industry. We got RSA coming up reinforced with AWS, and as you see the cloud native developer first, really driving the standards of the super cloud, the multicloud, you're starting to see a lot more application focus around latency and kind of controlling that, These abstraction layer's starting to see a lot more growth. What's your take, Dave, on what Liz and- is talking about because, you know, you're analyzing the horses on the track, and there's sometimes the old guard security folks, and you got open source continuing to kick butt. And even on the ML side, we've been covering some of these foundation models, you're seeing a real technical growth in open source at all levels and, you know, you still got some proprietary machine learning stuff going on, but security's integrating all that. What's your take and your- what's your breaking analysis on the security piece here? >> I mean, to me the two biggest problems in cyber are just the lack of talent. I mean, it's just really hard to find super, you know, deep expertise and get it quickly. And I think the second is it's just, it's so many tools to deal with. And so the architecture of security is just this mosaic and a mess. That's why I'm excited about initiatives like eBPF because it does simplify things, and developers are being asked to do a lot. And I think one of the other things that's emerging is when you- when we talk about Industry 4.0, and IIoT, you- I'm seeing a lot of tools that are dedicated just to that, you know, slice of the world. And I don't think that's the right approach. I think that there needs to be a more comprehensive view. We're seeing, you know, zero trust architectures come together, and it's going to take some time, but I think that you're going to definitely see, you know, some rethinking of how to architect security. It's a game of whack-a-mole, but I think the industry is just- the technology industry is doing a really really good job of, you know, working hard to solve these problems. And I think the answer is not just another bespoke tool, it's a broader thinking around architectures and consolidating some of those tools, you know, with an end game of really addressing the problem in a more comprehensive fashion. >> Liz, in the last minute or so we have your thoughts on how automation and scale are driving some of these forcing functions around, you know, taking away the toil and the muck around developers, who just want stuff to be code, right? So infrastructure as code. Is that the dynamic here? Is this kind of like new, or is it kind of the same game, different kind of thing? (chuckles) 'Cause you're seeing a lot more machine learning, a lot more automation going on. What's, is that having an impact? What's your thoughts? >> Automation is one of the kind of fundamental underpinnings of cloud native. You know, we're expecting infrastructure to be written as code, We're expecting the platform to be defined in yaml essentially. You know, we are expecting the Kubernetes and surrounding tools to self-heal and to automatically scale and to do things like automated security. If we think about supply chain, you know, automated dependency scanning, think about runtime. Network policy is automated firewalling, if you like, for a cloud native era. So, I think it's all about making that platform predictable. Automation gives us some level of predictability, even if the underlying hardware changes or the scale changes, so that the application developers have something consistent and standardized that they can write to. And you know, at the end of the day, it's all about the business applications that run on top of this infrastructure >> Business applications and the business outcomes. Liz, we so appreciate your time talking to us about this inaugural event, CloudNativeSecurityCon 23. The value in it for those practitioners, all of the content that's going to be discussed and learned, and the growth of the community. Thank you so much, Liz, for sharing your insights with us today. >> Thanks for having me. >> For Liz Rice, John Furrier and Dave Vellante, I'm Lisa Martin. You're watching the Cube's coverage of CloudNativeSecurityCon 23. (electronic music)

(upbeat music) >> Hello, welcome everyone to "theCUBE" presentation of the AWS Startup Showcase, this is Season Two, Episode Four of the ongoing series covering exciting startups from the AWS ecosystem. Here to talk about Cyber Security. I'm your host John Furrier here joined by two great "CUBE" alumnus, Liz Rice who's the chief open source officer at Isovalent, and Mark Nunnikhoven who's the distinguished cloud strategist at Lacework. Folks, thanks for joining me today. >> Hi. Pleasure. >> You're in the U.K. Mark, welcome back to the U.S, I know you were overseas as well. Thanks for joining in this panel to talk about set the table for the Cybersecurity Showcase. You guys are experts out in the field. Liz we've had many conversations with the rise of open source, and all the innovations coming from out in the open source community. Mark, we've been going and covering the events, looking at all the announcements we're kind of on this next generation security conversation. It's kind of a do over in progress, happening every time we talk security in the cloud, is what people are are talking about. Amazon Web Services had reinforced, which was more of a positive vibe of, Hey, we're all on it together. Let's participate, share information. And they talk about incidents, not breaches. And then, you got Black Hat just happened, and they're like, everyone's getting hacked. It's really interesting as we report that. So, this is a new market that we're in. People are starting to think differently, but still have to solve the same problems. How do you guys see the security in the cloud era unfolding? >> Well, I guess it's always going to be an arms race. Isn't it? Everything that we do to defend cloud workloads, it becomes a new target for the bad guys, so this is never going to end. We're never going to reach a point where everything is completely safe. But I think there's been a lot of really interesting innovations in the last year or two. There's been a ton of work looking into the security of the supply chain. There's been a ton of new tooling that takes advantage of technology that I'm really involved with and very excited about called eBPF. There's been a continuation of this new generation of tooling that can help us observe when security issues are happening, and also prevent malicious activities. >> And it's on to of open source activity. Mark, scale is a big factor now, it's becoming a competitive advantage on one hand. APIs have made the cloud great. Now, you've got APIs being hacked. So, all the goodness of cloud has been great, but now we've got next level scale, it's hard to keep up with everything. And so, you start to see new ways of doing things. What's your take? >> Yeah, it is. And everything that's old is new again. And so, as you start to see data and business workloads move into new areas, you're going to see a cyber crime and security activity move with them. And I love, Liz calling out eBPF and open source efforts because what we've really seen to contrast that sort of positive and negative attitude, is that as more people come to the security table, as more developers, as more executives are aware, and the accessibility of these great open source tools, we're seeing that shift in approach of like, Hey, we know we need to find a balance, so let's figure out where we can have a nice security outcome and still meet our business needs, as opposed to the more, let's say to be polite, traditional security view that you see at some other events where it's like, it's this way or no way. And so, I love to see that positivity and that collaboration happening. >> You know, Liz, this brings up a good point. We were talking at our Super Cloud Event we had here when we were discussing the future of how cloud's emerging. One of the conversations that Adrian Cockcroft brought up, who's now retired from AWS, former with Netflix. Adrian being open source fan as well. He was pointing out that every CIO or CISO will buy an abstraction layer. They love the dream. And vendors sell the dream, so to speak. But the reality it's not a lot of uptake because it's complex, And there's a lot of non-standard things per vendor. Now, we're in an era where people are looking for some standardization, some clean, safe ways to deploy. So, what's the message to CSOs, and CIOs, and CXOs out there around eBPF, things like that, that are emerging? Because it's almost top down, was the old way, now as bottoms up with open source, you're seeing the shift. I mean, it's complete flipping the script of how companies are buying? >> Yeah. I mean, we've seen with the whole cloud native movement, how people are rather than having like ETF standards, we have more of a defacto collaborative, kind of standardization process going on. So, that things like Kubernetes become the defacto standard that we're all using. And then, that's helping enterprises be able to run their workloads in different clouds, potentially in their own data centers as well. We see things like EKS anywhere, which is allowing people to run their workloads in their data center in exactly the same way as they're running it in AWS. That sort of leveling of the playing field, if you like, can help enterprises apply the same tooling, and that's going to always help with security if you can have a consistent approach wherever you are running your workload. >> Well, Liz's take a minute to explain eBPF. The Berkeley packet filtering technology, people know from Trace Dumps and whatnot. It's kind of been around for a while, but what is it specifically? Can you take a minute to explain eBPF, and what does that mean for the customer? >> Yeah. So, you mentioned the packet filtering acronym. And honestly, these days, I tell people to just forget that, because it means so much more for. What eBPF allows you to do now, is to run custom programs inside the kernel. So, we can use that to change the way that the kernel behaves. And because the kernel has visibility over every process that's running across a machine, a virtual machine or a bare metal machine, having security tooling and observability tooling that's written using eBPF and sitting inside the kernel. It has this great perspective and ability to observe and secure what's happening across that entire machine. This is like a step change in the capabilities really of security tooling. And it means we don't have to rely on things like kernel modules, which traditionally people have been quite worried about with good reason. eBPF is- >> From a vulnerability standpoint, you mean, right? From a reliability. >> From a vulnerability standpoint, but even just from the point of view that kernel modules, if they have bugs in them, a bug in the kernel will bring the machine to a halt. And one of the things that's different with eBPF, is eBPF programs go through a verification process that ensures that they're safe to run that, but happens dynamically and ensures that the program cannot crash, will definitely run to completion. All the memory access is safe. It gives us this very sort of reassuring platform to use for building these kernel-based tools. >> And what's the bottom line for the customer and the benefit to the organization? >> I think the bottom line is this new generation of really powerful tools that are very high performance. That have this perspective across the whole set of workloads on a machine. That don't need to rely on things like a CCAR model, which can add to a lot of complexity that was perfectly rational choice for a lot of security tools and observability tools. But if you can use an abstraction that lives in the kernel, things are much more efficient and much easier to deploy. So, I think that's really what that enterprise is gaining, simpler to deploy, easier to manage, lower overhead set of tools. >> That's the dream they want. That's what they want. Mark, this is whether the trade offs that comes up. We were talking about the supercloud, and all kinds. Even at AWS, you're going to have supercloud, but you got super hackers as well. As innovation happens on one side, the hackers are innovating on the other. And you start to see a lot of advances in the lower level, AWS with their Silicon and strategies are continuing to happen and be stronger, faster, cheaper, better down the lower levels at the network lay. All these things are innovating, but this is where the hackers are going too, right? So, it's a double edge sword? >> Yeah, and it always will be. And that's the challenge of technology, is sort of the advancement for one, is an advancement for all. But I think, while Liz hit the technical aspects of the eBPF spot on, what I'm seeing with enterprises, and in general with the market movement, is all of those technical advantages are increasing the confidence in some of this security tooling. So, the long sort of anecdote or warning in security has always been things like intrusion prevention systems where they will look at network traffic and drop things they think bad. Well, for decades, people have always deployed them in detect-only mode. And that's always a horrible conversation to have with the board saying, "Well, I had this tool in place that could have stopped the attack, but I wasn't really confident that it was stable enough to turn on. So, it just warned me that it had happened after the fact." And with the stability and the performance that we're seeing out of things based on technologies like eBPF, we're seeing that confidence increase. So, people are not only deploying this new level of tooling, but they're confident that it's actually providing the security it promised. And that's giving, not necessarily a leg up, but at least that level of parody with that push forward that we're seeing, similar on the attack side. Because attackers are always advancing as well. And I think that confidence and that reliability on the tooling, can't be underestimated because that's really what's pushing things forward for security outcomes. >> Well, one of the things I want get your both perspective on real quick. And you kind of segue into this next set of conversations, is with DevOps success, Dev and Ops, it's kind of done, right? We're all happy. We're seeing DevOps being so now DevSecOps. So, CSOs were like kind of old school. Buy a bunch of tools, we have a vendor. And with cloud native, Liz, you mentioned this earlier, accelerating the developers are even driving the standards more and more. So, shifting left is a security paradigm. So, tooling, Mark, you're on top of this too, it's tooling versus how do I organize my team? What are the processes? How do I keep the CICD pipeline going, higher velocity? How can I keep my app developers programming faster? And as Adrian Cockcroft said, they don't really care about locking, they want to go faster. It's the ops teams that have to deal with everything. So, and now security teams have to deal with the speed and velocity. So, you're seeing a new kind of step function, ratchet game where ops and security teams who are living DevOps, are still having to serve the devs, and the devs need more help here. So, how do you guys see that dynamic in security? Because this is clearly the shift left's, cloud native trend impacting the companies. 'Cause now it's not just shifting left for developers, it has a ripple effect into the organization and the security posture. >> We see a lot of organizations who now have what they would call a platform team. Which is something similar to maybe what would've been an ops team and a security team, where really their role is to provide that platform that developers can use. So, they can concentrate on the business function that they don't have to really think about the underlying infrastructure. Ideally, they're using whatever common definition for their applications. And then, they just roll it out to a cloud somewhere, and they don't have to think about where that's operating. And then, that platform team may have remit that covers, not just the compute, but also the networking, the common set of tooling that allows people to debug their applications, as well as securing them. >> Mark, this is a big discussion because one, I love the team, process collaboration. But where's the team? We've got a skills gap going on too, right? So, in all this, there's a lot of action happening. What's your take on this dynamic of tooling versus process collaboration for security success? >> Yeah, it's tough. And I think what we're starting to see, and you called it out spot on, is that the developers are all about dynamic change and rapid change, and operations, and security tend to like stability, and considered change in advance. And the business needs that needle to be threaded. And what we're seeing is sort of, with these new technologies, and with the ideas of finally moving past multicloud, into, as you guys call supercloud, which I absolutely love is a term. Let's get the advantage of all these things. What we're seeing, is people have a higher demand for the outputs from their tooling, and to find that balance of the process. I think it's acknowledged now that you're not going to have complete security. We've gotten past that, it's not a yes or no binary thing. It's, let's find that balance in risk. So, if we are deploying tooling, whether that's open source, or commercial, or something we built ourselves, what is the output? And who is best to take action on that output? And sometimes that's going to be the developers, because maybe they can just fix their architecture so that it doesn't have a particular issue. Sometimes that's going to be those platform teams saying like, "Hey, this is what we're going to apply for everybody, so that's a baseline standard." But the good news, is that those discussions are happening. And I think people are realizing that it's not a one size-fits-all. 10 years ago was sort of like, "Hey, we've got a blueprint and everyone does this." That doesn't work. And I think that being out in the open, really helps deliver these better outcomes. And because it isn't simple, it's always going to be an ongoing discussion. 'Cause what we decide today, isn't going to be the same thing in a week from now when we're sprint ahead, and we've made a whole bunch of changes on the platform and in our code. >> I think the cultural change is real. And I think this is hard for security because you got so much current action happening that's really important to the business. That's hard to just kind of do a reset without having any collateral damage. So, you kind of got to mitigate and manage all the current situation, and then try to build a blueprint for the future and transform into a kind of the next level. And it kind of reminds me of, I'm dating myself. But back in the days, you had open source was new. And the common enemy was proprietary, non-innovative old guard, kind of mainframe mini computer kind of proprietary analysis, proprietary everything. Here, there is no enemy. The clouds are doing great, right? They're leaning in open source is at all time high and not stopping, it's it's now standard. So, open is not a rebel. It's not the rebel anymore, it's the standard. So, you have the innovation happening in open source, Liz, and now you have large scale cloud. And this is a cultural shift, right? How people are buying, evaluating product, and implementing solutions. And I when I say new, I mean like new within the decades or a couple decades. And it's not like open source is not been around. But like we're seeing new things emerge that are pretty super cool in the sense that you have projects defining standards, new things are emerging. So, the CIO decision making process on how to structure teams and how to tackle security is changing. Why IT department? I mean, just have a security department and a Dev team. >> I think the fact that we are using so much more open source software is a big part of this cultural shift where there are still a huge ecosystem of vendors involved in security tools and observability tools. And Mark and I both represent vendors in those spaces. But the rise of open source tools, means that you can start with something pretty powerful that you can grow with. As you are experimenting with the security tooling that works for you, you don't have to pay a giant sum to get a sort of black box. You can actually understand the open source elements of the tooling that you are going to use. And then build on that and get the enterprise features when you need those. And I think that cultural change makes it much easier for people to work security in from the get go, and really, do that shift left that we've been talking about for the last few years. >> And I think one of the things to your point, and not only can you figure out what's in the open source code, and then build on top of it, you can also leave it too. You can go to something better, faster. So, the switching costs are a lot lower than a lock in from a vendor, where you do all the big POCs and the pilots. And, Mark, this is changing the game. I mean, I would just be bold enough to say, IT is going to be irrelevant in the sense of, if you got DevOps and it works, and you got security teams, do you really need IT 'cause the DevOps is the IT? So, if everyone goes to the cloud operations, what does IT even mean? >> Yeah, and it's a very valid point. And I think what we're seeing, is where IT is still being successful, especially in large companies, is sort of the economy of scale. If you have enough of the small teams doing the same thing, it makes sense to maybe take one tool and scale it up because you've got 20 teams that are using it. So, instead of having 20 teams run it, you get one team to run it. On the economic side, you can negotiate one contract if it's a purchase tool. There is still a place for it, but I think what we're seeing and in a very positive way, is that smaller works better when it comes to this. Because really what the cloud has done and what open source continues to do, is reduce the barrier to entry. So, a team of 10 people can build something that it took a 1000 people, a decade ago. And that's wonderful. And that opens up all these new possibilities. We can work faster. But we do need to rethink it at reinforce from AWS. They had a great track about how they're approaching it from people side of things with their security champion's idea. And it's exactly about this, is embedding high end security talent in the teams who are building it. So, that changes the central role, and the central people get called in for big things like an incident response, right? Or a massive auditor reviews. But the day-to-day work is being done in context. And I think that's the real key, is they've got the context to make smarter security decisions, just like the developers and the operational work is better done by the people who are actually working on the thing, as opposed to somebody else. Because that centralized thing, it's just communication overhead most of the time. >> Yeah. I love chatting with you guys because here's are so much experts on the field. To put my positive hat on around IT, remember the old argument of, "Oh, automation's, technology's going to kill the bank teller." There's actually more tellers now than ever before. So, the ATM machine didn't kill that. So, I think IT will probably reform from a human resource perspective. And I think this is kind of where the CSO conversation comes full circle, Liz and Mark, because, okay, let's assume that this continues the trajectory to open source, DevOps, cloud scale, hybrid. It's a refactoring of personnel. So, you're going to have DevOps driving everything. So, now the IT team becomes a team. So, most CSOs we talk to are CXOs, is how do I deploy my teams? How do I structure things, my investment in people, and machines and software in a way that I get my return? At the end of the day, that's what they live for, and do it securely. So, this is the CISO's kind of thought process. How do you guys react to that? What's the message to CISOs? 'Cause they have a lot of companies to look at here. And in the marketplace, they got to spend some money, they got to get a return, they got to reconfigure. What's your advice? Liz, what's your take? Then we'll go to Mark. >> That's a really great question. I think cloud skills, cloud engineering skills, cloud security skills have never been more highly valued. And I think investing in training people to understand cloud that there are tons of really great resources out there to help ramp people up on these skills. The CNCF, AWS, there's tons of organizations who have really great courses and exams, and things that people can do to really level up their skills, which is fantastic right from a grassroots level, through to the most widely deployed global enterprise. I think we're seeing a lot of people are very excited, develop these skills. >> Mark, what's your take for the CSO, the CXO out there? They're scratching their head, they're going, "Okay, I need to invest. DevOps is happening. I see the open source, I'm now got to change over. Yeah, I lift and shift some stuff, now I got to refactor my business or I'm dead." What's your advice? >> I think the key is longer term thinking. So, I think where people fell down previously, was, okay, I've got money, I can buy tools, roll 'em out. Every tool you roll out, has not just an economic cost, but a people cost. As Liz said, those people with those skills are in high demand. And so, you want to make sure that you're getting the most value out of your people, but your tooling. So, as you're investing in your people, you will need to roll out tools. But they're not the answer. The answer is the people to get the value out of the tools. So, hold your tools to a higher standard, whether that's commercial, open source, or something from the CSP, to make sure that you're getting actionable insights and value out of them that your people can actually use to move forward. And it's that balance between the two. But I love the fact that we're finally rotating back to focus more on the people. Because really, at the end of the day, that's what's going to make it all work. >> Yeah. The hybrid work, people processes. The key, the supercloud brings up the conversation of where we're starting to see maturation into OPEX models where CapEx is a gift from the clouds. But it's not the end of bilk. Companies are still responsible for their own security. At the end of the day, you can't lean on AWS or Azure. They have infrastructure and software, but at the end of the day, every company has to maintain their own. Certainly, with hybrid and edge coming, it's here. So, this whole concept of IT, CXO, CIO, CSO, CSO, I mean, this is hotter than ever in terms of like real change. What's your reaction to that? >> I was just reading this morning that the cost of ensuring against data breaches is getting dramatically more expensive. So, organizations are going to have to take steps to implement security. You can't just sort of throw money at the problem, you're going to actually have to throw people and technology at the problem, and take security really seriously. There is this whole ecosystem of companies and folks who are really excited about security and here to help. There's a lot of people interested in having that conversation to help those CSOs secure their deployments. >> Mark, your reaction? >> Yeah. I think, anything that causes us to question what we're doing is always a positive thing. And I think everything you brought up really comes down to remembering that no matter what, and no matter where, your data is always your data. And so, you have some level of responsibility, and that just changes depending on what system you're using. And I think that's really shifting, especially in the CSO or the CSO mindset, to go back to the basics where it used to be information security and not just cyber security. So, whether that information and that data is sitting on my desk physically, in a system in our data center, or in the cloud somewhere. Looking holistically, and that's why we could keep coming back to people. That's what it's all about. And when you step back there, you start to realize there's a lot more trade offs. There's a lot more levers that you can work on, to deliver the outcome you want, to find that balance that works for you. 'Cause at the end of the day, security is just all about making sure that whatever you built and the systems you're working with, do what you want them to do, and only what you want them to do. >> Well, Liz and Mark, thank you so much for your expert perspective. You're in the trenches, and really appreciate your time and contributing with "theCUBE," and being part of our Showcase. For the last couple of minutes, let's dig into some of the things you're working on. I know network policies around Kubernetes, Liz, EKS anywhere has been fabulous with Lambda and Serverless, you seeing some cool things go on there. Mark, you're at Lacework, very successful company. And looking at a large scale observability, signaling and management, all kinds of cool things around native cloud services and microservices. Liz, give us an update. What's going on over there at Isovalent? >> Yeah. So, Isovalent is the company behind Cilium Networking Project. Its best known as a Kubernetes networking plugin. But we've seen huge amount of adoption of cilium, it's really skyrocketed since we became an incubating project in the CNCF. And now, we are extending to using eBPF to not just do networking, but incredibly in depth observability and security observability have a new sub project called Tetragon, that gives you this amazing ability to see out of policy behavior. And again, because it's using eBPF, we've got the perspective of everything that's happening across the whole machine. So, I'm really excited about the innovations that are happening here. >> Well, they're lucky to have you. You've been a great contributor to the community. We've been following your career for very, very long time. And thanks for everything that you do, really appreciate it. Thanks. >> Thank you. >> Mark, Lacework, we we've following you guys. What are you up to these days? You know, we see you're on Twitter, you're very prolific. You're also live tweeting all the events, and with us as well. What's going on over there at Lacework? And what's going on in your world? >> Yeah. Lacework, we're still focusing on the customer, helping deliver good outcomes across cloud when it comes to security. Really looking at their environments and helping them understand, from their data that they're generating off their systems, and from the cloud usage as to what's actually happening. And that pairs directly into the work that I'm doing, the community looking at just security as a practice. So, a lot of that pulling people out of the technology, and looking at the process and saying, "Hey, we have this tech for a reason." So, that people understand what they need in place from a skill set, to take advantage of the great work that folks like Liz and the community are doing. 'Cause we've got these great tools, they're outputting all this great insights. You need to be able to take actions on top of that. So, it's always exciting. More people come into security with a security mindset, love it. >> Well, thanks so much for this great conversation. Every board should watch this video, every CSO, CIO, CSO. Great conversation, thanks for unpacking and making something very difficult, clear to understand. Thanks for your time. >> Pleasure. >> Thank you. >> Okay, this is the AWS Startup Showcase, Season Two, Episode Four of the ongoing series covering the exciting startups from the AWS ecosystem. We're talking about cybersecurity, this segment. Every quarter episode, we do a segment around a category and we go deep, we feature some companies, and talk to the best people in the industry to help you understand that. I'm John Furrier your host. Thanks for watching. (upbeat music)

