>>coverage of eight of US Re invent 2019 continues in a moment.

(bright music) >> Hello everyone. Welcome to theCUBE's coverage of AWS re:Invent 22. I'm John Furrier, host of theCUBE. Got some great coverage here talking about software supply chain and sustainability in the cloud. We've got a great conversation. Gunnar Hellekson, vice president and general manager at Red Hat Enterprise Linux and Business Unit of Red Hat. Thanks for coming on. And Adnan Ijaz, director of product management of commercial software services, AWS. Gentlemen, thanks for joining me today. >> It's a pleasure. (Adnan speaks indistinctly) >> You know, the hottest topic coming out of Cloud Native developer communities is slide chain software sustainability. This is a huge issue. As open source continues to power away and fund and grow this next generation modern development environment, you know, supply chain, you know, sustainability is a huge discussion because you got to check things out, what's in the code. Okay, open source is great, but now we got to commercialize it. This is the topic, Gunnar, let's get in with you. What are you seeing here and what's some of the things that you're seeing around the sustainability piece of it? Because, you know, containers, Kubernetes, we're seeing that that run time really dominate this new abstraction layer, cloud scale. What's your thoughts? >> Yeah, so I, it's interesting that the, you know, so Red Hat's been doing this for 20 years, right? Making open source safe to consume in the enterprise. And there was a time when in order to do that you needed to have a long term life cycle and you needed to be very good at remediating security vulnerabilities. And that was kind of, that was the bar that you had to climb over. Nowadays with the number of vulnerabilities coming through, what people are most worried about is, kind of, the providence of the software and making sure that it has been vetted and it's been safe, and that things that you get from your vendor should be more secure than things that you've just downloaded off of GitHub, for example. Right? And that's a place where Red Hat's very comfortable living, right? Because we've been doing it for 20 years. I think there's another aspect to this supply chain question as well, especially with the pandemic. You know, we've got these supply chains have been jammed up. The actual physical supply chains have been jammed up. And the two of these issues actually come together, right? Because as we go through the pandemic, we've got these digital transformation efforts, which are in large part, people creating software in order to manage better their physical supply chain problems. And so as part of that digital transformation, you have another supply chain problem, which is the software supply chain problem, right? And so these two things kind of merge on these as people are trying to improve the performance of transportation systems, logistics, et cetera. Ultimately, it all boils down to, both supply chain problems actually boil down to a software problem. It's very interesting. >> Well, that is interesting. I want to just follow up on that real quick if you don't mind. Because if you think about the convergence of the software and physical world, you know, that's, you know, IOT and also hybridcloud kind of plays into that at scale, this opens up more surface area for attacks, especially when you're under a lot of pressure. This is where, you know, you have a service area on the physical side and you have constraints there. And obviously the pandemic causes problems. But now you've got the software side. How are you guys handling that? Can you just share a little bit more of how you guys looking at that with Red Hat? What's the customer challenge? Obviously, you know, skills gaps is one, but, like, that's a convergence at the same time more security problems. >> Yeah, yeah, that's right. And certainly the volume of, if we just look at security vulnerabilities themselves, just the volume of security vulnerabilities has gone up considerably as more people begin using the software. And as the software becomes more important to, kind of, critical infrastructure. More eyeballs around it and so we're uncovering more problems, which is kind of, that's okay, that's how the world works. And so certainly the number of remediations required every year has gone up. But also the customer expectations, as I mentioned before, the customer expectations have changed, right? People want to be able to show to their auditors and to their regulators that no, in fact, I can show the providence of the software that I'm using. I didn't just download something random off the internet. I actually have like, you know, adults paying attention to how the software gets put together. And it's still, honestly, it's still very early days. I think as an industry, I think we're very good at managing, identifying remediating vulnerabilities in the aggregate. We're pretty good at that. I think things are less clear when we talk about, kind of, the management of that supply chain, proving the providence, and creating a resilient supply chain for software. We have lots of tools, but we don't really have lots of shared expectations. And so it's going to be interesting over the next few years, I think we're going to have more rules are going to come out. I see NIST has already published some of them. And as these new rules come out, the whole industry is going to have to kind of pull together and really rally around some of this shared understanding so we can all have shared expectations and we can all speak the same language when we're talking about this problem. >> That's awesome. Adnan, Amazon web service is obviously the largest cloud platform out there. You know, the pandemic, even post pandemic, some of these supply chain issues, whether it's physical or software, you're also an outlet for that. So if someone can't buy hardware or something physical, they can always get to the cloud. You guys have great network compute and whatnot and you got thousands of ISVs across the globe. How are you helping customers with this supply chain problem? Because whether it's, you know, I need to get in my networking gears and delay, I'm going to go to the cloud and get help there. Or whether it's knowing the workloads and what's going on inside them with respect to open source. 'Cause you've got open source, which is kind of an external forcing function. You've got AWS and you got, you know, physical compute stores, networking, et cetera. How are you guys helping customers with the supply chain challenge, which could be an opportunity? >> Yeah, thanks John. I think there are multiple layers to that. At the most basic level, we are helping customers by abstracting away all these data center constructs that they would have to worry about if they were running their own data centers. They would have to figure out how the networking gear, you talk about, you know, having the right compute, right physical hardware. So by moving to the cloud, at least they're delegating that problem to AWS and letting us manage and making sure that we have an instance available for them whenever they want it. And if they want to scale it, the capacity is there for them to use. Now then, so we kind of give them space to work on the second part of the problem, which is building their own supply chain solutions. And we work with all kinds of customers here at AWS from all different industry segments, automotive, retail, manufacturing. And you know, you see the complexity of the supply chain with all those moving pieces, like hundreds and thousands of moving pieces, it's very daunting. And then on the other hand, customers need more better services. So you need to move fast. So you need to build your agility in the supply chain itself. And that is where, you know, Red Hat and AWS come together. Where we can enable customers to build their supply chain solutions on platforms like Red Hat Enterprise Linux RHEL or Red Hat OpenShift on AWS, we call it ROSA. And the benefit there is that you can actually use the services that are relevant for the supply chain solutions like Amazon managed blockchain, you know, SageMaker. So you can actually build predictive analytics, you can improve forecasting, you can make sure that you have solutions that help you identify where you can cut costs. And so those are some of the ways we're helping customers, you know, figure out how they actually want to deal with the supply chain challenges that we're running into in today's world. >> Yeah, and you know, you mentioned sustainability outside of software sustainability, you know, as people move to the cloud, we've reported on SiliconANGLE here in theCUBE, that it's better to have the sustainability with the cloud because then the data centers aren't using all that energy too. So there's also all kinds of sustainability advantages. Gunnar, because this is kind of how your relationship with Amazon's expanded. You mentioned ROSA, which is Red Hat, you know, on OpenShift, on AWS. This is interesting because one of the biggest discussions is skills gap, but we were also talking about the fact that the humans are a huge part of the talent value. In other words, the humans still need to be involved. And having that relationship with managed services and Red Hat, this piece becomes one of those things that's not talked about much, which is the talent is increasing in value, the humans, and now you got managed services on the cloud. So we'll look at scale and human interaction. Can you share, you know, how you guys are working together on this piece? 'Cause this is interesting, 'cause this kind of brings up the relationship of that operator or developer. >> Yeah, yeah. So I think there's, so I think about this in a few dimensions. First is that it's difficult to find a customer who is not talking about automation at some level right now. And obviously you can automate the processes and the physical infrastructure that you already have, that's using tools like Ansible, right? But I think that combining it with the elasticity of a solution like AWS, so you combine the automation with kind of elastic and converting a lot of the capital expenses into operating expenses, that's a great way actually to save labor, right? So instead of like racking hard drives, you can have somebody do something a little more like, you know, more valuable work, right? And so, okay, but that gives you a platform. And then what do you do with that platform? You know, if you've got your systems automated and you've got this kind of elastic infrastructure underneath you, what you do on top of it is really interesting. So a great example of this is the collaboration that we had with running the RHEL workstation on AWS. So you might think, like, well why would anybody want to run a workstation on a cloud? That doesn't make a whole lot of sense. Unless you consider how complex it is to set up, if you have, the use case here is like industrial workstations, right? So it's animators, people doing computational fluid dynamics, things like this. So these are industries that are extremely data heavy. Workstations have very large hardware requirements, often with accelerated GPUs and things like this. That is an extremely expensive thing to install on-premise anywhere. And if the pandemic taught us anything, it's if you have a bunch of very expensive talent and they all have to work from home, it is very difficult to go provide them with, you know, several tens of thousands of dollars worth of workstation equipment. And so combine the RHEL workstation with the AWS infrastructure and now all that workstation computational infrastructure is available on demand and available right next to the considerable amount of data that they're analyzing or animating or working on. So it's a really interesting, it was actually, this is an idea that was actually born with the pandemic. >> Yeah. >> And it's kind of a combination of everything that we're talking about, right? It's the supply chain challenges of the customer, it's the lack of talent, making sure that people are being put to their best and highest use. And it's also having this kind of elastic, I think, OpEx heavy infrastructure as opposed to a CapEx heavy infrastructure. >> That's a great example. I think that illustrates to me what I love about cloud right now is that you can put stuff in the cloud and then flex what you need, when you need it, in the cloud rather than either ingress or egress of data. You just get more versatility around the workload needs, whether it's more compute or more storage or other high level services. This is kind of where this next gen cloud is going. This is where customers want to go once their workloads are up and running. How do you simplify all this and how do you guys look at this from a joint customer perspective? Because that example I think will be something that all companies will be working on, which is put it in the cloud and flex to whatever the workload needs and put it closer to the compute. I want to put it there. If I want to leverage more storage and networking, well, I'll do that too. It's not one thing, it's got to flex around. How are you guys simplifying this? >> Yeah, I think, so, I'll give my point of view and then I'm very curious to hear what Adnan has to say about it. But I think about it in a few dimensions, right? So there is a technically, like, any solution that Adnan's team and my team want to put together needs to be kind of technically coherent, right? Things need to work well together. But that's not even most of the job. Most of the job is actually ensuring an operational consistency and operational simplicity, so that everything is, the day-to-day operations of these things kind of work well together. And then also, all the way to things like support and even acquisition, right? Making sure that all the contracts work together, right? It's a really... So when Adnan and I think about places of working together, it's very rare that we're just looking at a technical collaboration. It's actually a holistic collaboration across support, acquisition, as well as all the engineering that we have to do. >> Adnan, your view on how you're simplifying it with Red Hat for your joint customers making collaborations? >> Yeah, Gunnar covered it well. I think the benefit here is that Red Hat has been the leading Linux distribution provider. So they have a lot of experience. AWS has been the leading cloud provider. So we have both our own points of view, our own learning from our respective set of customers. So the way we try to simplify and bring these things together is working closely. In fact, I sometimes joke internally that if you see Gunnar and my team talking to each other on a call, you cannot really tell who belongs to which team. Because we're always figuring out, okay, how do we simplify discount experience? How do we simplify programs? How do we simplify go to market? How do we simplify the product pieces? So it's really bringing our learning and share our perspective to the table and then really figure out how do we actually help customers make progress. ROSA that we talked about is a great example of that, you know, together we figured out, hey, there is a need for customers to have this capability in AWS and we went out and built it. So those are just some of the examples in how both teams are working together to simplify the experience, make it complete, make it more coherent. >> Great, that's awesome. Next question is really around how you help organizations with the sustainability piece, how to support them simplifying it. But first, before we get into that, what is the core problem around this sustainability discussion we're talking about here, supply chain sustainability, what is the core challenge? Can you both share your thoughts on what that problem is and what the solution looks like and then we can get into advice? >> Yeah. Well from my point of view, it's, I think, you know, one of the lessons of the last three years is every organization is kind of taking a careful look at how resilient it is, or I should say, every organization learned exactly how resilient it was, right? And that comes from both the physical challenges and the logistics challenges that everyone had, the talent challenges you mentioned earlier. And of course the software challenges, you know, as everyone kind of embarks on this digital transformation journey that we've all been talking about. And I think, so I really frame it as resilience, right? And resilience at bottom is really about ensuring that you have options and that you have choices. The more choices you have, the more options you have, the more resilient you and your organization is going to be. And so I know that's how I approach the market. I'm pretty sure that's how Adnan is approaching the market, is ensuring that we are providing as many options as possible to customers so that they can assemble the right pieces to create a solution that works for their particular set of challenges or their unique set of challenges and unique context. Adnan, does that sound about right to you? >> Yeah, I think you covered it well. I can speak to another aspect of sustainability, which is becoming increasingly top of mind for our customers. Like, how do they build products and services and solutions and whether it's supply chain or anything else which is sustainable, which is for the long term good of the planet. And I think that is where we have also been very intentional and focused in how we design our data center, how we actually build our cooling system so that those are energy efficient. You know, we are on track to power all our operations with renewable energy by 2025, which is five years ahead of our initial commitment. And perhaps the most obvious example of all of this is our work with ARM processors, Graviton3, where, you know, we are building our own chip to make sure that we are designing energy efficiency into the process. And you know, the ARM Graviton3 processor chips, they are about 60% more energy efficient compared to some of the CD6 comparable. So all those things that also we are working on in making sure that whatever our customers build on our platform is long term sustainable. So that's another dimension of how we are working that into our platform. >> That's awesome. This is a great conversation. You know, the supply chain is on both sides, physical and software. You're starting to see them come together in great conversations. And certainly moving workloads to the cloud and running them more efficiently will help on the sustainability side, in my opinion. Of course, you guys talked about that and we've covered it. But now you start getting into how to refactor, and this is a big conversation we've been having lately is as you not just lift and shift, but replatform it and refactor, customers are seeing great advantages on this. So I have to ask you guys, how are you helping customers and organizations support sustainability and simplify the complex environment that has a lot of potential integrations? Obviously API's help of course, but that's the kind of baseline. What's the advice that you give customers? 'Cause you know, it can look complex and it becomes complex, but there's an answer here. What's your thoughts? >> Yeah, I think, so whenever I get questions like this from customers, the first thing I guide them to is, we talked earlier about this notion of consistency and how important that is. One way to solve the problem is to create an entirely new operational model, an entirely new acquisition model, and an entirely new stack of technologies in order to be more sustainable. That is probably not in the cards for most folks. What they want to do is have their existing estate and they're trying to introduce sustainability into the work that they are already doing. They don't need to build another silo in order to create sustainability, right? And so there has to be some common threads, there has to be some common platforms across the existing estate and your more sustainable estate, right? And so things like Red Hat Enterprise Linux, which can provide this kind of common, not just a technical substrate, but a common operational substrate on which you can build these solutions. If you have a common platform on which you are building solutions, whether it's RHEL or whether it's OpenShift or any of our other platforms, that creates options for you underneath. So that in some cases maybe you need to run things on-premises, some things you need to run in the cloud, but you don't have to profoundly change how you work when you're moving from one place to another. >> Adnan, what's your thoughts on the simplification? >> Yeah, I mean, when you talk about replatforming and refactoring, it is a daunting undertaking, you know, especially in today's fast paced world. But the good news is you don't have to do it by yourself. Customers don't have to do it on their own. You know, together AWS and Red Hat, we have our rich partner ecosystem, you know, AWS has over 100,000 partners that can help you take that journey, the transformation journey. And within AWS and working with our partners like Red Hat, we make sure that we have- In my mind, there are really three big pillars that you have to have to make sure that customers can successfully re-platform, refactor their applications to the modern cloud architecture. You need to have the rich set of services and tools that meet their different scenarios, different use cases. Because no one size fits all. You have to have the right programs because sometimes customers need those incentives, they need those, you know, that help in the first step. And last but not least, they need training. So all of that, we try to cover that as we work with our customers, work with our partners. And that is where, you know, together we try to help customers take that step, which is a challenging step to take. >> Yeah, you know, it's great to talk to you guys, both leaders in your field. Obviously Red Hats, I remember the days back when I was provisioning and loading OSs on hardware with CDs, if you remember those days, Gunnar. But now with the high level services, if you look at this year's reinvent, and this is kind of my final question for the segment is, that we'll get your reaction to, last year we talked about higher level service. I sat down with Adam Saleski, we talked about that. If you look at what's happened this year, you're starting to see people talk about their environment as their cloud. So Amazon has the gift of the CapEx, all that investment and people can operate on top of it. They're calling that environment their cloud. Okay? For the first time we're seeing this new dynamic where it's like they have a cloud, but Amazon's the CapEx, they're operating. So, you're starting to see the operational visibility, Gunnar, around how to operate this environment. And it's not hybrid, this, that, it's just, it's cloud. This is kind of an inflection point. Do you guys agree with that or have a reaction to that statement? Because I think this is, kind of, the next gen supercloud-like capability. We're going, we're building the cloud. It's now an environment. It's not talking about private cloud, this cloud, it's all cloud. What's your reaction? >> Yeah, I think, well, I think it's very natural. I mean, we use words like hybridcloud, multicloud, I guess supercloud is what the kids are saying now, right? It's all describing the same phenomena, right? Which is being able to take advantage of lots of different infrastructure options, but still having something that creates some commonality among them so that you can manage them effectively, right? So that you can have, kind of, uniform compliance across your estate. So that you can have, kind of, you can make the best use of your talent across the estate. I mean this is, it's a very natural thing. >> John: They're calling it cloud, the estate is the cloud. >> Yeah. So yeah, so fine, if it means that we no longer have to argue about what's multicloud and what's hybridcloud, I think that's great. Let's just call it cloud. >> Adnan, what's your reaction, 'cause this is kind of the next gen benefits of higher level services combined with amazing, you know, compute and resource at the infrastructure level. What's your view on that? >> Yeah, I think the construct of a unified environment makes sense for customers who have all these use cases which require, like for instance, if you are doing some edge computing and you're running WS outpost or you know, wavelength and these things. So, and it is fair for customer to think that, hey, this is one environment, same set of tooling that they want to build that works across all their different environments. That is why we work with partners like Red Hat so that customers who are running Red Hat Enterprise Linux on-premises and who are running in AWS get the same level of support, get the same level of security features, all of that. So from that sense, it actually makes sense for us to build these capabilities in a way that customers don't have to worry about, okay, now I'm actually in the AWS data center versus I'm running outpost on-premises. It is all one. They just use the same set of CLI, command line APIs and all of that. So in that sense it actually helps customers have that unification so that consistency of experience helps their workforce and be more productive versus figuring out, okay, what do I do, which tool I use where? >> Adnan, you just nailed it. This is about supply chain sustainability, moving the workloads into a cloud environment. You mentioned wavelength, this conversation's going to continue. We haven't even talked about the edge yet. This is something that's going to be all about operating these workloads at scale and all with the cloud services. So thanks for sharing that and we'll pick up that edge piece later. But for re:Invent right now, this is really the key conversation. How to make the sustained supply chain work in a complex environment, making it simpler. And so thanks you for sharing your insights here on theCUBE. >> Thanks, thanks for having us. >> Okay, this is theCUBE's coverage of AWS re:Invent 22. I'm John Furrier, your host. Thanks for watching. (bright music)

>>Welcome back to the Cube, as a continued coverage here from AWS Reinvent 22. It's day three of our coverage here at the Venetian in Las Vegas, and we're part of the AWS Global Startup Showcase. With me to talk about what Kong's to in that regard is Marco Palladino, who's the, the CTO and the co-founder of Con Marco. Good >>To see you. Well, thanks for having me >>Here. Yeah, I was gonna say, by the way, I, I, you've got a beautiful exhibit down on the show floor. How's the week been for you so far as an exhibitor here? >>It's been very busy. You know, to this year we made a big investment at the WS reinvent. You know, I think this is one of the best conferences in the industry. There is technology developers, but it's also business oriented. So you can learn about all the business outcomes that our, you know, customers or, you know, people are trying to make when, when adopting these new technologies. So it's very good so far. >>Good, good, good to hear. Alright, so in your world, the API world, you know, it used to be we had this, you know, giant elephant. Now we're cutting down the little pieces, right? That's right. We're all going micro now these days. That's right. Talk about that trend a little bit, what you're seeing, and we'll jump in a little deeper as to how you're addressing that. >>Well, I think the industry learned a long time ago that running large code bases is actually quite problematic when it comes to scaling the organization and capturing new opportunities. And so, you know, we're transitioning to microservices because we want to get more opportunities in our business. We want to be able to create new products, fasters, we want to be able to leverage existing services or data that we have built, like an assembly line of software, you know, picking up APIs that other developers are building, and then assemble them together to create new experiences or new products, enter new markets. And so microservices are fantastic for that, except microservices. They also introduce significant concerns on the networking layer, on the API layer. And so this is where Kong specializes by providing API infrastructure to our customers. >>Right. So more about the problems, more about the challenges there, because you're right, it, opportunities always create, you know, big upside and, and I, I don't wanna say downside, but they do introduce new complexities. >>That's right. And introducing new complexity. It's a little bit the biggest enemy of any large organization, right? We want to reduce complexity, we want to move faster, we want to be more agile, and, and we need an API vision to be able to do that. Our teams, you know, I'm speaking with customers here at Reinvent, they're telling me that in the next five years, the organization is going to be creating more APIs than all the APIs they've created up until now. Right? So how do you >>Support, that's a mind boggling number, right? >>It's mind boggling. Yeah, exactly. How do you support that type of growth? And things have been moving so fast. I feel like there is a big dilemma in, you know, with certain organizations where, you know, we have not taught a long term strategy for APIs, whereas we do have a long term strategy for our business, but APIs are running the business. We must have a long term strategy for our APIs, otherwise we're not gonna be able to execute. And that's a big dilemma right now. Yeah. >>So, so how do we get the horse back in front of the cart then? Because it's like you said, it's almost as if we've, we're, we're reprioritizing, you know, incorrectly or inaccurately, right? You're, you're getting a little bit ahead of ourselves. >>Well, so, you know, whenever we have a long-term strategy for pretty much anything in the organization, right? We know what we want to do. We know the outcome that we want to achieve. We work backwards to, you know, determine what are the steps that are gonna bring us there. And, and the responsibility for thinking long term in, in every organization, including for APIs at the end of the day, always falls on the leaders and the should on the shoulders of the leadership and, and to see executives of the organization, right? And so we're seeing, you know, look at aws by the way. Look at Amazon. This conference would not have been possible without a very strong API vision from Amazon. And the CEO himself, Jeff Bezos, everybody talks about wanting to become an API first organization. And Amazon did that with the famous Jeff Bezos mandate today, aws, it's a hundred billion revenue for Amazon. You see, Amazon was not the first organization with, with an e-commerce, but if it was the first one that married a very strong e-commerce business execution with a very strong API vision, and here we are. >>So yeah, here we are putting you squarely in, in, in a pretty good position, right? In terms of what you're offering to the marketplace who has this high demand, you see this trend starting to explode. The hockey sticks headed up a little bit, right? You know, how are you answering that call specifically at how, how are you looking at your client's needs and, and trying to address what they need and when they need it, and how they need it. Because everybody's in a kind of a different place right now. >>Right? That's exactly right. And so you have multiple teams at different stages of their journey, right? With technology, some of them are still working on legacy, some of them are moving to the cloud. Yep. Some of them are working in containers and in microservices and Kubernetes. And so how do you, how do we provide an API vision that can fulfill the needs of the entire organization in such a way that we reduce that type of fragmentation and we don't introduce too much complexity? Well, so at con, we do it by essentially splitting the API platform in three different components. Okay. One is API management. When, whenever we want to expose APIs internally or to an ecosystem of partners, right? Or to mobile, DRA is a service mesh. You know, as we're splitting these microservices into smaller parts, we have a lot of connectivity, all, you know, across all the services that the teams are building that we need to, to manage. >>You know, the network is unreliable. It's by default, not secure, not observable. There is nothing that that works in there. And so how do we make that network reliable without asking our teams to go and build these cross-cut concerns whenever they create a new service. And so we need a service match for that, right? And then finally, we could have the best AP infrastructure in the world, millions of APIs and millions of microservices. Everything is working great. And with no API consumption, all of that would be useless. The value of our APIs and the value of our infrastructure is being driven by the consumption that we're able to drive to all of these APIs. And so there is a whole area of API productivity and discovery and design and testing and mocking that enables the application teams to be successful with APIs, even when they do have a, the proper API infrastructure in place that's made of meshes and management products and so on and so forth. Right. >>Can you gimme some examples? I mean, at least with people that you've been working with in terms of addressing maybe unique needs. Cuz again, as you've addressed, journeys are in different stages now. Some people are on level one, some people are on level five. So maybe just a couple of examples Yeah. Of clients with whom you've been working. Yeah, >>So listen, I I was talking with many organizations here at AWS Reinvent that are of course trying to migrate to the cloud. That's a very common common transformation that pretty much everybody's doing in the world. And, and how do you transition to the cloud by de-risking the migration while at the same time being able to get all the benefits of, of running in the cloud? Well, we think that, you know, we can do that in two, two ways. One, by containerizing our workloads so that we can make them portable. But then we also need to lift and shift the API connectivity in such a way that we can determine how much traffic goes to the legacy and how much traffic goes to the new cloud infrastructure. And by doing that, we're able to deal with some of these transformations that can be quite complex. And then finally, API infrastructure must support every team in the organization. >>And so being able to run on a single cloud, multi-cloud, single cluster, multi cluster VMs containers, that's important and essential because we want the entire organization to be on board. Because whenever we do not do that, then the developers will make short term decisions that are not going to be fitting into the organizational outcomes that we want to achieve. And we look at any outcome that your organization wants to achieve the cloud transformation, improving customer retention, creating new products, being more agile. At the end of the day, there is an API that's powering that outcome. >>Right? Right. Well, and, and there's always a security component, right? That you have to be concerned about. So how are you raising that specter with your clients to make them aware? Because sometimes it, I wouldn't say it's an afterthought, but sometimes it's not the first thought. And, and obviously with APIs and with their integral place, you know, in, in the system now security's gotta be included in that, right? >>API security is perhaps the biggest, biggest request that we're hearing from customers. You know, 83% of the world's internet traffic at the end of the day runs on APIs, right? That's a lot of traffic. As a matter of fact, APIs are the first attack vector for any, you know, malicious store party. Whenever there is a breach, APIs must be secured. And we can secure APIs on different layers of our infrastructure. We can secure APIs at the L four mesh layer by implementing zero trust security, for example, encrypting all the traffic, assigning an identity to every service, removing the concept of trust from our systems because trust is exploitable, right? And so we need to remove the cut zero trust, remove the concept of trust, and then once we have that underlying networking that's being secure and encrypted, we want to secure access to our APIs. >>And so this is the typical authentication, authorization concerns. You know, we can use patterns like op, op or opa open policy agent to create a security layer that does not rely on the team's writing code every time they're creating a new service. But the infrastructure is enforcing the type of layer. So for example, last week I was in Sweden, as a matter of fact speaking with the largest bank in Sweden while our customers, and they were telling us that they are implementing GDPR validation in the service mesh on the OPPA layer across every service that anybody's building. Why? Well, because you can embed the GDPR settings of the consumer into a claim in a gel token, and then you can use OPPA to validate in a blanket way that Jo Token across every service in the mesh, developers don't have to do that. It just comes out of the box like that. And then finally, so networking, security, API security for access and, and management of those APIs. And then finally we have deep inspection of our API traffic. And here you will see more exotic solutions for API security, where we essentially take a subset of our API traffic and we try to inspect it to see if there is anybody doing anything that they shouldn't be doing and, and perhaps block them or, you know, raise, raise, raise the flag, so to speak. >>Well, the answer is probably yes, they are. Somebody's trying to, somebody's trying to, yeah, you're trying to block 'em out. Before I let you go, you've had some announcements leading up here to the show that's just to hit a few of those highlights, if you would. >>Well, you know, Kong is an organization that you know, is very proud of the technology that we create. Of course, we started with a, with the API gateway Con Gateway, which was our first product, the most adopted gateway in the world. But then we've expanded our platform with service mesh. We just announced D B P F support in the service mesh. For example, we made our con gateway, which was already one of the fastest gateway, if not the fastest gateway out there, 30% faster with Con Gateway 3.0. We have shipped an official con operator for Kubernetes, both community and enterprise. And then finally we're doubling down on insomnia, insomnia's, our API productivity application that essentially connects the developers with the APIs that are creating and allows them to create a discovery mechanism for testing, mocking the bagging, those APIs, all of this, we of course ship it OnPrem, but then also on the cloud. And you know, in a cloud conference right now, of course, cloud, right? Right. Is a very important part of our corporate strategy. And our customers are asking us that. Why? Because they don't wanna manage the software, they want the API platform, they don't, don't wanna manage it. >>Well, no, nobody does. And there are a few stragglers, >>A few, a few. And for them there is the on-prem >>Platform. Fine, let 'em go. Right? Exactly. But if you wanna make it a little quick and dirty, hand it off, right? Oh, >>That's exactly right. Yes. >>Let Con do the heavy lifting for you. Hey Marco, thanks for the time. Yeah, thank you so much. We appreciate, and again, congratulations on what appears to be a pretty good show for you guys. Yeah, thank you. Well done. All right, we continue our discussions here at aws. Reinvent 22. You're watching the Cube, the leader in high tech coverage. >>Okay.