>> Welcome back to Supercloud22, #Supercloud22. This is Dave Vellante. In 2019 Oracle and Microsoft announced a collaboration to bring interoperability between OCI, Oracle Cloud Infrastructure and Azure Clouds. It was Oracle's initial foray into so-called multi-cloud and we're joined by Karan Batta, who's the Vice President for Product Management at OCI. And Kris Rice is the Vice President of Software Development at Oracle Database. And we're going to talk about how this technology's evolving and whether it fits our view of what we call supercloud. Welcome gentlemen, thank you. >> Thanks for having us. >> So you recently just last month announced the new service. It extends on the initial partnership with Microsoft Oracle interconnect with Azure, and you refer to this as a secure private link between the two clouds, it cross 11 regions around the world, under two milliseconds data transmission sounds pretty cool. It enables customers to run Microsoft applications against data stored in Oracle databases without any loss in efficiency or presumably performance. So we use this term supercloud to describe a service or sets of services built on hyper scale infrastructure that leverages the core primitives and APIs of an individual cloud platform, but abstracts that underlying complexity to create a continuous experience across more than one cloud. Is that what you've done? >> Absolutely. I think it starts at the top layer in terms of just making things very simple for the customer, right. I think at the end of the day we want to enable true workloads running across two different clouds where you're potentially running maybe the app layer in one and the database layer or the back in another. And the integration I think starts with, you know, making it ease of use. Right. So you can start with things like, okay can you log into your second or your third cloud with the first cloud provider's credentials? Can you make calls against another cloud using another cloud's APIs? Can you peer the networks together? Can you make it seamless? I think those are all the components that are sort of, they're kind of the ingredients to making a multi-cloud or supercloud experience successful. >> Oh, thank you for that, Karan. So I guess there's a question for Chris is I'm trying to understand what you're really solving for? What specific customer problems are you focused on? What's the service optimized for presumably it's database but maybe you could double click on that. >> Sure. So, I mean, of course it's database. So it's a super fast network so that we can split the workload across two different clouds leveraging the best from both, but above the networking, what we had to do do is we had to think about what a true multi-cloud or what you're calling supercloud experience would be it's more than just making the network bites flow. So what we did is we took a look as Karan hinted at right, is where is my identity? Where is my observability? How do I connect these things across how it feels native to that other cloud? >> So what kind of engineering do you have to do to make that work? It's not just plugging stuff together. Maybe you could explain a little bit more detail, the the resources that you had to bring to bear and the technology behind the architecture. >> Sure. I think, it starts with actually, what our goal was, right? Our goal was to actually provide customers with a fully managed experience. What that means is we had to basically create a brand new service. So, we have obviously an Azure like portal and an experience that allows customers to do this but under the covers, we actually have a fully managed service that manages the networking layer, the physical infrastructure, and it actually calls APIs on both sides of the fence. It actually manages your Azure resources, creates them but it also interacts with OCI at the same time. And under the covers this service actually takes Azure primitives as inputs. And then it sort of like essentially translates them to OCI action. So, we actually truly integrated this as a service that's essentially built as a PaaS layer on top of these two clouds. >> So, the customer doesn't really care or know maybe they know cuz they might be coming through, an Azure experience, but you can run work on either Azure and or OCI. And it's a common experience across those clouds. Is that correct? >> That's correct. So like you said, the customer does know that they know there is a relationship with both clouds but thanks to all the things we built there's this thing we invented we created called a multi-cloud control plane. This control plane does operate against both clouds at the same time to make it as seamless as possible so that maybe they don't notice, you know, the power of the interconnect is extremely fast networking, as fast as what we could see inside a single cloud. If you think about how big a data center might be from edge to edge in that cloud, going across the interconnect makes it so that that workload is not important that it's spanning two clouds anymore. >> So you say extremely fast networking. I remember I used to, I wrote a piece a long time ago. Larry Ellison loves InfiniBand. I presume we've moved on from them, but maybe not. What is that interconnect? >> Yeah, so it's funny you mentioned interconnect you know, my previous history comes from Edge PC where we actually inside OCI today, we've moved from Infinite Band as is part of Exadata's core to what we call Rocky V two. So that's just another RDMA network. We actually use it very successfully, not just for Exadata but we use it for our standard computers that we provide to high performance computing customers. >> And the multi-cloud control plane runs. Where does that live? Does it live on OCI? Does it live on Azure? Yes? >> So it does it lives on our side. Our side of the house as part of our Oracle OCI control plane. And it is the veneer that makes these two clouds possible so that we can wire them together. So it knows how to take those Azure primitives and the OCI primitives and wire them at the appropriate levels together. >> Now I want to talk about this PaaS layer. Part of supercloud, we said to actually make it work you're going to have to have a super PaaS. I know we're taking this this term a little far but it's still it's instructive in that, what we surmised was you're probably not going to just use off the shelf, plain old vanilla PaaS, you're actually going to have a purpose built PaaS to solve for the specific problem. So as an example, if you're solving for ultra low latency, which I think you're doing, you're probably no offense to my friends at Red Hat but you're probably not going to develop this on OpenShift, but tell us about that PaaS layer or what we call the super PaaS layer. >> Go ahead, Chris. >> Well, so you're right. We weren't going to build it out on OpenShift. So we have Oracle OCI, you know, the standard is Terraform. So the back end of everything we do is based around Terraform. Today, what we've done is we built that control plane and it will be API drivable, it'll be drivable from the UI and it will let people operate and create primitives across both sides. So you can, you mentioned developers, developers love automation, right, because it makes our lives easy. We will be able to automate a multi-cloud workload from ground up config is code these days. So we can config an entire multi-cloud experience from one place. >> So, double click Chris on that developer experience. What is that like? They're using the same tool set irrespective of, which cloud we're running on is, and it's specific to this service or is it more generic, across other Oracle services? >> There's two parts to that. So one is the, we've only onboarded a portion. So the database portfolio and other services will be coming into this multi-cloud. For the majority of Oracle cloud, the automation, the config layer is based on Terraform. So using Terraform, anyone can configure everything from a mid-tier to an Exadata, all the way soup to nuts from smallest thing possible to the largest. What we've not done yet is integrated truly with the Azure API, from command line drivable. That is coming in the future. It is on the roadmap, it is coming. Then they could get into one tool but right now they would have half their automation for the multi-cloud config on the Azure tool set and half on the OCI tool set. >> But we're not crazy saying from a roadmap standpoint that will provide some benefit to developers and is a reasonable direction for the industry generally but Oracle and Microsoft specifically. >> Absolutely. I'm a developer at heart. And so one of the things we want to make sure is that developers' lives are as easy as possible. >> And is there a metadata management layer or intelligence that you've built in to optimize for performance or low latency or cost across the respective clouds? >> Yeah, definitely. I think, latency's going to be an important factor. The service that we've initially built isn't going to serve, the sort of the tens of microseconds but most applications that are sort of in, running on top of the enterprise applications that are running on top of the database are in the several millisecond range. And we've actually done a lot of work on the networking pairing side to make sure that when we launch these resources across the two clouds we actually picked the right trial site. We picked the right region we pick the right availability zone or domain. So we actually do the due diligence under the cover so the customer doesn't have to do the trial and error and try to find the right latency range. And this is actually one of the big reasons why we only launch the service on the interconnect regions. Even though we have close to, I think close to 40 regions at this point in OCI, this service is only built for the regions that we have an interconnect relationship with Microsoft. >> Okay, so you started with Microsoft in 2019. You're going deeper now in that relationship, is there any reason that you couldn't, I mean technically what would you have to do to go to other clouds? You talked about understanding the primitives and leveraging the primitives of Azure. Presumably if you wanted to do this with AWS or Google or Alibaba, you would have to do similar engineering work, is that correct? Or does what you've developed just kind of poured over to any cloud? >> Yeah, that's absolutely correct Dave. I think Chris talked a lot about the multi-cloud control plane, right? That's essentially the control plane that goes and does stuff on other clouds. We would have to essentially go and build that level of integration into the other clouds. And I think, as we get more popularity and as more products come online through these services I think we'll listen to what customers want. Whether it's, maybe it's the other way around too, Dave maybe it's the fact that they want to use Oracle cloud but they want to use other complimentary services within Oracle cloud. So I think it can go both ways. I think, the market and the customer base will dictate that. >> Yeah. So if I understand that correctly, somebody from another cloud Google cloud could say, Hey we actually want to run this service on OCI cuz we want to expand our market. And if TK gets together with his old friends and figures that out but then we're just, hypothesizing here. But, like you said, it can go both ways. And then, and I have another question related to that. So, multi clouds. Okay, great. Supercloud. How about the Edge? Do you ever see a day where that becomes part of the equation? Certainly the near Edge would, you know, a Home Depot or Lowe's store or a bank, but what about the far Edge, the tiny Edge. Can you talk about the Edge and where that fits in your vision? >> Yeah, absolutely. I think Edge is a interestingly, it's getting fuzzier and fuzzier day by day. I think, the term. Obviously every cloud has their own sort of philosophy in what Edge is, right. We have our own. It starts from, if you do want to do far Edge, we have devices like red devices, which is our ruggedized servers that talk back to our control plane in OCI. You could deploy those things unlike, into war zones and things like that underground. But then we also have things like clouded customer where customers can actually deploy components of our infrastructure like compute or Exadata into a facility where they only need that certain capability. And then a few years ago we launched, what's now called Dedicated Region. And that actually is a different take on Edge in some sense where you get the entire capability of our public commercial region, but within your facility. So imagine if a customer was to essentially point a finger on a commercial map and say, Hey, look, that region is just mine. Essentially that's the capability that we're providing to our customers, where if you have a white space if you have a facility, if you're exiting out of your data center space, you could essentially place an OCI region within your confines behind your firewall. And then you could interconnect that to a cloud provider if you wanted to, and get the same multi-cloud capability that you get in a commercial region. So we have all the spectrums of possibilities here. >> Guys, super interesting discussion. It's very clear to us that the next 10 years of cloud ain't going to be like the last 10. There's a whole new layer. Developing, data is a big key to that. We see industries getting involved. We obviously didn't get into the Oracle Cerner acquisitions. It's a little too early for that but we've actually predicted that companies like Cerner and you're seeing it with Goldman Sachs and Capital One they're actually building services on the cloud. So this is a really exciting new area and really appreciate you guys coming on the Supercloud22 event and sharing your insights. Thanks for your time. >> Thanks for having us. >> Okay. Keep it right there. #Supercloud22. We'll be right back with more great content right after this short break. (lighthearted marimba music)

(upbeat music) >> Welcome back to Supercloud22, #Supercloud22, this is Dave Vellante. In 2019, Oracle and Microsoft announced a collaboration to bring interoperability between OCI, Oracle Cloud Infrastructure and Azure clouds. It was Oracle's initial foray into so-called multi-cloud and we're joined by Karan Batta, who's the vice president for product management at OCI, and Kris Rice, is the vice president of software development at Oracle database. And we're going to talk about how this technology's evolving and whether it fits our view of what we call, Supercloud. Welcome, gentlemen. Thank you. >> Thanks for having us. >> Thanks for having us. >> So you recently just last month announced the new service. It extends on the initial partnership with Microsoft Oracle Interconnect with Azure, and you refer to this as a secure private link between the two clouds across 11 regions around the world. Under two milliseconds data transmission, sounds pretty cool. It enables customers to run Microsoft applications against data stored in Oracle databases without any loss in efficiency or presumably performance. So we use this term Supercloud to describe a service or sets of services built on hyperscale infrastructure that leverages the core primitives and APIs of an individual cloud platform, but abstracts that underlying complexity to create a continuous experience across more than one cloud. Is that what you've done? >> Absolutely. I think, you know, it starts at the, you know, at the top layer in terms of, you know, just making things very simple for the customer, right. I think at the end of the day we want to enable true workloads running across two different clouds, where you're potentially running maybe the app layer in one and the database layer or the back in another, and the integration I think, starts with, you know, making it ease of use. Right? So you can start with things like, okay can you log into your second or your third cloud with the first cloud provider's credentials? Can you make calls against another cloud using another cloud's APIs? Can you peer the networks together? Can you make it seamless? I think those are all the components that are sort of, they're kind of the ingredients to making a multi-cloud or Supercloud experience successful. >> Oh, thank you for that, Karan. So, I guess as a question for Kris is trying to understand what you're really solving for, what specific customer problems are you focused on? What's the service optimized for presumably its database but maybe you could double click on that. >> Sure. So, I mean, of course it's database so it's a super fast network so that we can split the workload across two different clouds leveraging the best from both, but above the networking, what we had to do is we had to think about what a true multi-cloud or what you're calling Supercloud experience would be. It's more than just making the network bytes flow. So what we did is, we took a look as Karan hinted at, right? Is where is my identity? Where is my observability? How do I connect these things across how it feels native to that other cloud? >> So what kind of engineering do you have to do to make that work? It's not just plugging stuff together. Maybe you could explain in a little bit more detail, the resources that you had to bring to bear and the technology behind the architecture? >> Sure. >> I think, you know, it starts with actually, you know, what our goal was, right? Our goal was to actually provide customers with a fully managed experience. What that means is we had to basically create a brand new service. So, you know, we have obviously an Azure like portal and an experience that allows customers to do this but under the covers, we actually have a fully managed service that manages the networking layer that the physical infrastructure, and it actually calls APIs on both sides of the fence. It actually manages your Azure resources, creates them, but it also interacts with OCI at the same time. And under the covers this service actually takes Azure primitives as inputs, and then it sort of like essentially translates them to OCI action. So, so we actually truly integrated this as a service that's essentially built as a PaaS layer on top of these two clouds. >> So, so the customer doesn't really care, or know, maybe they know, coz they might be coming through, you know, an Azure experience, but you can run work on either Azure and or OCI, and it's a common experience across those clouds, is that correct? >> That's correct. So, like you said, the customer does know that they know there is a relationship with both clouds but thanks to all the things we built there's this thing we invented, we created called a multi-cloud control plane. This control plane does operate against both clouds at the same time to make it as seamless as possible so that maybe they don't notice, you know, the power of the interconnect is extremely fast networking, as fast as what we could see inside a single cloud, if you think about how big a data center might be from edge to edge in that cloud. Going across the interconnect makes it so that that workload is not important that it's spanning two clouds anymore. >> So you say extremely fast networking. I remember I used to, I wrote a piece a long time ago. Hey, Larry Ellison loves InfiniBand. I presume we've moved on from them, but maybe not. What is that interconnect? >> Yeah, so it's funny, you mentioned interconnect, you know, my previous history comes from HPC where we actually inside inside OCI today, we've moved from, you know, InfiniBand as its part of Exadata's core, to what we call RoCEv2. So that's just another RDMA network. We actually use it very successfully, not just for Exadata but we use it for our standard computers, you know, that we provide to, you know, high performance computing customers. >> And the multi-cloud control plane, runs... Where does that live? Does it live on OCI? Does it live on Azure? Yes? >> So it does. It lives on our side. >> Yeah. >> Our side of the house, and it is part of our Oracle OCI control plane. And it is the veneer that makes these two clouds possible so that we can wire them together. So it knows how to take those Azure primitives and the OCI primitives and wire them at the appropriate levels together. >> Now I want to talk about this PaaS layer. Part of Supercloud, we said, to actually make it work you're going to have to have a super PaaS. I know, we're taking this term a little far but it's still, it's instructive in that, what we, what we surmised was, you're probably not going to just use off the shelf, plain old vanilla PaaS, you're actually going to have a purpose built PaaS to solve for the specific problem. So, as an example, if you're solving for ultra low latency, which I think you're doing, you're probably, no offense to my friends at Red Hat, but you're probably not going to develop this on OpenShift, but tell us about that, that PaaS layer or what we call the super PaaS layer. >> Go ahead, Kris. >> Well, so you're right. We weren't going to build it out on OpenShift. So we have Oracle OCI, you know, the standard is Terraform. So the back end of everything we do is based around Terraform. Today, what we've done, is we built that control plane and it will be API drivable. It'll be drivable from the UI and it will let people operate and create primitives across both sides. So you can, you, you mentioned developers developers love automation, right? Because it makes our lives easy. We will be able to automate a multi-cloud workload, from ground up, Config is code these days. So we can Config an entire multi-cloud experience from one place. >> So, double click Kris on that developer experience, you know, what is that like? They're using the same tool set irrespective of, you know, which cloud we're running on is, is it and it's specific to this service or is it more generic across other Oracle services? >> There's two parts to that. So one is the, we've only onboarded a portion. So the database portfolio and other services will be coming into this multi-cloud. For the majority of Oracle cloud the automation, the Config layer is based on Terraform. So using Terraform, anyone can configure everything from a mid tier to an Exadata, all the way soup to nuts from smallest thing possible to the largest. What we've not done yet is is integrated truly with the Azure API, from command line drivable, that is coming in the future. It will be, it is on the roadmap. It is coming, then they could get into one tool but right now they would have half their automation for the multi-cloud Config on the Azure tool set and half on the OCI tool set. >> But we're not crazy saying from a roadmap standpoint that will provide some benefit to developers and is a reasonable direction for the industry generally but Oracle and, and, and Microsoft specifically? >> Absolutely. I'm a developer at heart. And so one of the things we want to make sure is that developers' lives are as easy as possible. >> And, and is there a Metadata management layer or intelligence that you've built in to optimize for performance or low latency or cost across the, the respective clouds? >> Yeah, definitely. I think, you know, latency's going to be an important factor. You know, the, the service that we've initially built isn't going to serve, you know, the sort of the tens of microseconds but most applications that are sort of in, you know, running on top of, the enterprise applications that are running on top of the database are in the several millisecond range. And we've actually done a lot of work on the networking pairing side to make sure that when we launch, when we launch these resources across the two clouds we actually pick the right trial site, we pick the right region, we pick the right availability zone or domain. So we actually do the due diligence under the cover, so the customer doesn't have to do the trial and error and try to find the right latency range, you know, and this is actually one of the big reasons why we only launched this service on the interconnect regions. Even though we have close to, I think, close to 40 regions at this point in OCI, this, this, this service is only built for the regions that we have an interconnect relationship with with Microsoft. >> Okay. So, so you've, you started with Microsoft in 2019 you're going deeper now in that relationship, is there is there any reason that you couldn't, I mean technically what would you have to do to go to other clouds? Would you just, you talked about understanding the primitives and leveraging the primitives of Azure. Presumably if you wanted to do this with AWS or Google or Alibaba, you would have to do similar engineering work, is that correct? Or does what you've developed just kind of pour it over to any cloud? >> Yeah, that's, that's absolutely correct, Dave, I think, you know, Kris talked a lot about kind of the multi-cloud control plane, right? That's essentially the, the, the control plane that goes and does stuff on other clouds. We would have to essentially go and build that level of integration into the other clouds. And I think, you know, as we get more popularity and as as more products come online through these services I think we'll listen to what customers want, whether it's you know, maybe it's the other way around too, Dave maybe it's the fact that they want to use Oracle cloud but they want to use other complimentary services within Oracle cloud. So I think it can go both ways. I think, you know, kind of the market and the customer base will dictate that. >> Yeah. So if I understand that correctly, somebody from another cloud Google cloud could say, "Hey, we actually want to run this service on OCI coz we want to expand our market and..." >> Right. >> And if TK gets together with his old friends and figures that out but we're just, you know, hypothesizing here, but but like you said, it can, can go both ways. And then, and I have another question related to that. So you multi-clouds. Okay, great. Supercloud. How about the edge? Do you ever see a day where that becomes part of the equation? Certainly the, the near edge would, you know, a a home Depot or a Lowe's store or a bank, but what about like the far edge, the tiny edge. Do, do you, can you talk about the edge and and where that fits in your vision? >> Yeah, absolutely. I think edge is a interestingly, it's a, it's a it's getting fuzzier and fuzzier day by day. I think there's the term, you know, we, obviously every cloud has their own sort of philosophy in what edge is, right? We have our own, you know, it starts from, you know, if you if you do want to do far edge, you know, we have devices like red devices, which is our ruggedized servers that that talk back to our, our control plane in OCI you could deploy those things in like, you know, into war zones and things like that underground. But then we also have things like Cloud@Customer where customers can actually deploy components of our infrastructure, like Compute or Exadata into a facility where they only need that certain capability. And then a few years ago we launched, you know, what's now called Dedicated Region. And that actually is a, is a different take on edge in some sense where you get the entire capability of our public commercial region, but within your facility. So imagine if, if, if a customer was to essentially point to, you know, point to, point a finger on a commercial map and say, "Hey, look, that region is just mine." Essentially, that's the capability that we're providing to our customers, where if you have a white space if you have a facility if you're exiting out of your data center space you could essentially place an OCI region within your confines behind your firewall. And then you could interconnect that to a cloud provider if you wanted to. and get the same multi-cloud capability that you get in a commercial region. So we have all the spectrums of possibilities there. >> Guys, super interesting discussion. It's very clear to us that the next 10 years of cloud ain't going to be like the last 10. There's a whole new layer developing. Data is a big key to that. We see industries getting involved. We obviously didn't, didn't get into the Oracle Cerner acquisitions a little too early for that but we we've actually predicted that companies like Cerner and you've seen it with Goldman Sachs and Capital One, they're actually building services on the cloud. So this is a really exciting new area and I really appreciate you guys coming on the Supercloud22 event and sharing your insights. Thanks for your time. >> Thank very much. >> Thank very much. >> Okay. Keep it right there. #Supercloud22. We'll be right back with more great content right after this short break. (upbeat music)

>> Thinking back over the past 15 years of the modern cloud computing era we were first told that cloud was only for startups. It was for experiments, entire kickers. No IT executive would ever move production workloads or strategic data into the cloud. No financial services firm is another example would ever move anything into the cloud. Multi-cloud then emerged as a symptom of multi-vendor or of mergers and acquisitions or both. Fast forward now to 2022 and customers clearly want to take advantage of the best services that each cloud offers. For example, Azure for Microsoft apps, Amazon for IS, Google cloud for AI, Oracle for database, et cetera. However, this approach requires expertise in each cloud's primitives, tools and APIs and it puts the burden on customers to integrate apps and workloads across clouds, which increases cost, it exposes security risks and it creates time to market friction. The future of cloud is no longer just on-prem to cloud or so-called hybrid, but cloud to cloud. What many call multi-cloud and at the cube, we like to think beyond the conventional view of multi-cloud, and it's why we use the term super cloud as a metaphor for cross cloud services that are purpose built to solve a specific problem. While at the same time leveraging the best that various cloud providers have to offer. Karan Batta is the vice president of product management at OCI for Oracle and Kris Rice is the vice president of software development at Oracle database, and both are joining me in this cube conversation to discuss how Oracle and Microsoft are helping customers address cross cloud integration issues, making it possible for customers to use popular Azure based tools and Oracle databases and what the firm's claim is a simplified, secure and more facile experience, effectively making two clouds appear as one to developers and, and users. Gentlemen, welcome. Thanks for coming on the cube. >> Thanks for having me, Dave >> Karan, let's start with the news. What are you announcing? Why is it important to each company and what does it mean for your customers? >> Yeah, absolutely. Thanks for having me, Dave. I think, you know, what, what I can tell you is Microsoft and Oracle actually share a massive enterprise customer base. The same customers that are using Office 365 are also the same customer that are storing their critical, mission critical data on Oracle database. So we have thousands of customers that we share jointly and many of them use all sorts of different products from both technology companies. And, you know, multi-cloud, as you, as you sort of rightly pointed out has become the right approach for a lot of our customers to be able to run applications across different cloud providers in a very simplistic manner. You know, that's why we're, you know, with this new announcement we're reducing the complexity of connecting these things together. You know, all of the platform level capabilities, the networking capabilities, the identity management of it, you know, we're calling this new service Oracle database service for Microsoft Azure, and it really brings together a, a cohesive Azure like experience for Oracle customers. It's, you know, it's, it's going to be a new way to actually deploy multi-cloud applications. >> How is this service different from what the Oracle interconnect for Azure partnership that you announced pre pandemic? I think it was 2019. >> Right, right, right. So almost two years ago, you know, we announced this partnership with Microsoft that essentially interconnects the two data center regions from, from Azure and from Oracle. And, you know, it, it provided a great opportunity for customers to, to start their multi-cloud journey by making things like data transfer fees free, et cetera. And now we're close to 11 regions globally, you know, for those interconnected regions. The feedback that we got from customers was, you know, it was a great step in the right direction, but they needed more. And so this experience essentially builds on top of that interconnect, the physical interconnect on the data center side by giving customers an Azure like experience that allows them to basically deploy Oracle databases in a, in a very cohesive fashion with their Azure applications. It also gives them things like, you know, joint support, it gives them things like, you know, joint billing data, et cetera. But it basically allows them to get a first class experience for Oracle database services, you know, across the two clouds. >> It's interesting. I mean, I think back to the history of the industry, you know, before Oracle acquired Sun it would work with every hardware company then of course, you know, had its own hardware. And now it's working with, with Microsoft, who's in essence is a platform, you know, infrastructure company. So it's, it's quite a, quite a journey. Chris, I wonder, wonder if we could bring you into the conversation. What Oracle databases can Azure customers access now? Where, where does autonomous fit? Is that part of the package? >> Yeah, absolutely. So the, the initial offering is going to have all flavors of the Oracle database cloud. So that includes what we call now, the base database, which is database in a VM, the workhorse of the excess CS. So if you truly need the the extra horsepower of the exit data machine and of course it's going to include autonomous right out of the gate. So for customers that want to kick the tires on an Oracle database link with Azure there's no faster path than using autonomous. >> Yeah, so a lot of integration that you guys have done. Well, how does this service compare to other, you know, customers like to compare, they're always talking about their, their choices. How does it compare to others? How, what is the cost associated with this? What can you tell us? >> So from a cost stance, there there's no extra cost. So the only cost is on the base service. So if you get the autonomous, the base database, the exit data, your cost is in that base service. And we include all this plumbing that we've done to make it work best with Azure. And that includes wiring the metrics the logs, the vent home, the audit records to the Azure side of the house. >> And, and, and what what other things are like this out there? Can you share with us? What should customers, you know, compare this to? >> So the majority of what customers have done so far is it, it is DIY. So multi-cloud to date has been very DIY. Anything could be done that we've done. However, customers that have to roll up their sleeves they'd have to learn both clouds, learn the nomenclature of both clouds, they'd have to learn the networking infrastructure and they'd really have to roll their sleeves up and DIY it. What we've done is we've, we've done all that work for them. So it's as simple as a few mouse clicks and the two clouds can be talking together. >> Thank you, okay. Karan, you, you ever see the movie good morning Vietnam and they redact out all the, all the, like the words in the news that they didn't want, want read on the news. And so we hear Microsoft and Oracle, they're talking about multi-cloud, Google sort of talks about unifying cross cloud developer experiences with, with Antos. But when you go, when you go to like reinvent the word multi-cloud is redacted, like the movie. Do you anticipate customers are going to push more from multi-cloud in the future? What are you hearing? >> Yeah, absolutely. I think, I think customers are going to demand this of their cloud providers in the future. I think these are going to be table stakes moving forward. You know, as, as you rightly pointed out, Dave, I think, you know, customers and, and and actually cloud providers are focused on mostly transition from on-prem to the cloud. And I think in the future, you know, once everybody's picked their first cloud provider it's going to be, you know, the focus is going to shift from that to the interoperability across these two clouds or, or multiple clouds. You know, customers will want to have leverage against other cloud providers. Customers will want to pick the best of breed, complimentary services, et cetera, and also have, you know, decisions based on economics, right? So I think, you know, there's going to be a massive acceleration of customers want the support from, from all of their cloud providers. You know, which is why we're basically simply listening to customer feedback. And, you know, as mentioned earlier, we share so many different customers together it totally made sense for Microsoft and Oracle to start investing in it. This is not the entire answer. I think it's start of this journey in, in the future. >> Yeah, it's going to be interesting to see how this plays out. You know, I never say never with, with the hyperscalers or any large technology company. I, I wonder Karan, if we could stay with you. Can you give us some practical examples of, of what this service means for customers? How it's going to help them do something that they couldn't do before? What should we be focused on? >> Yeah, absolutely. I think, you know, I think it opens up a whole set of new possibilities. You know, I, I mentioned earlier kind of made a statement where, you know, the world's data kind of lives on Oracle databases. It's, it's the core of, of any mission critical data today. It's still the most popular database use in, in the world. And so, you know, customers want to be able to modify they want to be able to extract more information and and get more knowledge out of their data. And this opens up the possibility where you can use, you can have access to that Oracle database from Azure and you're able to connect it to all the complimentary services which allow you to extract more knowledge or, or insight out of that data. So whether you're moving it into, let's say Azure synapse analytics to do analytics workloads or whether you're moving it to the HUD cluster using Azure HD insight, or you're simply just looking at the data in different forms and factors through power BI. I think it opens up a whole new set of possibilities you just couldn't do it before. On the second hand, it also helps you modernize your existing on-premise estate of Oracle. So we have the largest backs, the largest financial services customers, the largest government customers running the largest exit data footprint on premise. It helps you modernize that into the cloud and then, and use complimentary services from Azure. >> Got it. Chris, what's the support model look like for this new service? You know, who do I, whose throat do I choke? >> I was going to say, so you brought us back to when we had multiple vendors in the vendors we've all lived through it, right. Vendors pointed fingers at each other. So, keeping that in mind, what we've done is we have a collaborative plan with Microsoft in place. So building on the, the interconnect from 2019 we have that collaborative support model. So right in this new console that we've built you can log a ticket and immediately both sides will be aware of the context and what's going on so that we can resolve those problems and avoid the finger pruning of vendor at vendor. >> Okay, great. So if somebody pick up a broom and, and start sweeping and fix the problem, I love it. To both of you guys, maybe you could kind of riff a little bit on the future. I, I mean, we use this term super cloud, which is, you know, cross multiple clouds so you're doing that. And we envision, you know, this this wonderful globally distributed system where you're not even thinking about the underlying infrastructure. Are you considering partnering with other major cloud providers to offer similar services? Or are you going to go sort of deeper with, with Azure? What's your feeling on that? >> I think, you know, I think the the capability here that we've built isn't specific to Azure, for sure. I think there's absolutely possibility of, of, you know, working with other clouds in the future. I think, you know, we'll continue to sort of listen to our feedback from the, from our largest customers. You know, and if the market demands, you know, it's, it's, it's going to be, as I said, table stakes. And, you know, as I said earlier, and and I think It'll be in the best interest of all the cloud providers to just work together in the future. >> And, and Dave, to go back on the other half of your question, are we going to go deeper? We are going to be going deeper. So today we've gone far enough that like I said, metrics logs, those things are flowing. We're also in progress of looking at the rest of the portfolio in Azure and seeing which things can and should integrate more tightly with OCI. So as Karan said broader, but also deeper at the same time. >> Great, thank you. But my last question is, you know, we, again, we use this term super cloud to, to, to me anyway and us multi-cloud has largely been running, you know, on different clouds, it's, it's sort of a symptom, just kind of the way things shook out. And maybe this, maybe super cloud is what multi-cloud should be, but, but what do you think are the key ingredients that make multi-cloud real, lots of people are talking about multi-cloud what, what makes it tangible? >> I think, you know, to, to begin with, I think it's, it's, it's removing the complexity of learning new clouds, right? I think that's the biggest challenge that customers have is you've you've already picked one cloud, you've, you've, you've trained your, your, your employees, you've trained your developers and your application, you know, engineers and learning a new cloud, onboarding a new cloud is an extensive challenge and, and, you know, requires a lot of time and effort. And I think, I think what the other cloud providers can do is actually make sure that they provide these experiences that office gate all of the guts and all of the plumbing under the covers so that the customer doesn't have to learn new things. I think they have, they can focus on their business value which is actually running the app and running the database. I think they can sort of leave the infrastructure component to the cloud providers to actually have the right interoperability, the right APIs, et cetera. So I think the experience is going to be critical moving forward. >> Kris, anything you'd add to that? Bring us home if you would. >> The things I would add is back to observability and manageability. So today a lot of customers consider themselves multi-cloud if they're leveraging two clouds. What we are truly talking about is a multi-cloud workload where a compute node on cloud A is talking to a database on Oracle, things like that. So then you get into the observability of the stack so that you can monitor and react to how the things are going. So I think it has to go a, a hair higher in that these, these layers of observing the entire multi-cloud experiences in one place. >> That's great guys. Thanks so much for coming to The Cube and, and share. Congratulations on the progress. I, I love that we have you guys back and we can see how you're moving forward, collaborating, you know, customers, it's a win-win win so appreciate your time. >> Absolutely. >> Absolutely. >> All right. And thank you for watching. This is Dave Vellante for The Cube. We'll see you next time.

(music) >> Hi, welcome to today's session of the CUBE's presentation of the AWS STARTUP SHOWCASE. New breakthroughs in DevOps, Data Analytics and Cloud Management Tools. This segment features HackerOne for DevOps. I'm Lisa Martin, and I am joined by Alex Rice, the founder and CTO of HackerOne. Alex, welcome to the program. >> Thank you for having me. >> Alex and I are going to spend the next 20 minutes or so talking about strengthening cloud application security with HackerOne. I want to go ahead Alex, and start you founded HackerOne back in 2012. Talk to me about, why you founded it? What were the glaring obvious gaps in the market? >> So I, I started out with the software development engineering background before moving into security about halfway through my career. And one of the things that's always bothered me about the security industry is how unreliable our feedback loops are. We only ever really get quality software by having as many, many points of feedback as possible in there from customer surveys and analytics and monitoring. And the security industry has just been really spotty about that. So when I was running the product security team for, for Facebook for a number of years, one of the surprising things that we did, that ended up being one of the best feedback loops we had, we just said to the, to the, the world hackers out there, if you find a vulnerability, find a security flaw, find something that we missed, we'll reward you for it. And we were really blown away with what very creative folks all across the world came back with. And so this concept of inviting outside friendly hackers to point out your flaws in exchange for compensation, ends up being a very valuable tool for any engineering team and any, any security team, particularly those that are adapting to more modern, faster agile environments. >> Right? Like DevOps. So you've amassed a community of over 1.2 million good actors, ethical hackers as you say. How do you vet those folks since there's so many nefarious actors out there? >> It's a great question what we start with. The bulk of the programs that we run on HackerOne are public. They're open to the world. There are organizations like Facebook and GM and the department of defense that say to anybody out there, if you find something that we've missed, we want to know about it. So it doesn't, you're not giving the hackers any special permissions or access that they wouldn't normally have. You're, you're inviting them to collaborate with you. From there we learned a lot about the hackers skillsets and demeanor and their track record to then vet them for more private or targeted programs. So while there are these public programs, that is where those million hackers originate from that list is, is vetted and filtered down for more private engagements. Because most folks building technology, they don't need a million hackers to help them out. They need 10 of the right hackers on their team at the right time. And vetting them and matching those hackers to the right challenges is, is a core part of what we try to do here at HackerOne. >> One of the things that we talk a lot about on this program is, you know, the last five years, this shortage, the cybersecurity skills gap. Is, is HackerOne's answer to that? These 1.2 million ethical hackers who can find those vulnerabilities that are open vectors for criminals to exploit. >> It's part of it. It's very much a part of it. My personal hypothesis about this on a big part of why we have such a glaring skills gap is because we've tried to separate it out from core engineering and DevOps principles. The most secure products out there, the ones that hopefully you trust and we all use regularly. Security is a core part of their engineering practices. It's a core part of their DevOps practices and the skillset overlaps dramatically there. And so we've had a lot more success in involving the core DevOps and engineering teams in security practices and really doing it as, as any other component of, of quality software development. And the challenge of that is that you're not going to find everything that you need in a single job description. If you're building a modern application or deploying modern infrastructure, the diversity of skill sets that you need is just staggering. And if you try to apply the old employment model of, okay, I need a security expert on this application. I need an expert in AWS and Kubernetes and RDS, and queuing systems and encryption for my and database security and account takeover. You quickly realize that it's just impossible for every organization that needs all that expertise to hire somebody with all that expertise. So our, our approach and what we try to do is to make sure that the core teams own responsibility for that security, but they're able to tap experts when they need them at, at, in a model that is really much more acclimated to how modern software is built. >> Got it. Okay. Interesting. Talk to me about the HackerOne security platform. Let's kind of dissect that. >> Absolutely. So there's a, there's a few different types of programs that we run for customers. At our, at its hard. There are public programs that we refer to as, as vulnerability disclosure programs. This is usually a security ad, it could be as simple as a security ad for a email address report vulnerabilities. That's really just an invitation to the world out there that says. Hey, we, our application is available to the public and you as a member of the public, if you find a security issue that we should be aware of, we'd like to hear about it. And it's incredible the amount of value that software teams receive just from asking, this putting that invitation out there. Then in parallel with those, for the organizations that are looking for more talented, a deeper dive we've run bug bounty programs, which is a very similar flavor, but the, our engineering and software teams will post bounties for the specific types of issues that they care about. Meaning if you can find a way to compromise user data, or if you can get access to our infrastructure, we'll reward $5,000 or $10,000. And you're specifically asking people to help you find things that will align with your goals and protect your customers. And then the, the third model that we do are our security assessments. These are a very targeted point in time assessments. They're not ongoing commitments. There are when a DevOps team is deploying a new application or releasing a new architecture or running new infrastructure, when they need a very targeted set of expertise for a constrained timeline to fit into their release processes, we can run assessments of matching just a small number of factors to what you care about and tie all that into your to release process. >> Okay. Let's talk about now, we know, one of the things that we've seen in the last 18 months as this massive acceleration to digital, we've seen a much more cloud adoption and really lifelines. Zoom, Netflix, for example, being these lifelines. As more organizations are moving to the cloud, we think, well, maybe risks are getting higher. With respect to customers that are moving to AWS. How does hacker one security platform help? >> The potential of technology. If it wasn't clear before the pandemic started, it should be clear to everybody now, like it is, it's unbelievable the positive impact it's able to have on our lives. And at the same time, most people don't trust technology. We as a technology industry have done a poor job of earning the public's trust that the technology that many of their lives are starting to depend upon is as trustworthy as they needed to be. And that's not a new challenge. Like as long as we've been developing software, there have been bugs, there have been security problems, but it's really amplified it both with the pace of development and just how accessible that's becoming to that to the world. And so in, in prior development models where we were releasing software, much more infrequently, where it was deployed in very controlled environments and accessible only to specific people who happen to be in a physical location or had a particular corporate account, that's all starting to change. Software is being released so much faster at a, at a pace that their traditional security models were already struggling to keep up with. And now are just completely, completely outclass. That's the trend number one that's changed. It's just the speed at which we have to apply. Security is, is unprecedented in this new world. And then at the same time, the access has just gone through the roof, the way of operating a modern business and surfing modern customers dictates that we have to meet them where they are wherever they are in the world, which means the adversaries have the same level of access that we're now affording to our, to our customers. So for our financial services customers that have gone completely remote access in the, in the last year, that's a whole range of attack surface. It wasn't accessible for many of them are using cloud systems to do that. Our healthcare customers that previously a tech service, it was only accessible when you were actually in the hospital is now open in large parts of the public and has many many more private conversations than it did before. And it's more than anything else that realization that we need this technology to be always on accessible anywhere in the world and trusted because people need to trust it. Like their lives depend on it. Literally has, has really changed how we need to look at this challenge. >> Yeah. That speed at which the attack surface is just spreading. And I was looking at some cybersecurity data in the last week or so, and there's really no signs of it slowing down. We saw this, the rapid shift to remote work a year and a half ago, remote learning. And we've got obviously we're in this hybrid world now where, you know, companies are in hybrid cloud, we're in this hybrid workforce of some remote, some homes, some doing both back and forth with that attack surface spreading. Give me an idea of some of the customers that you guys are working with to help them with HackerOne secure their AWS environments. >> Yeah. Our customer base really follows technology adoption trends. All of our early customers were, were tech companies that are kind of the ones that pioneered this model. Facebook, Google, Microsoft, Twitter, Uber were the, the early tech companies that quickly over the first ones to realize that the traditional approach to security model was just insufficient for a new cloud forward environment. Behind them you'll find technological, technology leaders in every industry. It's hard to just talk about the tech industry today. When you look at any industry out there, you can find one or two examples of very technology forward companies. On the finance side, customers like Goldman Sachs and Capital One. They really view themselves as technology companies these days. They're not finished service organizations or banking organizations, they're first and foremost technology companies. They were the first, some of the first to adopt this, this model. On the military side, the department of defense was one of the first organizations to do this cause they've long had, they're both one of the most traditional organizations out there. They've always had innovation arms to adapting practices like this. The automobile industry was a little bit early on the technology adoption trend. As consumers started relying on and demanding more technology in their vehicles. They were one of the early adopters of, of a practice here. And in the more recent years, the line has just completely gone away. We don't really use what we were engaging with a customer you don't really even ask. Are you, what's your, what's your digital strategy? or do you have a technology team? or are you developing first party applications? Do you use any cloud services? The answer to it is just is it's yes. So much more often than it's not. I think there's the safe assumption in 2021 is if you're, if you're doing business, you are probably have a software engineering team, you are probably deploying on the cloud. And if you're not, you're probably not going to be doing business in the, in the next decade. >> Right. That's, that's going to be a big differentiator, but you bring up a good point that every you can, you can almost say every company these days is a tech company or needs to become a tech powered company, a data-driven company. That is critical to especially organizations in this climate being able to pivot continuously as our world is changing. I want you to walk us through Alex, some of the HackerOne assessments that folks can do specifically in the AWS environment. >> For specifically for AWS, what we found is there's a category of AWS and we're really a cloud customers that want the always on security feedback loops that come from bounty programs. And so we, we've had that offering for quite a while of folks that want a feedback, no matter when it happens, because they're continuously received releasing applications. But then increasingly one of the use cases that we discovered was folks were in the midst of moving new applications to AWS, almost on a, on a weekly or monthly cadence. And they need needed a security testing cycle that would keep pace with that. Particularly folks that are ongoing any type of cloud migration or lifted shift of their, of their applications. And so we, we rolled out at AWS tailored specific version of our security assessment product. You can get it in the AWS marketplace as well, that lets you spin up a targeted security assessment on demand through the, through your native AWS tooling, whenever you need it. And the most common use case being this, we plan to open up access to this application next week. We'd love to have some hackers kicking the tires on it this week before the whole world has the opportunity to do that. All of those findings are then integrated back into Rietta U.S security hub, and tailored in a way that is meant for the DevOps teams and engineering teams that are deploying to, to be able to tell us what's going on. We're not asking folks to, to break out into specific security workflows. We really fundamentally believe that security accessible to DevOps teams is, is what's needed to keep us all moving fast and ship trustworthy now applications in the cloud. >> Is that at all a facilitator, you know, when we talk about DevOps folks, security folks, Devsecops. We talk about sort of the, the cultural shift and developers needing the DevOps folks need to be focusing on getting applications out at speed, security folks, developers, you know, we don't want to have to have security responsibilities. Are you helping to facilitate some of those? >> Yeah. We are, and it is more of a personal opinion here, but as someone who's worked on on many engineering teams and built multiple application and product security teams, the strongest ones in the industry, the lines between the product team and the product security team or the DevOps team or the security team are non-existent, those experts exist on to. I hate terms like Devsecops. We, it's necessary to, to approach things, but like if you're going to have a term like DevSecOps, you need to expand it to like DevQaSec in for ops. And it's just, you can't possibly capture every skillset and the critical aspect of quality software development in, in a short little acronym like that. And to me, DevSecOps just feels like a, an attempt by the industry to get invited to a party that nobody wants them at. And I really think we have to rewire our thinking. And if you have a, a development and an operations team, which are the two core functions there that doesn't take hands-on responsibility for the security of what they're developing and operating you're in trouble. Right? The more you try to outsource that to another team, another set of expertise, the worst you're going to be. There's a, there's a analogy that I draw to this that is a little bit of a poor analogy, but it, if it works well for me. For those of us that have been around in software engineering for, for long enough, there was a huge push in the early two thousands to build quality assurance processes across the board. Like everyone was investing in QA and building our QA teams. And every study across the board showed quality just tank after people invested millions in QA and quality assurance. And when, when you dig into it, it's intuitive, right? Like as soon as you can say. Oh, thank goodness quality is now somebody else's job. I've got, there's a dedicated team that can think about quality and deal with quality. Quality goes away. And security follows the exact same paradigm. Modern software is too complex, too interconnected, to be able to expect somebody else to completely do it for you. And so we really try to consult our customers on you should be thinking about organizational structures and responsibility, major SIGs that ensure developers and operations have the seat at the table in the security of the product. And then the challenge is how do we get the right people onto those teams? How do we get the right experience to them versus bolting it on with another acronym in the middle? >> I love your opinion there. In terms of facilitating that the latter part of what you just spoke, how are you finding those conversations within customers going? Is this now, I mean, think about it from a security perspective, it's going up to the board level imperative. Are you finding, especially in the last 18 months that your conversations with organizations are changing as that escalates up the chain? >> They are, but we also take a very pragmatic approach to this. I give you a very, a, a fairly, a personal opinion there on how to do it. The reality is most organizations aren't structured that way. They have a DevOps team, they have a security team, and the two are often in somewhat of an adversarial relationship. And, and we, we certainly work within those environments. You certainly can have a mature security program in an environment like that. It's not like there's one silver bullet to solve it, but we do work closely with our customers to try to bring down those walls. And increasingly technology leaders are engaged and hands-on, and are looking for ways to make this better. Five years ago, the CSO, The Chief Information Security Officer was almost always our main buyer, and our main point of contact. Is much, much more common now to see VPs of engineering, CIO's, CTOs have direct line responsibility for, security teams. And I think we're starting to see the early shifts of work structures that reflect that. If you have a DevOps team and you have a security team, that's responsible for the security of what the DevOps team is doing, and they are reporting to the same executive where there are major points of bureaucracy and politics between them. Every executive we talked to feels that, they lived through an experience like that, and they're motivated to start bringing those balls down. >> They've been through that pain and know the imperative give up getting alignment. So we've talked a lot in the last minute here. So I'm curious, we talked a lot about what HackerOne is doing, what you're doing for the AWS community, what's in it for your customers, but I'd love to understand just really quickly what's in it for the hackers? I do understand that you guys have more ethical hackers than black hats out there are out there, they're new assistants, which is good to know. But, what's in it? You know, from a bounty perspective for the hackers that work with you. >> We believe we're creating meaningful economic opportunity for, for hackers out there. We've had over a dozen hackers that have made a million dollars on the platform helping customers. But more importantly, it maps to how you want to develop your skillset. As hackers, a big part of the cyber security workforce challenge is these unrealistic job expectations that require every security engineer to be a Jack of all trades and work across 10 different product teams and master all of these skills. Whereas this model allows hackers to specialize. You can be a specialist in a very particular piece of technology and apply that specialization across everyone that depends upon it, and focus on what you can do best without dealing with the office politics or the unrealistic job expectations of what's needed in a modern school professional. It's one of the most painful things about the security community is you'll, you'll look at junior entry-level job descriptions for security engineers that already require five years of experience and expertise in 10 different technologies, which is just it's unrealistic. You're you're not going to find it. You don't want to, to be that individual. But it's also, it's back to what we were talking about earlier. It's trying to ask to find unicorns for roles that are just not in line with how modern software is built. And so I think for that, for the hacker community, what we hope we're doing is we hope we're creating meaningful economic opportunity. We're also hope we're enabling folks to develop and contribute to society with their skills in a way that they would like to. >> Awesome. Alex, thank you so much for joining me today, giving me kind of a background on what HackerOne's doing, what you're doing for AWS, the opportunities what's in it for me as a customer, what's in it for me as an ethical hacker. It's been great having you on the program. >> Thank you very much. Take care. >> This has been our coverage of the AWS startup showcase new breakthroughs in DevOps, data analytics and cloud management tools for Alex Rice. I'm Lisa Martin. Thanks for watching. (music)