>>Hello everyone. Welcome to the Cube's coverage of AWS Reinvent 22. I'm John Ferer, host of the Cube. Got some great coverage here talking about software supply chain and sustainability in the cloud. We've got a great conversation. Gunner Helickson, Vice President and general manager at Red Hat Enterprise Linux and Business Unit of Red Hat. Thanks for coming on. And Edon Eja Director, Product Management of commercial software services aws. Gentlemen, thanks for joining me today. >>Oh, it's a pleasure. >>You know, the hottest topic coming out of Cloudnative developer communities is slide chain software sustainability. This is a huge issue. As open source continues to power away and fund and grow this next generation modern development environment, you know, supply chain, you know, sustainability is a huge discussion because you gotta check things out where, what's in the code. Okay, open source is great, but now we gotta commercialize it. This is the topic, Gunner, let's get in, get with you. What, what are you seeing here and what's some of the things that you're seeing around the sustainability piece of it? Because, you know, containers, Kubernetes, we're seeing that that run time really dominate this new abstraction layer, cloud scale. What's your thoughts? >>Yeah, so I, it's interesting that the, you know, so Red Hat's been doing this for 20 years, right? Making open source safe to consume in the enterprise. And there was a time when in order to do that you needed to have a, a long term life cycle and you needed to be very good at remediating security vulnerabilities. And that was kind of, that was the bar that you had that you had to climb over. Nowadays with the number of vulnerabilities coming through, what people are most worried about is, is kind of the providence of the software and making sure that it has been vetted and it's been safe, and that that things that you get from your vendor should be more secure than things that you've just downloaded off of GitHub, for example. Right? And that's, that's a, that's a place where Red Hat's very comfortable living, right? >>Because we've been doing it for, for 20 years. I think there, there's another, there's another aspect to this, to this supply chain question as well, especially with the pandemic. You know, we've got these, these supply chains have been jammed up. The actual physical supply chains have been jammed up. And, and the two of these issues actually come together, right? Because as we've been go, as we go through the pandemic, we've had these digital transformation efforts, which are in large part people creating software in order to manage better their physical supply chain problems. And so as part of that digital transformation, you have another supply chain problem, which is the software supply chain problem, right? And so these two things kind of merge on these as people are trying to improve the performance of transportation systems, logistics, et cetera. Ultimately it all boils down to it all. Both supply chain problems actually boil down to a software problem. It's very >>Interesting that, Well, that is interesting. I wanna just follow up on that real quick if you don't mind. Because if you think about the convergence of the software and physical world, you know, that's, you know, IOT and also hybrid cloud kind of plays into that at scale, this opens up more surface area for attacks, especially when you're under a lot of pressure. This is where, you know, you can, you have a service area in the physical side and you have constraints there. And obviously the pandemic causes problems, but now you've got the software side. Can you, how are you guys handling that? Can you just share a little bit more of how you guys are looking at that with Red Hat? What's, what's the customer challenge? Obviously, you know, skills gaps is one, but like that's a convergence at the same time. More security problems. >>Yeah, yeah, that's right. And certainly the volume of, if we just look at security vulnerabilities themselves, just the volume of security vulnerabilities has gone up considerably as more people begin using the software. And as the software becomes more important to kind of critical infrastructure, more eyeballs are on it. And so we're uncovering more problems, which is kind of, that's, that's okay. That's how the world works. And so certainly the, the number of remediations required every year has gone up. But also the customer expectations, as I've mentioned before, the customer expectations have changed, right? People want to be able to show to their auditors and to their regulators that no, we, we, in fact, I can show the providence of the software that I'm using. I didn't just download something random off the internet. I actually have, like you, you know, adults paying attention to the, how the software gets put together. >>And it's still, honestly, it's still very early days. We can, I think the, in as an industry, I think we're very good at managing, identifying remediating vulnerabilities in the aggregate. We're pretty good at that. I think things are less clear when we talk about kind of the management of that supply chain, proving the provenance, proving the, and creating a resilient supply chain for software. We have lots of tools, but we don't really have lots of shared expectations. Yeah. And so it's gonna be interesting over the next few years, I think we're gonna have more rules are gonna come out. I see NIST has already, has already published some of them. And as these new rules come out, the whole industry is gonna have to kind of pull together and, and really and really rally around some of this shared understanding so we can all have shared expectations and we can all speak the same language when we're talking about this >>Problem. That's awesome. A and Amazon web service is obviously the largest cloud platform out there, you know, the pandemic, even post pandemic, some of these supply chain issues, whether it's physical or software, you're also an outlet for that. So if someone can't buy hardware or, or something physical, they can always get the cloud. You guys have great network compute and whatnot and you got thousands of ISVs across the globe. How are you helping customers with this supply chain problem? Because whether it's, you know, I need to get in my networking gears delayed, I'm gonna go to the cloud and get help there. Or whether it's knowing the workloads and, and what's going on inside them with respect open source. Cause you've got open source, which is kind of an external forcing function. You got AWS and you got, you know, physical compute stores, networking, et cetera. How are you guys helping customers with the supply chain challenge, which could be an opportunity? >>Yeah, thanks John. I think there, there are multiple layers to that. At, at the most basic level we are helping customers buy abstracting away all these data central constructs that they would have to worry about if they were running their own data centers. They would have to figure out how the networking gear, you talk about, you know, having the right compute, right physical hardware. So by moving to the cloud, at least they're delegating that problem to AWS and letting us manage and making sure that we have an instance available for them whenever they want it. And if they wanna scale it, the, the, the capacity is there for them to use now then that, so we kind of give them space to work on the second part of the problem, which is building their own supply chain solutions. And we work with all kinds of customers here at AWS from all different industry segments, automotive, retail, manufacturing. >>And you know, you see that the complexity of the supply chain with all those moving pieces, like hundreds and thousands of moving pieces, it's very daunting. So cus and then on the other hand, customers need more better services. So you need to move fast. So you need to build, build your agility in the supply chain itself. And that is where, you know, Red Hat and AWS come together where we can build, we can enable customers to build their supply chain solutions on platform like Red Hat Enterprise, Linux Rail or Red Hat OpenShift on, on aws. We call it Rosa. And the benefit there is that you can actually use the services that we, that are relevant for the supply chain solutions like Amazon managed blockchain, you know, SageMaker. So you can actually build predictive and s you can improve forecasting, you can make sure that you have solutions that help you identify where you can cut costs. And so those are some of the ways we are helping customers, you know, figure out how they actually wanna deal with the supply chain challenges that we're running into in today's world. >>Yeah, and you know, you mentioned sustainability outside of software su sustainability, you know, as people move to the cloud, we've reported on silicon angle here in the cube that it's better to have the sustainability with the cloud because then the data centers aren't using all that energy too. So there's also all kinds of sustainability advantages, Gunner, because this is, this is kind of how your relationship with Amazon's expanded. You mentioned Rosa, which is Red Hat on, you know, on OpenShift, on aws. This is interesting because one of the biggest discussions is skills gap, but we were also talking about the fact that the humans are huge part of the talent value. In other words, the, the humans still need to be involved and having that relationship with managed services and Red Hat, this piece becomes one of those things that's not talked about much, which is the talent is increasing in value the humans, and now you got managed services on the cloud, has got scale and human interactions. Can you share, you know, how you guys are working together on this piece? Cuz this is interesting cuz this kind of brings up the relationship of that operator or developer. >>Yeah, Yeah. So I think there's, so I think about this in a few dimensions. First is that the kind of the, I it's difficult to find a customer who is not talking about automation at some level right now. And obviously you can automate the processes and, and the physical infrastructure that you already have that's using tools like Ansible, right? But I think that the, combining it with the, the elasticity of a solution like aws, so you combine the automation with kind of elastic and, and converting a lot of the capital expenses into operating expenses, that's a great way actually to save labor, right? So instead of like racking hard drives, you can have somebody who's somebody do something a little more like, you know, more valuable work, right? And so, so okay, but that gives you a platform and then what do you do with that platform? >>And if you've got your systems automated and you've got this kind of elastic infrastructure underneath you, what you do on top of it is really interesting. So a great example of this is the collaboration that, that we had with running the rel workstation on aws. So you might think like, well why would anybody wanna run a workstation on, on a cloud? That doesn't make a whole lot of sense unless you consider how complex it is to set up, if you have the, the use case here is like industrial workstations, right? So it's animators, people doing computational fluid dynamics, things like this. So these are industries that are extremely data heavy. They have workstations have very large hardware requirements, often with accelerated GPUs and things like this. That is an extremely expensive thing to install on premise anywhere. And if the pandemic taught us anything, it's, if you have a bunch of very expensive talent and they all have to work from a home, it is very difficult to go provide them with, you know, several tens of thousands of dollars worth of worth of worth of workstation equipment. >>And so combine the rail workstation with the AWS infrastructure and now all that workstation computational infrastructure is available on demand and on and available right next to the considerable amount of data that they're analyzing or animating or, or, or working on. So it's a really interesting, it's, it was actually, this is an idea that I was actually born with the pandemic. Yeah. And, and it's kind of a combination of everything that we're talking about, right? It's the supply chain challenges of the customer, It's the lack of lack of talent, making sure that people are being put their best and highest use. And it's also having this kind of elastic, I think, opex heavy infrastructure as opposed to a CapEx heavy infrastructure. >>That's a great example. I think that's illustrates to me what I love about cloud right now is that you can put stuff in, in the cloud and then flex what you need when you need it at in the cloud rather than either ingress or egress data. You, you just more, you get more versatility around the workload needs, whether it's more compute or more storage or other high level services. This is kind of where this NextGen cloud is going. This is where, where, where customers want to go once their workloads are up and running. How do you simplify all this and how do you guys look at this from a joint customer perspective? Because that example I think will be something that all companies will be working on, which is put it in the cloud and flex to the, whatever the workload needs and put it closer to the work compute. I wanna put it there. If I wanna leverage more storage and networking, Well, I'll do that too. It's not one thing. It's gotta flex around what's, how are you guys simplifying this? >>Yeah, I think so for, I'll, I'll just give my point of view and then I'm, I'm very curious to hear what a not has to say about it, but the, I think and think about it in a few dimensions, right? So there's, there is a, technically like any solution that aan a nun's team and my team wanna put together needs to be kind of technically coherent, right? The things need to work well together, but that's not the, that's not even most of the job. Most of the job is actually the ensuring and operational consistency and operational simplicity so that everything is the day-to-day operations of these things kind of work well together. And then also all the way to things like support and even acquisition, right? Making sure that all the contracts work together, right? It's a really in what, So when Aon and I think about places of working together, it's very rare that we're just looking at a technical collaboration. It's actually a holistic collaboration across support acquisition as well as all the engineering that we have to do. >>And on your, your view on how you're simplifying it with Red Hat for your joint customers making Collabo >>Yeah. Gun, Yeah. Gunner covered it. Well I think the, the benefit here is that Red Hat has been the leading Linux distribution provider. So they have a lot of experience. AWS has been the leading cloud provider. So we have both our own point of views, our own learning from our respective set of customers. So the way we try to simplify and bring these things together is working closely. In fact, I sometimes joke internally that if you see Ghana and my team talking to each other on a call, you cannot really tell who who belongs to which team. Because we're always figuring out, okay, how do we simplify discount experience? How do we simplify programs? How do we simplify go to market? How do we simplify the product pieces? So it's really bringing our, our learning and share our perspective to the table and then really figure out how do we actually help customers make progress. Rosa that we talked about is a great example of that, you know, you know, we, together we figured out, hey, there is a need for customers to have this capability in AWS and we went out and built it. So those are just some of the examples in how both teams are working together to simplify the experience, make it complete, make it more coherent. >>Great. That's awesome. That next question is really around how you help organizations with the sustainability piece, how to support them, simplifying it. But first, before we get into that, what is the core problem around this sustainability discussion we're talking about here, supply chain sustainability, What is the core challenge? Can you both share your thoughts on what that problem is and what the solution looks like and then we can get into advice? >>Yeah. Well from my point of view, it's, I think, you know, one of the lessons of the last three years is every organization is kind of taking a careful look at how resilient it is. Or ever I should say, every organization learned exactly how resilient it was, right? And that comes from both the, the physical challenges and the logistics challenges that everyone had. The talent challenges you mentioned earlier. And of course the, the software challenges, you know, as everyone kind of embarks on this, this digital transformation journey that, that we've all been talking about. And I think, so I really frame it as, as resilience, right? And and resilience is at bottom is really about ensuring that you have options and that you have choices. The more choices you have, the more options you have, the more resilient you, you and your organization is going to be. And so I know that that's how, that's how I approach the market. I'm pretty sure that's exact, that's how AON is, has approaching the market, is ensuring that we are providing as many options as possible to customers so that they can assemble the right, assemble the right pieces to create a, a solution that works for their particular set of challenges or their unique set of challenges and and unique context. Aon, is that, does that sound about right to you? Yeah, >>I think you covered it well. I, I can speak to another aspect of sustainability, which is becoming increasingly top of mind for our customer is like how do they build products and services and solutions and whether it's supply chain or anything else which is sustainable, which is for the long term good of the, the planet. And I think that is where we have been also being very intentional and focused in how we design our data center. How we actually build our cooling system so that we, those are energy efficient. You know, we, we are on track to power all our operations with renewable energy by 2025, which is five years ahead of our initial commitment. And perhaps the most obvious example of all of this is our work with arm processors Graviton three, where, you know, we are building our own chip to make sure that we are designing energy efficiency into the process. And you know, we, there's the arm graviton, three arm processor chips, there are about 60% more energy efficient compared to some of the CD six comparable. So all those things that are also we are working on in making sure that whatever our customers build on our platform is long term sustainable. So that's another dimension of how we are working that into our >>Platform. That's awesome. This is a great conversation. You know, the supply chain is on both sides, physical and software. You're starting to see them come together in great conversations and certainly moving workloads to the cloud running in more efficiently will help on the sustainability side, in my opinion. Of course, you guys talked about that and we've covered it, but now you start getting into how to refactor, and this is a big conversation we've been having lately, is as you not just lift and ship but re-platform and refactor, customers are seeing great advantages on this. So I have to ask you guys, how are you helping customers and organizations support sustainability and, and simplify the complex environment that has a lot of potential integrations? Obviously API's help of course, but that's the kind of baseline, what's the, what's the advice that you give customers? Cause you know, it can look complex and it becomes complex, but there's an answer here. What's your thoughts? >>Yeah, I think so. Whenever, when, when I get questions like this from from customers, the, the first thing I guide them to is, we talked earlier about this notion of consistency and how important that is. It's one thing, it it, it is one way to solve the problem is to create an entirely new operational model, an entirely new acquisition model and an entirely new stack of technologies in order to be more sustainable. That is probably not in the cards for most folks. What they want to do is have their existing estate and they're trying to introduce sustainability into the work that they are already doing. They don't need to build another silo in order to create sustainability, right? And so there have to be, there has to be some common threads, there has to be some common platforms across the existing estate and your more sustainable estate, right? >>And, and so things like Red Hat enterprise Linux, which can provide this kind of common, not just a technical substrate, but a common operational substrate on which you can build these solutions if you have a common platform on which you are building solutions, whether it's RHEL or whether it's OpenShift or any of our other platforms that creates options for you underneath. So that in some cases maybe you need to run things on premise, some things you need to run in the cloud, but you don't have to profoundly change how you work when you're moving from one place to another. >>And that, what's your thoughts on, on the simplification? >>Yeah, I mean think that when you talk about replatforming and refactoring, it is a daunting undertaking, you know, in today's, in the, especially in today's fast paced work. So, but the good news is you don't have to do it by yourself. Customers don't have to do it on their own. You know, together AWS and Red Hat, we have our rich partner ecosystem, you know AWS over AWS has over a hundred thousand partners that can help you take that journey, the transformation journey. And within AWS and working with our partners like Red Hat, we make sure that we have all in, in my mind there are really three big pillars that you have to have to make sure that customers can successfully re-platform refactor their applications to the modern cloud architecture. You need to have the rich set of services and tools that meet their different scenarios, different use cases. Because no one size fits all. You have to have the right programs because sometimes customers need those incentives, they need those, you know, that help in the first step and last but no needs, they need training. So all of that, we try to cover that as we work with our customers, work with our partners and that is where, you know, together we try to help customers take that step, which is, which is a challenging step to take. >>Yeah. You know, it's great to talk to you guys, both leaders in your field. Obviously Red hats, well story history. I remember the days back when I was provisioning, loading OSS on hardware with, with CDs, if you remember, that was days gunner. But now with high level services, if you look at this year's reinvent, and this is like kind of my final question for the segment is then we'll get your reaction to is last year we talked about higher level services. I sat down with Adam Celski, we talked about that. If you look at what's happened this year, you're starting to see people talk about their environment as their cloud. So Amazon has the gift of the CapEx, the all that, all that investment and people can operate on top of it. They're calling that environment their cloud. Okay, For the first time we're seeing this new dynamic where it's like they have a cloud, but they're Amazon's the CapEx, they're operating. So you're starting to see the operational visibility gun around how to operate this environment. And it's not hybrid this, that it's just, it's cloud. This is kind of an inflection point. Do you guys agree with that or, or having a reaction to that statement? Because I, I think this is kind of the next gen super cloud-like capability. It's, it's, we're going, we're building the cloud. It's now an environment. It's not talking about private cloud, this cloud, it's, it's all cloud. What's your reaction? >>Yeah, I think, well I think it's a very natural, I mean we used words like hybrid cloud, multi-cloud, if, I guess super cloud is what the kids are saying now, right? It's, it's all, it's all describing the same phenomena, right? Which is, which is being able to take advantage of lots of different infrastructure options, but still having something that creates some commonality among them so that you can, so that you can manage them effectively, right? So that you can have kind of uniform compliance across your estate so that you can have kind of, you can make the best use of your talent across the estate. I mean this is a, this is, it's a very natural thing. >>They're calling it cloud, the estate is the cloud. >>Yeah. So yeah, so, so fine if it, if it means that we no longer have to argue about what's multi-cloud and what's hybrid cloud, I think that's great. Let's just call it cloud. >>And what's your reaction, cuz this is kind of the next gen benefits of, of higher level services combined with amazing, you know, compute and, and resource at the infrastructure level. What's your, what's your view on that? >>Yeah, I think the construct of a unified environment makes sense for customers who have all these use cases which require, like for instance, if you are doing some edge computing and you're running it WS outpost or you know, wave lent and these things. So, and, and it is, it is fear for customer to say, think that hey, this is one environment, same set of tooling that they wanna build that works across all their different environments. That is why we work with partners like Red Hat so that customers who are running Red Hat Enterprise Linux on premises and who are running in AWS get the same level of support, get the same level of security features, all of that. So from that sense, it actually makes sense for us to build these capabilities in a way that customers don't have to worry about, Okay, now I'm actually in the AWS data center versus I'm running outpost on premises. It is all one. They, they just use the same set of cli command line APIs and all of that. So in that sense, it's actually helps customers have that unification so that that consistency of experience helps their workforce and be more productive versus figuring out, okay, what do I do, which tool I use? Where >>And on you just nailed it. This is about supply chain sustainability, moving the workloads into a cloud environment. You mentioned wavelength, this conversation's gonna continue. We haven't even talked about the edge yet. This is something that's gonna be all about operating these workloads at scale and all the, with the cloud services. So thanks for sharing that and we'll pick up that edge piece later. But for reinvent right now, this is really the key conversation. How to bake the sustained supply chain work in a complex environment, making it simpler. And so thanks for sharing your insights here on the cube. >>Thanks. Thanks for having >>Us. Okay, this is the cube's coverage of ados Reinvent 22. I'm John Fur, your host. Thanks for watching.