>>from around the globe. It's the Cube with coverage of Coop Con and Cloud, Native Con Europe 2020 Virtual brought to You by Red Hat, The Cloud Native Computing Foundation and its ecosystem Partners. Hi, I'm stupid, man. And this is the Cube's coverage of Cube con Cloud Native Con Europe event, which, of course, this year has gone virtual, really lets us be able to talk to those guests where they are around the globe. Really happy to welcome back to the program. Liz Rice. First of all, she is the vice president of Open Source Engineering at Aqua Security. She's also the chair of the Technical Oversight Committee has part of Ah CN cf. Liz, it is great to see you. Unfortunately, it's remote, but ah, great to catch up with you. Thanks for joining. >>Yeah, Thanks for having me. Nice to see you if you know across the ocean. >>So, uh, you know, one of the one of the big things? Of course, for the Cube Con show. It's the rallying point for the community. There are so many people participating. One of the things we always love to highlight its not only the the vendor ecosystem. But there is a very robust, engaged community of end users that participate in it. And as I mentioned, you're the chair of that technology oversight committee. So maybe just give our audience a little bit of, you know, in case they're not familiar with the TOC does. And let's talk about the latest pieces there. >>Yes, say the TOC is really hit. C can qualify the different projects that want to join the CNC F. So we're assessing whether or not they're cloud native. We're assessing whether they could joined at sandbox or incubation or graduation levels. Which of the different maturity levels that we have for for project within the CN CF yeah, we're really there, Teoh also provide it steering around the What does cloud native mean and what does it mean to be a project inside the CN CF community? We're also a voice for all of the projects. We're not the only voice, but, you know, part >>of our role >>really is to make sure the projects are getting what they need in order to be successful. So it's it's really around the technology and the projects that we call cloud native >>Yeah, and and obliges Cloud Native because when people first heard of the show, of course, Kubernetes and Cube Con was the big discussion point. But as you said, Cloud native, there's a lot of projects there. I just glanced at the sandbox page and I think there's over 30 in the sandbox category on and you know they move along their process until they're, you know, fully mature and reach that, you know, 1.0 state, which is the stamp of approval that, you know, this could be used in production. I understand there's been some updates for the sandbox process, so help us understand you know where that is and what's the new piece of that? >>Yeah. So it's really been because of the growth off cloud native in general, the popularity off the CN CF and so much innovation happening in our space. So there's been so many projects who want Teoh become hard off the CNC f family on and we used to have a sponsorship model where members of the TOC would essentially back projects that they wanted to see joining at the sandbox level. But we ran into a number of issues with that process on and also dealing with the scale, the number of applications that have come in. So we've revamped the process. We made it much easier for projects to apply as much simpler form where really not making so much judgment we're really saying is it's a cloud native project and we have some requirements in terms off some governance features that we need from a project. And it's worth mentioning that when a project joins the CN CF, they are donating the intellectual property and the trademark off that project into the foundation. So it's not something that people should take lightly. But we have tried to make it easier and therefore much smoother. We're able Teoh assess the applications much more quickly, which I think everyone, the community, the projects, those of us on the TOC We're all pretty happy that we can make that a much faster process. >>Yeah, I actually, it brings up An interesting point is so you know, I've got a little bit of background in standards committees. A swell as I've been involved in open source for a couple of decades now some people don't understand. You know, when you talk about bringing a project under a foundation. You talked about things like trademarks and the like. There are more than one foundation out there for CN CF Falls under the Linux Foundation. Google, of course, brought Kubernetes in fully to be supported. There's been some rumblings I've heard for the last couple of years about SDO and K Native and I know about a month before the show there was some changes along SDO and what Google was doing there may be without trying to pass too many judgments in getting into some of the political arguments, help us understand. You know what Google did and you know where that kind of comparison the projects that sit in the CN cf themselves. >>Yeah, So I e I guess two years ago around two years ago, Stu was very much the new kid in the cloud native block. So much excitement about the project. And it was actually when I was a program co chair that we had a lot of talks about sdo at Cube Con cloud native bomb, particularly in Copenhagen, I'm recalling. And, uh, I think everyone I just saw a natural fit between that project on the CN, CF and There was an assumption from a lot of people across the community that it would eventually become part of the CNC f. That was it's natural home. And one of the things that we saw in recent weeks was a very clear statement from IBM, who were one off the Uh huh, yeah, big contributing companies towards that project that that was also their expectation. They were very much under the impression that Stu would be donated to the CN CF at an appropriate point of maturity, and unfortunately, that didn't happen. From my point of view, I think that has sown a lot of confusion amongst the community because we've seen so much. It's very much a project of fits. Service mesh designed to work with kubernetes is it really does. You're fit naturally in with the other CN CF projects. So it's created confusion for end users who, many of whom assume that it was called the CN CF, and that it has the neutral governance that the other projects. It's part of the requirements that we have on those projects. They have to have an open governance that they're not controlled by a single vendor, Uh, and we've seen that you know that confusion, Andi. Frustration around that confusion being expressed by more and more end users as well as other people across the community. And yeah, the door is still open, you know, we would still love to see SDO join the community. Clearly there are different opinions within the SD wan maintainers. I will have to see what happens. >>Yeah, lets you bring up some really good points. You know, absolutely some of some of that confusion out there. Absolutely. I've heard from customers that if they're making a decision point, they might say, Hey, maybe I'm not going to go down that maybe choose something else because I'm concerned about that. Um, you know, I sdo front and center k native, another project currently under Google that has, you know, a number of other big vendors in the community that aiding in that So hopefully we will see some progress on that, you know, going forward. But, you know, back to you talked about, You know, the TOC doesn't make judgements as to you know which project and how they are. One of the really nice things out there in the CN CF, it's like the landscape just for you to help, understand? Okay, here's all of these projects. Here's the different categories they fit in. Here is where they are along that maturity. There's another tool that I read. Cheryl Hung blogged about the technology radar. I believe for continuous delivery is the first technology radar. Help us understand how that is, you know, not telling customers what to do but giving them a little guidance that you know where some of these projects projects fit. In a certain segment, >>Yeah, the technology radar is a really great initiative. I'm really excited about it because we have increasing numbers or end users who are using these different projects it both inside the CN CF and projects that are outside of the CNC F family. Your end users are building stacks. They're solving real problems in the real world and with the technology radar. What Cheryl's been able to facilitate is having the end you to the end user community share with us. What tools? They're actually using what they actually believe are the right hammers for specific nails. And, you know, it's it's one thing for us as it's more on the developer or vendor side Teoh look at different projects and say what we think are the better solutions for solving different problems. Actually hearing from the horse's mouth from the end users who are doing it in the real world is super valuable. And I think that is a really useful input to help us understand. What are the problems that the end user is still a challenge by what are the gaps that we still need to fail more input we can get from the end user community, the more will be solving real problems and no necessarily academic problems that we haven't sorry discovered in >>the real world. Alright, well is, you know, teeing up a discussion about challenges that users still have in the world. If we go to your primary jobs, Main hat is you live in the security world and you know, we know security is still something, you know, front and center. It is something that has never done lots of discussion about the shared responsibility model and how cloud native in security fit together and all that. So maybe I know there's some new projects there, but love to just give me a snap shot as where we are in the security space. As I said, Overall, it's been, you know, super important topic for years. This year, with a global pandemic going on, security seems to be raised even more. We've seen a couple of acquisitions in the space, of course. Aqua Security helping customers along their security journey. So what do you seeing out there in the marketplace today and hear from your custom? >>Yeah, I Every business this year has, you know, look at what's going on and you know, it's been crazy time for everyone, but we've been pleasantly surprised at how, you know, in relative terms, our business has been able to. It's been strong, you know. And I think you know what you're touching on the fact that people are working remotely. People are doing so many things online. Security is evermore online. Cloud security's evermore part off what people need to pay attention to. We're doing more and more business online. So, actually, for those of us in the security business, it has bean, you know that there have been some silver linings to this this pandemic cloud? Um, yes. So many times in technology. The open source projects and in particularly defaults in kubernetes. Things are improving its long Bina thing that I've you know, I wished for and talked about that. You know, some of the default settings has always been the most secure they could be. We've seen a lot of improvements over the last 23 years we're seeing continuing to see innovation in the open source world as well as you know, on the commercial side and products that vendors like Akwa, you know, we continue to innovate, continue to write you ways for customers to validate that the application workloads that they're going to run are going to run securely in the cloud. >>Alright and lives. There's a new project that I know. Ah, you know, you Aqua are participating in Tell us a little bit about Starbird. You know what's what's the problem? It's helping solve and you know where that budget >>Yes, So stockholders, one of our open source initiatives coming out of my team are equal on, and the idea is to take security reporting information and turn it into a kubernetes native, uh, resources custom resources. And then that means the security information, your current security status could be queried over the kubernetes AP I, as you're querying the status or the deployment, say you can also be clearing to see whether it's passing configuration audits or it's passing vulnerability scans for the application containers inside that deployment. So that information is available through the same AP eyes through the queue control interface through dashboards like Octane, which is a nice dashboard viewer for kubernetes. And starboard brings security information not just from acquittals but from other vendor tools as well front and center into that kubernetes experience. So I'm really excited about Star Border. It's gonna be a great way of getting security visibility, Teoh more kubernetes use it >>all right. And we were talking earlier about just the maturity of projects and how they get into the sandbox. Is is this still pretty sandbox for >>this? OK, we're still very much in the early phases and you know it. I think in the open source world, we have the ability to share what we're doing early so that we can get feedback. We can see how it resonates with with real users. We've had some great feedback from partners that we've worked with and some actual customers who actually collaborated with When we're going through the initial design, some great feedback. There's still lots of work to do. But, yeah, the initial feedback has been really positive. >>Yeah, is usually the event is one of those places where you can help try toe, recruit some other people that might have tools as well as educate customers about what's going on. So is that part of the call to action on this is, you know, what are you looking for for kind of the rest of 2020 when it when it comes to this project? >>Yeah, absolutely. So internally, we're working on an operator which will automate some of the work that's double does in the background in terms off getting more collaboration. We would love to see integrations from or security tooling. We're talking with some people across the community about the resource definition, so we've come up with some custom resource definitions, but we'd love them to be applicable it to a variety of different tools. So we want to get feedback on on those definitions of people are interested in collaborating on that absolutely do come and talk to me and my team are reluctant. >>Great. Listen, and I'll give you the final word. Obviously, we're getting the community together while we're part So you know any other you know, engagement opportunities, you get togethers. Things that you want people to know about the European show this year. >>Well, it's gonna be really you know, I'm on tenterhooks to see whether or not we can recreate the same atmosphere as we would have in Q con. I mean, it won't be exactly the same, but I really hope that people will engage online. Do come and, you know, ask questions of the speakers. Come and talk to the vendors, get into slack channels with the community. You know, this is an opportunity to pretend we're in the same room. Let's let's let's do what we can Teoh recreate as close as we can. That community experience that you keep corn is famous for >>Yeah, absolutely. That whole way track is something that is super challenging to recreate. And there's no way that I am getting the Indonesian food that I was so looking forward to in Amsterdam just such a great culinary and cultural city. So hopefully sometime in the future will be able to be back there. Liz Rice. Always pleasure catching up with you. Thanks so much for all the work you're doing on the TOC. And always a pleasure talking to you. >>Thanks for having me. >>All right, Lots more coverage from Cube Con Cloud, Native con the European 2020 show, Of course. Virtual I'm stew minimum. And thank you for watching the Cube. Yeah, yeah, yeah, yeah.

>> Live from Barcelona, Spain it's theCUBE. Covering KubeCon + CloudNativeCon Europe 2019. Brought to you by Red Hat, the Cloud Native Computing Foundation and ecosystem partners. >> Welcome back to theCUBE here in Barcelona, Spain at the Fira, it's KubeCon + CloudNativeCon 2019. I'm Stu Miniman and my co-hosts for two days of live wall-to-wall coverage is Corey Quinn. Joining us back, we have two CUBE alums, Liz Rice, right to my right here who is a Technology Evangelist with Aqua security. Liz, thank you so much welcome back. >> Pleasure to be here. >> And Jeff Brewer, Vice President and Chief Architect, Small Business & Self-Employed Group, of Intuit. A CUBE alum since a few hours ago this morning. >> Yes, yes, thank you. >> Jeff, welcome back. >> Thank you. >> So, we've got you back with a different hat. Everybody in our industry can definitely recognize we wear lots of different hats we have lots of jobs thrown at us. Both of you are in the Technical Oversight Committee and Liz is not only a member but also the Chairperson, President. (people laughing) >> President is definitely a promotion. But, yeah, I'm Chair of the committee. >> Maybe, as it's known, the TOC. Liz, before we get there, your shirt says +1 binding. You have to explain for us and did not get a preview before the interview, so we'll see where this goes. >> It's one of the perks of being on the TOC. When we have something that comes to a vote we want to get input from the community so we ask anyone in the community to vote. But unless you're a member of the TOC your vote is non-binding. As a member of the committee, we have binding votes. And the traditional thing you write on the voting email is +1 binding. So, it's a nice surprise to get a t-shirt when I joined the TOC. >> Very nice. Can you just give us, our audience, that might not be familiar with the TOC, give us some of the key things about it. >> It's the Technical Oversight Committee for the CNCF. We are, really, the technical curation of the projects that come in to the CNCF. Which projects will get support and at what level because we have the sandbox experimentation stage then incubation and then finally graduation for the really established and kind of, de-risked projects. So, we're really evaluating the projects and kind of making a decision collaboratively on which ones we want the CNCF to support. >> All right. So Jeff, we had a great conversation with you about Intuit's cloud journey. Tell us how you got involved in the TOC. We always love the end users, not just using but participating in and helping to give some governance over what the community is doing. >> Yeah, so, about a year and a half ago we made a decision to acquire a small company called Applatix. Who was, actually, already in the end user community. And also contributors as well. Through that acquisition, I was part of that acquisition, I led that acquisition from the Intuit side and really got excited about the Kubernetes and the KubeCon story overall. Through the Kubernetes experts, I met them at a KubeCon and they introduced me to a whole lot more of the community. Just through some overall partnerships with AWS and also spending a lot of time with end-users that's how I really got to know the community a little bit. And then, was voted onto the CNCF as an end user representative in January. >> Wonderful. As far as you're concerned, as you go through this, do you find it challenging at times to separate your roles professionally from working for a large company, to whom many things matter incredibly. Again, as mentioned earlier, I am one of your customers. I care very much about technical excellence, coming out of Intuit, versus your involvement with the larger project. >> Yeah, so like most people in technology companies I'm extremely busy and I would love to spend, I would love to clone myself and spend more (laughing) more time. >> Everybody wants to submit a client project to the TOC we will prioritize that one. >> Exactly, exactly. >> The way I really balance it is that I make an explicit time carve out for those two activities. And most importantly, I attend the meetings. The TOC meetings that we have, those are extremely important. We get a lot of project reviews in those meetings. Liz chairs those meetings. That's where I always make sure that my schedule is cleared for that. >> Taking it, I guess, one step further. Do you find it challenging at all to separate out, in fact, when you're making decisions and making votes, for example, that are presumably binding, +1 binding as we've learned now, is the terminology. Do you find that you are often pulled between trying to advocate for your company and advocating for the community or are they invariably aligned in your mind? >> I mean, my job's the easiest because I come from an end user. So what I use and what I consume is likely what the community at large. There might be some niches and stuff like that. But I usually don't have that conflict. I don't know, as more of a vendor, you might have more of a conflict. >> It's something that I have be conscious of. I just try to mentally separate. I have a role with a company that pays my salary but when I'm doing open-source things if I feel conflicted about. This hasn't really come up yet, but if I do feel that there's some kind of conflict of interest I will always recuse myself. Actually, in my previous role, as the Co-Chair for the Program Committee for the KubeCon and CloudNativeCon Conference, on a couple of occasions we had competitors submit, and I would always just step back from those. Because it's the right thing to do. >> All right. So Liz, there's quite a few projects now, under the umbrella of CNCF. If I've go it right, it was like, 38 different ones. When Brian went on the stage this morning, 16 in the sandbox, 16 incubating and six have graduated now. How do you manage that? You know, there's some in the community they're like, oh my gosh, reminds us of like, big tent, from some initiatives. Some other things here, how much is too much? How do you balance that and what's the input of the TOC? >> Yeah, so one of the things that we're doing with the TOC is we've just established a thing called the SIGs, the special interest groups. Very much following the same model of Kubernetes SIGs. But the idea here is that we can, kind of formalize getting experts in the community to help us with particular kind of areas. So, we've already got a storage and security SIG set up. We expect there will be probably four to six more coming on board during the year. And that helps us with things like the project reviews and the due diligence to just be able to say, we would really appreciate some help. Those groups are also really enthusiastic about kind of sharing knowledge in the form of things like white papers. I think it will be really important for end-users to be able to navigate their way around these projects. Quite often there is more than one solution for a particular thing. And being able to, in a non-vendor way, in a neutral way, express why project X is good in one circumstance and project Y would be better in a different environment. There's work to be done there and I'm hoping to see that come out. >> This is one of my passions as the end user representative, is that trail map or that road map. That's one of the reasons why we really have invested at Intuit, in the Kubernetes technology and the Cloud Native technology. We didn't just roll them out as is. We actually curate them and create, really, a paved road for our developers to navigate that space. >> Yeah, and as we heard from your story it's not always, well, if there's some overlap you use SDO and Hellman. >> Yeah. >> That there's a fit for both of those in your environment, right. >> Yeah. >> From a, I guess, an end user perspective is there a waiting difference between someone like Intuit and someone like Twitter for pets, where there's a slight revenue scale, a slight revenue difference, like scale difference, like everything difference. >> Yes. >> Certainly, there is. I think that, but that's one of the beautiful things about the Cloud Native technologies. You can consume what you need and what you want, right. It's not one size fits all. A lot of people talk about, oh, there's a paradox of choice, there's so many projects, right. Actually, that's a benefit. Really, all you need is that road map to navigate your way through that, rather than just adopting a paved road that might not work for everybody. >> It almost feels, to some extent, almost like the AWS Service Catalog. Whenever you wind up looking at all the things they offer. It feels like going out to eat at the Cheesecake Factory. Where there is 80 pages of menu to flip through with some advertisements, great. And reminding yourself, at time, that they are not Pokemon, you do not need to catch them all. It's, sometimes, a necessary step, as you start to contextualize this. >> That's one of the great things about having over 80 members in the end user is. You can find a buddy, you can find a company like you. Talk to them, get connected with them and figure out what they're doing and learn from them. The community is broad enough to be able to do that. >> All right, so Liz, let's talk about security. >> Okay. (people laughing) >> You said there's a SIG that started up. Where are we, how are things going and you can you share about where we're going in the near future? >> The SIG came together from a group of people who really wanted to make it easier for end-users to roll out their Cloud Native stacks in a secure fashion. We don't always, as a community, speak the same language about security, we don't always have the most secure settings by default. They really came together around this common interest of just making it easier for people to secure. I think a big part of that will be looking at how the different projects, are they applying best practices from a security perspective? Is there more they should do to document how to operate their particular project more securely? I think that whole initiative and that group of people who've come together for SIG security, I'm so impressed and so pleased that they have come together with that enthusiasm to help on that front. >> Any commentary on what you're seeing in this space? >> Yeah, so as an almost, a fintech company, with a lot of fintech and, you know, we're not quite a bank, but we have a lot of the same security and compliance things. That SIG is so, so important to us. And having a roadmap. I found a education is really, really a big part of it of the security experts, right. Because this is somewhat newer technology. Even though it's been in use at Google for a long time the regulator's, the compliance people, don't totally understand it, right. So you have to have a way to explain to them what's going on. So things like, open policy agent, something that we've adopted, helps us explain what's going on in our system. Once they get it, they're like, this is awesome and our end users can now, really, our end users, meaning the people that use QuickBooks and TurboTax can really trust that we have those guardrails in place. >> At Aqua, it's a huge concern from a lot of our customers. Many of whom, coming from that kind of finance industry. That they're coming to us and saying, well, how can I be PCI compliant or GDPR. How do I manage these requirements with my container based stack, with my Cloud Native stack. That's why there is this huge ecosystem quite a lot of effort around security, compliance, policy. >> It feels very much like it's two problems rolled into one. First, how do you make sure that data is secure in these things? Secondly, how do you effectively and responsibly communicate that to a regulator, who expects to be taken on a tour of a data center when they show up on site? (people laughing) I checked, they won't let you. >> There are definitely two sets of security people in my experience. There are a set of people who care about how will I get attacked. How will breaches happen. And there are other people who go, I have a checklist and I need to check the boxes in the checklist, tell me how. Sometimes those two things overlap, but not always. >> All right, Liz, lot of updates, as always. Jeff, I really appreciate your commentary there. Well, there's the paradox of choice but we have a lot of customers out there and therefore we do. (people chuckling) Any highlights you want to share with our audience? >> I think one thing that happens every year is we see more. Well, we saw Kubernetes graduate, I think, early last year, end of the previous year. Now we've got six projects into graduation. From my perspective, that says something about how mature this whole set of projects, this whole platform is becoming. Because graduation is a pretty high bar. Not least in terms of the number of end users that have to be using it in production. This is solid technology. >> Yeah, any highlights from you? >> I think, like we might have touched on a little bit this morning. But I think that usually the technologies that where you're facing the big problems is pretty obvious which one to use, right. Like serverless, you're going to go look at something like Knative or whatnot. Functions as a service. There's some open fast projects, whatnot, like that. SDO services mesh is another one where it's getting mature and it's getting to the point where you can have these ubiquitous service meshes throughout it. So, those are the areas that we're most looking at right now. >> Great, all right. Well, Liz and Jeff, thank you so much for joining us. Thanks for all the work you do on the Oversight Committee and appreciate you sharing the updates with our community. >> Thank you for having us. >> Thank you. >> For Cory Quinn, I'm Stu Miniman. We'll be back more, with theCUBE here at KubeCon + CloudNativeCon 2019. Thanks for watching. (upbeat music)