>>Set restaurants. And who says TEUs had got a little ass more skin in the game for us, in charge of his destiny? You guys are excited. Robert Worship is Chief Alumni. >>My name is Dave Ante, and I'm a long time industry analyst. So when you're as old as I am, you've seen a lot of transitions. Everybody talks about industry cycles and waves. I've seen many, many waves. Met a lot of industry executives and of a little bit of a, an industry historian. When you interview many thousands of people, probably five or 6,000 people as I have over the last half of a decade, you get to interact with a lot of people's knowledge and you begin to develop patterns. And so that's sort of what I bring is, is an ability to catalyze the conversation and, you know, share that knowledge with others in the community. Our philosophy is everybody's expert at something. Everybody's passionate about something and has real deep knowledge about that's something well, we wanna focus in on that area and extract that knowledge and share it with our communities. This is Dave Ante. Thanks for watching the Cube. >>Hello everyone and welcome back to the Cube where we are streaming live this week from CubeCon. I am Savannah Peterson and I am joined by an absolutely stellar lineup of cube brilliance this afternoon. To my left, a familiar face, Lisa Martin. Lisa, how you feeling? End of day two. >>Excellent. It was so much fun today. The buzz started yesterday, the momentum, the swell, and we only heard even more greatness today. >>Yeah, yeah, abs, absolutely. You know, I, I sometimes think we've hit an energy cliff, but it feels like the energy is just >>Continuous. Well, I think we're gonna, we're gonna slide right into tomorrow. >>Yeah, me too. I love it. And we've got two fantastic analysts with us today, Sarge and Keith. Thank you both for joining us. We feel so lucky today. >>Great being back on. >>Thanks for having us. Yeah, Yeah. It's nice to have you back on the show. We were, had you yesterday, but I miss hosting with you. It's been a while. >>It has been a while. We haven't done anything in since, Since pre >>Pandemic, right? Yeah, I think you're >>Right. Four times there >>Be four times back in the day. >>We, I always enjoy whole thing, Lisa, cuz she's so well prepared. I don't have to do any research when I come >>Home. >>Lisa will bring up some, Oh, sorry. Jeep, I see that in 2008 you won this award for Yeah. Being just excellent and I, I'm like, Oh >>Yeah. All right Keith. So, >>So did you do his analysis? >>Yeah, it's all done. Yeah. Great. He only part, he's not sitting next to me too. We can't see it, so it's gonna be like a magic crystal bell. Right. So a lot of people here. You got some stats in terms of the attendees compared >>To last year? Yeah, Priyanka told us we were double last year up to 8,000. We also got the scoop earlier that 2023 is gonna be in Chicago, which is very exciting. >>Oh, that is, is nice. Yeah, >>We got to break that here. >>Excellent. Keith, talk to us about what some of the things are that you've seen the last couple of days. The momentum. What's the vibe? I saw your tweet about the top three things you were being asked. Kubernetes was not one of them. >>Kubernetes were, was not one of 'em. This conference is starting to, it, it still feels very different than a vendor conference. The keynote is kind of, you know, kind of all over the place talking about projects, but the hallway track has been, you know, I've, this is maybe my fifth or sixth CU con in person. And the hallway track is different. It's less about projects and more about how, how do we adjust to the enterprise? How do we Yes. Actually do enterprise things. And it has been amazing watching this community grow. I'm gonna say grow up and mature. Yes. You know, you know, they're not wearing ties yet, but they are definitely understanding kind of the, the friction of implementing new technology in, in an enterprise. >>Yeah. So ge what's your, what's been your take, We were with you yesterday. What's been the take today to take aways? >>NOMA has changed since yesterday, but a few things I think I, I missed talking about that yesterday were that, first of all, let's just talk about Amazon. Amazon earnings came out, it spooked the market and I think it's relevant in this context as well, because they're number one cloud provider. Yeah. And all, I mean, almost all of these technologies on the back of us here, they are related to cloud, right? So it will have some impact on these. Like we have to analyze that. Like will it make the open source go faster or slower in, in lieu of the fact that the, the cloud growth is slowing. Right? So that's, that's one thing that's put that's put that aside. I've been thinking about the, the future of Kubernetes. What is the future of Kubernetes? And in that context, I was thinking like, you know, I think in, when I put a pointer there, I think in tangents, like, what else is around this thing? So I think CN CNCF has been writing the success of Kubernetes. They are, that was their number one flagship project, if you will. And it was mature enough to stand on its own. It it was Google, it's Google's Borg dub da Kubernetes. It's a genericized version of that. Right? So folks who do tech deep down, they know that, Right. So I think it's easier to stand with a solid, you know, project. But when the newer projects come in, then your medal will get tested at cncf. Right. >>And cncf, I mean they've got over 140 projects Yeah. Right now. So there's definitely much beyond >>Kubernetes. Yeah. So they, I have numbers there. 18 graduated, right, 37 in incubation and then 81 in Sandbox stage. They have three stages, right. So it's, they have a lot to chew on and the more they take on, the less, you know, quality you get goes into it. Who is, who's putting the money behind it? Which vendors are sponsoring like cncf, like how they're getting funded up. I think it >>Something I pay attention to as well. Yeah. Yeah. Lisa, I know you've got >>Some insight. Those are the things I was thinking about today. >>I gotta ask you, what's your take on what Keith said? Are you also seeing the maturation of the enterprise here at at coupon? >>Yes, I am actually, when you say enterprise versus what's the other side? Startups, right? Yeah. So startups start using open source a lot more earlier or lot more than enterprises. The enterprise is what they need. Number one thing is the, for their production workloads, they want a vendor sporting them. I said that yesterday as well, right? So it depend depending on the size of the enterprise. If you're a big shop, definitely if you have one of the 500 or Fortune five hundreds and your tech savvy shop, then you can absorb the open source directly coming from the open source sort of universe right. Coming to you. But if you are the second tier of enterprise, you want to go to a provider which is managed service provider, or it can be cloud service provider in this case. Yep. Most of the cloud service providers have multiple versions of Kubernetes, for example. >>I'm not talking about Kubernetes only, but like, but that is one example, right? So at Amazon you can get five different flavors of Kubernetes, right? Fully manage, have, manage all kind of stuff. So people don't have bandwidth to manage that stuff locally. You have to patch it, you have to roll in the new, you know, updates and all that stuff. Like, it's a lot of work for many. So CNCF actually is formed for that reason. Like the, the charter is to bring the quality to open source. Like in other companies they have the release process and they, the stringent guidelines and QA and all that stuff. So is is something ready for production? That's the question when it comes to any software, right? So they do that kind of work and, and, and they have these buckets defined at high level, but it needs more >>Work. Yeah. So one of the things that, you know, kind of stood out to me, I have good friend in the community, Alex Ellis, who does open Fast. It's a serverless platform, great platform. Two years ago or in 2019, there was a serverless day date. And in serverless day you had K Native, you had Open Pass, you had Ws, which is supported by IBM completely, not CNCF platforms. K native came into the CNCF full when Google donated the project a few months ago or a couple of years ago, now all of a sudden there's a K native day. Yes. Not a serverless day, it's a K native day. And I asked the, the CNCF event folks like, what happened to Serverless Day? I missed having open at serverless day. And you know, they, they came out and said, you know what, K native got big enough. >>They came in and I think Red Hat and Google wanted to sponsor a K native day. So serverless day went away. So I think what what I'm interested in and over the next couple of years is, is they're gonna be pushback from the C against the cncf. Is the CNCF now too big? Is it now the gatekeeper for do I have to be one of those 147 projects, right? In order enough to get my project noticed the open, fast, great project. I don't think Al Alex has any desire to have his project hosted by cncf, but it probably deserves, you know, shoulder left recognition with that. So I'm pushing to happen to say, okay, if this is open community, this is open source. If CNC is the place to have the cloud native conversation, what about the projects that's not cncf? Like how do we have that conversation when we don't have the power of a Google right. Or a, or a Lenox, et cetera, or a Lenox Foundation. So GE what, >>What are your thoughts on that? Is, is CNC too big? >>I don't think it's too big. I think it's too small to handle the, what we are doing in open source, right? So it's a bottle. It can become a bottleneck. Okay. I think too big in a way that yeah, it has, it has, it has power from that point of view. It has that cloud, if you will. The people listen to it. If it's CNCF project or this must be good, it's like in, in incubators. Like if you are y white Combinator, you know, company, it must be good. You know, I mean, may not be >>True, but, >>Oh, I think there's a bold assumption there though. I mean, I think everyone's just trying to do the best they can. And when we're evaluating projects, a very different origin and background, it's incredibly hard. Very c and staff is a staff of 30 people. They've got 180,000 people that are contributing to these projects and a thousand maintainers that they're trying to uphold. I think the challenge is actually really great. And to me, I actually look at events as an illustration of, you know, what's the culture and the health of an organization. If I were to evaluate CNCF based on that, I'd say we're very healthy right now. I would say that we're in a good spot. There's a lot of momentum. >>Yeah. I, I think CNCF is very healthy. I'm, I'm appreciative for it being here. I love coupon. It's becoming the, the facto conference to have this conversation has >>A totally >>Different vibe to other, It's a totally different vibe. Yeah. There needs to be a conduit and truth be told, enterprise buyers, to subject's point, this is something that we do absolutely agree on, on enterprise buyers. We want someone to pick winners and losers. We do, we, we don't want a box of Lego dumped on our, the middle of our table. We want somebody to have sorted that out. So while there may be five or six different service mesh solutions, at least the cncf, I can go there and say, Oh, I'll pick between the three or four that are most popular. And it, it's a place to curate. But I think with that curation comes the other side of it. Of how do we, how, you know, without the big corporate sponsor, how do I get my project pushed up? Right? Elevated. Elevated, Yep. And, and put onto the show floor. You know, another way that projects get noticed is that startups will adopt them, Push them. They may not even be, I don't, my CNCF project may not, my product may not even be based on the CNCF product. But the new stack has a booth, Ford has a booth. Nothing to do with a individual prod up, but promoting open source. What happens when you're not sponsored? >>I gotta ask you guys, what do you disagree on? >>Oh, so what, what do we disagree on? So I'm of the mindset, I can, I can say this, I I believe hybrid infrastructure is the future of it. Bar none. If I built my infrastructure, if I built my application in the cloud 10 years ago and I'm still building net new applications, I have stuff that I built 10 years ago that looks a lot like on-prem, what do I do with it? I can't modernize it cuz I don't have the developers to do it. I need to stick that somewhere. And where I'm going to stick that at is probably a hybrid infrastructure. So colo, I'm not gonna go back to the data center, but I'm, I'm gonna look, pick up something that looks very much like the data center and I'm saying embrace that it's the future. And if you're Boeing and you have, and Boeing is a member, cncf, that's a whole nother topic. If you have as 400 s, hpu X, et cetera, stick that stuff. Colo, build new stuff, but, and, and continue to support OpenStack, et cetera, et cetera. Because that's the future. Hybrid is the future. >>And sub g agree, disagree. >>I okay. Hybrid. Nobody can deny that the hybrid is the reality, not the future. It's a reality right now. It's, it's a necessity right now you can't do without it. Right. And okay, hybrid is very relative term. You can be like 10% here, 90% still hybrid, right? So the data center is shrinking and it will keep shrinking. Right? And >>So if by whole is the data center shrinking? >>This is where >>Quick one quick getting guys for it. How is growing by a clip? Yeah, but there's no data supporting. David Lym just came out for a report I think last year that showed that the data center is holding steady, holding steady, not growing, but not shrinking. >>Who sponsored that study? Wait, hold on. So the, that's a question, right? So more than 1 million data centers have been closed. I have, I can dig that through number through somebody like some organizations we published that maybe they're cloud, you know, people only. So the, when you get these kind of statements like it, it can be very skewed statements, right. But if you have seen the, the scene out there, which you have, I know, but I have also seen a lot of data centers walk the floor of, you know, a hundred thousand servers in a data center. I cannot imagine us consuming the infrastructure the way we were going into the future of co Okay. With, with one caveat actually. I am not big fan of like broad strokes. Like make a blanket statement. Oh no, data center's dead. Or if you are, >>That's how you get those esty headlines now. Yeah, I know. >>I'm all about to >>Put a stake in the ground. >>Actually. The, I think that you get more intelligence from the new end, right? A small little details if you will. If you're golden gold manak or Bank of America, you have so many data centers and you will still have data centers because performance matters to you, right? Your late latency matters for applications. But if you are even a Fortune 500 company on the lower end and or a healthcare vertical, right? That your situation is different. If you are a high, you know, growth startup, your situation is different, right? You will be a hundred percent cloud. So cloud gives you velocity, the, the, the pace of change, the pace of experimentation that actually you are buying innovation through cloud. It's proxy for innovation. And that's how I see it. But if you have, if you're stuck with older applications, I totally understand. >>Yeah. So the >>We need that OnPrem. Yeah, >>Well I think the, the bring your fuel sober, what we agree is that cloud is the place where innovation happens. Okay? At some point innovation becomes legacy debt and you have thus hybrid, you are not going to keep your old applications up to date forever. The, the, the math just doesn't add up. And where I differ in opinion is that not everyone needs innovation to keep moving. They need innovation for a period of time and then they need steady state. So Sergeant, we >>Argue about this. I have a, I >>Love this debate though. I say it's efficiency and stability also plays an important role. I see exactly what you're talking about. No, it's >>Great. I have a counter to that. Let me tell you >>Why. Let's >>Hear it. Because if you look at the storage only, right? Just storage. Just take storage computer network for, for a minute. There three cost reps in, in infrastructure, right? So storage earlier, early on there was one tier of storage. You say pay the same price, then now there are like five storage tiers, right? What I'm trying to say is the market sets the price, the market will tell you where this whole thing will go, but I know their margins are high in cloud, 20 plus percent and margin will shrink as, as we go forward. That means the, the cloud will become cheaper relative to on-prem. It, it, in some cases it's already cheaper. But even if it's a stable workload, even in that case, we will have a lower tier of service. I mean, you, you can't argue with me that the cloud versus your data center, they are on the same tier of services. Like cloud is a better, you know, product than your data center. Hands off. >>I love it. We, we are gonna relish in the debates between the two of you. Mic drops. The energy is great. I love it. Perspective. It's not like any of us can quite see through the crystal ball that we have very informed opinions, which is super exciting. Yeah. Lisa, any last thoughts today? >>Just love, I love the debate as well. That, and that's, that's part of what being in this community is all about. So sharing about, sharing opinions, expressing opinions. That's how it grows. That's how, that's how we innovate. Yeah. Obviously we need the cloud, but that's how we innovate. That's how we grow. Yeah. And we've seen that demonstrated the last couple days and I and your, your takes here on the Cuban on Twitter. Brilliant. >>Thank you. I absolutely love it. I'm gonna close this out with a really important analysis on the swag of the show. Yes. And if you know, yesterday we were looking at what is the weirdest swag or most unique swag We had that bucket hat that took the grand prize. Today we're gonna focus on something that's actually quite cool. A lot of the vendors here have really dedicated their swag to being local to Detroit. Very specific in their sourcing. Sonotype here has COOs. They're beautiful. You can't quite feel this flannel, but it's very legit hand sound here in Michigan. I can't say that I've been to too many conferences, if any, where there was this kind of commitment to localizing and sourcing swag from around the corner. We also see this with the Intel booth. They've got screen printers out here doing custom hoodies on spot. >>Oh fun. They're even like appropriately sized. They had local artists do these designs and if you're like me and you care about what's on your wrist, you're familiar with Shinola. This is one of my favorite swags that's available. There is a contest. Oh going on. Hello here. Yeah, so if you are Atan, make sure that you go and check this out. The we, I talked about this on the show. We've had the founder on the show or the CEO and yeah, I mean Shine is just full of class as since we are in Detroit as well. One of the fun themes is cars. >>Yes. >>And Storm Forge, who are also on the show, is actually giving away an Aston Martin, which is very exciting. Not exactly manufactured in Detroit. However, still very cool on the car front and >>The double oh seven version named the best I >>Know in the sixties. It's love it. It's very cool. Two quick last things. We talk about it a lot on the show. Every company now wants to be a software company. Yep. On that vein, and keeping up with my hat theme, the Home Depot is here because they want everybody to know that they in fact are a technology company, which is very cool. They have over 500,000 employees. You can imagine there's a lot of technology that has to go into keeping Napa. Absolutely. Yep. Wild to think about. And then last, but not at least very quick, rapid fire, best t-shirt contest. If you've ever ran to one of these events, there are a ton of T-shirts out there. I rate them on two things. Wittiest line and softness. If you combine the two, you'll really be our grand champion for the year. I'm just gonna hold these up and set them down for your laughs. Not afraid to commit, which is pretty great. This is another one designed by locals here. Detroit Code City. Oh, love it. This one made me chuckle the most. Kiss my cash. >>Oh, that's >>Good. These are also really nice and soft, which is fantastic. Also high on the softness category is this Op Sarah one. I also like their bird logo. These guys, there's just, you know, just real nice touch. So unfortunately, if you have the fumble, you're not here with us, live in Detroit. At least you're gonna get taste of the swag. I taste of the stories and some smiles hear from those of us on the cube. Thank you both so much for being here with us. Lisa, thanks for another fabulous day. Got it, girl. My name's Savannah Peterson. Thank you for joining us from Detroit. We're the cube and we can't wait to see you tomorrow.

hello I'm John Furrier with thecube and welcome to this special presentation of the cube and Horizon 3.ai they're announcing a global partner first approach expanding their successful pen testing product Net Zero you're going to hear from leading experts in their staff their CEO positioning themselves for a successful Channel distribution expansion internationally in Europe Middle East Africa and Asia Pacific in this Cube special presentation you'll hear about the expansion the expanse partner program giving Partners a unique opportunity to offer Net Zero to their customers Innovation and Pen testing is going International with Horizon 3.ai enjoy the program [Music] welcome back everyone to the cube and Horizon 3.ai special presentation I'm John Furrier host of thecube we're here with Jennifer Lee head of Channel sales at Horizon 3.ai Jennifer welcome to the cube thanks for coming on great well thank you for having me so big news around Horizon 3.aa driving Channel first commitment you guys are expanding the channel partner program to include all kinds of new rewards incentives training programs help educate you know Partners really drive more recurring Revenue certainly cloud and Cloud scale has done that you got a great product that fits into that kind of Channel model great Services you can wrap around it good stuff so let's get into it what are you guys doing what are what are you guys doing with this news why is this so important yeah for sure so um yeah we like you said we recently expanded our Channel partner program um the driving force behind it was really just um to align our like you said our Channel first commitment um and creating awareness around the importance of our partner ecosystems um so that's it's really how we go to market is is through the channel and a great International Focus I've talked with the CEO so you know about the solution and he broke down all the action on why it's important on the product side but why now on the go to market change what's the what's the why behind this big this news on the channel yeah for sure so um we are doing this now really to align our business strategy which is built on the concept of enabling our partners to create a high value high margin business on top of our platform and so um we offer a solution called node zero it provides autonomous pen testing as a service and it allows organizations to continuously verify their security posture um so we our company vision we have this tagline that states that our pen testing enables organizations to see themselves Through The Eyes of an attacker and um we use the like the attacker's perspective to identify exploitable weaknesses and vulnerabilities so we created this partner program from a perspective of the partner so the partner's perspective and we've built It Through The Eyes of our partner right so we're prioritizing really what the partner is looking for and uh will ensure like Mutual success for us yeah the partners always want to get in front of the customers and bring new stuff to them pen tests have traditionally been really expensive uh and so bringing it down in one to a service level that's one affordable and has flexibility to it allows a lot of capability so I imagine people getting excited by it so I have to ask you about the program What specifically are you guys doing can you share any details around what it means for the partners what they get what's in it for them can you just break down some of the mechanics and mechanisms or or details yeah yep um you know we're really looking to create business alignment um and like I said establish Mutual success with our partners so we've got two um two key elements that we were really focused on um that we bring to the partners so the opportunity the profit margin expansion is one of them and um a way for our partners to really differentiate themselves and stay relevant in the market so um we've restructured our discount model really um you know highlighting profitability and maximizing profitability and uh this includes our deal registration we've we've created deal registration program we've increased discount for partners who take part in our partner certification uh trainings and we've we have some other partner incentives uh that we we've created that that's going to help out there we've we put this all so we've recently Gone live with our partner portal um it's a Consolidated experience for our partners where they can access our our sales tools and we really view our partners as an extension of our sales and Technical teams and so we've extended all of our our training material that we use internally we've made it available to our partners through our partner portal um we've um I'm trying I'm thinking now back what else is in that partner portal here we've got our partner certification information so all the content that's delivered during that training can be found in the portal we've got deal registration uh um co-branded marketing materials pipeline management and so um this this portal gives our partners a One-Stop place to to go to find all that information um and then just really quickly on the second part of that that I mentioned is our technology really is um really disruptive to the market so you know like you said autonomous pen testing it's um it's still it's well it's still still relatively new topic uh for security practitioners and um it's proven to be really disruptive so um that on top of um just well recently we found an article that um that mentioned by markets and markets that reports that the global pen testing markets really expanding and so it's expected to grow to like 2.7 billion um by 2027. so the Market's there right the Market's expanding it's growing and so for our partners it's just really allows them to grow their revenue um across their customer base expand their customer base and offering this High profit margin while you know getting in early to Market on this just disruptive technology big Market a lot of opportunities to make some money people love to put more margin on on those deals especially when you can bring a great solution that everyone knows is hard to do so I think that's going to provide a lot of value is there is there a type of partner that you guys see emerging or you aligning with you mentioned the alignment with the partners I can see how that the training and the incentives are all there sounds like it's all going well is there a type of partner that's resonating the most or is there categories of partners that can take advantage of this yeah absolutely so we work with all different kinds of Partners we work with our traditional resale Partners um we've worked we're working with systems integrators we have a really strong MSP mssp program um we've got Consulting partners and the Consulting Partners especially with the ones that offer pen test services so we they use us as a as we act as a force multiplier just really offering them profit margin expansion um opportunity there we've got some technology partner partners that we really work with for co-cell opportunities and then we've got our Cloud Partners um you'd mentioned that earlier and so we are in AWS Marketplace so our ccpo partners we're part of the ISP accelerate program um so we we're doing a lot there with our Cloud partners and um of course we uh we go to market with uh distribution Partners as well gotta love the opportunity for more margin expansion every kind of partner wants to put more gross profit on their deals is there a certification involved I have to ask is there like do you get do people get certified or is it just you get trained is it self-paced training is it in person how are you guys doing the whole training certification thing because is that is that a requirement yeah absolutely so we do offer a certification program and um it's been very popular this includes a a seller's portion and an operator portion and and so um this is at no cost to our partners and um we operate both virtually it's it's law it's virtually but live it's not self-paced and we also have in person um you know sessions as well and we also can customize these to any partners that have a large group of people and we can just we can do one in person or virtual just specifically for that partner well any kind of incentive opportunities and marketing opportunities everyone loves to get the uh get the deals just kind of rolling in leads from what we can see if our early reporting this looks like a hot product price wise service level wise what incentive do you guys thinking about and and Joint marketing you mentioned co-sell earlier in pipeline so I was kind of kind of honing in on that piece sure and yes and then to follow along with our partner certification program we do incentivize our partners there if they have a certain number certified their discount increases so that's part of it we have our deal registration program that increases discount as well um and then we do have some um some partner incentives that are wrapped around meeting setting and um moving moving opportunities along to uh proof of value gotta love the education driving value I have to ask you so you've been around the industry you've seen the channel relationships out there you're seeing companies old school new school you know uh Horizon 3.ai is kind of like that new school very cloud specific a lot of Leverage with we mentioned AWS and all the clouds um why is the company so hot right now why did you join them and what's why are people attracted to this company what's the what's the attraction what's the vibe what do you what do you see and what what do you use what did you see in in this company well this is just you know like I said it's very disruptive um it's really in high demand right now and um and and just because because it's new to Market and uh a newer technology so we are we can collaborate with a manual pen tester um we can you know we can allow our customers to run their pen test um with with no specialty teams and um and and then so we and like you know like I said we can allow our partners can actually build businesses profitable businesses so we can they can use our product to increase their services revenue and um and build their business model you know around around our services what's interesting about the pen test thing is that it's very expensive and time consuming the people who do them are very talented people that could be working on really bigger things in the in absolutely customers so bringing this into the channel allows them if you look at the price Delta between a pen test and then what you guys are offering I mean that's a huge margin Gap between street price of say today's pen test and what you guys offer when you show people that they follow do they say too good to be true I mean what are some of the things that people say when you kind of show them that are they like scratch their head like come on what's the what's the catch here right so the cost savings is a huge is huge for us um and then also you know like I said working as a force multiplier with a pen testing company that offers the services and so they can they can do their their annual manual pen tests that may be required around compliance regulations and then we can we can act as the continuous verification of their security um um you know that that they can run um weekly and so it's just um you know it's just an addition to to what they're offering already and an expansion so Jennifer thanks for coming on thecube really appreciate you uh coming on sharing the insights on the channel uh what's next what can we expect from the channel group what are you thinking what's going on right so we're really looking to expand our our Channel um footprint and um very strategically uh we've got um we've got some big plans um for for Horizon 3.ai awesome well thanks for coming on really appreciate it you're watching thecube the leader in high tech Enterprise coverage [Music] [Music] hello and welcome to the Cube's special presentation with Horizon 3.ai with Raina Richter vice president of emea Europe Middle East and Africa and Asia Pacific APAC for Horizon 3 today welcome to this special Cube presentation thanks for joining us thank you for the invitation so Horizon 3 a guy driving Global expansion big international news with a partner first approach you guys are expanding internationally let's get into it you guys are driving this new expanse partner program to new heights tell us about it what are you seeing in the momentum why the expansion what's all the news about well I would say uh yeah in in international we have I would say a similar similar situation like in the US um there is a global shortage of well-educated penetration testers on the one hand side on the other side um we have a raising demand of uh network and infrastructure security and with our approach of an uh autonomous penetration testing I I believe we are totally on top of the game um especially as we have also now uh starting with an international instance that means for example if a customer in Europe is using uh our service node zero he will be connected to a node zero instance which is located inside the European Union and therefore he has doesn't have to worry about the conflict between the European the gdpr regulations versus the US Cloud act and I would say there we have a total good package for our partners that they can provide differentiators to their customers you know we've had great conversations here on thecube with the CEO and the founder of the company around the leverage of the cloud and how successful that's been for the company and honestly I can just Connect the Dots here but I'd like you to weigh in more on how that translates into the go to market here because you got great Cloud scale with with the security product you guys are having success with great leverage there I've seen a lot of success there what's the momentum on the channel partner program internationally why is it so important to you is it just the regional segmentation is it the economics why the momentum well there are it's there are multiple issues first of all there is a raising demand in penetration testing um and don't forget that uh in international we have a much higher level in number a number or percentage in SMB and mid-market customers so these customers typically most of them even didn't have a pen test done once a year so for them pen testing was just too expensive now with our offering together with our partners we can provide different uh ways how customers could get an autonomous pen testing done more than once a year with even lower costs than they had with with a traditional manual paint test so and that is because we have our uh Consulting plus package which is for typically pain testers they can go out and can do a much faster much quicker and their pain test at many customers once in after each other so they can do more pain tests on a lower more attractive price on the other side there are others what even the same ones who are providing um node zero as an mssp service so they can go after s p customers saying okay well you only have a couple of hundred uh IP addresses no worries we have the perfect package for you and then you have let's say the mid Market let's say the thousands and more employees then they might even have an annual subscription very traditional but for all of them it's all the same the customer or the service provider doesn't need a piece of Hardware they only need to install a small piece of a Docker container and that's it and that makes it so so smooth to go in and say okay Mr customer we just put in this this virtual attacker into your network and that's it and and all the rest is done and within within three clicks they are they can act like a pen tester with 20 years of experience and that's going to be very Channel friendly and partner friendly I can almost imagine so I have to ask you and thank you for calling the break calling out that breakdown and and segmentation that was good that was very helpful for me to understand but I want to follow up if you don't mind um what type of partners are you seeing the most traction with and why well I would say at the beginning typically you have the the innovators the early adapters typically Boutique size of Partners they start because they they are always looking for Innovation and those are the ones you they start in the beginning so we have a wide range of Partners having mostly even um managed by the owner of the company so uh they immediately understand okay there is the value and they can change their offering they're changing their offering in terms of penetration testing because they can do more pen tests and they can then add other ones or we have those ones who offer 10 tests services but they did not have their own pen testers so they had to go out on the open market and Source paint testing experts um to get the pen test at a particular customer done and now with node zero they're totally independent they can't go out and say okay Mr customer here's the here's the service that's it we turn it on and within an hour you're up and running totally yeah and those pen tests are usually expensive and hard to do now it's right in line with the sales delivery pretty interesting for a partner absolutely but on the other hand side we are not killing the pain testers business we do something we're providing with no tiers I would call something like the foundation work the foundational work of having an an ongoing penetration testing of the infrastructure the operating system and the pen testers by themselves they can concentrate in the future on things like application pen testing for example so those Services which we we're not touching so we're not killing the paint tester Market we're just taking away the ongoing um let's say foundation work call it that way yeah yeah that was one of my questions I was going to ask is there's a lot of interest in this autonomous pen testing one because it's expensive to do because those skills are required are in need and they're expensive so you kind of cover the entry level and the blockers that are in there I've seen people say to me this pen test becomes a blocker for getting things done so there's been a lot of interest in the autonomous pen testing and for organizations to have that posture and it's an overseas issue too because now you have that that ongoing thing so can you explain that particular benefit for an organization to have that continuously verifying an organization's posture yep certainly so I would say um typically you are you you have to do your patches you have to bring in new versions of operating systems of different Services of uh um operating systems of some components and and they are always bringing new vulnerabilities the difference here is that with node zero we are telling the customer or the partner package we're telling them which are the executable vulnerabilities because previously they might have had um a vulnerability scanner so this vulnerability scanner brought up hundreds or even thousands of cves but didn't say anything about which of them are vulnerable really executable and then you need an expert digging in one cve after the other finding out is it is it really executable yes or no and that is where you need highly paid experts which we have a shortage so with notes here now we can say okay we tell you exactly which ones are the ones you should work on because those are the ones which are executable we rank them accordingly to the risk level how easily they can be used and by a sudden and then the good thing is convert it or indifference to the traditional penetration test they don't have to wait for a year for the next pain test to find out if the fixing was effective they weren't just the next scan and say Yes closed vulnerability is gone the time is really valuable and if you're doing any devops Cloud native you're always pushing new things so pen test ongoing pen testing is actually a benefit just in general as a kind of hygiene so really really interesting solution really bring that global scale is going to be a new new coverage area for us for sure I have to ask you if you don't mind answering what particular region are you focused on or plan to Target for this next phase of growth well at this moment we are concentrating on the countries inside the European Union Plus the United Kingdom um but we are and they are of course logically I'm based into Frankfurt area that means we cover more or less the countries just around so it's like the total dark region Germany Switzerland Austria plus the Netherlands but we also already have Partners in the nordics like in Finland or in Sweden um so it's it's it it's rapidly we have Partners already in the UK and it's rapidly growing so I'm for example we are now starting with some activities in Singapore um um and also in the in the Middle East area um very important we uh depending on let's say the the way how to do business currently we try to concentrate on those countries where we can have um let's say um at least English as an accepted business language great is there any particular region you're having the most success with right now is it sounds like European Union's um kind of first wave what's them yes that's the first definitely that's the first wave and now we're also getting the uh the European instance up and running it's clearly our commitment also to the market saying okay we know there are certain dedicated uh requirements and we take care of this and and we're just launching it we're building up this one uh the instance um in the AWS uh service center here in Frankfurt also with some dedicated Hardware internet in a data center in Frankfurt where we have with the date six by the way uh the highest internet interconnection bandwidth on the planet so we have very short latency to wherever you are on on the globe that's a great that's a great call outfit benefit too I was going to ask that what are some of the benefits your partners are seeing in emea and Asia Pacific well I would say um the the benefits is for them it's clearly they can they can uh talk with customers and can offer customers penetration testing which they before and even didn't think about because it penetrates penetration testing in a traditional way was simply too expensive for them too complex the preparation time was too long um they didn't have even have the capacity uh to um to support a pain an external pain tester now with this service you can go in and say even if they Mr customer we can do a test with you in a couple of minutes within we have installed the docker container within 10 minutes we have the pen test started that's it and then we just wait and and I would say that is we'll we are we are seeing so many aha moments then now because on the partner side when they see node zero the first time working it's like this wow that is great and then they work out to customers and and show it to their typically at the beginning mostly the friendly customers like wow that's great I need that and and I would say um the feedback from the partners is that is a service where I do not have to evangelize the customer everybody understands penetration testing I don't have to say describe what it is they understand the customer understanding immediately yes penetration testing good about that I know I should do it but uh too complex too expensive now with the name is for example as an mssp service provided from one of our partners but it's getting easy yeah it's great and it's great great benefit there I mean I gotta say I'm a huge fan of what you guys are doing I like this continuous automation that's a major benefit to anyone doing devops or any kind of modern application development this is just a godsend for them this is really good and like you said the pen testers that are doing it they were kind of coming down from their expertise to kind of do things that should have been automated they get to focus on the bigger ticket items that's a really big point so we free them we free the pain testers for the higher level elements of the penetration testing segment and that is typically the application testing which is currently far away from being automated yeah and that's where the most critical workloads are and I think this is the nice balance congratulations on the international expansion of the program and thanks for coming on this special presentation really I really appreciate it thank you you're welcome okay this is thecube special presentation you know check out pen test automation International expansion Horizon 3 dot AI uh really Innovative solution in our next segment Chris Hill sector head for strategic accounts will discuss the power of Horizon 3.ai and Splunk in action you're watching the cube the leader in high tech Enterprise coverage foreign [Music] [Music] welcome back everyone to the cube and Horizon 3.ai special presentation I'm John Furrier host of thecube we're with Chris Hill sector head for strategic accounts and federal at Horizon 3.ai a great Innovative company Chris great to see you thanks for coming on thecube yeah like I said uh you know great to meet you John long time listener first time caller so excited to be here with you guys yeah we were talking before camera you had Splunk back in 2013 and I think 2012 was our first splunk.com and boy man you know talk about being in the right place at the right time now we're at another inflection point and Splunk continues to be relevant um and continuing to have that data driving Security in that interplay and your CEO former CTO of his plug as well at Horizon who's been on before really Innovative product you guys have but you know yeah don't wait for a breach to find out if you're logging the right data this is the topic of this thread Splunk is very much part of this new international expansion announcement uh with you guys tell us what are some of the challenges that you see where this is relevant for the Splunk and Horizon AI as you guys expand uh node zero out internationally yeah well so across so you know my role uh within Splunk it was uh working with our most strategic accounts and so I looked back to 2013 and I think about the sales process like working with with our small customers you know it was um it was still very siled back then like I was selling to an I.T team that was either using this for it operations um we generally would always even say yeah although we do security we weren't really designed for it we're a log management tool and we I'm sure you remember back then John we were like sort of stepping into the security space and and the public sector domain that I was in you know security was 70 of what we did when I look back to sort of uh the transformation that I was witnessing in that digital transformation um you know when I look at like 2019 to today you look at how uh the IT team and the security teams are being have been forced to break down those barriers that they used to sort of be silent away would not commute communicate one you know the security guys would be like oh this is my box I.T you're not allowed in today you can't get away with that and I think that the value that we bring to you know and of course Splunk has been a huge leader in that space and continues to do Innovation across the board but I think what we've we're seeing in the space and I was talking with Patrick Coughlin the SVP of uh security markets about this is that you know what we've been able to do with Splunk is build a purpose-built solution that allows Splunk to eat more data so Splunk itself is ulk know it's an ingest engine right the great reason people bought it was you could build these really fast dashboards and grab intelligence out of it but without data it doesn't do anything right so how do you drive and how do you bring more data in and most importantly from a customer perspective how do you bring the right data in and so if you think about what node zero and what we're doing in a horizon 3 is that sure we do pen testing but because we're an autonomous pen testing tool we do it continuously so this whole thought I'd be like oh crud like my customers oh yeah we got a pen test coming up it's gonna be six weeks the week oh yeah you know and everyone's gonna sit on their hands call me back in two months Chris we'll talk to you then right not not a real efficient way to test your environment and shoot we saw that with Uber this week right um you know and that's a case where we could have helped oh just right we could explain the Uber thing because it was a contractor just give a quick highlight of what happened so you can connect the doctor yeah no problem so um it was uh I got I think it was yeah one of those uh you know games where they would try and test an environment um and with the uh pen tester did was he kept on calling them MFA guys being like I need to reset my password we need to set my right password and eventually the um the customer service guy said okay I'm resetting it once he had reset and bypassed the multi-factor authentication he then was able to get in and get access to the building area that he was in or I think not the domain but he was able to gain access to a partial part of that Network he then paralleled over to what I would assume is like a VA VMware or some virtual machine that had notes that had all of the credentials for logging into various domains and So within minutes they had access and that's the sort of stuff that we do you know a lot of these tools like um you know you think about the cacophony of tools that are out there in a GTA architect architecture right I'm gonna get like a z-scale or I'm going to have uh octum and I have a Splunk I've been into the solar system I mean I don't mean to name names we have crowdstriker or Sentinel one in there it's just it's a cacophony of things that don't work together they weren't designed work together and so we have seen so many times in our business through our customer support and just working with customers when we do their pen tests that there will be 5 000 servers out there three are misconfigured those three misconfigurations will create the open door because remember the hacker only needs to be right once the defender needs to be right all the time and that's the challenge and so that's what I'm really passionate about what we're doing uh here at Horizon three I see this my digital transformation migration and security going on which uh we're at the tip of the spear it's why I joined sey Hall coming on this journey uh and just super excited about where the path's going and super excited about the relationship with Splunk I get into more details on some of the specifics of that but um you know well you're nailing I mean we've been doing a lot of things on super cloud and this next gen environment we're calling it next gen you're really seeing devops obviously devsecops has already won the it role has moved to the developer shift left is an indicator of that it's one of the many examples higher velocity code software supply chain you hear these things that means that it is now in the developer hands it is replaced by the new Ops data Ops teams and security where there's a lot of horizontal thinking to your point about access there's no more perimeter huge 100 right is really right on things one time you know to get in there once you're in then you can hang out move around move laterally big problem okay so we get that now the challenges for these teams as they are transitioning organizationally how do they figure out what to do okay this is the next step they already have Splunk so now they're kind of in transition while protecting for a hundred percent ratio of success so how would you look at that and describe the challenge is what do they do what is it what are the teams facing with their data and what's next what are they what are they what action do they take so let's use some vernacular that folks will know so if I think about devsecops right we both know what that means that I'm going to build security into the app it normally talks about sec devops right how am I building security around the perimeter of what's going inside my ecosystem and what are they doing and so if you think about what we're able to do with somebody like Splunk is we can pen test the entire environment from Soup To Nuts right so I'm going to test the end points through to its I'm going to look for misconfigurations I'm going to I'm going to look for um uh credential exposed credentials you know I'm going to look for anything I can in the environment again I'm going to do it at light speed and and what what we're doing for that SEC devops space is to you know did you detect that we were in your environment so did we alert Splunk or the Sim that there's someone in the environment laterally moving around did they more importantly did they log us into their environment and when do they detect that log to trigger that log did they alert on us and then finally most importantly for every CSO out there is going to be did they stop us and so that's how we we do this and I think you when speaking with um stay Hall before you know we've come up with this um boils but we call it fine fix verifying so what we do is we go in is we act as the attacker right we act in a production environment so we're not going to be we're a passive attacker but we will go in on credentialed on agents but we have to assume to have an assumed breach model which means we're going to put a Docker container in your environment and then we're going to fingerprint the environment so we're going to go out and do an asset survey now that's something that's not something that Splunk does super well you know so can Splunk see all the assets do the same assets marry up we're going to log all that data and think and then put load that into this long Sim or the smoke logging tools just to have it in Enterprise right that's an immediate future ad that they've got um and then we've got the fix so once we've completed our pen test um we are then going to generate a report and we can talk about these in a little bit later but the reports will show an executive summary the assets that we found which would be your asset Discovery aspect of that a fix report and the fixed report I think is probably the most important one it will go down and identify what we did how we did it and then how to fix that and then from that the pen tester or the organization should fix those then they go back and run another test and then they