>> Live from Seattle, Washington it's theCUBE covering KubeCon and CloudNativeCom North America 2018. Brought to you by Red Hat the cloud-native computing foundation and its ecosystem partner. >> Welcome back everyone, it's theCUBE's live coverage here in Seattle of KubeCon and CloudNativeCon 2018. I'm John Furrier, with Stu Miniman, host of theCUBE. Three days of live coverage. Wall to wall, 8000 people here. Doubled from the previous event in North America, expanding globally, we are here with Liz Rice, technology analyst, evangelist at Aqua Security and program co-chair here at KubeCon, CloudNativeCon. Liz, thanks for joining us. >> Thank you for having me. >> I know you had a busy day, keynotes and all. A lot of activity, a lot of hand shaking, walking around, very crowded. >> It is, we're packed. We're absolutely at capacity here and the event sold out and it's busy. >> A lot of energy, real quick, I know you guys did a lot of work, you guys always do a great job, exceptional performance again. >> Thank you. >> CNCF does a great job on the content programming. It's about the open source communities. That's fundamental, a lot of end users, both participating and consuming. Vendor list is expanding. Putting the program together gets challenging when you have these kind of numbers. What were the themes? How did you put it all together? What was resonating? What's the focus? >> Yeah, it was so hard, we had so many applications that we could only accept 13%, which makes it almost impossible some of the decisions you have to make. And some of the things that were coming out, were like Knative, a lot of submissions around Knative. Serverless in general obviously being quite a hot topic, I would say across our industry. Really great talks from end users and we've seen a few on the keynote stage. Where some brands that we're all aware of, people like Airbnb, sharing their stories of what they've done to make their deployments, their cloud-native deployments, their use of kubernetes successful. So it's not just working from the ties, and doing some experiments, they are telling us how they've done this for real. >> You had a very successful KubeCon in Copenhagen. And so how did you integrate from Copenhagen to here. What were some of the inefficiencies? Obviously, the bigger numbers here. You recently had China the success where, we've reported on SiliconANGLE, the open source consumption and contribution is off the charts. It's huge, it's growing and it's a new dynamic. So between China, and Copenhagen, here, interesting things happening. >> China was phenomenal for me. It was my first trip to China, so it was eye-opening in all sorts of respects. And one of the really interesting things there was the use of machine learning. The uses of kube flow, real life examples. Again I think there is something about how much data they've been able to collect in China. But we heard some really great stories of, for example, electricity companies using machine learning on kubernetes to predict demand. It was fascinating. >> It's a lot of adoption. >> Yes. >> They are at the front end, they are a mobile culture. IOT is booming over there, it's just massive. >> Absolutely. >> Alright here in Seattle, obviously Seattle home of AWS, and I was just talking to some folks here locally in Seattle, just this morning, they said they think this is the biggest conference of the year here in Seattle. Which is really telling where you guys have come from. Interesting dynamic. A lot of new ecosystem partners. What's happening? It seems to be energy, the buzz. There's a subtext here that's buzzing around the hallways. What's the most important thing that people should be taking away from this event this year? >> I think the scale of it is coming from real adoption and businesses that are moving their applications into the cloud. Public cloud and hybrid cloud and finding success through doing that with cloud native components. You mentioned the end users who want to be part of the community, and they actually wanted to contribute to the community. You can look around the hall and see booths from, like Uber's over there. They're really contributing to this community. It's not just a bunch of enthusiasts, it's for real. >> Problems being solved, real company end users. >> So Liz, one of the things we've been looking at this is not a monolith here. You've actually got a whole lot of communities. As I've been wandering the floor, if I'm talking to people. We had Matt come on to talk about Envoy and they had their own conference at the beginning of the week and they had 250 people. As I'm wandering around, you talk to a number and it's like oh, I'm here all about Helm. You know there's different service meshes all over the place that everybody is talking about. >> Yeah another big theme. >> You're heavily focused on the security aspects there. I believe you've got a project that Aqua has been involved in. It was kube-hunter if I've got it. Maybe before you talk about kube-hunter, maybe just talk about balancing, this isn't one community, it's gotten really big. Do we need to break this into a micro-services space show? We'll have the core, but lots of other things and spread it out all over the world. >> Sure, it's a real challenge as this community is growing so fast and trying to keep the community feel. Balancing what the contributors want to do and making sure they're getting value and having the conversations they want, but also enabling the vendors, and the end users, and every constituent part to get something good out of this conference. It's a challenge as this gets bigger. There's no kind of, if this doubles again, will it feel the same? That's hard to imagine. So we got to think carefully about how-- >> We've seen that happen and it would not, even from last year to this year was a big change for a lot of people. >> For sure. >> So kube-hunter tell us about that. >> Yeah, kube-hunter, yes, kube-hunter is one of our open source projects at Aqua. It's basically penetration testing for kubernetes clusters, so it's written in Python. It attempts to make network requests looking for things like the open ports. It will tell you if you got some misconfigurations, 'cause a lot of the security issues with kubernetes can come about through poor configuration. And the other thing you can do, you can run it from externally to your cluster. You can also run it inside a pod inside your cluster and then that's simulating what might happen if an attacker got into your cluster, what could they do from there. They compromised a pod which could happen to a software vulnerability. Once they're in the pod, how vulnerable are you? What's the blast radius of that attack? And kube-hunter can help you see whether it's a complete disaster or actually fairly contained. >> Alright, Liz how are we doing from a security standpoint? We've watched the rise of containers over the last few years. And it's like okay wait do I need to put in some kind of lightweight VM? Do I do something there? What can I trust? What do I do? At AWS Reinvent a couple of weeks ago, there's the whole container marketplace. Feels like we are making progress but still plenty of work to do. >> Right, right, container security has lots of parts to it as you go through the life cycle of a container. Actually at AWS Reinvent, Aqua was recognized as having, I think they called it competency. Which I think it's a bit better than competency in container security. >> That's a complement I believe. >> Yeah, really complement, really competent. I think as community on the open source level, there are lots of good things happening. For example, the defaults in kubernetes have been getting better and better. If you are an enterprise, and particularly if you're a financial user, or a media company, or a government organization, you have much stronger requirements from a security perspective and that's where the open source tooling on its own may not be sufficient, and you may need to plug in commercial solutions like Aqua to really beef that up. And also to provide that end to end security right from when you're building your image through to the run time protection which is really powerful. >> Security has got to be built in from the beginning. Let me get your thoughts on end user traction and the huge demand for what end users are doing. I know you guys are seeing on the program side, the Linux foundation, CNC was talking about trying to get more case studies. We're seeing the end users prominent here. You mentioned Uber, Apple's here. A bunch of other companies, they're here. So end users are not only just contributing, they are also consuming. How are the new enterprises that are coming in consuming and interacting and engaging with kubernetes? Where are they on the IQ, if you will, level and what are they engaging on? Kubernetes has matured a bit and ready. It's been deployed, people using it. People gathering around it, but now people are starting to consume and deploy it at different scales. What's the end user uptake? What's the hot areas? What do you see the most people digging in? >> Great question, so I think we are seeing a lot of, particularly, I want to say like mature start-ups, so the Ubers and the Airbnbs and the Lyfts. They've got these massive scaled technology problems, and kubernetes is giving them, and the whole cloud-native community around it, it's giving them the ability to do these kind of custom things that they need to do. The kind of weird and wonderful things. They can add whatever adaptations they need, that maybe they wouldn't get if they were in a traditional architecture. So they're kind of the prominent voices that we are hearing right now. But at Aqua we are seeing some of these, maybe what you might call more traditional businesses like banks. They want to replicate that. They want to shape functionality really quickly. They are seeing challenges from upstart and they want to compete. So they know they've got to shift functionality quickly. They've got to do continuous deployment. Containers enable that. The whole cloud-native world enables that and that's where the adoption's from. >> They can take the blueprints from the people who built it from the ground up, the large scale startups, cloud-native in the beginning, and kind of apply the traditional IT kind of approach with the same tooling and the same platform. >> And we are seeing some interesting things around making that easier. So things like the CNAB, the cloud-native application bundling, that is coming out at Microsoft and Docker are involved in that. I think that's all to do with making it easier for enterprises to just go, yeah, this is the application I want to run it in the cloud. >> So let me ask you a question around the customer end users that we see coming onboard, because you have the upstream kind of community, the downstream benefits are impacting certainly IT and then developers, right? The classic developers, IT is starting to reimagine their infrastructure. All the goodness with cloud, and machine learning, and application is being redefined. It's changing the investment. So in 2019, what's your view on how companies are shaping their investment strategy to IT investment or technology investment strategies with cloud-native? Because this is a real trend that you just pointed out. Okay I'm a big company and I've used the old way and now I want the new way. So there's a lot of okay, instant start. Turn the key, does it run? There's a lot of managed services here, so the new persona of customer. How does that impact their investment, IT investments in your mind? What are you seeing please share any color commentary around that? >> I'm sure we're all aware that we're seeing shifts away from the traditional data center into public cloud which has implications around opex rather than capex. And I guess following on from that people worrying about whether vendor lock-in is a thing. Should they be just adopting in one public cloud or perhaps putting their eggs across different baskets? Should they be using these managed platforms? We have all these different distributions, we have these different managed solutions for kubernetes, there's a lot of choice out there. I think it's going to be interesting to see how that shapes out over the next few years. Are all these different distributions going to find a niche or how's that going to work? >> Matt Klein had a great observation. He was on earlier today from Lyft. He says look to solve a problem, use the tech to solve a problem, and then iterate, build on that. It's iteration mull of dev, ops. I think that's a good starting point. There's no magic silver bullet here. There's no magic answer, I think it's more of just get in there and get it going. The other question I have for you is 2019 prediction for kubernetes. What's going to happen this coming year? We're seeing this picture now, 8000 people, diverse audience. >> Yeah. >> What's the prediction 2019 for kubernetes? >> Oh, great question. I think maybe broader than just kubernetes, but the kind of cloud-native. Because kubernetes is like Janet said in her keynote this morning it's essentially boring. It kind of does what it's supposed to do now. I think what's going to be interesting is seeing those other pieces around it and above it, the improved developer experiences making it easier for companies to adopt. Maybe some of these choices around things like what service mesh you're going to use. How you're going to implement your observability. How you're going to deploy all this stuff without needing to hire 20 super detailed experts. We've got all the experts in this stuff. They're kind of here. The early adopters, great. Maybe that next wave, how are they going to be able to take advantage of this cloud-native? >> I think the programmability is key. Well great to have-- >> I think a big part of that is actually is going to be serverless. The ease of using serverless rather than the flexibility you get out of-- >> The millisecond latency around compute, yeah it's great. Well thanks for coming on, really appreciate it. Final question for you, what surprised you this year? Is there one thing that jumped out at you that you didn't expect? Good, bad or ugly? Great show here, it was packed. The waiting list was like 1500. What was the surprise this year from a program standpoint? >> I think actually the nicest surprise was the contribution of Phippy and all those lovely characters from Phippy Goes to the Zoo and those characters being donated by Microsoft, Matt Butcher and Karen Chu's work, was terrific. And it's just beautiful, just lovely. >> That's awesome, thanks so much Liz. Appreciate Liz right here. Program co-chair at KubeCon, CloudNativeCon, also technology evangelist at Aqua Security. That's her day job and her other job, she's running the content programming which is very huge here. Congratulations, I know it's tough work, a great job. >> Thank you very much. >> It's theCUBE coverage, breaking down all the action here at KubeCon and CloudNativeCon. I'm John Furrier and Stu Miniman, stay with us. Three days of wall-to-wall coverage. We're only on day two, we've got a whole nother day. A lot of great stories coming out of here and great content. Stay with us for more after this short break. (upbeat music)

>> Announcer: Live from Copenhagen, Denmark, it's theCUBE. Covering KubeCon and CloudNativeCon Europe 2018. Brought to you by the Cloud Native Computing Foundation and its ecosystem partners. >> Hello, everyone. Welcome back to theCUBE's exclusive coverage here in Copenhagen, Denmark for KubeCon 2018, part of the CNCF Cloud Native Compute Foundation, which is part of the Linux Foundation. I'm John Furrier, your host. We've got two great guests here, we've got Liz Rice, the co-chair of KubeCon and CloudNativeCon, kind of a dual naming because it's Kubernetes and it's Cloud Native and also technology evangelist at Aqua Security. She's co-chairing with Kelsey Hightower who will be on later today, and CUBE alumni as well, and Janet Kuo who is a software engineer at Google. Welcome to theCUBE, thanks for coming on. >> Yeah, thanks for inviting us. >> Super excited, we have a lot of energy even though we've got interviews all day and it's kind of, we're holding the line here. It's almost a celebration but also not a celebration because there's more work to do with Kubernetes. Just the growth of the CNCF continues to hit some interesting good performance KPIs on metrics. Growth's up on the membership, satisfaction is high, Kubernetes is being called a de facto standard. So by all kind of general qualitative metrics and quantitative, it's doing well. >> Lauren: It's doing great. >> But it's just the beginning. >> Yeah, yeah. I talked yesterday a little bit in, in the keynote, about project updates, about how Kubernetes has graduated. That's a real signal of maturity. It's a signal to the end-user companies out there that you know, the risk, nothing is ever risk-free, but you know, Kubernetes is here to stay. It's stable, it's got stable governance model, you know, it's not going away. >> John: It's working. >> It's going to continue to evolve and improve. But it's really working, and we've got end users, you know, not only happy and using it, they're prepared to come to this conference and share their stories, share their learnings, it's brilliant. >> Yeah, and Janet also, you know, you talk about China, we have announcement that, I don't know if it's formally announced, but Shanghai, is it out there now? >> Lauren: It is. >> Okay, so Shanghai in, I think November 14th, let me get the dates here, 14th and 15th in Shanghai, China. >> Janet: Yeah. >> Where it's going to be presented in either English or in Chinese, so it's going to be fully translated. Give us the update. >> Yeah, it will be fully translated, and we'll have a CFP coming soon, and people will be submitting their talks in English but they can choose to present either in English or Chinese. >> Can you help us get a CUBE host that can translate theCUBE for us? We need some, if you're out there watching, we need some hosts in China. But in all seriousness, this is a global framework, and this is again the theme of Cloud Native, you know. Being my age, I've seen the lift and shift IT world go from awesome greatness to consolidation to VMwares. I've seen the waves. But this is a different phenomenon with Cloud Native. Take a minute to share your perspectives on the global phenomenon of Cloud Native. It's a global platform, it's not just IT, it's a global platform, the cloud, and what that brings to the table for end users. >> I think for end users, if we're talking about consumers, it actually is, well what it's doing is allowing businesses to develop applications more quickly, to respond to their market needs more quickly. And end users are seeing that in more responsive applications, more responsive services, improved delivery of tech. >> And the businesses, too, have engineers on the front lines now. >> Absolutely, and there's a lot of work going on here, I think, to basically, we were talking earlier about making technology boring, you know, this Kubernetes level is really an abstraction that most application developers don't really need to know about. And making their experience easier, they can just write their code and it runs. >> So if it's invisible to the application developer, that's the success. >> That's a really helpful thing. They shouldn't have to worry about where their code is running. >> John: That's DevOps. >> Yeah, yeah. >> I think the container in Kubernetes technology or this Cloud Native technology that brings developer the ability to, you know, move fast and give them the agility to react to the business needs very quickly. And also users benefit from that and operators also, you know, can manage their applications much more easily. >> Yeah, when you have that abstraction layer, when you have that infrastructure as code, or even this new abstraction layer which is not just infrastructure, it's services, micro-services, growth has been phenomenal. You're bringing the application developer into an efficiency productivity mode where they're dictating the business model through software of the companies. So it's not just, "Hey build me something "and let's go sell it." They're on the front lines, writing the business logic of businesses and their customers. So you're seeing it's super important for them to have that ability to either double down or abandon quickly. This is what agile is. Now it's going from software to business. This, to me, I think is the highlight for me on this show. You see the dots connecting where the developers are truly in charge of actually being a business impact because they now have more capability. As you guys put this together and do the co-chair, do you and Kelsey, what do you guys do in the room, the secret room, you like, "Well let's do this on the content." I mean, 'cause there's so much to do. Take us through the process. >> So, a little bit of insight into how that whole process works. So we had well over 1,000 submissions, which, you know, there's no, I think there's like 150 slots, something like that. So that's a pretty small percentage that we can actually accept. We had an amazing program committee, I think there were around 60 people who reviewed, every individual reviewer looked at a subset. We didn't ask them to look at all thousand, that would be crazy. They scored them, that gave us a kind of first pass, like a sort of an ability to say, "Well, anything that was below average, "we can only take the top 15%, "so anything that's below average "is not going to make the cut." And then we could start looking at trying to balance, say, for example, there's been a lot of talk about were there too many Istio talks? Well, there were a lot of Istio talks because there were a lot of Istio submissions. And that says to us that the community wants to talk about Istio. >> And then number of stars, that's the number one project on the new list. I mean, Kubeflow and Istio are super hot. >> Yeah, yeah, Kubeflow's another great example, there are lots of submissions around it. We can't take them all but we can use the ratings and the advice from the program committee to try and assemble, you know, the best talks to try and bring different voices in, you know, we want to have subject matter experts and new voices. We want to have the big name companies and start-ups, we wanted to try and get a mix, you know. A diversity of opinion, really. >> And you're a membership organization so you have to balance the membership needs with the content program so, challenging with given the growth. I mean, I can only imagine. >> Yeah, so as program co-chairs, we actually have a really free hand over the content, so it's one of the really, I think, nice things about this conference. You know, sponsors do get to stand on stage and deliver their message, but they don't get to influence the actual program. The program is put together for the community, and by doing things like looking at the number of submissions, using those signals that the community want to talk about, I hope we can carry on giving the attendees that format. >> I would just say from an outsider perspective, I think that's something you want to preserve because if you look at the success of the CNCF, one thing I'm impressed by is they've really allowed a commercial environment to be fostered and enabled. But they didn't compromise the technical. >> Lauren: Yeah. >> And the content to me, content and technical tracks are super important because content, they all work together, right? So as long as there's no meddling, stay in your swim lane, whatever, whatever it is. Content is really important. >> Absolutely, yeah. >> Because that's the learning. >> Yeah, yeah. >> Okay, so what's on the cut list that you wish you could have put back on stage? Or is that too risque? You'll come back to that. >> Yeah. >> China, talk about China. Because obviously, we were super impressed last year when we went to go visit Alibaba just to the order of magnitude to the cultural mindset for their thinking around Cloud Native. And what I was most impressed with was Dr. Wong was talking about artistry. They just don't look at it as just technology, although they are nerdy and geeky like us in Silicon Valley. But they really were thinking about the artistry 'cause the app side of it has kind of a, not just design element to the user perspective. And they're very mobile-centric in China, so they're like, they were like, "This is what we want to do." So they were very advanced in my mind on this. Does that change the program in China vis a vis Seattle and here, is there any stark differences between Shanghai and Copenhagen and Seattle in terms of the program? Is there a certain focus? What's the insight into China? >> I think it's a little early to say 'cause we haven't yet opened the CFP. It'll be opening soon but I'm fully expecting that there will be, you know, some differences. I think the, you know, we're hoping to have speakers, a lot more speakers from China, from Asia, because it's local to them. So, like here, we tried to have a European flavor. You'll see a lot of innovators from Europe, like Spotify and the Financial Times, Monzo Bank. You know, they've all been able to share their stories with us. And I think we're hoping to get the same kind of thing in China, hear local stories as well. >> I mean that's a good call. I think conferences that do the rinse and repeat from North America and just slap it down in different regions aren't as effective as making it localized, in a way. >> Yeah. >> That's super important. >> I know that a lot of China companies, they are pretty invested pretty heavily into Kubernetes and Cloud Native technology and they are very innovative. So I actually joined a project in 2015 and I've been collaborating with a lot of Chinese contributors from China remotely on GitHub. For example, the contributors from Huawei and they've been invested a lot in this. >> And they have some contributors in the core. >> Yeah, so we are expecting to see submissions from those contributors and companies and users. >> Well, that's super exciting. We look forward to being there, and it should be excellent. We always have a fun time. The question that I want to ask you guys now, just to switch gears is, for the people watching who couldn't make it or might watch it on YouTube on Demand who didn't make the trip. What surprised you here? What's new, I'm asking, you have a view as the co-chair, you've seen it. But was there anything that surprised you, or did it go right? Nothing goes perfect. I mean, it's like my wedding, everything happens, didn't happen the way you planned it. There's always a surprise. Any wild cards, any x-factors, anything that stands out to you guys? >> So what I see from, so I attend, I think around five KubeCons. So from the first one it's only 550 people, only the small community, the contributors from Google and Red Hat and CoreOS and growing from now. We are growing from the inner circle to the outside circle, from the just contributors to also the users of it, like and also the ecosystem. Everyone that's building the technology around Cloud Native, and I see that growth and it's very surprising to me. We have a keynote yesterday from CERN and everyone is talking about their keynote, like they have I think 200 clusters, and that's amazing. And they said because of Kubernetes they can just focus on physics. >> Yeah, and that's a testimonial right there. >> Yeah. >> That was really good stories to hear, and I think maybe one of the things that surprises me, it sort of continues to surprise me is how collaborative, it's something about this kind of organization, this conference, this whole kind of movement, if you like. Where companies are coming in and sharing their learnings, and we've seen that, we've seen that a lot through the keynotes. And I think we see it on the conference floor, we see it in the hallway chat. And I think we see it in the way that the different SIGs and working groups and projects are all, kind of, collaborating on problem solving. And that's really exciting. >> That's why I was saying earlier in the beginning that there's a celebration amongst ourselves and the community. But also a realization that this is just the beginning, it's not a, it's kind of like when you get venture funding if you're a start-up. That's really when it begins, you don't celebrate, but you take a little bit of a pause. Now my personal take only to all of the hundreds of events we do a year is that I that think this community here has fought the hard DevOps battle. If you go back to 2008 timeframe, and '08, '09, '10, '11, '12, those years were, those were hyper scale years. Look at Google, Facebook, all the original DevOps engineers, they were eating glass and spitting nails. It was hard work. And it was really build your own, a lot of engineering, not just software development. So I think this, kind of like, camaraderie amongst the DevOps community saying, "Look, this is a really big "step up function with Kubernetes." Everyone's had some scar tissue. >> Yeah, I think a lot of people have learned from previous, you know, even other open source projects that they've worked on. And you see some of the amazing work that goes into the kind of, like, community governance side. The things that, you know, Paris Pittman does around contributor experience. It's so good to see people who are experts in helping developers engage, helping engineers engage, really getting to play that role. >> There's a lot of common experiences for people who have never met each other because there's people who have seen the hard work pay with scale and leverage and benefits. They see it, this is amazing. We had Sheryl from Google on saying, "When I left Google and I went out into the real world, "I was like, oh my God, "they don't actually use Borg," like, what? "What do they, how do they actually write software?" I mean, so she's a fish out of water and that, it's like, so again I think there's a lot of commonality, and it's a super great opportunity and a great community and you guys have done a great job, CNCF. And we hope to nurture that, the principles, and looking forward to China. Thanks for coming on theCUBE, we appreciate it. >> Yeah. >> Okay we're here at CNCF's KubeCon 2018, I'm John Furrier, more live coverage. Stay with us, day two of two days of CUBE coverage. Go to thecube.net, siliconangle.com for all the coverage. We'll be back, stay with us after this short break.

>> Announcer: Live from Orlando, Florida it's the CUBE, covering Grace Hopper's Celebration of Women in Computing, brought to you by SiliconANGLE Media. >> Welcome back to theCUBE's coverage of the Grace Hopper Conference here in Orlando, Florida. I'm your host, Rebecca Knight. We're joined by Pamela Rice. She is the Head of Technology, Strategy, and Innovation Labs Engineering at Capital One. So, thanks so much for joining us. >> Absolutely, it's good to be here. It's really good. >> So, you're only been at Capital One for nine months. >> That's right. >> You're new to the job, new to the company. Tell our viewers a little bit about why you chose Capital One and what your first experiences were. >> Yeah, absolutely. So, I'm leading technology, strategy, and innovation, and what that means is looking at how we can use emerging technologies to set our course for really creating better and different changing products for our customers. We know that customers' expectations are changing drastically and technology is really rapidly accelerating. So, using things like IOT, machine-learning, streaming data, these are all ways we can connect with our customers better. It's funny, when I first walked in the Capital One doors to interview nine months back, they had been talking to me for some time and I'm like, Okay, I'll talk to you. I didn't have high expectations-- >> Because it's a-- >> It's a bank! >> You thought it was a buttoned up kind of-- >> I had been part of Fintech and startups and I'm like, rapid, let's change the world kind of thing, and I walked into the building in Richmond, and I asked a person, 'cause I could immediately see that teams were working on things together, there was a sense of real purpose and energy. Like you could feel the energy in the walls. They were using buzzwords like machine-learning, and I was like, wait a minute. I must have gone to the wrong place. I went back to the front desk and I'm like, "Is this Capital One?" I really did that, because it felt like a tech company. The walls were bright and shiny and people were running around, and it was a little bit of a hectic pace to it. I just thought immediately, there's something to this place that looks different than my expectations of a bank were. >> What is Capital One doing right in the sense of bringing this technology buzz into a financial institution? >> I think that it's safe to say that, to Capital One, really understands that customer expectations are changing so fast, and technology is changing so fast, that they have to invest heavily in technology to really reach their customers and go where their customers are going to want to go. So, part of my job is looking at strategy. Where do we think technology is going to go and how do we make big bets now so that we can meet our customer needs in the future? I think one of the things that holds true for me is that our internal moral compass, our fiber, our DNA, comes out when we talk about how we get there. We want to get there together with diverse teams, and that's why it's so important for us to be here. Because, the way we build products is the way that we will connect with our customers, and we want our customers, all of our customers, to feel connected to our products, not just one segment of the community. >> So, talk to me a little bit about the process of designing a new product for your customers, with that diverse team behind it. >> It's funny, because in the old waterfall ways, an idea would be born in some boardroom or some shadow room, and then all a sudden, engineers would get a speck on their plate that would say, hey, go build this. Then, oftentimes, they were so disconnected from the customers. We've taken that and pivoted it totally around, so that we have whole teams that are filled with designers, with design thinking, with product, with engineering, and they can connect with the customers in a way that really optimized towards getting a product out to market faster. By the way, that tight life cycle from the time an idea is born to the time you can get something in customers' hands, that needs to shorten as well, so that you can focus on innovation. If your day-to-day activities takes you months, if not years, to get out to market, you have no time for innovation. So, part of my job also is optimizing how we get things out to market faster and in a streamlined way, and empower that team to connect with the customers better. >> And see what the customers like and what they don't like, and then iterate. >> Exactly. >> What are some of the most exciting things you're working on now? >> Well, it's hard to say that there's just one thing. We have so many really big milestones underway. It's no secret that we have a heavy migration to the cloud. We were one of the first financial institutions that really doubled down and said we're all in, we're going there. In fact, I think there's going to be more and more financial institutions that start going there, because it's such a time-saving. If I don't have to worry about all these racks and all this hardware, I spend more time connecting with the customers. Again, operational efficiency in connecting with your customers. We have a high dev-ops mindset, meaning we disconnect that bridge from engineer to throwing something over the wall, and we combine the team that has everything it takes to get something out to the customer, and then fix something if something goes bump in the night. We also have a high culture, that is we have a goal of getting into microservices more. So, instead of these big monolithic applications, really focusing on these small, microelements that have functionality that is enabled to the customer so we get things out the door faster. >> So, when you talk about diverse teams, and you're talking about a lot of cross-functional teams, so you've got teams with engineers and designers on them, working together. But, you're also talking about racial diversity and gender diversity. So, how do you make that happen? >> It's a tough problem. I've been asked a lot of questions about how do you have diversity programs that actually work, and I will say it is not just one program. When you're focusing on diversity, you can't just think about it from a program perspective. You have to think about it at your DNA level. Like every conversation, every way that you think about who should be promoted or who should get an opportunity, or economic parity, all of these things you should be questioning, am I thinking about this through a diversity lens? So, even in conversations I have with my team where somebody should be bring up something as innocuous as man-hours, I correct them. I say, it's not man-hours. These are people-hours. So, even if you can have those small hints, you need a program, absolutely. But, you need diversity included in every conversation you have, whether it is about who's going to get promoted, who's going to get a bonus, or how we talk about people and where they spend their time. >> As a woman engineer- I hate saying a woman eng- You're an engineer! You're a human being engineer. But, you also are a role model to the younger women here at Grace Hopper. What is your best advice for them, if they want to have a career as an engineer? >> It was funny, yesterday I was on a panel. Over 700 people came. I was just so honored to be part of that experience. My role in technology and being an executive now in technology really has shifted quite a bit. I feel like it's my job to give back to the community. There's nothing more empowering for me personally than to see somebody helped by words of advice or being connected to somebody else. I think that my biggest words of advice are really to know that you deserve it, know that you deserve this career, know that you deserve to dream big. You deserve a loud voice. You deserve a seat at the table. You deserve the whole table. You deserve whatever you want to dream and if you have voices in your head or external voices that are telling you you can't have it, quiet those voices and believe in yourself. Because, there's nothing more powerful than believing in yourself. We are all here believing in you, because these engineers deserve it. I would just tell them to believe that. >> That's great advice. >> Thank you. >> Well, Pamela, thanks so much for being on our show. It's been really fun talking to you. >> Thank you so much. >> We will have more from Orlando and the Grace Hopper Conference just after this. (light, electronic music)