validate like a change detection environment to see hey did those fixes taste play take place and you know snehaw when he was the CTO of jsoc he shared with me a number of times about it's like man there would be 15 more items on next week's punch sheet that we didn't know about and it's and it has to do with how we you know how they were uh prioritizing the cves and whatnot because they would take all CBDs it was critical or non-critical and it's like we are able to create context in that environment that feeds better information into Splunk and whatnot that brings that brings up the efficiency for Splunk specifically the teams out there by the way the burnout thing is real I mean this whole I just finished my list and I got 15 more or whatever the list just can keeps growing how did node zero specifically help Splunk teams be more efficient like that's the question I want to get at because this seems like a very scale way for Splunk customers and teams service teams to be more so the question is how does node zero help make Splunk specifically their service teams be more efficient so so today in our early interactions we're building customers we've seen are five things um and I'll start with sort of identifying the blind spots right so kind of what I just talked about with you did we detect did we log did we alert did they stop node zero right and so I would I put that you know a more Layman's third grade term and if I was going to beat a fifth grader at this game would be we can be the sparring partner for a Splunk Enterprise customer a Splunk Essentials customer someone using Splunk soar or even just an Enterprise Splunk customer that may be a small shop with three people and just wants to know where am I exposed so by creating and generating these reports and then having um the API that actually generates the dashboard they can take all of these events that we've logged and log them in and then where that then comes in is number two is how do we prioritize those logs right so how do we create visibility to logs that that um are have critical impacts and again as I mentioned earlier not all cves are high impact regard and also not all or low right so if you daisy chain a bunch of low cves together boom I've got a mission critical AP uh CPE that needs to be fixed now such as a credential moving to an NT box that's got a text file with a bunch of passwords on it that would be very bad um and then third would be uh verifying that you have all of the hosts so one of the things that splunk's not particularly great at and they'll literate themselves they don't do asset Discovery so dude what assets do we see and what are they logging from that um and then for from um for every event that they are able to identify one of the cool things that we can do is actually create this low code no code environment so they could let you know Splunk customers can use Splunk sword to actually triage events and prioritize that event so where they're being routed within it to optimize the Sox team time to Market or time to triage any given event obviously reducing MTR and then finally I think one of the neatest things that we'll be seeing us develop is um our ability to build glass cables so behind me you'll see one of our triage events and how we build uh a Lockheed Martin kill chain on that with a glass table which is very familiar to the community we're going to have the ability and not too distant future to allow people to search observe on those iocs and if people aren't familiar with it ioc it's an instant of a compromise so that's a vector that we want to drill into and of course who's better at Drilling in the data and smoke yeah this is a critter this is an awesome Synergy there I mean I can see a Splunk customer going man this just gives me so much more capability action actionability and also real understanding and I think this is what I want to dig into if you don't mind understanding that critical impact okay is kind of where I see this coming got the data data ingest now data's data but the question is what not to log you know where are things misconfigured these are critical questions so can you talk about what it means to understand critical impact yeah so I think you know going back to the things that I just spoke about a lot of those cves where you'll see um uh low low low and then you daisy chain together and they're suddenly like oh this is high now but then your other impact of like if you're if you're a Splunk customer you know and I had it I had several of them I had one customer that you know terabytes of McAfee data being brought in and it was like all right there's a lot of other data that you probably also want to bring but they could only afford wanted to do certain data sets because that's and they didn't know how to prioritize or filter those data sets and so we provide that opportunity to say hey these are the critical ones to bring in but there's also the ones that you don't necessarily need to bring in because low cve in this case really does mean low cve like an ILO server would be one that um that's the print server uh where the uh your admin credentials are on on like a printer and so there will be credentials on that that's something that a hacker might go in to look at so although the cve on it is low is if you daisy chain with somebody that's able to get into that you might say Ah that's high and we would then potentially rank it giving our AI logic to say that's a moderate so put it on the scale and we prioritize those versus uh of all of these scanners just going to give you a bunch of CDs and good luck and translating that if I if I can and tell me if I'm wrong that kind of speaks to that whole lateral movement that's it challenge right print serve a great example looks stupid low end who's going to want to deal with the print server oh but it's connected into a critical system there's a path is that kind of what you're getting at yeah I use Daisy Chain I think that's from the community they came from uh but it's just a lateral movement it's exactly what they're doing in those low level low critical lateral movements is where the hackers are getting in right so that's the beauty thing about the uh the Uber example is that who would have thought you know I've got my monthly Factor authentication going in a human made a mistake we can't we can't not expect humans to make mistakes we're fallible right the reality is is once they were in the environment they could have protected themselves by running enough pen tests to know that they had certain uh exposed credentials that would have stopped the breach and they did not had not done that in their environment and I'm not poking yeah but it's an interesting Trend though I mean it's obvious if sometimes those low end items are also not protected well so it's easy to get at from a hacker standpoint but also the people in charge of them can be fished easily or spearfished because they're not paying attention because they don't have to no one ever told them hey be careful yeah for the community that I came from John that's exactly how they they would uh meet you at a uh an International Event um introduce themselves as a graduate student these are National actor States uh would you mind reviewing my thesis on such and such and I was at Adobe at the time that I was working on this instead of having to get the PDF they opened the PDF and whoever that customer was launches and I don't know if you remember back in like 2008 time frame there was a lot of issues around IP being by a nation state being stolen from the United States and that's exactly how they did it and John that's or LinkedIn hey I want to get a joke we want to hire you double the salary oh I'm gonna click on that for sure you know yeah right exactly yeah the one thing I would say to you is like uh when we look at like sort of you know because I think we did 10 000 pen tests last year is it's probably over that now you know we have these sort of top 10 ways that we think and find people coming into the environment the funniest thing is that only one of them is a cve related vulnerability like uh you know you guys know what they are right so it's it but it's it's like two percent of the attacks are occurring through the cves but yeah there's all that attention spent to that and very little attention spent to this pen testing side which is sort of this continuous threat you know monitoring space and and this vulnerability space where I think we play a such an important role and I'm so excited to be a part of the tip of the spear on this one yeah I'm old enough to know the movie sneakers which I loved as a you know watching that movie you know professional hackers are testing testing always testing the environment I love this I got to ask you as we kind of wrap up here Chris if you don't mind the the benefits to Professional Services from this Alliance big news Splunk and you guys work well together we see that clearly what are what other benefits do Professional Services teams see from the Splunk and Horizon 3.ai Alliance so if you're I think for from our our from both of our uh Partners uh as we bring these guys together and many of them already are the same partner right uh is that uh first off the licensing model is probably one of the key areas that we really excel at so if you're an end user you can buy uh for the Enterprise by the number of IP addresses you're using um but uh if you're a partner working with this there's solution ways that you can go in and we'll license as to msps and what that business model on msps looks like but the unique thing that we do here is this C plus license and so the Consulting plus license allows like a uh somebody a small to mid-sized to some very large uh you know Fortune 100 uh consulting firms use this uh by buying into a license called um Consulting plus where they can have unlimited uh access to as many IPS as they want but you can only run one test at a time and as you can imagine when we're going and hacking passwords and um checking hashes and decrypting hashes that can take a while so but for the right customer it's it's a perfect tool and so I I'm so excited about our ability to go to market with uh our partners so that we understand ourselves understand how not to just sell to or not tell just to sell through but we know how to sell with them as a good vendor partner I think that that's one thing that we've done a really good job building bring it into the market yeah I think also the Splunk has had great success how they've enabled uh partners and Professional Services absolutely you know the services that layer on top of Splunk are multi-fold tons of great benefits so you guys Vector right into that ride that way with friction and and the cool thing is that in you know in one of our reports which could be totally customized uh with someone else's logo we're going to generate you know so I I used to work in another organization it wasn't Splunk but we we did uh you know pen testing as for for customers and my pen testers would come on site they'd do the engagement and they would leave and then another release someone would be oh shoot we got another sector that was breached and they'd call you back you know four weeks later and so by August our entire pen testings teams would be sold out and it would be like well even in March maybe and they're like no no I gotta breach now and and and then when they do go in they go through do the pen test and they hand over a PDF and they pack on the back and say there's where your problems are you need to fix it and the reality is that what we're going to generate completely autonomously with no human interaction is we're going to go and find all the permutations of anything we found and the fix for those permutations and then once you've fixed everything you just go back and run another pen test it's you know for what people pay for one pen test they can have a tool that does that every every Pat patch on Tuesday and that's on Wednesday you know triage throughout the week green yellow red I wanted to see the colors show me green green is good right not red and one CIO doesn't want who doesn't want that dashboard right it's it's exactly it and we can help bring I think that you know I'm really excited about helping drive this with the Splunk team because they get that they understand that it's the green yellow red dashboard and and how do we help them find more green uh so that the other guys are in red yeah and get in the data and do the right thing and be efficient with how you use the data know what to look at so many things to pay attention to you know the combination of both and then go to market strategy real brilliant congratulations Chris thanks for coming on and sharing um this news with the detail around the Splunk in action around the alliance thanks for sharing John my pleasure thanks look forward to seeing you soon all right great we'll follow up and do another segment on devops and I.T and security teams as the new new Ops but and super cloud a bunch of other stuff so thanks for coming on and our next segment the CEO of horizon 3.aa will break down all the new news for us here on thecube you're watching thecube the leader in high tech Enterprise coverage [Music] yeah the partner program for us has been fantastic you know I think prior to that you know as most organizations most uh uh most Farmers most mssps might not necessarily have a a bench at all for penetration testing uh maybe they subcontract this work out or maybe they do it themselves but trying to staff that kind of position can be incredibly difficult for us this was a differentiator a a new a new partner a new partnership that allowed us to uh not only perform services for our customers but be able to provide a product by which that they can do it themselves so we work with our customers in a variety of ways some of them want more routine testing and perform this themselves but we're also a certified service provider of horizon 3 being able to perform uh penetration tests uh help review the the data provide color provide analysis for our customers in a broader sense right not necessarily the the black and white elements of you know what was uh what's critical what's high what's medium what's low what you need to fix but are there systemic issues this has allowed us to onboard new customers this has allowed us to migrate some penetration testing services to us from from competitors in the marketplace But ultimately this is occurring because the the product and the outcome are special they're unique and they're effective our customers like what they're seeing they like the routineness of it many of them you know again like doing this themselves you know being able to kind of pen test themselves parts of their networks um and the the new use cases right I'm a large organization I have eight to ten Acquisitions per year wouldn't it be great to have a tool to be able to perform a penetration test both internal and external of that acquisition before we integrate the two companies and maybe bringing on some risk it's a very effective partnership uh one that really is uh kind of taken our our Engineers our account Executives by storm um you know this this is a a partnership that's been very valuable to us [Music] a key part of the value and business model at Horizon 3 is enabling Partners to leverage node zero to make more revenue for themselves our goal is that for sixty percent of our Revenue this year will be originated by partners and that 95 of our Revenue next year will be originated by partners and so a key to that strategy is making us an integral part of your business models as a partner a key quote from one of our partners is that we enable every one of their business units to generate Revenue so let's talk about that in a little bit more detail first is that if you have a pen test Consulting business take Deloitte as an example what was six weeks of human labor at Deloitte per pen test has been cut down to four days of Labor using node zero to conduct reconnaissance find all the juicy interesting areas of the of the Enterprise that are exploitable and being able to go assess the entire organization and then all of those details get served up to the human to be able to look at understand and determine where to probe deeper so what you see in that pen test Consulting business is that node zero becomes a force multiplier where those Consulting teams were able to cover way more accounts and way more IPS within those accounts with the same or fewer consultants and so that directly leads to profit margin expansion for the Penn testing business itself because node 0 is a force multiplier the second business model here is if you're an mssp as an mssp you're already making money providing defensive cyber security operations for a large volume of customers and so what they do is they'll license node zero and use us as an upsell to their mssb business to start to deliver either continuous red teaming continuous verification or purple teaming as a service and so in that particular business model they've got an additional line of Revenue where they can increase the spend of their existing customers by bolting on node 0 as a purple team as a service offering the third business model or customer type is if you're an I.T services provider so as an I.T services provider you make money installing and configuring security products like Splunk or crowdstrike or hemio you also make money reselling those products and you also make money generating follow-on services to continue to harden your customer environments and so for them what what those it service providers will do is use us to verify that they've installed Splunk correctly improved to their customer that Splunk was installed correctly or crowdstrike was installed correctly using our results and then use our results to drive follow-on services and revenue and then finally we've got the value-added reseller which is just a straight up reseller because of how fast our sales Cycles are these vars are able to typically go from cold email to deal close in six to eight weeks at Horizon 3 at least a single sales engineer is able to run 30 to 50 pocs concurrently because our pocs are very lightweight and don't require any on-prem customization or heavy pre-sales post sales activity so as a result we're able to have a few amount of sellers driving a lot of Revenue and volume for us well the same thing applies to bars there isn't a lot of effort to sell the product or prove its value so vars are able to sell a lot more Horizon 3 node zero product without having to build up a huge specialist sales organization so what I'm going to do is talk through uh scenario three here as an I.T service provider and just how powerful node zero can be in driving additional Revenue so in here think of for every one dollar of node zero license purchased by the IT service provider to do their business it'll generate ten dollars of additional revenue for that partner so in this example kidney group uses node 0 to verify that they have installed and deployed Splunk correctly so Kitty group is a Splunk partner they they sell it services to install configure deploy and maintain Splunk and as they deploy Splunk they're going to use node 0 to attack the environment and make sure that the right logs and alerts and monitoring are being handled within the Splunk deployment so it's a way of doing QA or verifying that Splunk has been configured correctly and that's going to be internally used by kidney group to prove the quality of their services that they've just delivered then what they're going to do is they're going to show and leave behind that node zero Report with their client and that creates a resell opportunity for for kidney group to resell node 0 to their client because their client is seeing the reports and the results and saying wow this is pretty amazing and those reports can be co-branded where it's a pen testing report branded with kidney group but it says powered by Horizon three under it from there kidney group is able to take the fixed actions report that's automatically generated with every pen test through node zero and they're able to use that as the starting point for a statement of work to sell follow-on services to fix all of the problems that node zero identified fixing l11r misconfigurations fixing or patching VMware or updating credentials policies and so on so what happens is node 0 has found a bunch of problems the client often lacks the capacity to fix and so kidney group can use that lack of capacity by the client as a follow-on sales opportunity for follow-on services and finally based on the findings from node zero kidney group can look at that report and say to the customer you know customer if you bought crowdstrike you'd be able to uh prevent node Zero from attacking and succeeding in the way that it did for if you bought humano or if you bought Palo Alto networks or if you bought uh some privileged access management solution because of what node 0 was able to do with credential harvesting and attacks and so as a result kidney group is able to resell other security products within their portfolio crowdstrike Falcon humano Polito networks demisto Phantom and so on based on the gaps that were identified by node zero and that pen test and what that creates is another feedback loop where kidney group will then go use node 0 to verify that crowdstrike product has actually been installed and configured correctly and then this becomes the cycle of using node 0 to verify a deployment using that verification to drive a bunch of follow-on services and resell opportunities which then further drives more usage of the product now the way that we licensed is that it's a usage-based license licensing model so that the partner will grow their node zero Consulting plus license as they grow their business so for example if you're a kidney group then week one you've got you're going to use node zero to verify your Splunk install in week two if you have a pen testing business you're going to go off and use node zero to be a force multiplier for your pen testing uh client opportunity and then if you have an mssp business then in week three you're going to use node zero to go execute a purple team mssp offering for your clients so not necessarily a kidney group but if you're a Deloitte or ATT these larger companies and you've got multiple lines of business if you're Optive for instance you all you have to do is buy one Consulting plus license and you're going to be able to run as many pen tests as you want sequentially so now you can buy a single license and use that one license to meet your week one client commitments and then meet your week two and then meet your week three and as you grow your business you start to run multiple pen tests concurrently so in week one you've got to do a Splunk verify uh verify Splunk install and you've got to run a pen test and you've got to do a purple team opportunity you just simply expand the number of Consulting plus licenses from one license to three licenses and so now as you systematically grow your business you're able to grow your node zero capacity with you giving you predictable cogs predictable margins and once again 10x additional Revenue opportunity for that investment in the node zero Consulting plus license my name is Saint I'm the co-founder and CEO here at Horizon 3. I'm going to talk to you today about why it's important to look at your Enterprise Through The Eyes of an attacker the challenge I had when I was a CIO in banking the CTO at Splunk and serving within the Department of Defense is that I had no idea I was Secure until the bad guys had showed up am I logging the right data am I fixing the right vulnerabilities are my security tools that I've paid millions of dollars for actually working together to defend me and the answer is I don't know does my team actually know how to respond to a breach in the middle of an incident I don't know I've got to wait for the bad guys to show up and so the challenge I had was how do we proactively verify our security posture I tried a variety of techniques the first was the use of vulnerability scanners and the challenge with vulnerability scanners is being vulnerable doesn't mean you're exploitable I might have a hundred thousand findings from my scanner of which maybe five or ten can actually be exploited in my environment the other big problem with scanners is that they can't chain weaknesses together from machine to machine so if you've got a thousand machines in your environment or more what a vulnerability scanner will do is tell you you have a problem on machine one and separately a problem on machine two but what they can tell you is that an attacker could use a load from machine one plus a low from machine two to equal to critical in your environment and what attackers do in their tactics is they chain together misconfigurations dangerous product defaults harvested credentials and exploitable vulnerabilities into attack paths across different machines so to address the attack pads across different machines I tried layering in consulting-based pen testing and the issue is when you've got thousands of hosts or hundreds of thousands of hosts in your environment human-based pen testing simply doesn't scale to test an infrastructure of that size moreover when they actually do execute a pen test and you get the report oftentimes you lack the expertise within your team to quickly retest to verify that you've actually fixed the problem and so what happens is you end up with these pen test reports that are incomplete snapshots and quickly going stale and then to mitigate that problem I tried using breach and attack simulation tools and the struggle with these tools is one I had to install credentialed agents everywhere two I had to write my own custom attack scripts that I didn't have much talent for but also I had to maintain as my environment changed and then three these types of tools were not safe to run against production systems which was the the majority of my attack surface so that's why we went off to start Horizon 3. so Tony and I met when we were in Special Operations together and the challenge we wanted to solve was how do we do infrastructure security testing at scale by giving the the power of a 20-year pen testing veteran into the hands of an I.T admin a network engineer in just three clicks and the whole idea is we enable these fixers The Blue Team to be able to run node Zero Hour pen testing product to quickly find problems in their environment that blue team will then then go off and fix the issues that were found and then they can quickly rerun the attack to verify that they fixed the problem and the whole idea is delivering this without requiring custom scripts be developed without requiring credential agents be installed and without requiring the use of external third-party consulting services or Professional Services self-service pen testing to quickly Drive find fix verify there are three primary use cases that our customers use us for the first is the sock manager that uses us to verify that their security tools are actually effective to verify that they're logging the right data in Splunk or in their Sim to verify that their managed security services provider is able to quickly detect and respond to an attack and hold them accountable for their slas or that the sock understands how to quickly detect and respond and measuring and verifying that or that the variety of tools that you have in your stack most organizations have 130 plus cyber security tools none of which are designed to work together are actually working together the second primary use case is proactively hardening and verifying your systems this is when the I that it admin that network engineer they're able to run self-service pen tests to verify that their Cisco environment is installed in hardened and configured correctly or that their credential policies are set up right or that their vcenter or web sphere or kubernetes environments are actually designed to be secure and what this allows the it admins and network Engineers to do is shift from running one or two pen tests a year to 30 40 or more pen tests a month and you can actually wire those pen tests into your devops process or into your detection engineering and the change management processes to automatically trigger pen tests every time there's a change in your environment the third primary use case is for those organizations lucky enough to have their own internal red team they'll use node zero to do reconnaissance and exploitation at scale and then use the output as a starting point for the humans to step in and focus on the really hard juicy stuff that gets them on stage at Defcon and so these are the three primary use cases and what we'll do is zoom into the find fix verify Loop because what I've found in my experience is find fix verify is the future operating model for cyber security organizations and what I mean here is in the find using continuous pen testing what you want to enable is on-demand self-service pen tests you want those pen tests to find attack pads at scale spanning your on-prem infrastructure your Cloud infrastructure and your perimeter because attackers don't only state in one place they will find ways to chain together a perimeter breach a credential from your on-prem to gain access to your cloud or some other permutation and then the third part in continuous pen testing is attackers don't focus on critical vulnerabilities anymore they know we've built vulnerability Management Programs to reduce those vulnerabilities so attackers have adapted and what they do is chain together misconfigurations in your infrastructure and software and applications with dangerous product defaults with exploitable vulnerabilities and through the collection of credentials through a mix of techniques at scale once you've found those problems the next question is what do you do about it well you want to be able to prioritize fixing problems that are actually exploitable in your environment that truly matter meaning they're going to lead to domain compromise or domain user compromise or access your sensitive data the second thing you want to fix is making sure you understand what risk your crown jewels data is exposed to where is your crown jewels data is in the cloud is it on-prem has it been copied to a share drive that you weren't aware of if a domain user was compromised could they access that crown jewels data you want to be able to use the attacker's perspective to secure the critical data you have in your infrastructure and then finally as you fix these problems you want to quickly remediate and retest that you've actually fixed the issue and this fine fix verify cycle becomes that accelerator that drives purple team culture the third part here is verify and what you want to be able to do in the verify step is verify that your security tools and processes in people can effectively detect and respond to a breach you want to be able to integrate that into your detection engineering processes so that you know you're catching the right security rules or that you've deployed the right configurations you also want to make sure that your environment is adhering to the best practices around systems hardening in cyber resilience and finally you want to be able to prove your security posture over a time to your board to your leadership into your regulators so what I'll do now is zoom into each of these three steps so when we zoom in to find here's the first example using node 0 and autonomous pen testing and what an attacker will do is find a way to break through the perimeter in this example it's very easy to misconfigure kubernetes to allow an attacker to gain remote code execution into your on-prem kubernetes environment and break through the perimeter and from there what the attacker is going to do is conduct Network reconnaissance and then find ways to gain code execution on other machines in the environment and as they get code execution they start to dump credentials collect a bunch of ntlm hashes crack those hashes using open source and dark web available data as part of those attacks and then reuse those credentials to log in and laterally maneuver throughout the environment and then as they loudly maneuver they can reuse those credentials and use credential spraying techniques and so on to compromise your business email to log in as admin into your cloud and this is a very common attack and rarely is a CV actually needed to execute this attack often it's just a misconfiguration in kubernetes with a bad credential policy or password policy combined with bad practices of credential reuse across the organization here's another example of an internal pen test and this is from an actual customer they had 5 000 hosts within their environment they had EDR and uba tools installed and they initiated in an internal pen test on a single machine from that single initial access point node zero enumerated the network conducted reconnaissance and found five thousand hosts were accessible what node 0 will do under the covers is organize all of that reconnaissance data into a knowledge graph that we call the Cyber terrain map and that cyber Terrain map becomes the key data structure that we use to efficiently maneuver and attack and compromise your environment so what node zero will do is they'll try to find ways to get code execution reuse credentials and so on in this customer example they had Fortinet installed as their EDR but node 0 was still able to get code execution on a Windows machine from there it was able to successfully dump credentials including sensitive credentials from the lsas process on the Windows box and then reuse those credentials to log in as domain admin in the network and once an attacker becomes domain admin they have the keys to the kingdom they can do anything they want so what happened here well it turns out Fortinet was misconfigured on three out of 5000 machines bad automation the customer had no idea this had happened they would have had to wait for an attacker to show up to realize that it was misconfigured the second thing is well why didn't Fortinet stop the credential pivot in the lateral movement and it turned out the customer didn't buy the right modules or turn on the right services within that particular product and we see this not only with Ford in it but we see this with Trend Micro and all the other defensive tools