>> Announcer: Live from San Francisco, it's the Cube. Covering Informatica World 2017, brought to you by Informatica. >> Okay, welcome back, everyone. We're here live in San Francisco for Informatica World 2017. This is the Cube, a flagship program. We go out to the events and extract the signal from the noise. I'm John Furrier, the host of the Cube. Our next guess is Lima Rice, who's the chief data officer Global Enterprise Data Analytics for Allegis Group. Salema, welcome to the Cube. >> Thank you. >> So you won the Informatica Innovation Award Monday night. Congratulations. >> Salema: Thank you. >> You're also a chief data officer, so we love to have conversations with because really, what does that mean? (laughing) You're the chief of everything now. Data's at the center, you're like the heart surgeon of the organization. What was the award for? Tell us a little bit about Allegis Group. >> Sure. So the award was really about how we're innovating with data. So for us, it's really about using data as an asset and how we really want to transform our company the way that we transformed the industry almost 30 years ago. So we've really partnered with Informatica to build out our Master Data Management, data as a service, data quality, everything that would help us to find the right person for the right position at the right time. >> Talk about what you guys do at Allegis Group and how it fits into your parent company. A lot of folks, you guys are very large, but tell us a little bit about your firm. >> Sure. So Allegis Group is the largest talent solution company in the world, largest privately held one. We have almost 450,000 contract employees worldwide. We have over 500 offices in 53 countries that we service. Our two flagship companies are Tech Systems and Aerotech, which make up probably a little over 75% of our organization. >> So you guys match talent that's in your network with opportunities that they are fit for. >> That's correct, for most of the operating. For Tech Systems and Aerotech, which makes up that large portion, that's exactly what they do. Then we have service organizations and we have managed service programs and vendor management solutions and other operating companies that service other types of industries. >> You mentioned as we were getting started that you use data as a competitive strategy weapon, if you will, key asset. >> Absolutely. >> I kind of weaved in competitive strategy. If you're doing well, it's also competitive strategy. >> Right. >> If you're successful. That's the key conversation here at Informatica World this year and in the industry worldwide as they look at the assets differently. It's not just an accounting thing. Most CFOs know where the plant and equipment are, the depreciation schedule, itemization schedule, all that stuff is kind of like in Financial 101. Data now is coming in as an asset where sometimes they don't even know where the data is, that's one problem. How are you looking at that? Because take us through what that means to make data as the asset, and how do you wrangle it in, how do you get your hands on it so to speak, metaphorically speaking, and then, also, how do you deploy it as an asset? How does it get paid back to the company? >> So that's a lot of questions in there. I'll start with, we believe that being able to ingest any data from anywhere in any format and use that in order to enable our producers which are our recruiters and our account managers to make better, faster decisions and really reduce our risk is a way that we can help produce and make quality, fact-based decisioning. So it all starts with great quality data. When you think about the journey that somebody goes through of getting a job, there's probably not, maybe two other times in your life that are more traumatic, right? So, birth, death, and you know? >> John: I know. >> Getting married, maybe? >> John: That too. >> And changing careers, right? So we try to use data and we try to make the best out of each situation so that people feel like they're really becoming part of our Allegis family and not just taking a job. >> Or a piece, a resume that's on file so to speak. >> Salema: That's right. >> Take us through an example of a use case that someone could relate to with you guys or applying data and the benefit to you guys and your customer. >> So at any given time, we have roughly 55 million resumes that we're parsing through and trying to identify and make the perfect search and match for our customers. And that's really the core part of our business. >> 55 million. >> 55 million resumes. (chuckling) So within that search and match process, it's really important that my team help enable that search and match team with good quality data so that, when you think about, if you have bad data, you're going to make bad decision matching rules. And so the better quality the data, the better we can help that team. >> I mean, everyone's had an experience where they've gotten an email or something where you can see some sort of form was inserted Dear Placeholder, my name, they didn't insert my name. That's just a random example, but that's the kind of example where it's not personalized. It's not a fit for me. I'm like, hey, I'm a machine, you're talking to me, I'm a person, I instantly delete it if it's not already in my spam folder. >> Right. >> Similarly with your, it's a high touch and again, it's intimate-- >> Very much so. >> Very intimate to the user. How will you guys doing that personalization and what's the data angle on that? >> That's very important to us, actually. So when our founders created the company almost 30 years ago, they made three promises. They made a promise to the customer that they would work harder than any other vendor ever worked for them. They wouldn't stop until they filled that rack. To the consultants coming in, they made a promise that they'd never just sling their resumes. That they would get to know them intimately. They would find out their likes, their dislikes, what are things that they want to do to make a life? And then to the people working in-house, they promised that if you would work harder than you ever thought was possible, the company would pour into them and those three things are still the core value of what we do today. So while our competition looks very different today than it used to, I mean, for probably 20 years our competition looked exactly like us. The same model, the same comp model, everything. Until about four years ago, and we started seeing competition that had no brick and mortar, that has no recruiters. We have 25,000 recruiters, we have 500 offices. >> Where was the competition going? All online automated? >> They're going algorithm, so they're going bionic recruitment. The thing for us is that that relationship is what really sets us apart. The relationship means that much to us that we want to use data to enable our recruiters and enable our producers so that they can become more talented advisors and career coaches. >> You know, there's two things that jump in my head. One is, you don't want to be a slave to the algorithm. >> That's right. >> Or slave to process, you want the process to work for you. >> Absolutely. >> The second one is, we always talk about the start-up community and growing companies is that you always hear people, "Oh, he and she is a good fit." You know, being a good fit for a job really is key because you could be in a job and be unhappy and no one wins. >> That's right. >> So getting the fit is critical. So you guys are using humans with machines-- >> That's right. >> Together so you're making the data work for the human process which is a hybrid. >> That's right. We look at it as we use data to have a competitive advantage by empowering our producers and really using that combination of human touch and technology to deliver the best customer experience. >> Okay, talk about the marketplace. As you look back, and you notice your Informatica customer, we'll get to that in a second, but there's a lot of solutions out there. People are peddling software. You got to be kind of a skeptic, but you don't want to miss the wave. >> Salema: That's right. >> The data wave, that that's something you obviously as a Chief Data Officer. So you got to squint through the BS of the fog or the smokescreens that are out there. How do you tell, well first of all, what is the current landscape from your perspective? What's the right solutions that you see emerging out of this new modern era of data at the center? With software, with algorithms, and obviously mixed with humans. What's the big industry trend that you like, and what don't you like? >> Yeah, I love what Informatica's doing. I love that they're combining the best of artificial intelligence and machine learning into every application that they create. That's really critical to us, and I think to every company is we always say as we're teaching our children, if you learn from your own mistakes, you'll be smart. But if you can learn from the mistakes of others, you're going to be a genius. Well, when we make mistakes, if our applications can learn from them, but what if those applications can learn from all the customers and from the information that they're putting in? So Informatica embedding AI with Claire now, I think is genius. I think that it's going to set them apart and really set their customers apart. So that's why we like partnering with them. >> You mentioned data quality. It's one of my favorite topics, and I always talk about dirty data, it's bad for you. Clean data, good data, is really instrumental. >> Salema: That's right. >> How are you guys refreshing the data? Someone from Informatica was on, talking about heartbeat of data as the, but also that implies the heart is a critical organ so you need a surgeon for that, heart surgery. But sometimes, data hygiene. You need a data hygienist. So there's a spectrum of data interaction points. What's your thoughts on data quality? What are the key things you keep on top of to keep the data high quality? >> It's really important to us. We use, so if you think about one of the things that makes a great match for somebody, it's about the proximity to your position. So making sure that the addresses are clean. We use Informatica's data as a service. And we do all world geo lat long, and we do Address Doctor and address verification. Email verification is big in our business. Phone number cleansing, and then just overall making sure that we have a single golden record. If you think about somebody like me, I started with the company in 1998 as a consultant. So being out there as a consultant for 23 years and then coming in-house, all of my data from my maiden name still exists in our systems. So really, it's about not just cleansing good to bad, but making sure that you're creating that golden record of a person so somebody on LinkedIn might just put their first initial or on any third party system and knowing that those are all still the same person and making sure that we're connecting the right people is really important to us. >> You bring up such good points I don't even think about. Most people don't think about. But one of the most satisfying things about a job is the commute. I live in the Bay Area here. (laughing) If I'm in East Bay and I've got to go to Palo Alto, that's a nightmare. But that depends on the opportunity, right? So that's a blend. And the other one is the role of new data. So you mentioned LinkedIn. So LinkedIn seems to be a contextual resume, and in short term social network, which they're doing a decent job with. But that's more data. Reputation's super important in the world you're in. >> That's right, right. >> How are you guys looking at that? Because I can see how you guys got the blend of machines and humans, that's nice. Business philosophy's awesome. How do you guys get more reputation data points, too? Look for those blind spots. >> Sure. Well one of the things we do is by taking the person's information. One of the things that I think sets us apart from our competition is that we actually have the actuals. So if somebody, how they performed, how long they performed on a position for a lot of our consultants, that's information that we've had in our systems for 20, 30 years. So having the actual data to compare against what people are saying now makes a big difference. It's something our competition can't go out and buy. >> Yeah, it's interesting. It's just so interesting a world you're in. You're like in the cross hairs of a lot of moving waves. Look at the HR world is changing significantly from the world I live in in tech, for instance, has been a big thing and making sure people are being promoted. And the old way of doing HR is like, processes are kind of broken but the tools are available. So there's a whole dynamic going on in the future of work that's overlaying on top of your job. How are you dealing with that? >> It's very difficult. We use a lot of natural language processing and machine learning algorithms to really look at people and almost in some ways predict their level of thought leadership. So it's not enough any more to say, "I have those skills." It's can they do more than the skill we're hiring for and are they really going to be able to come in here and be that curious person, that problem solver, right? We can teach people tools. How do you teach somebody to be a problem solver? >> I can almost imagine Claire and some of these automated intelligences, I call it AIs. To me, it's automated intelligence. AIs don't really exist, I mean Google's probably about. Neural networks that teach neural networks, c'mon. >> Salema: Right. >> That's 1980s. But the augmentation is the key, and you think about what you're doing is you almost want the system to be working for the user. So instead of HR, you flip it around. So the HR should be notified that, "Hey, Salema needs a promotion right now. "She's peaked, she's been growing." Now new openings are coming up. Rather than trying to have the review, have the end user fill out their performances, having an ongoing performance track is probably pretty key. >> Yeah, it's something that we look at in our applicant tracking systems and how we keep track of the people that are out there working for our clients and the feedback that we get. Survey information is really important to us, both from our customers and from our consultants. So we use that to help them grow, and I mentioned earlier, one of the things that we tried really hard is coming to work for Allegis is about coming to work for a family where you're not just making a living, but you're making a life. >> Alright, final question, well, two final questions. But I'll get your thoughts on the show, that's a little bit of an easier question. The pointed question here, relative to what you're doing is, the world now with Cloud and data is about scale. And one of the things that's interesting about what you guys are doing at your work is it's pretty large scale. You mentioned 55 million people and beyond that. A lot of folks have to operate now at a higher level of scale. >> Yeah. >> What's your advice to other practitioners out there that have to start thinking differently in terms of order of magnitude scale. Just mindset, what advice would you share with folks on the scale question? >> I would say collect the data. Collect all the data you create as an organization. Collect everything, and then over time, connect it. Connect the dot. I often say collect it and we'll connect it. And I think that start small, right? I mean, when you don't want to boil the ocean, but collecting the data with the tools that we have today with the big data appliances, we use Cloudera, Informatica, by bringing all of that data into our enterprise data hub, then as those business problems exist and we can slowly start to help the organization by being those problem solvers. >> Awesome, great success story. Final question, word for you is, what's the show like? For the folks watching? What's the experience like, what's the vibe? >> Salema: At Informatica World? >> Informatica World here in San Francisco? >> It's been amazing. It's full of energy like the opening yesterday had my heart racing. It's really been a great event. It's a lot smaller than some of the ones that I think people are accustomed to coming to. And because of that, you get more of that personal touch. The classrooms aren't so big that you can't do a question and answers. >> John: It's very intimate. You get to meet the executives, they're very transparent. >> Yeah, absolutely. And really just see where it's going. And this isn't the kind of thing where you're seeing something that's going to be here years from now. You're seeing what's going to be released weeks from now. >> You're happy with Informatica? They've done a good job with the product? >> Absolutely. I love Informatica. I love our partnership with them. I mentioned for me, it's about, they have a seat at our table, and they help us solve problems and things where we didn't think they were possible, and they really help us identify what those things are and how we can resolve them. >> What do you think about their transformation? >> I love it. I absolutely love it. I love all of the buzz words around here, and I even love the new logo. I think it's great, it's full of energy. >> John: Salema Rice, thanks so much for spending the time here. >> Absolutely. >> Inside the Cube, sharing her experiences as an industry practitioner also large scale. Really using data as an asset, that is the theme here. And of course, we believe at the Cube. We're very data-driven as well, software-defined. And that's the future. Salema, thank you so much, it's the Cube. More live coverage here in San Francisco with the Cube after this short break. I'm John Furrier, stay with us.

>> Hey everyone. Welcome back to theCUBE's coverage day two of CloudNative Security CON 23. Lisa Martin here in studio in Palo Alto with John Furrier. John, we've had some great conversations. I've had a global event. This was a global event. We had Germany on yesterday. We had the Boston Studio. We had folks on the ground in Seattle. Lot of great conversations, a lot of great momentum at this event. What is your number one takeaway with this inaugural event? >> Well, first of all, our coverage with our CUBE alumni experts coming in remotely this remote event for us, I think this event as an inaugural event stood out because one, it was done very carefully and methodically from the CNCF. I think they didn't want to overplay their hand relative to breaking out from CUBE CON So Kubernetes success and CloudNative development has been such a success and that event and ecosystem is booming, right? So that's the big story is they have the breakout event and the question was, was it a good call? Was it successful? Was it going to, would the dog hunt as they say, in this case, I think the big takeaway is that it was successful by all measures. One, people enthusiastic and confident that this has the ability to stand on its own and still contribute without taking away from the benefits and growth of Kubernetes CUBE CON and CloudNative console. So that was the key. Hallway conversations, the sessions all curated and developed properly to be different and focused for that reason. So I think the big takeaway is that the CNCF did a good job on how they rolled this out. Again, it was very intimate event small reminds me of first CUBE CON in Seattle, kind of let's test it out. Let's see how it goes. Again, clearly it was people successful and they understood why they're doing it. And as we commented out in our earlier segments this is not something new. Amazon Web Services has re:Invent and re:Inforce So a lot of parallels there. I see there. So I think good call. CNCF did the right thing. I think this has legs. And then as Dave pointed out, Dave Vellante, on our last keynote analysis was the business model of the hackers is better than the business model of the industry. They're making more money, it costs less so, you know, they're playing offense and the industry playing defense. That has to change. And as Dave pointed out we have to make the cost of hacking and breaches and cybersecurity higher so that the business model crashes. And I think that's the strategic imperative. So I think the combination of the realities of the market globally and open source has to go faster. It's good to kind of decouple and be highly cohesive in the focus. So to me that's the big takeaway. And then the other one is, is that there's a lot more security problems still unresolved. The emphasis on developers productivity is at risk here, if not solved. You saw supply chain software, again, front and center and then down in the weeds outside of Kubernetes, things like BIND and DNS were brought up. You're seeing the Linux kernel. Really important things got to be paid attention to. So I think very good call, very good focus. >> I would love if for us to be able to, as the months go on talk to some of the practitioners that actually got to attend. There were 72 sessions, that's a lot of content for a small event. Obviously to your point, very well curated. We did hear from some folks yesterday who were just excited to get the community back together in person. To your point, having this dedicated focus on CloudNativesecurity is incredibly important. You talked about, you know, the offense defense, the fact that right now the industry needs to be able to pivot from being on defense to being on offense. This is a challenging thing because it is so lucrative for hackers. But this seems to be from what we've heard in the last couple days, the right community with the right focus to be able to make that pivot. >> Yeah, and I think if you look at the success of Kubernetes, 'cause again we were there at theCUBE first one CUBE CON, the end user stories really drove end user participation. Drove the birth of Kubernetes. Left some of these CloudNative early adopters early pioneers that were using cloud hyperscale really set the table for CloudNative CON. I think you're seeing that here with this CloudNative SecurityCON where I think we're see a lot more end user stories because of the security, the hairs on fire as we heard from Madrona Ventures, you know, as they as an investor you have a lot of use cases out there where customers are leaning in with getting the rolling up their sleeves, working with open source. This has to be the driver. So I'm expecting to see the next level of SecurityCON to be end user focused. Much more than vendor focused. Where CUBECON was very end user focused and then attracted all the vendors in that grew the industry. I expect the similar pattern here where end user action will be very high at the beginning and that will essentially be the rising tide for the vendors to be then participating. So I expect almost a similar trajectory to CUBECON. >> That's a good path that it needs to all be about all the end users. One of the things I'm curious if what you heard was what are some of the key factors that are going to move CloudNative Security forward? What did you hear the last two days? >> I heard that there's a lot of security problems and no one wants to kind of brag about this but there's a lot of under the hood stuff that needs to get taken care of. So if automation scales, and we heard that from one of the startups we've just interviewed. If automation and scale continues to happen and with the business model of the hackers still booming, security has to be refactored quickly and there's going to be an opportunity structurally to use the cloud for that. So I think it's a good opportunity now to get dedicated focus on fixing things like the DNS stuff old school under the hood, plumbing, networking protocols. You're going to start to see this super cloud-like environment emerge where data's involved, everything's happening and so security has to be re imagined. And I think there's a do over opportunity for the security industry with CloudNative driving that. And I think this is the big thing that I see as an opportunity to, from a story standpoint from a coverage standpoint is that it's a do-over for security. >> One of the things that we heard yesterday is that there's a lot of it, it's a pretty high percentage of organizations that either don't have a SOCK or have a very primitive SOCK. Which kind of surprised me that at this day and age the risks are there. We talked about that today's focus and the keynote was a lot about the software supply chain and what's going on there. What did you hear in terms of the appetite for organizations through the voice of the practitioner to say, you know what guys, we got to get going because there's going to be the hackers are they're here. >> I didn't hear much about that in the coverage 'cause we weren't in the hallways. But from reading the tea leaves and talking to the folks on the ground, I think there's an implied like there's an unlimited money from customers. So it's a very robust from the data infrastructure stack building we cover with the angel investor Kane you're seeing data infrastructure's going to be part of the solution here 'cause data and security go hand in hand. So everyone's got basically checkbook wide open everyone wants to have the answer. And we commented that the co-founder of Palo Alto you had on our coverage yesterday was saying that you know, there's no real platform, there's a lot of tools out there. People will buy anything. So there's still a huge appetite and spend in security but the answer's not going to more tool sprawling. It's going to more platform auto, something that enables automation, fix some of the underlying mechanisms involved and fix it fast. So to me I think it's going to be a robust monetary opportunity because of the demand on the business side. So I don't see that changing at all and I think it's going to accelerate. >> It's a great point in terms of the demand for the business side because as we know as we said yesterday, the next Log4j is out there. It's not a matter of if this happens again it's when, it's the extent, it's how frequent we know that. So organizations all the way up to the board have to be concerned about brand reputation. Nobody wants to be the next big headline in terms of breaches and customer data being given to hackers and hackers making all this money on that. That has to go all the way up to the board and there needs to be alignment between the board and the executives at the organization in terms of how they're going to deal with security, and now. This is not a conversation that can wait. Yeah, I mean I think the five C's we talked about yesterday the culture of companies, the cloud is an enabler, you've got clusters of servers and capabilities, Kubernetes clusters, you've got code and you've got all kinds of, you know, things going on there. Each one has elements that are at risk for hacking, right? So that to me is something that's super important. I think that's why the focus on security's different and important, but it's not going to fork the main event. So that's why I think the spin out was, spinout, or the new event is a good call by the CNCF. >> One of the things today that struck me they're talking a lot about software supply chain and that's been in the headlines for quite a while now. And a stat that was shared this morning during the keynote just blew my brains that there was a 742% increase in the software supply chain attacks occurring over the last three years. It's during Covid times, that is a massive increase. The threat landscape is just growing so amorphously but organizations need to help dial that down because their success and the health of the individuals and the end users is at risk. Well, Covid is an environment where everyone's kind of working at home. So there was some disruption to infrastructure. Also, when you have change like that, there's opportunities for hackers, they'll arbitrage that big time. But I think general the landscape is changing. There's no perimeter anymore. It's CloudNative, this is where it is and people who are moving from old IT to CloudNative, they're at risk. That's why there's tons of ransomware. That's why there's tons of risk. There's just hygiene, from hygiene to architecture and like Nick said from Palo Alto, the co-founder, there's not a lot of architecture in security. So yeah, people have bulked up their security teams but you're going to start to see much more holistic thinking around redoing security. I think that's the opportunity to propel CloudNative, and I think you'll see a lot more coming out of this. >> Did you hear any specific information on some of the CloudNative projects going on that really excite you in terms of these are the right people going after the right challenges to solve in the right direction? >> Well I saw the sessions and what jumped out to me at the sessions was it's a lot of extensions of what we heard at CUBECON and I think what they want to do is take out the big items and break 'em out in security. Kubescape was one we just covered. They want to get more sandbox type stuff into the security side that's very security focused but also plays well with CUBECON. So we'll hear more about how this plays out when we're in Amsterdam coming up in April for CUBECON to hear how that ecosystem, because I think it'll be kind of a relief to kind of decouple security 'cause that gives more focus to the stakeholders in CUBECON. There's a lot of issues going on there and you know service meshes and whatnot. So it's a lot of good stuff happening. >> A lot of good stuff happening. One of the things that'll be great about CUBECON is that we always get the voice of the customer. We get vendors coming on with the voice of the customer talking about and you know in that case how they're using Kubernetes to drive the business forward. But it'll be great to be able to pull in some of the security conversations that spin out of CloudNative Security CON to understand how those end users are embracing the technology. You brought up I think Nir Zuk from Palo Alto Networks, one of the themes there when Dave and I did their Ignite event in December was, of 22, was really consolidation. There are so many tools out there that organizations have to wrap their heads around and they need to be able to have the right enablement content which this event probably delivered to figure out how do we consolidate security tools effectively, efficiently in a way that helps dial down our risk profile because the risks just seem to keep growing. >> Yeah, and I love the technical nature of all that and I think this is going to be the continued focus. Chris Aniszczyk who's the CTO listed like E and BPF we covered with Liz Rice is one of the most three important points of the conference and it's just, it's very nerdy and that's what's needed. I mean it's technical. And again, there's no real standards bodies anymore. The old days developers I think are super important to be the arbiters here. And again, what I love about the CNCF is that they're developer focused and we heard developer first even in security. So you know, this is a sea change and I think, you know, developers' choice will be the standards bodies. >> Lisa: Yeah, yeah. >> They decide the future. >> Yeah. >> And I think having the sandboxing and bringing this out will hopefully accelerate more developer choice and self-service. >> You've been talking about kind of putting the developers in the driver's seat as really being the key decision makers for a while. Did you hear information over the last couple of days that validates that? >> Yeah, absolutely. It's clearly the fact that they did this was one. The other one is, is that engineering teams and dev teams and script teams, they're blending together. It's not just separate silos and the ones that are changing their team dynamics, again, back to the culture are winning. And I think this has to happen. Security has to be embedded everywhere in making it frictionless and to provide kind of the guardrail so developers don't slow down. And I think where security has become a drag or an anchor or a blocker has been just configuration of how the organization's handling it. So I think when people recognize that the developers are in charge and they're should be driving the application development you got to make sure that's secure. And so that's always going to be friction and I think whoever does it, whoever unlocks that for the developer to go faster will win. >> Right. Oh, that's what I'm sure magic to a developer's ear is the ability to go faster and be able to focus on co-development in a secure fashion. What are some of the things that you're excited about for CUBECON. Here we are in February, 2023 and CUBECON is just around the corner in April. What are some of the things that you're excited about based on the groundswell momentum that this first inaugural CloudNative Security CON is generating from a community, a culture perspective? >> I think this year's going to be very interesting 'cause we have an economic challenge globally. There's all kinds of geopolitical things happening. I think there's going to be very entrepreneurial activity this year more than ever. I think you're going to see a lot more innovative projects ideas hitting the table. I think it's going to be a lot more entrepreneurial just because the cycle we're in. And also I think the acceleration of mainstream deployments of out of the CNCF's main event CUBECON will happen. You'll see a lot more successes, scale, more clarity on where the security holes are or aren't. Where the benefits are. I think containers and microservices are continuing to surge. I think the Cloud scale hyperscale as Amazon, Azure, Google will be more aggressive. I think AI will be a big theme this year. I think you can see how data is going to infect some of the innovation thinking. I'm really excited about the data infrastructure because it powers a lot of things in the Cloud. So I think the Amazon Web Services, Azure next level gen clouds will impact what happens in the CloudNative foundation. >> Did you have any conversations yesterday or today with respect to AI and security? Was that a focus of anybody's? Talk to me about that. >> Well, I didn't hear any sessions on AI but we saw some demos on stage. But they're teasing out that this is an augmentation to their mission, right? So I think a lot of people are looking at AI as, again, like I always said there's the naysayers who think it's kind of a gimmick or nothing to see here, and then some are just going to blown away. I think the people who are alpha geeks and the industry connect the dots and understand that AI is going to be an accelerant to a lot of heavy lifting that was either manual, you know, hard to do things that was boring or muck as they say. I think that's going to be where you'll see the AI stories where it's going to accelerate either ways to make security better or make developers more confident and productive. >> Or both. >> Yeah. So definitely AI will be part of it. Yeah, definitely. One of the things too that I'm wondering if, you know, we talk about CloudNative and the goal of it, the importance of it. Do you think that this event, in terms of what we were able to see, obviously being remote the event going on in Seattle, us being here in Palo Alto and Boston and guests on from Seattle and Germany and all over, did you hear the really the validation for why CloudNative Security why CloudNative is important for organizations whether it's a bank or a hospital or a retailer? Is that validation clear and present? >> Yeah, absolutely. I think it was implied. I don't think there was like anyone's trying to debate that. I think this conference was more of it's assumed and they were really trying to push the ability to make security less defensive, more offensive and more accelerated into the solving the problems with the businesses that are out there. So clearly the CloudNative community understands where the security challenges are and where they're emerging. So having a dedicated event will help address that. And they've got great co-chairs too that put it together. So I think that's very positive. >> Yeah. Do you think, is it possible, I mean, like you said several times today so eloquently the industry's on the defense when it comes to security and the hackers are on the offense. Is it really possible to make that switch or obviously get some balances. As technology advances and industry gets to take advantage of that, so do the hackers, is that balance achievable? >> Absolutely. I mean, I think totally achievable. The question's going to be what's the environment going to be like? And I remember as context to understanding whether it's viable or not, is to look at, just go back 13 years ago, I remember in 2010 Amazon was viewed as an unsecure environment. Everyone's saying, "Oh, the cloud is not secure." And I remember interviewing Steve Schmidt at AWS and we discussed specifically how Amazon Cloud was being leveraged by hackers. They made it more complex for the hackers. And he said, "This is just the beginning." It's kind of like barbed wire on a fence. It's yeah, you're not going to climb it so people can get over it. And so since then what's happened is the Cloud has become more secure than on premises for a lot of either you know, personnel reasons, culture reasons, not updating, you know, from patches to just being insecure to be more insecure. So that to me means that the flip the script can be flipped. >> Yeah. And I think with CloudNative they can build in automation and code to solve some of these problems and make it more complex for the hacker. >> Lisa: Yes. >> And increase the cost. >> Yeah, exactly. Make it more complex. Increase the cost. That'll be in interesting journey to follow. So John, here we are early February, 2023 theCUBE starting out strong as always. What year are we in, 12? Year 12? >> 13th year >> 13! What's next for theCUBE? What's coming up that excites you? >> Well, we're going to do a lot more events. We got the theCUBE in studio that I call theCUBE Center as kind of internal code word, but like, this is more about getting the word out that we can cover events remotely as events are starting to change with hybrid, digital is going to be a big part of that. So I think you're going to see a lot more CUBE on location. We're going to do, still do theCUBE and have theCUBE cover events from the studio to get deeper perspective because we can then bring people in remote through our our studio team. We can bring our CUBE alumni in. We have a corpus of content and experts to bring to table. So I think the coverage will be increased. The expertise and data will be flowing through theCUBE and so Cube Center, CUBE CUBE Studio. >> Lisa: Love it. >> Will be a integral part of our coverage. >> I love that. And we have such great conversations with guests in person, but also virtually, digitally as well. We still get the voices of the practitioners and the customers and the vendors and the partner ecosystem really kind of lauded loud and clear through theCUBE megaphone as I would say. >> And of course getting the clips out there, getting the highlights. >> Yeah. >> Getting more stories. No stories too small for theCUBE. We can make it easy to get the best content. >> The best content. John, it's been fun covering CloudNative security CON with you with you. And Dave and our guests, thank you so much for the opportunity and looking forward to the next event. >> John: All right. We'll see you at Amsterdam. >> Yeah, I'll be there. We want to thank you so much for watching TheCUBES's two day coverage of CloudNative Security CON 23. We're live in Palo Alto. You are live wherever you are and we appreciate your time and your view of this event. For John Furrier, Dave Vellante, I'm Lisa Martin. Thanks for watching guys. We'll see you at the next show.

>> John Furrier: Hello, welcome back to theCUBE's coverage of Cloud Native Security Con 2023 North America the inaugural event. I'm John Furrier, host of theCUBE, along with Dave Alonte and Lisa Martin covering from the studio. But we have on location Emmy Eide, who is with Red Hat, director of Supply Chain Security. Emmy, great to have you on from location. Thanks for joining us. >> Emmy Eide: Yeah, thank you. >> So everyone wants to know this event is new, it's an aural event, cloud native con, coup con. Very successful. Was this event successful? They all want to know what's going on there. What's the vibe? What's the tracks like? Is it different? Why this event? Was it successful? What's different? >> Yeah, I've really enjoyed being here. The food is wonderful. There's also quite a few vendors here that are just some really cool emerging technologies coming out and a lot from open source, which is really cool to see as well. The talks are very interesting. It's really, they're very diverse in subject but still all security related which is really cool to see. And there's also a lot of different perspectives of how to approach security problems and the people behind them, which I love to see. And it's very nice to hear the different innovative ideas that we can go about doing security. >> We heard from some startups as well that they're very happy with the, with the decision to have a dedicated event. Red Hat is no stranger to open source. Obviously coup con, you guys are very successful there in cloud native con, Now the security con. Why do you think they did this? What's the vibe? What's the rationale? What's your take on this? And what's different from a topic standpoint? >> For non-security specific like events? Is that what you mean? >> What's different from coup con, cloud native con, and here at the cloud native security con? Obviously security's the focus. Is it just deeper dives? Is it more under the hood? Is it root problems or is this beyond Kubernetes? What's the focus, I guess. People want to know, you know, why the new event? >> I mean, there's a lot of focus on supply chain security, right? Like that's the hot topic in security right now. So that's been a huge focus. I can't speak to the differences of those other conferences. I haven't been able to attend them. But I will say that having a security specific conference, it really focuses on the open community and how technology is evolving, and how do you apply security. It's not just talking about tools which I think other conferences tend to focus on just the tools and you can really, I think, get lost in that as someone trying to learn about security or trying to even implement security, but they talk about what it takes to implement those tools, What's behind the people behind implementing those tools? >> Let's get into some of the key topics that we've identified and get your reaction. One, supply chain security, which I know you'll give a lot of commentary on 'cause that's your focus. Also we heard, like, Liz Rice talking about the extended Berkeley packet filtering. Okay, that's big. You know, your root kernel management, that's big. Developer productivity was kind of implied around removing the blockers of security, making it, you know, more aligned with developer first mentality. So that seems to be our takeaway. What's your reaction to those things? You see the same thing? >> I don't have a specific reaction to those things. >> Do you see the same thing happening on the ground there? Are they covering supply? >> Oh, yeah. >> Those three things are they the big focus? >> Yeah. Yeah, I think it's all of those things kind of like wrapped into one, right? But yeah, there's... I'm not sure how to answer your question. >> Well, let's jump into supply chain for instance. 'Cause that has come up a lot. >> Sure. >> What's the focus there on the supply chain security? Is it SBOMs? Is it the container security? What's the key conversations and topics being discussed around supply chain security? >> Well, I think there's a lot of laughter around SBOM right now because no one can really define it, specifically, and everyone's talking about it. So there's, there's a lot more than just the SBOM conversation. We're talking about like full end-to-end development process and that whole software supply chain that goes with it. So there's everything from infrastructure, security, all the way through to like signing transparency logs. Really the full gambit of supply chain, which is is really neat to see because it is such a broad topic. I think a lot of folks now are involved in supply chain security in some way. And so just kind of bringing that to the surface of what are the different people that are involved in this space, thinking about, what's on the top of their mind when it comes to supply chain security. >> How would you scope the order of magnitude of the uptick in supply chain attacks? Is it pretty heavy right now or is it, you know, people with the hair on fire or is it... What's the, give us the taste of the temperature in the room on the supply chain attacks? >> I think most of the folks who are involved in the space understand just that it's increasing. I mean, like, what is it? A 742% increase average annual year, year over year in supply chain attacks. So the amount of attacks increasing is a little daunting, right, for most of us. But it is what it is. So I think most of us right now are just trying to come together to say, "What are you doing that works? This is what I'm doing that works." And in all the different facets of that. 'cause I think we try to throw, we try to throw tools at a lot of problems and this problem is so big and broad reaching that we really are needing to share best practices as a community and as a security community. So this has been, this conference has been really great for that. >> Yeah, I've heard that a lot. You know, too many tools, not enough platform thinking, not enough architecture, needs some structure. Are you seeing any best practice around frameworks and structure around how to start getting in and and building out more of a better approach or posture? I mean, what's that, what's the, what's the state of the union for supply chain, how to handle that? >> Well, I talked about that a little bit in my my keynote that I gave, actually, which was about... And I've heard other other leaders talk about it too. And obviously it keyed my ear just because I'm so passionate about it, about partnership. So you know, empathetic security where the security team that's enforcing the policies, creating the policies, guidelines is working with the teams that are actually doing the production and the development, hand-in-hand, right? Like I can sit there and tell you, "Hey, you have all these problems and here's your security checklist or framework you need to follow." But that's not going to do them any good and it's going to create a ton of holes, right? So actually partnering with them helping them to understand the risks that are associated with their very specific need and use case, because every product has a different kind of quirk to it, right? Like how it's being developed. It might use a different tool and if I sit there and say, "Hey, you need to log on to this, you need to like make your tool work this platform over here and it's not compatible." I'm going to have to completely reframe how I'm doing productization. I need to know that as a security practitioner because me disrupting productization is not something that I should be doing. And I've heard a couple a couple of folks kind of talking about that, the people aspect behind how we implement these tools, the frameworks and the platforms, and how do we draw out risk, right? Like how do we talk about risk with these teams and really make them understand so it's part of their core culture in their understanding. So when they go back to their, when they go back and having to make decisions without me in the room they know they can make those business decisions with the risk as part of that decision. >> I love that empathetic angle because that's really going to, what needs to happen. It's not just, "Hey, that's your department, see you later." Or not even having a knowledge of the information. This idea of team construction, team management is a huge cultural shift. I'm sure the reaction was very positive. How do you explain that to an organization that's out there? Like how do you... what's the first three steps you got to take? Is there anything that you can share for advice people watch you saying, "Yeah we need to we need to change how our teams operate and interact with each other." >> Yeah, I think the first step is to take a good hard look at yourself. And if you are standing there on an ivory tower with a clipboard, you're probably doing it wrong. Check the box security is never going to be any way that works long term. It's going to take you a long time to implement any changes. At Red Hat, we did not look ourselves. You know, we've been doing a lot of great things in supply chain security for a while, but really taking that look and saying, "How can we be more empathetic leaders in the security space?" So we looked at that, then you say, "Okay, what is my my rate of change going to happen?" So if I need to make so many security changes explaining to these organizations, you're actually going to go faster. We improved our efficiency by 2000% just by doing that, just by creating this more empathetic. So why it seems like it's more hands-on, so it's going to be harder, it's easy to send out an email and say, "Hey, meet the security standard, right?" That might seem like the easy way 'cause you don't have time to engage. It's so much faster if you actually engage and share that message and have a a common understanding between the teams that like, "I'm here to deliver a product, so is the security team. The security team's here to deliver that same product and I want to help you do it in a trusted way." Right? >> Yeah. Dave Alonte, my co-host, was just on a session. We were talking together about security teams jumping on every team and putting a C on their jersey to be like the captain of the intramural team, and being involved, and it goes beyond just like the checklist, like you said, "Oh, I got the SBOM list of materials and I got a code scanning thing." That's not enough, is what we're hearing. >> No. >> Is there a framework or a methodology to go beyond that? You got the empathetic, that's really kind of team issue. You got to go beyond some of the tactical things. What's next beyond, you got the empathy and what's that framework structure when you say where you say anything there? >> So what do you do after you have the empathy, right? >> Yeah. >> I would say Salsa is a good place to start, the software levels. Supply chain levels for software artifacts. It's a mouthful. That's a really good maturity framework to start with. No matter what size organization you have, they're just going to be coming out here soon with version one. They release 0.1 a few months back. That's a really good place to give yourself a gut check of where you are in maturity and where you can go, what are best practices. And then there's the SSDF, which is the Secure Software Development framework. I think NIST wrote that one. But that is also a really, a really good framework and they map really well to each other, actually, When you work through Salsa, you're actually working through the SSDF requirements. >> Awesome. Well, great to have you on and great to get that that knowledge. I have to ask you like coup con, I remember when it started in Seattle, their first coup con events, right? Kind of small, similar to this one, but there's a lot of end user activities. Certainly the CNCF kind of was coming together like right after that. What's the end user activity like there this week? That seems to always been the driver of these events. It's a little bit organic. You got some of the key experts coming together, focus. Have you observed any end user activity in terms of contributions, participation? What's the story on the end user piece there? Is it heavy? Is it light? What's the... >> Um, yeah... It seems moderate. I guess somewhere in the middle. I would say largely heavy, but there's definitely participation. There is a lot of communing and networking happening between different organizations to partner together, which is important. But I haven't really paid attention much to like the Twitter side of this. >> Yeah, you've been busy doing the keynotes. How's Red Hat doing all this? You guys have been great positioned with the cloud native movement. Been following the Red Hat's moves since OpenStack days. Really good, good line of product, good open source, Mojo, of course. Good product mix, right, and relevant. Where's the security focus here? Obviously, you guys are clearly focused on security. How's the Red Hat story going on over there? >> There was yesterday a really good talk that explains that super well. It was given by a Red Hatter, connecting all of the open source projects we've been a part of and kind of explaining them. And obviously again, I'm keying in 'cause it's a supply chain kind of conversation, but I'd recommend that anyone who's going to go back and watch these on YouTube to check that one out just to see kind of how we're approaching the security space as well as how we contribute back to the community in that way. >> Awesome. Great to have you on. Final word, I'll give you the final word. What's the big buzz on supply chain? How would you peg the progress there? Feeling good about where things are? What's the current progress on supply chain security? >> I think that it has opened up a lot of doors for communication between security organizations that have tended to be closed. I'm in product security. Product securities, information securities tend to not speak externally about what we're doing. So you don't want to, you know, look bad or you don't want to expose any risk that we have, right? But it is, I think, necessary to open those lines of communication, to be able to start tackling this. It's a big problem throughout all of our industries, and if one supply chain is attacked and those products are used in someone else's supply chain, that can continue, right? So I think it's good. We have a lot of work to do as an industry and the advancements in technology is going to make that a little bit more complicated. But I'm excited for it. >> You can just throw AI at it. That's the big, everyone's doing AI. Just throw AI at it, it'll solve it. Isn't that the new thing? >> I do secure AI though. >> Super important. I love what you're doing there. Supply chain, open source needs, supply chain security. Open source needs this big time. It has to be there. Thank you for the work that you do. Really appreciate you coming on. Thank you. >> Yeah, thanks for having me. >> Yeah, good stuff. Supply chain, critical to open source growth. Open source is going to be the key to success in the future with automation and AI right around the corner. And that's important. This theCUBE covers from cloud native con, security con in North America, 2023. I'm John Furrier. Thanks for watching.

(upbeat music) >> Hey everyone and welcome to theCUBE's coverage day one of CloudNativeSecurityCon '23. Lisa Martin here with John Furrier and Dave Vellante. Dave and John, great to have you guys on the program. This is interesting. This is the first inaugural CloudNativeSecurityCon. Formally part of KubeCon, now a separate event here happening in Seattle over the next couple of days. John, I wanted to get your take on, your thoughts on this being a standalone event, the community, the impact. >> Well, this inaugural event, which is great, we love it, we want to cover all inaugural events because you never know, there might not be one next year. So we were here if it happens, we're here at creation. But I think this is a good move for the CNCF and the Linux Foundation as security becomes so important and there's so many issues to resolve that will influence many other things. Developers, machine learning, data as code, supply chain codes. So I think KubeCon, Kubernetes conference and CloudNativeCon, is all about cloud native developers. And it's a huge event and there's so much there. There's containers, there's microservices, all that infrastructure's code, the DevSecOps on that side, there's enough there and it's a huge ecosystem. Pulling it as a separate event is a first move for them. And I think there's a toe in the water kind of vibe here. Testing the waters a little bit on, does this have legs? How is it organized? Looks like they took their time, thought it out extremely well about how to craft it. And so I think this is the beginning of what will probably be a seminal event for the open source community. So let's listen to the clip from Priyanka Sharma who's a CUBE alumni and executive director of the CNCF. This is kind of a teaser- >> We will tackle issues of security together here and further on. We'll share our experiences, successes, perhaps more importantly, failures, and help with the collecting of understanding. We'll create solutions. That's right. The practitioners are leading the way. Having conversations that you need to have. That's all of you. This conference today and tomorrow is packed with 72 sessions for all levels of technologists to reflect the bottoms up, developer first nature of the conference. The co-chairs have selected these sessions and they are true blue practitioners. >> And that's a great clip right there. If you read between the lines, what she's saying there, let's unpack this. Solutions, we're going to fail, we're going to get better. Linux, the culture of iterating. But practitioners, the mention of practitioners, that was very key. Global community, 72 sessions, co-chairs, Liz Rice and experts that are crafting this program. It seems like very similar to what AWS has done with re:Invent as their core show. And then they have re:Inforce which is their cloud native security, Amazon security show. There's enough there, so to me, practitioners, that speaks to the urgency of cloud native security. So to me, I think this is the first move, and again, testing the water. I like the vibe. I think the practitioner angle is relevant. It's very nerdy, so I think this is going to have some legs. >> Yeah, the other key phrase Priyanka mentioned is bottoms up. And John, at our predictions breaking analysis, I asked you to make a prediction about events. And I think you've nailed it. You said, "Look, we're going to have many more events, but they're going to be smaller." Most large events are going to get smaller. AWS is obviously the exception, but a lot of events like this, 500, 700, 1,000 people, that is really targeted. So instead of you take a big giant event and there's events within the event, this is going to be really targeted, really intimate and focused. And that's exactly what this is. I think your prediction nailed it. >> Well, Dave, we'll call to see the event operating system really cohesive events connected together, decoupled, and I think the Linux Foundation does an amazing job of stringing these events together to have community as the focus. And I think the key to these events in the future is having, again, targeted content to distinct user groups in these communities so they can be highly cohesive because they got to be productive. And again, if you try to have a broad, big event, no one's happy. Everyone's underserved. So I think there's an industry concept and then there's pieces tied together. And I think this is going to be a very focused event, but I think it's going to grow very fast. >> 72 sessions, that's a lot of content for this small event that the practitioners are going to have a lot of opportunity to learn from. Do you guys, John, start with you and then Dave, do you think it's about time? You mentioned John, they're dipping their toe in the water. We'll see how this goes. Do you think it's about time that we have this dedicated focus out of this community on cloud native security? >> Well, I think it's definitely time, and I'll tell you there's many reasons why. On the front lines of business, there's a business model for security hackers and breaches. The economics are in favor of the hackers. That's a real reality from ransomware to any kind of breach attacks. There's corporate governance issues that's structural challenges for companies. These are real issues operationally for companies in the enterprise. And at the same time, on the tech stack side, it's been very slow movement, like glaciers in terms of security. Things like DNS, Linux kernel, there are a lot of things in the weeds in the details of the bowels of the tech world, protocol levels that just need to be refactored. And I think you're seeing a lot of that here. It was mentioned from Brian from the Linux Foundation, mentioned Dan Kaminsky who recently passed away who found that vulnerability in BIND which is a DNS construct. That was a critical linchpin. They got to fix these things and Liz Rice is talking about the Linux kernel with the extended Berkeley Packet Filtering thing. And so this is where they're going. This is stuff that needs to be paid attention to because if they don't do it, the train of automation and machine learning is going to run wild with all kinds of automation that the infrastructure just won't be set up for. So I think there's going to be root level changes, and I think ultimately a new security stack will probably be very driven by data will be emerging. So to me, I think this is definitely worth being targeted. And I think you're seeing Amazon doing the same thing. I think this is a playbook out of AWS's event focus and I think that's right. >> Dave, what are you thoughts? >> There was a lot of talk in, again, I go back to the progression here in the last decade about what's the right regime for security? Should the CISO report to the CIO or the board, et cetera, et cetera? We're way beyond that now. I think DevSecOps is being asked to do a lot, particularly DevOps. So we hear a lot about shift left, we're hearing about protecting the runtime and the ops getting much more involved and helping them do their jobs because the cloud itself has brought a lot to the table. It's like the first line of defense, but then you've really got a lot to worry about from a software defined perspective. And it's a complicated situation. Yes, there's less hardware, yes, we can rely on the cloud, but culturally you've got a lot more people that have to work together, have to share data. And you want to remove the blockers, to use an Amazon term. And the way you do that is you really, if we talked about it many times on theCUBE. Do over, you got to really rethink the way in which you approach security and it starts with culture and team. >> Well the thing, I would call it the five C's of security. Culture, you mentioned that's a good C. You got cloud, tons of issues involved in cloud. You've got access issues, identity. you've got clusters, you got Kubernetes clusters. And then you've got containers, the fourth C. And then finally is the code itself, supply chain. So all areas of cloud native, if you take out culture, it's cloud, cluster, container, and code all have levels of security risks and new things in there that need to be addressed. So there's plenty of work to get done for sure. And again, this is developer first, bottoms up, but that's where the change comes in, Dave, from a security standpoint, you always point this out. Bottoms up and then middle out for change. But absolutely, the imperative is today the business impact is real and it's urgent and you got to pedal as fast as you can here, so I think this is going to have legs. We'll see how it goes. >> Really curious to understand the cultural impact that we see being made at this event with the focus on it. John, you mentioned the four C's, five with culture. I often think that culture is probably the leading factor. Without that, without getting those teams aligned, is the rest of it set up to be as successful as possible? I think that's a question that's- >> Well to me, Dave asked Pat Gelsinger in 2014, can security be a do-over at VMWorld when he was the CEO of VMware? He said, "Yes, it has to be." And I think you're seeing that now. And Nick from the co-founder of Palo Alto Networks was quoted on theCUBE by saying, "Zero Trust is some structure to give to security, but cloud allows for the ability to do it over and get some scale going on security." So I think the best people are going to come together in this security world and they're going to work on this. So you're going to start to see more focus around these security events and initiatives. >> So I think that when you go to the, you mentioned re:Inforce a couple times. When you go to re:Inforce, there's a lot of great stuff that Amazon puts forth there. Very positive, it's not that negative. Oh, the world is falling, the sky is falling. And so I like that. However, you don't walk away with an understanding of how they're making the CISOs and the DevOps lives easier once they get beyond the cloud. Of course, it's not Amazon's responsibility. And that's where I think the CNCF really comes in and open source, that's where they pick up. Obviously the cloud's involved, but there's a real opportunity to simplify the lives of the DevSecOps teams and that's what's critical in terms of being able to solve, or at least keep up with this never ending problem. >> Yeah, there's a lot of issues involved. I took some notes here from some of the keynote you heard. Security and education, training and team structure. Detection, incidents that are happening, and how do you respond to that architecture. Identity, isolation, supply chain, and governance and compliance. These are all real things. This is not like hand-waving issues. They're mainstream and they're urgent. Literally the houses are on fire here with the enterprise, so this is going to be very, very important. >> Lisa: That's a great point. >> Some of the other things Priyanka mentioned, exposed edges and nodes. So just when you think we're starting to solve the problem, you got IOT, security's not a one and done task. We've been talking about culture. No person is an island. It's $188 billion business. Cloud native is growing at 27% a year, which just underscores the challenges, and bottom line, practitioners are leading the way. >> Last question for you guys. What are you hoping those practitioners get out of this event, this inaugural event, John? >> Well first of all, I think this inaugural event's going to be for them, but also we at theCUBE are going to be doing a lot more security events. RSA's coming up, we're going to be at re:Inforce, we're obviously going to be covering this event. We've got Black Hat, a variety of other events. We'll probably have our own security events really focused on some key areas. So I think the thing that people are going to walk away from this event is that paying attention to these security events are going to be more than just an industry thing. I think you're going to start to see group gatherings or groups convening virtually and physically around core issues. And I think you're going to start to see a community accelerate around cloud native and open source specifically to help teams get faster and better at what they do. So I think the big walkaway for the customers and the practitioners here is that there's a call to arms happening and this is, again, another signal that it's worth breaking out from the core event, but being tied to it, I think that's a good call and I think it's a well good architecture from a CNCF standpoint and a worthy effort, so I give it a thumbs up. We still don't know what it's going to look like. We'll see what day two looks like, but it seems to be experts, practitioners, deep tech, enabling technologies. These are things that tend to be good things to hear when you're at an event. I'll say the business imperative is obvious. >> The purpose of an event like this, and it aligns with theCUBE's mission, is to educate and inspire business technology pros to action. We do it in theCUBE with free content. Obviously this event is a for-pay event, but they are delivering some real value to the community that they can take back to their organizations to make change. And that's what it's all about. >> Yep, that is what it's all about. I'm looking forward to seeing over as the months unfold, the impact that this event has on the community and the impact the community has on this event going forward, and really the adoption of cloud native security. Guys, great to have you during this keynote analysis. Looking forward to hearing the conversations that we have on theCUBE today. Thanks so much for joining. And for my guests, for my co-hosts, John Furrier and Dave Vellante. I'm Lisa Martin. You're watching theCUBE's day one coverage of CloudNativeSecurityCon '23. Stick around, we got great content on theCUBE coming up. (upbeat music)