where it's very easy to miss a checkbox in the configuration that will do things like prevent credential dumping the next story I'll tell you is attackers don't have to hack in they log in so another infrastructure pen test a typical technique attackers will take is man in the middle uh attacks that will collect hashes so in this case what an attacker will do is leverage a tool or technique called responder to collect ntlm hashes that are being passed around the network and there's a variety of reasons why these hashes are passed around and it's a pretty common misconfiguration but as an attacker collects those hashes then they start to apply techniques to crack those hashes so they'll pass the hash and from there they will use open source intelligence common password structures and patterns and other types of techniques to try to crack those hashes into clear text passwords so here node 0 automatically collected hashes it automatically passed the hashes to crack those credentials and then from there it starts to take the domain user user ID passwords that it's collected and tries to access different services and systems in your Enterprise in this case node 0 is able to successfully gain access to the Office 365 email environment because three employees didn't have MFA configured so now what happens is node 0 has a placement and access in the business email system which sets up the conditions for fraud lateral phishing and other techniques but what's especially insightful here is that 80 of the hashes that were collected in this pen test were cracked in 15 minutes or less 80 percent 26 of the user accounts had a password that followed a pretty obvious pattern first initial last initial and four random digits the other thing that was interesting is 10 percent of service accounts had their user ID the same as their password so VMware admin VMware admin web sphere admin web Square admin so on and so forth and so attackers don't have to hack in they just log in with credentials that they've collected the next story here is becoming WS AWS admin so in this example once again internal pen test node zero gets initial access it discovers 2 000 hosts are network reachable from that environment if fingerprints and organizes all of that data into a cyber Terrain map from there it it fingerprints that hpilo the integrated lights out service was running on a subset of hosts hpilo is a service that is often not instrumented or observed by security teams nor is it easy to patch as a result attackers know this and immediately go after those types of services so in this case that ILO service was exploitable and were able to get code execution on it ILO stores all the user IDs and passwords in clear text in a particular set of processes so once we gain code execution we were able to dump all of the credentials and then from there laterally maneuver to log in to the windows box next door as admin and then on that admin box we're able to gain access to the share drives and we found a credentials file saved on a share Drive from there it turned out that credentials file was the AWS admin credentials file giving us full admin authority to their AWS accounts not a single security alert was triggered in this attack because the customer wasn't observing the ILO service and every step thereafter was a valid login in the environment and so what do you do step one patch the server step two delete the credentials file from the share drive and then step three is get better instrumentation on privileged access users and login the final story I'll tell is a typical pattern that we see across the board with that combines the various techniques I've described together where an attacker is going to go off and use open source intelligence to find all of the employees that work at your company from there they're going to look up those employees on dark web breach databases and other forms of information and then use that as a starting point to password spray to compromise a domain user all it takes is one employee to reuse a breached password for their Corporate email or all it takes is a single employee to have a weak password that's easily guessable all it takes is one and once the attacker is able to gain domain user access in most shops domain user is also the local admin on their laptop and once your local admin you can dump Sam and get local admin until M hashes you can use that to reuse credentials again local admin on neighboring machines and attackers will start to rinse and repeat then eventually they're able to get to a point where they can dump lsas or by unhooking the anti-virus defeating the EDR or finding a misconfigured EDR as we've talked about earlier to compromise the domain and what's consistent is that the fundamentals are broken at these shops they have poor password policies they don't have least access privilege implemented active directory groups are too permissive where domain admin or domain user is also the local admin uh AV or EDR Solutions are misconfigured or easily unhooked and so on and what we found in 10 000 pen tests is that user Behavior analytics tools never caught us in that lateral movement in part because those tools require pristine logging data in order to work and also it becomes very difficult to find that Baseline of normal usage versus abnormal usage of credential login another interesting Insight is there were several Marquee brand name mssps that were defending our customers environment and for them it took seven hours to detect and respond to the pen test seven hours the pen test was over in less than two hours and so what you had was an egregious violation of the service level agreements that that mssp had in place and the customer was able to use us to get service credit and drive accountability of their sock and of their provider the third interesting thing is in one case it took us seven minutes to become domain admin in a bank that bank had every Gucci security tool you could buy yet in 7 minutes and 19 seconds node zero started as an unauthenticated member of the network and was able to escalate privileges through chaining and misconfigurations in lateral movement and so on to become domain admin if it's seven minutes today we should assume it'll be less than a minute a year or two from now making it very difficult for humans to be able to detect and respond to that type of Blitzkrieg attack so that's in the find it's not just about finding problems though the bulk of the effort should be what to do about it the fix and the verify so as you find those problems back to kubernetes as an example we will show you the path here is the kill chain we took to compromise that environment we'll show you the impact here is the impact or here's the the proof of exploitation that we were able to use to be able to compromise it and there's the actual command that we executed so you could copy and paste that command and compromise that cubelet yourself if you want and then the impact is we got code execution and we'll actually show you here is the impact this is a critical here's why it enabled perimeter breach affected applications will tell you the specific IPS where you've got the problem how it maps to the miter attack framework and then we'll tell you exactly how to fix it we'll also show you what this problem enabled so you can accurately prioritize why this is important or why it's not important the next part is accurate prioritization the hardest part of my job as a CIO was deciding what not to fix so if you take SMB signing not required as an example by default that CVSs score is a one out of 10. but this misconfiguration is not a cve it's a misconfig enable an attacker to gain access to 19 credentials including one domain admin two local admins and access to a ton of data because of that context this is really a 10 out of 10. you better fix this as soon as possible however of the seven occurrences that we found it's only a critical in three out of the seven and these are the three specific machines and we'll tell you the exact way to fix it and you better fix these as soon as possible for these four machines over here these didn't allow us to do anything of consequence so that because the hardest part is deciding what not to fix you can justifiably choose not to fix these four issues right now and just add them to your backlog and surge your team to fix these three as quickly as possible and then once you fix these three you don't have to re-run the entire pen test you can select these three and then one click verify and run a very narrowly scoped pen test that is only testing this specific issue and what that creates is a much faster cycle of finding and fixing problems the other part of fixing is verifying that you don't have sensitive data at risk so once we become a domain user we're able to use those domain user credentials and try to gain access to databases file shares S3 buckets git repos and so on and help you understand what sensitive data you have at risk so in this example a green checkbox means we logged in as a valid domain user we're able to get read write access on the database this is how many records we could have accessed and we don't actually look at the values in the database but we'll show you the schema so you can quickly characterize that pii data was at risk here and we'll do that for your file shares and other sources of data so now you can accurately articulate the data you have at risk and prioritize cleaning that data up especially data that will lead to a fine or a big news issue so that's the find that's the fix now we're going to talk about the verify the key part in verify is embracing and integrating with detection engineering practices so when you think about your layers of security tools you've got lots of tools in place on average 130 tools at any given customer but these tools were not designed to work together so when you run a pen test what you want to do is say did you detect us did you log us did you alert on us did you stop us and from there what you want to see is okay what are the techniques that are commonly used to defeat an environment to actually compromise if you look at the top 10 techniques we use and there's far more than just these 10 but these are the most often executed nine out of ten have nothing to do with cves it has to do with misconfigurations dangerous product defaults bad credential policies and it's how we chain those together to become a domain admin or compromise a host so what what customers will do is every single attacker command we executed is provided to you as an attackivity log so you can actually see every single attacker command we ran the time stamp it was executed the hosts it executed on and how it Maps the minor attack tactics so our customers will have are these attacker logs on one screen and then they'll go look into Splunk or exabeam or Sentinel one or crowdstrike and say did you detect us did you log us did you alert on us or not and to make that even easier if you take this example hey Splunk what logs did you see at this time on the VMware host because that's when node 0 is able to dump credentials and that allows you to identify and fix your logging blind spots to make that easier we've got app integration so this is an actual Splunk app in the Splunk App Store and what you can come is inside the Splunk console itself you can fire up the Horizon 3 node 0 app all of the pen test results are here so that you can see all of the results in one place and you don't have to jump out of the tool and what you'll show you as I skip forward is hey there's a pen test here are the critical issues that we've identified for that weaker default issue here are the exact commands we executed and then we will automatically query into Splunk all all terms on between these times on that endpoint that relate to this attack so you can now quickly within the Splunk environment itself figure out that you're missing logs or that you're appropriately catching this issue and that becomes incredibly important in that detection engineering cycle that I mentioned earlier so how do our customers end up using us they shift from running one pen test a year to 30 40 pen tests a month oftentimes wiring us into their deployment automation to automatically run pen tests the other part that they'll do is as they run more pen tests they find more issues but eventually they hit this inflection point where they're able to rapidly clean up their environment and that inflection point is because the red and the blue teams start working together in a purple team culture and now they're working together to proactively harden their environment the other thing our customers will do is run us from different perspectives they'll first start running an RFC 1918 scope to see once the attacker gained initial access in a part of the network that had wide access what could they do and then from there they'll run us within a specific Network segment okay from within that segment could the attacker break out and gain access to another segment then they'll run us from their work from home environment could they Traverse the VPN and do something damaging and once they're in could they Traverse the VPN and get into my cloud then they'll break in from the outside all of these perspectives are available to you in Horizon 3 and node zero as a single SKU and you can run as many pen tests as you want if you run a phishing campaign and find that an intern in the finance department had the worst phishing behavior you can then inject their credentials and actually show the end-to-end story of how an attacker fished gained credentials of an intern and use that to gain access to sensitive financial data so what our customers end up doing is running multiple attacks from multiple perspectives and looking at those results over time I'll leave you two things one is what is the AI in Horizon 3 AI those knowledge graphs are the heart and soul of everything that we do and we use machine learning reinforcement techniques reinforcement learning techniques Markov decision models and so on to be able to efficiently maneuver and analyze the paths in those really large graphs we also use context-based scoring to prioritize weaknesses and we're also able to drive collective intelligence across all of the operations so the more pen tests we run the smarter we get and all of that is based on our knowledge graph analytics infrastructure that we have finally I'll leave you with this was my decision criteria when I was a buyer for my security testing strategy what I cared about was coverage I wanted to be able to assess my on-prem cloud perimeter and work from home and be safe to run in production I want to be able to do that as often as I wanted I want to be able to run pen tests in hours or days not weeks or months so I could accelerate that fine fix verify loop I wanted my it admins and network Engineers with limited offensive experience to be able to run a pen test in a few clicks through a self-service experience and not have to install agent and not have to write custom scripts and finally I didn't want to get nickeled and dimed on having to buy different types of attack modules or different types of attacks I wanted a single annual subscription that allowed me to run any type of attack as often as I wanted so I could look at my Trends in directions over time so I hope you found this talk valuable uh we're easy to find and I look forward to seeing seeing you use a product and letting our results do the talking when you look at uh you know kind of the way no our pen testing algorithms work is we dynamically select uh how to compromise an environment based on what we've discovered and the goal is to become a domain admin compromise a host compromise domain users find ways to encrypt data steal sensitive data and so on but when you look at the the top 10 techniques that we ended up uh using to compromise environments the first nine have nothing to do with cves and that's the reality cves are yes a vector but less than two percent of cves are actually used in a compromise oftentimes it's some sort of credential collection credential cracking uh credential pivoting and using that to become an admin and then uh compromising environments from that point on so I'll leave this up for you to kind of read through and you'll have the slides available for you but I found it very insightful that organizations and ourselves when I was a GE included invested heavily in just standard vulnerability Management Programs when I was at DOD that's all disa cared about asking us about was our our kind of our cve posture but the attackers have adapted to not rely on cves to get in because they know that organizations are actively looking at and patching those cves and instead they're chaining together credentials from one place with misconfigurations and dangerous product defaults in another to take over an environment a concrete example is by default vcenter backups are not encrypted and so as if an attacker finds vcenter what they'll do is find the backup location and there are specific V sender MTD files where the admin credentials are parsippled in the binaries so you can actually as an attacker find the right MTD file parse out the binary and now you've got the admin credentials for the vcenter environment and now start to log in as admin there's a bad habit by signal officers and Signal practitioners in the in the Army and elsewhere where the the VM notes section of a virtual image has the password for the VM well those VM notes are not stored encrypted and attackers know this and they're able to go off and find the VMS that are unencrypted find the note section and pull out the passwords for those images and then reuse those credentials across the board so I'll pause here and uh you know Patrick love you get some some commentary on on these techniques and other things that you've seen and what we'll do in the last say 10 to 15 minutes is uh is rolled through a little bit more on what do you do about it yeah yeah no I love it I think um I think this is pretty exhaustive what I like about what you've done here is uh you know we've seen we've seen double-digit increases in the number of organizations that are reporting actual breaches year over year for the last um for the last three years and it's often we kind of in the Zeitgeist we pegged that on ransomware which of course is like incredibly important and very top of mind um but what I like about what you have here is you know we're reminding the audience that the the attack surface area the vectors the matter um you know has to be more comprehensive than just thinking about ransomware scenarios yeah right on um so let's build on this when you think about your defense in depth you've got multiple security controls that you've purchased and integrated and you've got that redundancy if a control fails but the reality is that these security tools aren't designed to work together so when you run a pen test what you want to ask yourself is did you detect node zero did you log node zero did you alert on node zero and did you stop node zero and when you think about how to do that every single attacker command executed by node zero is available in an attacker log so you can now see you know at the bottom here vcenter um exploit at that time on that IP how it aligns to minor attack what you want to be able to do is go figure out did your security tools catch this or not and that becomes very important in using the attacker's perspective to improve your defensive security controls and so the way we've tried to make this easier back to like my my my the you know I bleed Green in many ways still from my smoke background is you want to be able to and what our customers do is hey we'll look at the attacker logs on one screen and they'll look at what did Splunk see or Miss in another screen and then they'll use that to figure out what their logging blind spots are and what that where that becomes really interesting is we've actually built out an integration into Splunk where there's a Splunk app you can download off of Splunk base and you'll get all of the pen test results right there in the Splunk console and from that Splunk console you're gonna be able to see these are all the pen tests that were run these are the issues that were found um so you can look at that particular pen test here are all of the weaknesses that were identified for that particular pen test and how they categorize out for each of those weaknesses you can click on any one of them that are critical in this case and then we'll tell you for that weakness and this is where where the the punch line comes in so I'll pause the video here for that weakness these are the commands that were executed on these endpoints at this time and then we'll actually query Splunk for that um for that IP address or containing that IP and these are the source types that surface any sort of activity so what we try to do is help you as quickly and efficiently as possible identify the logging blind spots in your Splunk environment based on the attacker's perspective so as this video kind of plays through you can see it Patrick I'd love to get your thoughts um just seeing so many Splunk deployments and the effectiveness of those deployments and and how this is going to help really Elevate the effectiveness of all of your Splunk customers yeah I'm super excited about this I mean I think this these kinds of purpose-built integration snail really move the needle for our customers I mean at the end of the day when I think about the power of Splunk I think about a product I was first introduced to 12 years ago that was an on-prem piece of software you know and at the time it sold on sort of Perpetual and term licenses but one made it special was that it could it could it could eat data at a speed that nothing else that I'd have ever seen you can ingest massively scalable amounts of data uh did cool things like schema on read which facilitated that there was this language called SPL that you could nerd out about uh and you went to a conference once a year and you talked about all the cool things you were splunking right but now as we think about the next phase of our growth um we live in a heterogeneous environment where our customers have so many different tools and data sources that are ever expanding and as you look at the as you look at the role of the ciso it's mind-blowing to me the amount of sources Services apps that are coming into the ciso span of let's just call it a span of influence in the last three years uh you know we're seeing things like infrastructure service level visibility application performance monitoring stuff that just never made sense for the security team to have visibility into you um at least not at the size and scale which we're demanding today um and and that's different and this isn't this is why it's so important that we have these joint purpose-built Integrations that um really provide more prescription to our customers about how do they walk on that Journey towards maturity what does zero to one look like what does one to two look like whereas you know 10 years ago customers were happy with platforms today they want integration they want Solutions and they want to drive outcomes and I think this is a great example of how together we are stepping to the evolving nature of the market and also the ever-evolving nature of the threat landscape and what I would say is the maturing needs of the customer in that environment yeah for sure I think especially if if we all anticipate budget pressure over the next 18 months due to the economy and elsewhere while the security budgets are not going to ever I don't think they're going to get cut they're not going to grow as fast and there's a lot more pressure on organizations to extract more value from their existing Investments as well as extracting more value and more impact from their existing teams and so security Effectiveness Fierce prioritization and automation I think become the three key themes of security uh over the next 18 months so I'll do very quickly is run through a few other use cases um every host that we identified in the pen test were able to score and say this host allowed us to do something significant therefore it's it's really critical you should be increasing your logging here hey these hosts down here we couldn't really do anything as an attacker so if you do have to make trade-offs you can make some trade-offs of your logging resolution at the lower end in order to increase logging resolution on the upper end so you've got that level of of um justification for where to increase or or adjust your logging resolution another example is every host we've discovered as an attacker we Expose and you can export and we want to make sure is every host we found as an attacker is being ingested from a Splunk standpoint a big issue I had as a CIO and user of Splunk and other tools is I had no idea if there were Rogue Raspberry Pi's on the network or if a new box was installed and whether Splunk was installed on it or not so now you can quickly start to correlate what hosts did we see and how does that reconcile with what you're logging from uh finally or second to last use case here on the Splunk integration side is for every single problem we've found we give multiple options for how to fix it this becomes a great way to prioritize what fixed actions to automate in your soar platform and what we want to get to eventually is being able to automatically trigger soar actions to fix well-known problems like automatically invalidating passwords for for poor poor passwords in our credentials amongst a whole bunch of other things we could go off and do and then finally if there is a well-known kill chain or attack path one of the things I really wish I could have done when I was a Splunk customer was take this type of kill chain that actually shows a path to domain admin that I'm sincerely worried about and use it as a glass table over which I could start to layer possible indicators of compromise and now you've got a great starting point for glass tables and iocs for actual kill chains that we know are exploitable in your environment and that becomes some super cool Integrations that we've got on the roadmap between us and the Splunk security side of the house so what I'll leave with actually Patrick before I do that you know um love to get your comments and then I'll I'll kind of leave with one last slide on this wartime security mindset uh pending you know assuming there's no other questions no I love it I mean I think this kind of um it's kind of glass table's approach to how do you how do you sort of visualize these workflows and then use things like sore and orchestration and automation to operationalize them is exactly where we see all of our customers going and getting away from I think an over engineered approach to soar with where it has to be super technical heavy with you know python programmers and getting more to this visual view of workflow creation um that really demystifies the power of Automation and also democratizes it so you don't have to have these programming languages in your resume in order to start really moving the needle on workflow creation policy enforcement and ultimately driving automation coverage across more and more of the workflows that your team is seeing yeah I think that between us being able to visualize the actual kill chain or attack path with you know think of a of uh the soar Market I think going towards this no code low code um you know configurable sore versus coded sore that's going to really be a game changer in improve or giving security teams a force multiplier so what I'll leave you with is this peacetime mindset of security no longer is sustainable we really have to get out of checking the box and then waiting for the bad guys to show up to verify that security tools are are working or not and the reason why we've got to really do that quickly is there are over a thousand companies that withdrew from the Russian economy over the past uh nine months due to the Ukrainian War there you should expect every one of them to be punished by the Russians for leaving and punished from a cyber standpoint and this is no longer about financial extortion that is ransomware this is about punishing and destroying companies and you can punish any one of these companies by going after them directly or by going after their suppliers and their Distributors so suddenly your attack surface is no more no longer just your own Enterprise it's how you bring your goods to Market and it's how you get your goods created because while I may not be able to disrupt your ability to harvest fruit if I can get those trucks stuck at the border I can increase spoilage and have the same effect and what we should expect to see is this idea of cyber-enabled economic Warfare where if we issue a sanction like Banning the Russians from traveling there is a cyber-enabled counter punch which is corrupt and destroy the American Airlines database that is below the threshold of War that's not going to trigger the 82nd Airborne to be mobilized but it's going to achieve the right effect ban the sale of luxury goods disrupt the supply chain and create shortages banned Russian oil and gas attack refineries to call a 10x spike in gas prices three days before the election this is the future and therefore I think what we have to do is shift towards a wartime mindset which is don't trust your security posture verify it see yourself Through The Eyes of the attacker build that incident response muscle memory and drive better collaboration between the red and the blue teams your suppliers and Distributors and your information uh sharing organization they have in place and what's really valuable for me as a Splunk customer was when a router crashes at that moment you don't know if it's due to an I.T Administration problem or an attacker and what you want to have are different people asking different questions of the same data and you want to have that integrated triage process of an I.T lens to that problem a security lens to that problem and then from there figuring out is is this an IT workflow to execute or a security incident to execute and you want to have all of that as an integrated team integrated process integrated technology stack and this is something that I very care I cared very deeply about as both a Splunk customer and a Splunk CTO that I see time and time again across the board so Patrick I'll leave you with the last word the final three minutes here and I don't see any open questions so please take us home oh man see how you think we spent hours and hours prepping for this together that that last uh uh 40 seconds of your talk track is probably one of the things I'm most passionate about in this industry right now uh and I think nist has done some really interesting work here around building cyber resilient organizations that have that has really I think helped help the industry see that um incidents can come from adverse conditions you know stress is uh uh performance taxations in the infrastructure service or app layer and they can come from malicious compromises uh Insider threats external threat actors and the more that we look at this from the perspective of of a broader cyber resilience Mission uh in a wartime mindset uh I I think we're going to be much better off and and will you talk about with operationally minded ice hacks information sharing intelligence sharing becomes so important in these wartime uh um situations and you know we know not all ice acts are created equal but we're also seeing a lot of um more ad hoc information sharing groups popping up so look I think I think you framed it really really well I love the concept of wartime mindset and um I I like the idea of applying a cyber resilience lens like if you have one more layer on top of that bottom right cake you know I think the it lens and the security lens they roll up to this concept of cyber resilience and I think this has done some great work there for us yeah you're you're spot on and that that is app and that's gonna I think be the the next um terrain that that uh that you're gonna see vendors try to get after but that I think Splunk is best position to win okay that's a wrap for this special Cube presentation you heard all about the global expansion of horizon 3.ai's partner program for their Partners have a unique opportunity to take advantage of their node zero product uh International go to Market expansion North America channel Partnerships and just overall relationships with companies like Splunk to make things more comprehensive in this disruptive cyber security world we live in and hope you enjoyed this program all the videos are available on thecube.net as well as check out Horizon 3 dot AI for their pen test Automation and ultimately their defense system that they use for testing always the environment that you're in great Innovative product and I hope you enjoyed the program again I'm John Furrier host of the cube thanks for watching