(upbeat music) >> Hello, and welcome back to AWS Startup Showcase, I'm John Furrier, your host. This is the Hero panel, the AWS Heroes. These are folks that have a lot of experience in Open Source, having fun building great projects and commercializing the value and best practices of Open Source innovation. We've got some great guests here. Liz Rice, Chief Open Source Officer, Isovalent. CUBE alumni, great to see you. Brian LeRoux, who is the Co-founder and CTO of begin.com. Erica Windisch who's an Architect for Developer Experience. AWS Hero, also CUBE alumni. Casey Lee, CTO Gaggle. Doing some great stuff in ed tech. Great collection of experts and experienced folks doing some fun stuff, welcome to this conversation this CUBE panel. >> Hi. >> Thanks for having us. >> Hello. >> Let's go down the line. >> I don't normally do this, but since we're remote and we have such great guests, go down the line and talk about why Open Source is important to you guys. What projects are you currently working on? And what's the coolest thing going on there? Liz we'll start with you. >> Okay, so I am very involved in the world of Cloud Native. I'm the chair of the technical oversight committee for the Cloud Native Computing Foundation. So that means I get to see a lot of what's going on across a very broad range of Cloud Native projects. More specifically, Isovalent. I focus on Cilium, which is it's based on a technology called EBPF. That is to me, probably the most exciting technology right now. And then finally, I'm also involved in an organization called OpenUK, which is really pushing for more use of open technologies here in the United Kingdom. So spread around lots of different projects. And I'm in a really fortunate position, I think, to see what's happening with lots of projects and also the commercialization of lots of projects. >> Awesome, Brian what project are you working on? >> Working project these days called Architect. It's a Open Source project built on top of AWSM. It adds a lot of sugar and terseness to the SM experience and just makes it a lot easier to work with and get started. AWS can be a little bit intimidating to people at times. And the Open Source community is stepping up to make some of that bond ramp a little bit easier. And I'm also an Apache member. And so I keep a hairy eyeball on what's going on in that reality all the time. And I've been doing this open-source thing for quite a while, and yeah, I love it. It's a great thing. It's real science. We get to verify each other's work and we get to expand and build on human knowledge. So that's a huge honor to just even be able to do that and I feel stoked to be here so thanks for having me. >> Awesome, yeah, and totally great. Erica, what's your current situation going on here? What's happening? >> Sure, so I am currently working on developer experience of a number of Open Source STKS and CLI components from my current employer. And previously, recently I left New Relic where I was working on integrating with OpenTelemetry, as well as a number of other things. Before that I was a maintainer of Docker and of OpenStack. So I've been in this game for a while as well. And I tend to just put my fingers in a lot of little pies anywhere from DVD players 20 years ago to a lot of this open telemetry and monitoring and various STKs and developer tools is where like Docker and OpenStack and the STKs that I work on now, all very much focusing on developer as the user. >> Yeah, you're always on the wave, Erica great stuff. Casey, what's going on? Do you got some great ed techs happening? What's happening with you? >> Yeah, sure. The primary Open Source project that I'm contributing to right now is ACT. This is a tool I created a couple of years back when GitHub Actions first came out, and my motivation there was I'm just impatient. And that whole commit, push, wait time where you're testing out your pipelines is painful. And so I wanted to build a tool that allowed developers to test out their GitHub Actions workflows locally. And so this tool uses Docker containers to emulate, to get up action environment and gives you fast feedback on those workflows that you're building. Lot of innovation happening at GitHub. And so we're just trying to keep up and continue to replicate those new features functionalities in the local runner. And the biggest challenge I've had with this project is just keeping up with the community. We just passed 20,000 stars, and it'd be it's a normal week to get like 10 PRs. So super excited to announce just yesterday, actually I invited four of the most active contributors to help me with maintaining the project. And so this is like a big deal for me, letting the project go and bringing other people in to help lead it. So, yeah, huge shout out to those folks that have been helping with driving that project. So looking forward to what's next for it. >> Great, we'll make sure the SiliconANGLE riders catch that quote there. Great call out. Let's start, Brian, you made me realize when you mentioned Apache and then you've been watching all the stuff going on, it brings up the question of the evolution of Open Source, and the commercialization trends have been very interesting these days. You're seeing CloudScale really impact also with the growth of code. And Liz, if you remember, the Linux Foundation keeps making projections and they keep blowing past them every year on more and more code and more and more entrance coming in, not just individuals, corporations. So you starting to see Netflix donates something, you got Lyft donate some stuff, becomes a project company forms around it. There's a lot of entrepreneurial activity that's creating this new abstraction layers, new platforms, not just tools. So you start to see a new kickup trajectory with Open Source. You guys want to comment on this because this is going to impact how fast the enterprise will see value here. >> I think a really great example of that is a project called Backstage that's just come out of Spotify. And it's going through the incubation process at the CNCF. And that's why it's front of mind for me right now, 'cause I've been working on the due diligence for that. And the reason why I thought it was interesting in relation to your question is it's spun out of Spotify. It's fully Open Source. They have a ton of different enterprises using it as this developer portal, but they're starting to see some startups emerging offering like a hosted managed version of Backstage or offering services around Backstage or offering commercial plugins into Backstage. And I think it's really fascinating to see those ecosystems building up around a project and different ways that people can. I'm a big believer. You cannot sell the Open Source code, but you can sell other things that create value around Open Source projects. So that's really exciting to see. >> Great point. Anyone else want to weigh in and react to that? Because it's the new model. It's not the old way. I mean, I remember when I was in college, we had the Pirate software. Open Source wasn't around. So you had to deal under the table. Now it's free. But I mean the old way was you had to convince the enterprise, like you've got a hard knit, it builds the community and the community manage the quality of the code. And then you had to build the company to make sure they could support it. Now the companies are actually involved in it, right? And then new startups are forming faster. And the proof points are shorter and highly accelerated for that. I mean, it's a whole new- >> It's a Cambrian explosion, and it's great. It's one of those things that it's challenging for the new developers because they come in and they're like, "Whoa, what is all this stuff that I'm supposed to figure out?" And there's no right answer and there's no wrong answer. There's just tons of it. And I think that there's a desire for us to have one sort of well-known trot and happy path, that audience we're a lot better with a more diverse community, with lots of options, with lots of ways to approach these problems. And I think it's just great. A challenge that we have with all these options and all these Cambrian explosion of projects and all these competing ideas, right now, the sustainability, it's a bit of a tricky question to answer. We know that there's a commercialization aspect that helps us fund these projects, but how we compose the open versus the commercial source is still a bit of a tricky question and a tough one for a lot of folks. >> Erica, would you chime in on that for a second. I want to get your angle on that, this experience and all this code, and I'm a new person, I'm an existing person. Do I get like a blue check mark and verify? I mean, these are questions like, well, how do you navigate? >> Yeah, I think this has been something happening for a while. I mean, back in the early OpenStack days, 2010, for instance, Rackspace Open Sourcing, OpenStack and ANSU Labs and so forth, and then trying, having all these companies forming in creating startups around this. I started at a company called Cloudccaling back in late 2010, and we had some competitors such as Piston and so forth where a lot of the ANSUL Labs people went. But then, the real winners, I think from OpenStack ended up being the enterprises that jumped in. We had Red Hat in particular, as well as HP and IBM jumping in and investing in OpenStack, and really proving out a lot of... not that it was the first time, but this is when we started seeing billions of dollars pouring into Open Source projects and Open Source Foundations, such as the OpenStack Foundation, which proceeded a lot of the things that we now see with the Linux Foundation, which was then created a little bit later. And at the same time, I'm also reflecting a little bit what Brian said because there are projects that don't get funded, that don't get the same attention, but they're also getting used quite significantly. Things like Log4j really bringing this to the spotlight in terms of projects that are used everywhere by everything with significant outsized impacts on the industry that are not getting funded, that aren't flashy enough, that aren't exciting enough because it's just logging, but a vulnerability in it brings every everything and everybody down and has possibly billions of dollars of impact to our industry because nobody wanted to fund this project. >> I think that brings up the commercialization point about maybe bringing a venture capital model in saying, "Hey, that boring little logging thing could be a key ingredient for say solving some observability problems so I think let's put some cash." Again then we'd never seen that before. Now you're starting to see that kind of a real smart investment thesis going into Open Source projects. I mean, Promethease, Crafter, these are projects that turned off companies. This is turning up companies. >> A decade ago, there was no money in Dev tools that I think that's been fully debunked now. They used to be a concept that the venture community believed, but there's just too much evidence to the contrary, the companies like Cash Court, Datadog, the list goes on and on. I think the challenge for the Open Source (indistinct) comes back to foundations and working (indistinct) these developers make this code safe and secure. >> Casey, what's your reaction to all of this? You've got, so a project has gained some traction, got some momentum. There's a lot of mission critical. I won't say white spaces, but the opportunities in the big cloud game happening. And there's a lot of, I won't say too many entrepreneurial, but there's a lot of community action happening that's precommercialization that's getting traction. How does this all develop naturally and then vector in quickly when it hits? >> Yeah, I want to go back to the Log4j topic real quick. I think that it's a great example of an area that we need to do better at. And there was a cool article that Rob Pike wrote describing how to quantify the criticality. I think that's sort of quantifying criticality was the article he wrote on how to use metrics, to determine how valuable, how important a piece of Open Source is to the community. And we really need to highlight that more. We need a way to make it more clear how important this software is, how many people depend on it and how many people are contributing to it. And because right now we all do that. Like if I'm going to evaluate an Open Source software, sure, I'll look at how many stars it has and how many contributors it has. But I got to go through and do all that work myself and come up with. It would be really great if we had an agreed upon method for ranking the criticality of software, but then also the risk, hey, that this is used by a ton of people, but nobody's contributing to it anymore. That's a concern. And that would be great to potential users of that to signal whether or not it makes sense. The Open Source Security Foundation, just getting off the ground, they're doing some work in this space, and I'm really excited to see where they go with that looking at ways to stop score critically. >> Well, this brings up a good point while we've got everyone here, let's take a plug and plug a project you think that's not getting the visibility it needs. Let's go through each of you, point out a project that you think people should be looking at and talking about that might get some free visibility here. Anyone want to highlight projects they think should be focused more on, or that needs a little bit of love? >> I think, I mean, particularly if we're talking about these sort of vulnerability issues, there's a ton of work going on, like in the Secure Software Foundation, other foundations, I think there's work going on in Apache somewhere as well around the bill of material, the software bill of materials, the Secure Software supply chain security, even enumerating your dependencies is not trivial today. So I think there's going to be a ton of people doing really good work on that, as well as the criticality aspect. It's all like that. There's a really great xkcd cartoon with your software project and some really big monolithic lumps. And then, this tiny little piece in a very important point that's maintained by somebody in his bedroom in Montana or something and if you called it out. >> Yeah, you just opened where the next lightening and a bottle comes from. And this is I think the beauty of Open Source is that you get a little collaboration, you get three feet in a cloud of dust going and you get some momentum, and if it's relevant, it rises to the top. I think that's the collective intelligence of Open Source. The question I want to ask that the panel here is when you go into an enterprise, and now that the game is changing with a much more collaborative and involved, what's the story if they say, hey, what's in it for me, how do I manage the Open Source? What's the current best practice? Because there's no doubt I can't ignore it. It's in everything we do. How do I organize around it? How do I build around it to be more efficient and more productive and reduce the risk on vulnerabilities to managing staff, making sure the right teams in place, the right agility and all those things? >> You called it, they got to get skin in the game. They need to be active and involved and donating to a sustainable Open Source project is a great way to start. But if you really want to be active, then you should be committing. You should have a goal for your organization to be contributing back to that project. Maybe not committing code, it could be committing resources into the darks or in the tests, or even tweeting about an Open Source project is contributing to it. And I think a lot of these enterprises could benefit a lot from getting more active with the Open Source Foundations that are out there. >> Liz, you've been actively involved. I know we've talked personally when the CNCF started, which had a great commercial uptake from companies. What do you think the current state-of-the-art kind of equation is has it changed a little bit? Or is it the game still the same? >> Yeah, and in the early days of the CNCF, it was very much dominated by vendors behind the project. And now we're seeing more and more membership from end-user companies, the kind of enterprises that are building their businesses on Cloud Native, but their business is not in itself. That's not there. The infrastructure is not their business. And I think seeing those companies, putting money in, putting time in, as Brian says contributing resources quite often, there's enough money, but finding the talent to do the work and finding people who are prepared to actually chop the wood and carry the water, >> Exactly. >> that it's hard. >> And if enterprises can find peoples to spend time on Open Source projects, help with those chores, it's hugely valuable. And it's one of those the rising tide floats all the boats. We can raise security, we can reduce the amount of dependency on maintain projects collectively. >> I think the business models there, I think one of the things I'll react to and then get your guys' comments is remember which CubeCon it was, it was one of the early ones. And I remember seeing Apple having a booth, but nobody was manning. It was just an Apple booth. They weren't doing anything, but they were recruiting. And I think you saw the transition of a business model where the worry about a big vendor taking over a project and having undue influence over it goes away because I think this idea of participation is also talent, but also committing that talent back into the communities as a model, as a business model, like, okay, hire some great people, but listen, don't screw up the Open Source piece of it 'cause that's a critical. >> Also hire a channel, right? They can use those contributions to source that talent and build the reputation in the communities that they depend on. And so there's really a lot of benefit to the larger organizations that can do this. They'll have a huge pipeline of really qualified engineers right out the gate without having to resort to cheesy whiteboard interviews, which is pretty great. >> Yeah, I agree with a lot of this. One of my concerns is that a lot of these corporations tend to focus very narrowly on certain projects, which they feel that they depend greatly, they'll invest in OpenStack, they'll invest in Docker, they'll invest in some of the CNCF projects. And then these other projects get ignored. Something that I've been a proponent of for a little bit for a while is observability of your dependencies. And I don't think there's quite enough projects and solutions to this. And it sounds maybe from lists, there are some projects that I don't know about, but I also know that there's some startups like Snyk and so forth that help with a little bit of this problem, but I think we need more focus on some of these edges. And I think companies need to do better, both in providing, having some sort of solution for observability of the dependencies, as well as understanding those dependencies and managing them. I've seen companies for instance, depending on software that they actively don't want to use based on a certain criteria that they already set projects, like they'll set a requirement that any project that they use has a code of conduct, but they'll then use projects that don't have codes of conduct. And if they don't have a code of conduct, then employees are prohibited from working on those projects. So you've locked yourself into a place where you're depending on software that you have instructed, your employees are not allowed to contribute to, for certain legal and other reasons. So you need to draw a line in the sand and then recognize that those projects are ones that you don't want to consume, and then not use them, and have observability around these things. >> That's a great point. I think we have 10 minutes left. I want to just shift to a topic that I think is relevant. And that is as Open Source software, software, people develop software, you see under the hood kind of software, SREs developing very quickly in the CloudScale, but also you've got your classic software developers who were writing code. So you have supply chain, software supply chain challenges. You mentioned developer experience around how to code. You have now automation in place. So you've got the development of all these things that are happening. Like I just want to write software. Some people want to get and do infrastructure as code so DevSecOps is here. So how does that look like going forward? How has the future of Open Source going to make the developers just want to code quickly? And the folks who want to tweak the infrastructure a bit more efficient, any views on that? >> At Gaggle, we're using AWS' CDK, exclusively for our infrastructure as code. And it's a great transition for developers instead of writing Yammel or Jason, or even HCL for their infrastructure code, now they're writing code in the language that they're used to Python or JavaScript, and what that's providing is an easier transition for developers into that Infrastructure as code at Gaggle here, but it's also providing an opportunity to provide reusable constructs that some Devs can build on. So if we've got a very opinionated way to deploy a serverless app in a database and do auto-scaling behind and all stuff, we can present that to a developer as a library, and they can just consume it as it is. Maybe that's as deep as they want to go and they're happy with that. But then they want to go deeper into it, they can either use some of the lower level constructs or create PRs to the platform team to have those constructs changed to fit their needs. So it provides a nice on-ramp developers to use the tools and languages they're used to, and then also go deeper as they need. >> That's awesome. Does that mean they're not full stack developers anymore that they're half stack developers they're taking care of for them? >> I don't know either. >> We'll in. >> No, only kidding. Anyway, any other reactions to this whole? I just want to code, make it easy for me, and some people want to get down and dirty under the hood. >> So I think that for me, Docker was always a key part of this. I don't know when DevSecOps was coined exactly, but I was talking with people about it back in 2012. And when I joined Docker, it was a part of that vision for me, was that Docker was applying these security principles by default for your application. It wasn't, I mean, yes, everybody adopted because of the portability and the acceleration of development, but it was for me, the fact that it was limiting what you could do from a security angle by default, and then giving you these tuna balls that you can control it further. You asked about a project that may not get enough recognition is something called DockerSlim, which is designed to optimize your containers and will make them smaller, but it also constraints the security footprint, and we'll remove capabilities from the container. It will help you build security profiles for app armor and the Red Hat one. SELinux. >> SELinux. >> Yeah, and this is something that I think a lot of developers, it's kind of outside of the realm of things that they're really thinking about. So the more that we can automate those processes and make it easier out of the box for users or for... when I say users, I mean, developers, so that it's straightforward and automatic and also giving them the capability of refining it and tuning it as needed, or simply choosing platforms like serverless offerings, which have these security constraints built in out of the box and sometimes maybe less tuneable, but very strong by default. And I think that's a good place for us to be is where we just enforced these things and make you do things in a secure way. >> Yeah, I'm a huge fan of Kubernetes, but it's not the right hammer for every nail. And there are absolutely tons of applications that are better served by something like Lambda where a lot more of that security surface is taken care of for the developer. And I think we will see better tooling around security profiling and making it easier to shrink wrap your applications that there are plenty of products out there that can help you with this in a cloud native environment. But I think for the smaller developer let's say, or an earlier stage company, yeah, it needs to be so much more straightforward. Really does. >> Really an interesting time, 10 years ago, when I was working at Adobe, we used to requisition all these analysts to tell us how many developers there were for the market. And we thought there was about 20 million developers. If GitHub's to be believed, we think there is now around 80 million developers. So both these groups are probably wrong in their numbers, but the takeaway here for me is that we've got a lot of new developers and a lot of these new developers are really struck by a paradox of choice. And they're typically starting on the front end. And so there's a lot of movement in the stack moved towards the front end. We saw that at re:Invent when Amazon was really pushing Amplify 'cause they're seeing this too. It's interesting because this is where folks start. And so a lot of the obstructions are moving in that direction, but maybe not always necessarily totally appropriate. And so finding the right balance for folks is still a work in progress. Like Lambda is a great example. It lets me focus totally on just business logic. I don't have to think about infrastructure pretty much at all. And if I'm newer to the industry, that makes a lot of sense to me. As use cases expand, all of a sudden, reality intervenes, and it might not be appropriate for everything. And so figuring out what those edges are, is still the challenge, I think. >> All right, thank you very much for coming on the CUBE here panel. AWS Heroes, thanks everyone for coming. I really appreciate it, thank you. >> Thank you. >> Thank you. >> Okay. >> Thanks for having me. >> Okay, that's a wrap here back to the program and the awesome startups. Thanks for watching. (upbeat music)