(upbeat music) >> Welcome back, everyone to CUBE Supercloud 22. I'm John Furrier, your host. Got a great influencer, Cloud Cloud RRT segment with Sarbjeet Johal, Cloud influencer, Cloud economist, Cloud consultant, Cloud advisor. Sarbjeet, welcome back, CUBE alumni. Good to see you. >> Thanks John and nice to be here. >> Now, what's your title? Cloud consultant? Analyst? >> Consultant, actually. Yeah, I'm launching my own business right now formally, soon. It's in stealth mode right now, we'll be (inaudible) >> Well, I'll just call you a Cloud guru, Cloud influencer. You've been great, friend of theCUBE. Really powerful on social. You share a lot of content. You're digging into all the trends. Supercloud is a thing, it's getting a lot of traction. We introduced that concept last reinvent. We were riffing before that. As we kind of were seeing the structural change that is now Supercloud, it really is kind of the destination or outcome of what we're seeing with hybrid cloud as a steady state into the what's now, they call multicloud, which is kind of awkward. It feels like it's default. Like multicloud, multi-vendor, but Supercloud has much more of a comprehensive abstraction around it. What's your thoughts? >> As you said, as Dave says that too, the Supercloud has that abstraction built into it. It's built on top of cloud, right? So it's being built on top of the CapEx which is being spent by likes of AWS and Azure and Google Cloud, and many others, right? So it's leveraging that infrastructure and building software stack on top of that, which is a platform. I see that as a platform being built on top of infrastructure as code. It's another platform which is not native to the cloud providers. So it's like a kind of cross-Cloud platform. That's what I said. >> Yeah, VMware calls it that cloud-cross cloud. I'm not a big fan of the name but I get what you're saying. We had a segment on earlier with Adrian Cockcroft, Laurie McVety and Chris Wolf, all part of the Cloud RRT like ourselves, and you've involved in Cloud from day one. Remember the OpenStack days Early Cloud, AWS, when they started we saw the trajectory and we saw the change. And I think the OpenStack in those early days were tell signs because you saw the movement of API first but Amazon just grew so fast. And then Azure now is catching up, their CapEx is so large that companies like Snowflake's like, "Why should I build my own? "I just sit on top of AWS, "move fast on one native cloud, then figure it out." Seems to be one of the playbooks of the Supercloud. >> Yeah, that is true. And there are reasons behind that. And I think number one reason is the skills gravity. What I call it, the developers and/or operators are trained on one set of APIs. And I've said that many times, to out compete your competition you have to out educate the market. And we know which cloud has done that. We know what traditional vendor has done that, in '90s it was Microsoft, they had VBS number one language and they were winning. So in the cloud era, it's AWS, their marketing efforts, their go-to market strategy, the micro nature of the releasing the micro sort of features, if you will, almost every week there's a new feature. So they have got it. And other two are trying to mimic that and they're having low trouble light. >> Yeah and I think GCP has been struggling compared to the three and native cloud on native as you're right, completely successful. As you're caught up and you see the Microsoft, I think is a a great selling point around multiple clouds. And the question that's on the table here is do you stay with the native cloud or you jump right to multicloud? Now multicloud by default is kind of what I see happening. We've been debating this, I'd love to get your thoughts because, Microsoft has a huge install base. They've converted to Office 365. They even throw SQL databases in there to kind of give it a little extra bump on the earnings but I've been super critical on their numbers. I think their shares are, there's clearly overstating their share, in my opinion, compared to AWS is a need of cloud, Azure though is catching up. So you have customers that are happy with Microsoft, that are going to run their apps on Azure. So if a customer has Azure and Microsoft that's technically multiple clouds. >> Yeah, true. >> And it's not a strategy, it's just an outcome. >> Yeah, I see Microsoft cloud as friendly to the internal developers. Internal developers of enterprises. but AWS is a lot more ISV friendly which is the software shops friendly. So that's what they do. They just build software and give it to somebody else. But if you're in-house developer and you have been a Microsoft shop for a long time, which enterprise haven't been that, right? So Microsoft is well entrenched into the enterprise. We know that, right? >> Yeah. >> For a long time. >> Yeah and the old joke was developers love code and just go with a lock in and then ops people don't want lock in because they want choice. So you have the DevOps movement that's been successful and they get DevSecOps. The real focus to me, I think, is the operating teams because the ops side is really with the pressure vis-a-vis. I want to get your reaction because we're seeing kind of the script flip. DevOps worked, infrastructure's code has worked. We don't yet see security as code yet. And you have things like cloud native services which is all developer, goodness. So I think the developers are doing fine. Give 'em a thumbs up and open source's booming. So they're shifting left, CI/CD pipeline. You have some issues around repo, monolithic repos, but devs are doing fine. It's the ops that are now have to level up because that seems to be a hotspot. What's your take? What's your reaction to that? Do you agree? And if you say you agree, why? >> Yeah, I think devs are doing fine because some of the devs are going into ops. Like the whole movement behind DevOps culture is that devs and ops is one team. The people who are building that application they're also operating that as well. But that's very foreign and few in enterprise space. We know that, right? Big companies like Google, Microsoft, Amazon, Twitter, those guys can do that. They're very tech savvy shops. But when it comes to, if you go down from there to the second tier of enterprises, they are having hard time with that. Once you create software, I've said that, I sound like a broken record here. So once you create piece of software, you want to operate it. You're not always creating it. Especially when it's inhouse software development. It's not your core sort of competency to. You're not giving that software to somebody else or they're not multiple tenants of that software. You are the only user of that software as a company, or maybe maximum to your employees and partners. But that's where it stops. So there are those differences and when it comes to ops, we have to still differentiate the ops of the big companies, which are tech companies, pure tech companies and ops of the traditional enterprise. And you are right, the ops of the traditional enterprise are having tough time to cope up with the changing nature of things. And because they have to run the old traditional stacks whatever they happen to have, SAP, Oracle, financial, whatnot, right? Thousands of applications, they have to run that. And they have to learn on top of that, new scripting languages to operate the new stack, if you will. >> So for ops teams do they have to spin up operating teams for every cloud specialized tooling, there's consequences to that. >> Yeah. There's economics involved, the process, if you are learning three cloud APIs and most probably you will end up spending a lot more time and money on that. Number one, number two, there are a lot more problems which can arise from that, because of the differences in how the APIs work. The rule says if you pick one primary cloud and then you're focused on that, and most of your workloads are there, and then you go to the secondary cloud number two or three on as need basis. I think that's the right approach. >> Well, I want to get your take on something that I'm observing. And again, maybe it's because I'm old school, been around the IT block for a while. I'm observing the multi-vendors kind of as Dave calls the calisthenics, they're out in the market, trying to push their wears and convincing everyone to run their workloads on their infrastructure. multicloud to me sounds like multi-vendor. And I think there might not be a problem yet today so I want to get your reaction to my thoughts. I see the vendors pushing hard on multicloud because they don't have a native cloud. I mean, IBM ultimately will probably end up being a SaaS application on top of one of the CapEx hyperscale, some say, but I think the playbook today for customers is to stay on one native cloud, run cloud native hybrid go in on OneCloud and go fast. Then get success and then go multiple clouds. versus having a multicloud set of services out of the gate. Because if you're VMware you'd love to have cross cloud abstraction layer but that's lock in too. So what's your lock in? Success in the marketplace or vendor access? >> It's tricky actually. I've said that many times, that you don't wake up in the morning and say like, we're going to do multicloud. Nobody does that by choice. So it falls into your lab because of mostly because of what MNA is. And sometimes because of the price to performance ratio is better somewhere else for certain kind of workloads. That's like foreign few, to be honest with you. That's part of my read is, that being a developer an operator of many sort of systems, if you will. And the third tier which we talked about during the VMworld, I think 2019 that you want vendor diversity, just in case one vendor goes down or it's broken up by feds or something, and you want another vendor, maybe for price negotiation tactics, or- >> That's an op mentality. >> Yeah, yeah. >> And that's true, they want choice. They want to get locked in. >> You want choice because, and also like things can go wrong with the provider. We know that, we focus on top three cloud providers and we sort of assume that they'll be there for next 10 years or so at least. >> And what's also true is not everyone can do everything. >> Yeah, exactly. So you have to pick the provider based on all these sort of three sets of high level criteria, if you will. And I think the multicloud should be your last choice. Like you should not be gearing up for that by default but it should be by design, as Chuck said. >> Okay, so I need to ask you what does Supercloud in my opinion, look like five, 10 years out? What's the outcome of a good Supercloud structure? What's it look like? Where did it come from? How did it get there? What's your take? >> I think Supercloud is getting born in the absence of having standards around cloud. That's what it is. Because we don't have standards, we long, or we want the services at different cloud providers, Which have same APIs and there's less learning curve or almost zero learning curve for our developers and operators to learn that stuff. Snowflake is one example and VMware Stack is available at different cloud providers. That's sort of infrastructure as a service example if you will. And snowflake is a sort of data warehouse example and they're going down the stack. Well, they're trying to expand. So there are many examples like that. What was the question again? >> Is Supercloud 10 years out? What does it look like? What's the components? >> Yeah, I think the Supercloud 10 years out will expand because we will expand the software stack faster than the hardware stack and hardware stack will be expanding of course, with the custom chips and all that. There was the huge event yesterday was happening from AWS. >> Yeah, the Silicon. >> Silicon Day. And that's an eyeopening sort of movement and the whole technology consumption, if you will. >> And yeah, the differentiation with the chips with supply chain kind of herding right now, we think it's going to be a forcing function for more cloud adoption. Because if you can't buy networking gear you going to go to the cloud. >> Yeah, so Supercloud to me in 10 years, it will be bigger, better in the likes of HashiCorp. Actually, I think we need likes of HashiCorp on the infrastructure as a service side. I think they will be part of the Supercloud. They are kind of sitting on the side right now kind of a good vendor lost in transition kind of thing. That sort of thing. >> It's like Kubernetes, we'll just close out here. We'll make a statement. Is Kubernetes a developer thing or an infrastructure thing? It's an ops thing. I mean, people are coming out and saying Kubernetes is not a developer issue. >> It's ops thing. >> It's an ops thing. It's in operation, it's under the hood. So you, again, this infrastructure's a service integrating this super pass layer as Dave Vellante and Wikibon call it. >> Yeah, it's ops thing, actually, which enables developers to get that the Azure service, like you can deploy your software in sort of different format containers, and then you don't care like what VMs are those? And, but Serverless is the sort of arising as well. It was hard for a while now it's like the lull state, but I think Serverless will be better in next three to five years on. >> Well, certainly the hyperscale is like AWS and Azure and others have had great CapEx and investments. They need to stay ahead, in your opinion, final question, how do they stay ahead? 'Cause, AWS is not going to stand still nor will Azure, they're pedaling as fast as they can. Google's trying to figure out where they fit in. Are they going to be a real cloud or a software stack? Same with Oracle. To me, it's really, the big race is now with AWS and Azure's nipping at their heels. Hyperscale, what do they need to do to differentiate going forward? >> I think they are in a limbo. They, on one side, they don't want to compete with their customers who are sitting on top of them, likes of Snowflake and others, right? And VMware as well. But at the same time, they have to keep expanding and keep innovating. And they're debating within their themselves. Like, should we compete with these guys? Should we launch similar sort of features and functionality? Or should we keep it open? And what I have heard as of now that internally at AWS, especially, they're thinking about keeping it open and letting people sort of (inaudible)- >> And you see them buying some the Cerner with Oracle that bought Cerner, Amazon bought a healthcare company. I think the likes of MongoDB, Snowflake, Databricks, are perfect examples of what we'll see I think on the AWS side. Azure, I'm not so sure, they like to have a little bit more control at the top of the stack with the SaaS, but I think Databricks has been so successful open source, Snowflake, a little bit more proprietary and closed than Databricks. They're doing well is on top of data, and MongoDB has got great success. All of these things compete with AWS higher level services. So, that advantage of those companies not having the CapEx investment and then going multiple clouds on other ecosystems that's a path of customers. Stay one, go fast, get traction, then go. >> That's huge. Actually the last sort comment I want to make is that, Also, that you guys include this in the definition of Supercloud, the likes of Capital One and Soner sort of vendors, right? So they are verticals, Capital One is in this financial vertical, and then Soner which Oracle bar they are in this healthcare vertical. And remember in the beginning of the cloud and when the cloud was just getting born. We used to say that we will have the community clouds which will be serving different verticals. >> Specialty clouds. >> Specialty clouds, community clouds. And actually that is happening now at very sort of small level. But I think it will start happening at a bigger level. The Goldman Sachs and others are trying to build these services on the financial front risk management and whatnot. I think that will be- >> Well, what's interesting, which you're bringing up a great discussion. We were having discussions around these vertical clouds like Goldman Sachs Capital One, Liberty Mutual. They're going all in on one native cloud then going into multiple clouds after, but then there's also the specialty clouds around functionality, app identity, data security. So you have multiple 3D dimensional clouds here. You can have a specialty cloud just on identity. I mean, identity on Amazon is different than Azure. Huge issue. >> Yeah, I think at some point we have to distinguish these things, which are being built on top of these infrastructure as a service, in past with a platform, a service, which is very close to infrastructure service, like the lines are blurred, we have to distinguish these two things from these Superclouds. Actually, what we are calling Supercloud maybe there'll be better term, better name, but we are all industry path actually, including myself and you or everybody else. Like we tend to mix these things up. I think we have to separate these things a little bit to make things (inaudible) >> Yeah, I think that's what the super path thing's about because you think about the next generation SaaS has to be solved by innovations of the infrastructure services, to your point about HashiCorp and others. So it's not as clear as infrastructure platform, SaaS. There's going to be a lot of interplay between this levels of services. >> Yeah, we are in this flasker situation a lot of developers are lost. A lot of operators are lost in this transition and it's just like our economies right now. Like I was reading at CNBC today, and here's sort of headline that people are having hard time understanding what state the economy is in. And so same is true with our technology economy. Like we don't know what state we are in. It's kind of it's in the transition phase right now. >> Well we're definitely in a bad economy relative to the consumer market. I've said on theCUBE publicly, Dave has as well, not as aggressive. I think the tech is still in a boom. I don't think there's tech bubble at all that's bursting, I think, the digital transformation from post COVID is going to continue. And this is the first recession downturn where the hyperscalers have been in market, delivering the economic value, almost like they're pumping on all cylinders and going to the next level. Go back to 2008, Amazon web services, where were they? They were just emerging out. So the cloud economic impact has not been factored into the global GDP relationship. I think all the firms that are looking at GDP growth and tech spend as a correlation, are completely missing the boat on the fact that cloud economics and digital transformation is a big part of the new economics. So refactoring business models this is continuing and it's just the early days. >> Yeah, I have said that many times that cloud works good in the bad economy and cloud works great in the good economy. Do you know why? Because there are different type of workloads in the good economy. A lot of experimentation, innovative solutions go into the cloud. You can do experimentation that you have extra money now, but in the bad economy you don't want to spend the CapEx because don't have money. Money is expensive at that point. And then you want to keep working and you don't need (inaudible) >> I think inflation's a big factor too right now. Well, Sarbjeet, great to see you. Thanks for coming into our studio for our stage performance for Supercloud 22, this is a pilot episode that we're going to get a consortium of experts Cloud RRT like yourselves, in the conversation to discuss what the architecture is. What is a taxonomy? What are the key building blocks and what things need to be in place for Supercloud capability? Because it's clear that if without standards, without defacto standards, we're at this tipping point where if it all comes together, not all one company can do everything. Customers want choice, but they also want to go fast too. So DevOps is working. It's going the next level. We see this as Supercloud. So thank you so much for your participation. >> Thanks for having me. And I'm looking forward to listen to the other sessions (inaudible) >> We're going to take it on A stickers. We'll take it on the internet. I'm John Furrier, stay tuned for more Supercloud 22 coverage, here at the Palo Alto studios in one minute. (bright music)

(electronic music) >> Welcome back to our studios in Palo Alto, California. My name is Dave Vellante, I'm here with John Furrier, who is taking a quick break. You know, in one of the early examples that we used of so called super cloud was Snowflake. We called it a super data cloud. We had, really, a lot of fun with that. And we've started to evolve our thinking. Years ago, we said that data was going to form in the cloud around industries and ecosystems. And Benoit Dogeville is a many time guest of theCube. He's the co-founder and president of products at Snowflake. Benoit, thanks for spending some time with us, at Supercloud 22, good to see you. >> Thank you, thank you, Dave. >> So, you know, like I said, we've had some fun with this meme. But it really is, we heard on the previous panel, everybody's using Snowflake as an example. Somebody how builds on top of hyper scale infrastructure. You're not building your own data centers. And, so, are you building a super data cloud? >> We don't call it exactly that way. We don't like the super word, it's a bit dismissive. >> That's our term. >> About our friends, cloud provider friends. But we call it a data cloud. And the vision, really, for the data cloud is, indeed, it's a cloud which overlays the hyper scaler cloud. But there is a big difference, right? There are several ways to do this super cloud, as you name them. The way we picked is to create one single system, and that's very important, right? There are several ways, right. You can instantiate your solution in every region of the cloud and, you know, potentially that region could be AWS, that region could be GCP. So, you are, indeed, a multi-cloud solution. But Snowflake, we did it differently. We are really creating cloud regions, which are superimposed on top of the cloud provider region, infrastructure region. So, we are building our regions. But where it's very different is that each region of Snowflake is not one instantiation of our service. Our service is global, by nature. We can move data from one region to the other. When you land in Snowflake, you land into one region. But you can grow from there and you can, you know, exist in multiple cloud at the same time. And that's very important, right? It's not different instantiation of a system, it's one single instantiation which covers many cloud regions and many cloud provider. >> So, we used Snowflake as an example. And we're trying to understand what the salient aspects are of your data cloud, what we call super cloud. In fact, you've used the word instantiate. Kit Colbert, just earlier today, laid out, he said, there's sort of three levels. You can run it on one cloud and communicate with the other cloud, you can instantiate on the clouds, or you can have the same service running 24/7 across clouds, that's the hardest example. >> Yeah. >> The most mature. You just described, essentially, doing that. How do you enable that? What are the technical enablers? >> Yeah, so, as I said, first we start by building, you know, Snowflake regions, we have today 30 regions that span the world, so it's a world wide system, with many regions. But all these regions are connected together. They are meshed together with our technology, we name it Snow Grid, and that makes it hard because, you know, Azure region can talk to a WS region, or GCP regions, and as a user for our cloud, you don't see, really, these regional differences, that regions are in different potentially cloud. When you use Snowflake, you can exist, your presence as an organization can be in several regions, several clouds, if you want, geographic, both geographic and cloud provider. >> So, I can share data irrespective of the cloud. And I'm in the Snowflake data cloud, is that correct? I can do that today? >> Exactly, and that's very critical, right? What we wanted is to remove data silos. And when you insociate a system in one single region, and that system is locked in that region, you cannot communicate with other parts of the world, you are locking data in one region. Right, and we didn't want to do that. We wanted data to be distributed the way customer wants it to be distributed across the world. And potentially sharing data at world scales. >> Does that mean if I'm in one region and I want to run a query, if I'm in AWS in one region, and I want to run a query on data that happens to be in an Azure cloud, I can actually execute that? >> So, yes and no. The way we do it is very expensive to do that. Because, generally, if you want to join data which are in different region and different cloud, it's going to be very expensive because you need to move data every time you join it. So, the way we do it is that you replicate the subset of data that you want to access from one region from other region. So, you can create this data mesh, but data is replicated to make it very cheap and very performing too. >> And is the Snow Grid, does that have the metadata intelligence to actually? >> Yes, yes. >> Can you describe that a little? >> Yeah, Snow Grid is both a way to exchange metadata. So, each region of Snowflake knows about all the other regions of Snowflake. Every time we create a new region, the metadata is distributed over our data cloud, not only region knows all the region, but knows every organization that exists in our cloud, where this organization is, where data can be replicated by this organization. And then, of course, it's also used as a way to exchange data, right? So, you can exchange data by scale of data size. And I was just receiving an email from one of our customers who moved more than four petabytes of data, cross region, cross cloud providers in, you know, few days. And it's a lot of data, so it takes some time to move. But they were able to do that online, completely online, and switch over to the other region, which is very important also. >> So, one of the hardest parts about super cloud that I'm still trying to struggling through is the security model. Because you've got the cloud as your sort of first line of defense. And now we've got multiple clouds, with multiple first lines of defense, I've got a shared responsibility model across those clouds, I've got different tools in each of those clouds. Do you take care of that? Where do you pick up from the cloud providers? Do you abstract that security layer? Do you bring in partners? It's a very complicated. >> No, this is a great question. Security has always been the most important aspect of Snowflake sense day one, right? This is the question that every customer of ours has. You know, how can you guarantee the security of my data? And, so, we secure data really tightly in region. We have several layers of security. It starts by creating every data at rest. And that's very important. A lot of customers are not doing that, right? You hear of these attacks, for example, on cloud, where someone left their buckets. And then, you know, you can access the data because it's a non-encrypted. So, we are encrypting everything at rest. We are encrypting everything in transit. So, a region is very secure. Now, you know, from one region, you never access data from another region in Snowflake. That's why, also, we replicate data. Now the replication of that data across region, or the metadata, for that matter, is really our least secure, so Snow Grid ensures that everything is encrypted, everything is, we have multiple encryption keys, and it's stored in hardware secure modules, so, we bit Snow Grid such that it's secure and it allows very secure movement of data. >> Okay, so, I know we kind of, getting into the technology here a lot today, but because super cloud is the future, we actually have to have an architectural foundation on which to build. So, you mentioned a bucket, like an S3 bucket. Okay, that's storage, but you also, for instance, taking advantage of new semi-conductor technology. Like Graviton, as an example, that drives efficiency. You guys talk about how you pass that on to your customers. Even if it means less revenue for you, so, awesome, we love that, you'll make it up in volume. And, so. >> Exactly. >> How do you deal with the lowest common denominator problem? I was talking to somebody the other day and this individual brought up what I thought was a really good point. What if we, let's say, AWS, have the best, silicon. And we can run the fastest and the least expensive, and the lowest power. But another cloud provider hasn't caught up yet. How do you deal with that delta? Do you just take the best of and try to respect that? >> No, it's a great question. I mean, of course, our software is extracting all the cloud providers infrastructure so that when you run in one region, let's say AWS, or Azure, it doesn't make any difference, as far as the applications are concerned. And this abstraction, of course, is a lot of work. I mean, really, a lot of work. Because it needs to be secure, it needs to be performance, and every cloud, and it has to expose APIs which are uniform. And, you know, cloud providers, even though they have potentially the same concept, let's say block storage, APIs are completely different. The way these systems are secure, it's completely different. There errors that you can get. And the retry mechanism is very different from one cloud to the other. The performance is also different. We discovered that when we starting to port our software. And we had to completely rethink how to leverage block storage in that cloud versus that cloud, because just off performance too. And, so, we had, for example, to stripe data. So, all this work is work that you don't need as an application because our vision, really, is that application, which are running in our data cloud, can be abstracted for this difference. And we provide all the services, all the workload that this application need. Whether it's transactional access to data, analytical access to data, managing logs, managing metrics, all of this is abstracted too, so that they are not tied to one particular service of one cloud. And distributing this application across many region, many cloud, is very seamless. >> So, Snowflake has built, your team has built a true abstraction layer across those clouds that's available today? It's actually shipping? >> Yes, and we are still developing it. You know, transactional, Unistore, as we call it, was announced last summit. So, they are still, you know, work in progress. >> You're not done yet. >> But that's the vision, right? And that's important, because we talk about the infrastructure, right. You mention a lot about storage and compute. But it's not only that, right. When you think about application, they need to use the transactional database. They need to use an analytical system. They need to use machine learning. So, you need to provide, also, all these services which are consistent across all the cloud providers. >> So, let's talk developers. Because, you know, you think Snowpark, you guys announced a big application development push at the Snowflake summit recently. And we have said that a criterion of super cloud is a super paz layer, people wince when I say that, but okay, we're just going to go with it. But the point is, it's a purpose built application development layer, specific to your particular agenda, that supports your vision. >> Yes. >> Have you essentially built a purpose built paz layer? Or do you just take them off the shelf, standard paz, and cobble it together? >> No, we build it a custom build. Because, as you said, what exist in one cloud might not exist in another cloud provider, right. So, we have to build in this, all these components that a multi-application need. And that goes to machine learning, as I said, transactional analytical system, and the entire thing. So that it can run in isolation physically. >> And the objective is the developer experience will be identical across those clouds? >> Yes, the developers doesn't need to worry about cloud provider. And, actually, our system will have, we didn't talk about it, but a marketplace that we have, which allows, actually, to deliver. >> We're getting there. >> Yeah, okay. (both laughing) I won't divert. >> No, no, let's go there, because the other aspect of super cloud that we've talked about is the ecosystem. You have to enable an ecosystem to add incremental value, it's not the power of many versus the capabilities of one. So, talk about the challenges of doing that. Not just the business challenges but, again, I'm interested in the technical and architectural challenges. >> Yeah, yeah, so, it's really about, I mean, the way we enable our ecosystem and our partners to create value on top of our data cloud, is via the marketplace. Where you can put shared data on the marketplace. Provide listing on this marketplace, which are data sets. But it goes way beyond data. It's all the way to application. So, you can think of it as the iPhone. A little bit more, all right. Your iPhone is great. Not so much because the hardware is great, or because of the iOS, but because of all the applications that you have. And all these applications are not necessarily developed by Apple, basically. So, we are, it's the same model with our marketplace. We foresee an environment where providers and partners are going to build these applications. We call it native application. And we are going to help them distribute these applications across cloud, everywhere in the world, potentially. And they don't need to worry about that. They don't need to worry about how these applications are going to be instantiated. We are going to help them to monetize these applications. So, that unlocks, you know, really, all the partner ecosystem that you have seen, you know, with something like the iPhone, right? It has created so many new companies that have developed these applications. >> Your detractors have criticized you for being a walled garden. I've actually used that term. I used terms like defacto standard, which are maybe less sensitive to you, but, nonetheless, we've seen defacto standards actually deliver value. I've talked to Frank Slootman about this, and he said, Dave, we deliver value, that's what we're all about. At the same time, he even said to me, and I want your thoughts on this, is, look, we have to embrace open source where it makes sense. You guys announced Apache Iceberg. So, what are your thoughts on that? Is that to enable a developer ecosystem? Why did you do Iceberg? >> Yeah, Iceberg is very important. So, just to give some context, Iceberg is an open table format. >> Right. >> Which was first developed by Netflix. And Netflix put it open source in the Apache community. So, we embraced that open source standard because it's widely used by many companies. And, also, many companies have really invested a lot of effort in building big data, Hadoop Solutions, or DataX Solution, and they want to use Snowflake. And they couldn't really use Snowflake, because all their data were in open format. So, we are embracing Iceberg to help these companies move through the cloud. But why we have been reluctant with direct access to data, direct access to data is a little bit of a problem for us. And the reason is when you direct access to data, now you have direct access to storage. Now you have to understand, for example, the specificity of one cloud versus the other. So, as soon as you start to have direct access to data, you lose your cloud data sync layer. You don't access data with API. When you have direct access to data, it's very hard to sync your data. Because you need to grant access, direct access to tools which are not protected. And you see a lot of hacking of data because of that. So, direct access to data is not serving well our customers, and that's why we have been reluctant to do that. Because it is not cloud diagnostic. You have to code that, you need a lot of intelligence, why APIs access, so we want open APIs. That's, I guess, the way we embrace openness, is by open API versus you access, directly, data. >> iPhone. >> Yeah, yeah, iPhone, APIs, you know. We define a set of APIs because APIs, you know, the implementation of the APIs can change, can improve. You can improve compression of data, for example. If you open direct access to data now, you cannot evolve. >> My point is, you made a promise, from governed, security, data sharing ecosystem. It works the same way, so that's the path that you've chosen. Benoit Dogeville, thank you so much for coming on theCube and participating in Supercloud 22, really appreciate that. >> Thank you, Dave. It was a great pleasure. >> All right, keep it right there, we'll be right back with our next segment, right after this short break. (electronic music)

>>Welcome everyone. This is Stephanie Chan with the cube, but this conversation is part of Ws 2022 coverage. Today, we'll be speaking with Lila cor managing director at Google. Welcome to show Lila. >>Thank you so much. It's great to be here. >>So how did you come to be a data science leader? >>Yeah. Thank you. Um, you know, let me tell you how I came to be a data science leader, and also just thank you again to, uh, WIDS for having me here, this mission to support those in university or aspiring to be data scientists and those who are in the fee. It's just so important and inspiring to me. So it's been great to see this interest in WIDS and data science from young people all across the globe. So just thanks for having me here, uh, let me tell you how I came to be a data science leader. It really starts with identifying what you're passionate about and what you enjoy and what you're good at really passionate about using data to solve problems. I enjoy problem solving with data and analytics and following these passions led me to take classes in math and economics and econometrics. >>And I also took classes in political science and public policy have a diverse background. Um, and I think that having diverse backgrounds around the table are critical and an asset, um, but that those, uh, courses and that, uh, getting a, that undergrad and a master's started, I started my career as an economist at the us treasury department. And then I moved into technology over 20 years ago. I joined a startup in early 2000 and I've been a big tech companies like Google as well as at startups. And I really realized early on, uh, in my career, how much I enjoy data driven decision making. And I understood how powerful of a role data plays in making informed business decisions. There's just so much uncertainty in the problem that we're trying to address. There's a lot of ambiguity. Um, and data science is just absolutely critical to helping think through making those decisions and uncertainty. >>Another passion of mine is asking questions. My teams will tell you, I like asking a lot of questions and that is key. Uh, when you're a data scientist and we, you lead data science team, who's asking a lot of really good questions and impact. That's also super important to me. The best feeling is the impact you can make on a company with data. Finally, I'm also passionate about managing people and team leadership and applying data to solve cross-functional problems across so many different functions. I've been able to work product and marketing and strategy and operations. And by following these passions, I've gravitated towards managing more quantitative and analytical teams that are also passionate about using data and analytics to grow businesses. And when you work at Google, you're surrounded by this culture of innovation and a culture that's focused on translating data into value. So that's how I ended up becoming a data science leader. Um, you know, my advice to everyone is just like, uh, you know, to is stay curious, think about your passions, what you enjoy doing and the type of problems that you enjoy solving and that, that, and think about the kind of impact that you are looking to drive in this world. For me, that's led to leading data science teams and other broader teams, um, and I had to be open and flexible to where that might take take you, uh, it, it might be different from what you envisioned front >>And speaking of your teams, can you tell us about your teams and the work they do? >>Absolutely. Um, so I'm currently the managing director of Google's technical professional services and marketing data science teams for a group called the global clients and agency solutions. And we help the world's largest brands. In the digital age. We work directly with some of the world's most sophisticated, uh, chief marketing officers and marketing organizations in the world. So I'm honored to lead an organization that develops advanced engineering and data science solutions for Google's largest customers and largest advertisers. My team include customer solution engineers. They include engagement managers, they include technical specialists, and they also include, uh, data scientists. There's, you know, PhD, statisticians, economists, former consultants with deep experience in data science, machine learning and marketing analytics, uh, in my teams and my data teams, they find insights that change the business, uh, in the future. They're, they're amazing. And they do work. That's really groundbreaking. Actually. Can I tell you about some of the superpowers of the data scientists on my teams? >>Of course, I would love to hear it. >>Yeah, well, um, our marketing data science teams, they help measure optimize marketing, uh, a return on investment for Google's largest global clients. So one superpower is their customer obsessed. Um, they, we sit down at the C level table and with our customers, we ask a lot of questions so that we can understand the customer's business objective and how data can help them think through the various options they have. Another superpower is my teams are really good at asking really important questions. You know, you need to really have that back and forth to understand what your customer, what your exec, what they're trying to achieve. Um, and then they build cutting edge complex models that address our customers, key business questions that translates into things like marketing analytics, marketing, mix modeling, statistical modeling, machine learning, uh, you know, digital attribution, predictive analytics, my teams, they create rigorous experiments to help deliver the best possible solutions to our customers. >>Um, another superpower is helping to make better decisions in uncertainty. This is key data. Scientists are so good at this and my teams help these big cutting edge, you know, C level execs and CMOs and marketing organizations all around the world. Um, they help them find better ways to achieve peak marketing ROI. I've been a VP of marketing, um, you know, in startups and throughout my career, I know how hard it is and how important it, it is to grow your business with marketing, um, and really impact, uh, a business and all of their customers. So I'm really proud of the groundbreaking work that my teams are doing to help the world's biggest brands grow, uh, in the digital age, this just one of the types of careers and data science. Uh, my teams were in the, a business organization that works with marketers and advertisers, but I've also been able to lead teams that work with Google's product and engineering leadership to improve our products as well with data science. And there are data science teams in so many different parts of Google that are working on really complex, important challenges, whether it's in our global business organization, whether it's in Google cloud or Google product, YouTube, Google health, I mean, Google health, you know, has done some amazing things using artificial intelligence to prevent blindness. So that's a little bit about my teams and the work that they do >>And what career skills and experiences are most important to you as a data science leader at Google. >>Yeah. Um, thank you. Like I mentioned, we have such a great culture here at Google, a culture of innovation, um, a culture of really trying to solve complex and hard problems, important problems. And these problems have a lot of ambiguity. A lot of uncertainty, there's not always a, a clear right answer. This is where data science can just have such a huge impact. So of course, there's the strong foundation that we look for in the core data, science skills, stats, econometrics, and math, but some of the other skills that are so important, I would say being clear on the problem that you're trying to solve, uh, and focusing on what matters most, this is so important when you're faced with complex ambiguous, multifaceted problems to not get lost in the details or lose focus, asking those really important and, uh, questions and really trying to understand the problem that your customer or your exec is trying to solve. >>So ask, uh, being clear on the problem that you're trying to solve and asking really good questions. That's a, a, a key skill, um, that I think is very important at Google. Another one is the importance of storytelling. I mean, without a good narrative, it can be hard to move from data to insight. And when you're faced with lots of data, you know, being able to distill that complex data into a meaningful and coherent and impactful story. So those strong narrative and communication skills, they're critical, they're critical to ensure that your customer or your exec or your audience, here's the insight that these types of skills, data science skills can help uncover. And I've just add one more, which is there's a skill around thriving and uncertainty and thriving and ambiguity. You know, there's, you'll, it's just inevitable. Um, you've got to, you're gonna hit roadblocks. There's gonna be setbacks. There's a lot of complexity. So being able to be flexible, being able to pivot, being a leader, a role model about how to bounce back, helping others to do so. That's a really critical skill because a lot of the work that we're doing, uh, at Google and specifically data science, they're here to help people think through uncertainty. So those are some of the, um, the skills and experiences that I think are most important to me as a data science leader at Google >>And throughout your career, what is the best piece of advice you have received? >>Uh, thank you for that question. Um, I've received a lot of really great advice, but if I were to pick one for this group, it would be never underestimate the power of showing the world. What's possible. Ruth Perra said that, um, I heard her say that once, and she's the CFO at Google, and it really resonates with me. It's a great reminder of how powerful role models are. They provide us with inspiration and a vision for who we can aspire to be. They help us dream bigger dreams for ourselves. I know I've benefited so much from role models all throughout my life and career who show, show me what's possible. And that idea that you are showing someone else what's possible that they may not have envisioned for themselves. Well, that's super inspiring, motivating to me. So don't underestimate that power that you are providing visual proof, uh, for others about being leaders in data science or to technology. >>And I'd, you know, when I reflect on that advice, I also realize you don't need to have a big title to do this, to show the world what's possible. I have two daughters, my 10 year old daughter. She's inspiring people all the time, including me. Uh, my eight year old daughter is a role model for others in the community, including me. Um, I see courage and inspiration all around me every single day from my team members. Like I, uh, mentioned from friends, from colleagues, from community members. There, there there's so many important firsts that they're role modeling, whether they're first in their family to go to college or the first to pursue data science or just so many other important firsts. So I would say never underestimate the power of showing the world. What's possible. That's a great piece of advice I've received. >>And this, my last question for you, what, what is one thing that you want all of the aspiring data scientists or women in the field who are listening to this interview to take away? >>Yeah. I would want them to take away that your voice matters. You belong at this table for everyone who is listening in the audience. You know, those of you in universe are aspiring to be data scientists. Those in the field, the world needs you. We need you to be data scientists. We need your voice and your insights at the table to address the biggest challenges in business and technology in the environment, in health, in society, you belong, you belong in data science, you belong at that sea sweet table. You belong here, you belong in your voice matters. >>Well, thank you so much for teaching us more about science and all your advice. >>It's a pleasure. Thank you again for having me. I really appreciate it. >>I'm Stephanie Chan with de cube. We'll see you next time.

(upbeat music) >> Welcome back to Las Vegas everybody. You are watching theCube's coverage of AWS reinvent 2021. I'll tell you this place is packed. It's quite amazing here over 20,000 people, I'd say it's closer to 25, maybe 27,000. And there's a little overflow, lots going on in the evenings. It's quite remarkable. And we're really happy to be part of this. Jay Turner is here, he's the vice president of development and ops at PCCW Global. He's joined by Garrett Lowell, vice-president of ecosystem partnerships for the Americas at PCCW Global. Guys, welcome to theCube. Thanks for coming on. >> Thank you so much. >> So, Jay, maybe you could take us through for those people who aren't familiar with your company, what do you guys do? What do you all about? >> Yes, so PCCW Global is the international operating wing of Hong Kong Telecom. So if it's outside of Hong Kong, it's our network. We've got about 695,000 kilometers of diverse cable. We've got about 43, 44 terabit of capacity. Came into business in 2005 if my brain is serving me correctly right now. So we have a very diverse and vast portfolio ranging all the way from satellite teleports, all the way to IP transit. We're a tier one service provider from that perspective as well. So we do one of everything when it comes to networking and that's really what was the basis of Console Connect, was inventing a platform to really enable our users to capitalize on that our network and our assets. >> Okay, so 2005, obviously you predated cloud, you laid a bunch of fibers, it's getting in the ocean, I mean, global networks, I mean, there was a big trend to do that and you had to think, you had to go bigger or go home and that business. >> Jay: Yes you had to do. >> So and Console Connect is your platform, is that right? So explain. >> Yeah, sorry. Yeah, Console Connect is our software defined interconnection platform. So we built a user self-service portal. Users can allocate ports, they get the LOAs issue to them directly from the platform. And then once they've got an active port or they've come in via one of our partnerships, they can then provision connectivity across our platform. And that may be extending to their data centers or extending or their branch office, or it could be building a circuit into the cloud via direct connect, could be building a circuit into an internet exchange. And all of those circuits are going to be across that 685,000 kilometers of diverse fiber rather than going across the public internet. >> So, when you started, it took some time obviously to build out that infrastructure and then the cloud came into play, but it was still early days, but it sounds like you're taking the cloud model, AWS Cloud model and applying that to your business, eliminate all that undifferentiated, heavy lifting, if you will, the visioning and management. >> Yeah, we've heard many people and that's kind of the impetus of this was, I want to be directly connected to my end point. And how do I do that? And AWS, yes, they had direct connect, but figuring out how to do that as an enterprise was challenging. So we said, hey, we'll automate that for you. Just tell us what region you want to connect to. And we'll do all the heavy lifting, and we'll just hand you back a villain tag. You're good to go. >> So it's a classic case of, okay, AWS has direct connect, people they go, "Ah, that's directly competitive, but it's not, you're adding value on top of that." Right. So describe where you fit Garrett inside of the AWS ecosystem. You look around this hall and it's just a huge growing ecosystem, where you fit inside of that ecosystem and then your ecosystem, what's that like? >> Okay, so where we fit into the AWS ecosystem, as Jay alluded to, we're adding value to our partners and customers where they can come in, not only are they able to access the AWS platform as well as other cloud platforms, but they're also able to access each other. So we have a marketplace in our platform, which allows our customers and partners to put a description of their services on the marketplace and advertise their capabilities out to the rest of the ecosystem of PCCW Global and Console Connect. >> Okay, so and you're doing that inside of AWS? I that right? Or at least in part? >> No, that's not inside of AWS. >> Okay, so your platform is your platform. >> Yes. >> And then, so your relationship with AWS is to sort of superpower direct connect, is that right or? >> So we're directly connected to AWS throughout the globe. And this allows our customers and partners to be able to utilize not only the PCCW Global network, but also to expand that capability to the AWS platform in clouds. >> Wherever there's a cloud you plug into it? Okay. >> That's correct. >> And then another advantage there is the customer, obviously doesn't have to be directly co-located with AWS. They don't have to be in the same geographic region. If for some reason you need to be connected to US West, but you're in Frankfurt, fine, we'll back all the traffic for you. >> Does that happen a lot? >> It actually does. >> How come? Why, what's the use case there? >> Global diversity is certainly one of them, just being able to have multiple footprints. But the other thing that we're seeing more of late is these cloud-based companies are beginning to kind of be attracted to where their customers are located. So they'll start seeing these pockets of use and they'll go, well, okay, we're going to go into that region as well, stand up a VPC there. And so then we want to our customers then being able to directly connect to that asset, that's closest to them. And then still be able to back call that traffic if necessary or take it wherever. >> What are the big, sort of macro trends in your business? I mean, broadly you see cost per bit coming down, you see data consumption and usage going through the roof. How does that affect you? What are some of the big trends that you see? >> I think one of the biggest ones and one that we targeted with Console Connect, we were hearing a lot of customers going, the world's changing so dynamically. We don't know how to do a one-year forecast of bandwidth, much less a three-year, which is what a lot of contracts are asking us for. So we said, hey, how about one day? Can you do one day? (Dave laughing) Because that's what our granularity is. So we allow for anything from one day up to three years right now, and then even within that term, we're dynamic. So if something happens, suddenly some product goes through the roof and you've suddenly got a spike in traffic. If a ship drags its anchor through a sub sea cable, and suddenly you're having to pivot, you just come into the platform, you click a couple of buttons, 20 seconds later, we've modified your bandwidth for you, or we've provisioned a new circuit for you. We've got your backup going whatever. Really at the end of the day, it's the customer paying for their network, so the customer should be the one making those decisions. >> How's that affect pricing? I presume, so I can have one date or a three-year term. Presume if I commit to three years, I get a better deal, is that right or? >> You do, but I mean, at the end of the day, it's actually pretty much a moderate, a better deal. We don't want to force the hand of the customer. So yeah, if you signed a 12 month contract with us, we're going to give you a 3% discount. >> Yeah, so it's not really, that's not a motivation to do it. Is just you want to reduce the transaction complexity. And that's why you would sign up for a longer term not to get the big discount. >> Correct. And then, like I said, even within a longer contract, we're still going to allow you to flex and flow and modify if you need to because it's your network. >> What kind of constraints do you put on that? Do I have to commit to a floor and then everything above that is I can flex up? Is that how it works? Okay. And then the more I commit to the better the deal is, or not necessarily? >> No, it's pretty much flat, right. >> So, okay. So I'm going to come in and I'm going to say, all right, I know I'm going to use X, I'll sign up for that and anything over it. You're pretty flexible, I might get a few points if I sign up for more, somebody might want to optimize that if they're big enough. >> And another really neat advantage, and the other complaint we heard from customers, they go, I need three different direct connect, or I need to be connected to three different parties, but I don't want to run three different cross-connects and I don't want to have three different ports. That's just an expense I don't want. And we say, fine, take your one gig port, run one gig of services on it, if that's 20 different services, we're fine. So we allow you to multiplex your port and provision- >> It's awesome. I love that model. I know some software companies who I would recommend take a look at that pricing model. So, Garrett, how do you segment the ecosystem? How do you look at that way? Maybe you could draw paint a picture sort of the, the ideal partners and what they look like. I know there's not just one category, but. >> Sure, so our ideal partners are internet exchanges, cloud partners, and SAS providers, because a big piece of our business is migration to the cloud. And the flexibility of our platform allows and encourages our SAS providers and SI partners to perform migration to the cloud much easier and flexible in a flexible format for their customers. >> Yeah, so what can you tell us, any kind of metrics you can give us around your business to give a sense of the the scope, the scale. >> Well, of our business, kind of one of the driving factors here, Gardner says that about 2023, I think 40% of the enterprise workloads will be deployed in the cloud, which is all fine and dandy, except in my head, you're just trading one set of complexities for another. So now, instead of having everything in a glass house and being able to kind of understand that now you're going, well, okay, so it's in the cloud now I need to manage my connectivity there. And, oh, well, wait a minute, are my security policies still the same? Do they apply if I'm going across the public internet? What exposure have I just, bought into myself to try to run this? So the platform really aims at normalizing that as much as possible. If you're directly connected to AWS, at the end of the day, that's a really long ethernet cable. So you're a glass house just got a lot bigger, but you're still able to maintain and use the exact same policies and procedures that you've been using. So that's really one of our guiding principles is to reduce that complexity and make it very simple for the user. >> Well, I don't understand, 'cause in the early days of cloud, a lot of enterprises, CIO they were concerned about security. And I think they realized that AWS has pretty good security, well, CIA is using it. But still people would say to me, it's not that it's bad security, it's just different. We move slow, Dave. So how do you accommodate, now I don't know, does that diversity, I mean, AWS has obviously matured, but are you suggesting that you can take my security edicts in my glass house and bring those into your networks and ultimately into the cloud? Is that kind of how it works? >> That's the goal. It's not going to be a panacea more than likely, but the more edicts that we can allow you to bring across and not have to go back and revamp and the better for you as a customer and the better really for us, because it normalizes things, it makes it much easier for us to accommodate more and more users. >> It is such now in the eco, it was all the diversity in the ecosystem. Is it such that there's enough common patterns that you you guys can kind of accommodate most of those use cases? >> Yeah, absolutely. I think the, one of the key components is the fact that the platform runs on our MPLS network, which is inherently secure. It's not on the public internet anywhere. Now we do have internet on demand capability. So in the event that a customer wants access to the internet, no problem, we can accommodate this. And we also have 5G capability built into the platform to allow flexibility of location and flexibility of... I would say, standing up new customer locations. And then the other component of the security is the fact that the customers can bring their own security and apply anywhere. So we're not blocking, we don't have any port filters or anything of this nature. >> Well, I would think 5G actually, I mean, I could see people arguing both sides, but my sense is 5G is going to be a huge driver for your business, 'cause it's going to just create so much more demand for your services I think, I could see somebody arguing the counter, but what's your point of view on that? >> No. I think that's a fair assessment. I think it's going to drive business for everyone here on the show floor. And it's pushing those workloads more toward the edge, which is not an area that people were typically concerned with. The edge was just the door that they walked through. That's becoming much different now. And we're also going to start seeing, and we're already seeing it, huge trends of moving that data at the edge, rather than bringing it all the way back to a central warehouse in Hare pending it. So, again, the ability to have a dynamic platform where you can see exactly what your network's doing and in the push of a button, modify that, or provision new connectivity in response to how your business is performing. >> Yeah, and ultimately it's all about the applications that are going to be driving demand for more data. And that's just a tailwind for you guys. >> Yeah, yeah and then you look at some of the car companies are coming on, you know, Tesla, you're driving around with like eight CPU's in that thing, communicating back over the air. >> Dave: Yeah right. >> You start scaling that, and you start getting into some real bottleneck. >> Amazing business you guys having, obviously capital intensive, but once you get in there, you've got a big moat, and then it's a matter of getting on a flywheel and innovating. Guys, congratulations on all the progress and thanks so much for coming on theCube. >> Yeah. No, thanks for the time. >> Thank you very much. >> Yeah, great to meet you guys. Good luck. All right. Thank you for watching. This is Dave Vellante for theCube, the leader in high-tech coverage, right back. (upbeat music)

>>Yeah. Hey, everyone, Welcome to the cubes. Continuous coverage of AWS Re invent 2021. I'm Lisa Martin with John Furrier were running one of the industry's largest and most important hybrid tech events with AWS and massive ecosystem of partners. Right now there are two live cube sets to remote sets over 100 guests on the programme and we're pleased to welcome back one of our alum I to talk about the next generation and cloud innovation. Georgia Lisa is joins John to me, the director of product management for EC two edge at A. W S George. Welcome to the programme. >>Glad to be here in person. Thanks Great to be here in person. Awesome to be here in person. Finally, >>one of the things that is very clear is the US flywheel of innovation and there was no slowdown with what's happened in the last 22 months. Amazing announcements, new leadership. We talked a little bit about five g yesterday, but let's talk more about that. Everyone is excited about five g consumers businesses. What's going on? >>So, yeah, I wanted to talk to you today about the new service that we launched called AWS Private. Five g. Essentially, it's a service that allows any AWS customer to build their own private five g network and what we try to do with the services make it that simple and cost effective for anyone without any telco experience or expertise, really, to build their own private five g network. So you just have to go to your AWS console. Um, describe the parameters for network simple stuff like, Where do you want it to be located? The throughput, the number of devices and AWS will build a plan for your network and seep you everything that you need. Just plug it together. Uh, turn it on and the network automatically configures itself. All you got to do is popular sim cards that we send you into your mobile devices and you have a private five g network working in your your premise is >>one of the things that we know and love about AWS is its customer obsession. It's focused on the customer's that whole flywheel of all the innovation that comes out as Adam was saying yesterday to the customers, we deliver this, but but you wanted more. We said we deliver this, but you wanted more. Talk to me a little bit about some of the customer catalysts for private five G. >>Actually, one of the good examples is where we are right now. More and more AWS customers need to connect an increased number of devices, and these devices become more data hungry. You know they need to push data around. They also become more and more wireless, right? Uh, so when you are trying to connect devices in the manufacturing floor, bit sensors, you know, connect the tracks, forklifts or in a convention centre. You look at how many devices there are around us. When you're trying to connect these devices with a wired network, you quickly run into physical problems like it's. It's hard to lay cable anywhere, and customers try to use for many of these use cases. But as a number of devices grows into the thousands and you know you need to put more and more data around, you quickly reach the limitations of what the WiFi technology and also WiFi is not really great at covering really open, large space. So that's where these customers, you know, think of college campuses, convention centres, manufacturing floors, all of these customers. Really? What they need to be able to do is to level the power of the mobile networks. However, doing that by yourself is pretty hard. So that's what we aim to to enable here we are waiting to enable these customers to build very easily and cost effectively their own. Uh, >>Okay, George. So I have to ask. I'm truly curious. I love this announcement. Um, because it brings together kind of the edge story. But also, I'm a band with love. I love more broad. Give me more broadband. Faster, cheaper and more broadband. How does it work? So take me through the use case of what do I need to deploy? Do I need to have a back haul connection? What does that look like? Is there a certain band with requirements? How big is the footprint? What's the radius? Just walk me through. How do I roll this out? >>Yeah, sure. Some of that stuff actually depends on your requirements, right. How How big? How much of a space do you want to cover? Basically, what we see, if you were in preview right now, so we're sipping you. The simplest configuration, which is basically these things called small cells there, you know, radio units and antennas. And all you have to do is connect them to your local. The network has Internet access. These things connect and automatically had, you know, connect home to the cloud and basically integrate and build up your whole network. All all you need is that Internet connection, and I don't know what to do. Now, how big is the network? You can You can make it pretty big. You can cover hundreds of thousands of square feet with with cellular networks with mobile networks. Um, you know, the bigger you they especially want to cover the more of these radio units. We're gonna stop you, uh, >>classic wireless radios. >>Yes. You >>light up the area with five g connected to the network. That's your choke point. The big of the pipe >>took the bigger pipe. That toxic. I mean, well, there, there's two. There's two things to consider here. There is local connectivity. So devices talking to each other, and there was connectivity back to somewhere else, like the Internet or the cloud. There are use cases, for example. Let's say data video feeds that you want to push up to do some inference in the cloud. In these use cases, you're basically pushing all of the data up. There is no left. There's no East West connectivity locally, and that's where our simplest configuration works best. There are other, uh, use cases where there is a lot of connectivity and devices talk to each other locally, like in this place, for example, right in this. In these cases, we can sip you that second configuration where we actually see Pew, a managed hardware WS managed hardware on premises, and that runs the smart of the network and allows all of your data traffic to remain local. That's >>wavelength Outpost, or both. >>A different configuration of A. W s private five G. It's a managed service. We take. We take care of it. You basically it's very It has a pricing model, which is very customer friendly because you like multi W services. You can start with no upfront fees. You can scale and pay as you scale because >>it's designed to deploy easily. >>Yep, deploys the >>footprint. Just I'm just curious if the poll is it like, it's like an antenna. Is it like so and >>yeah, well, the antenna is, you know, the small cell. They call them small cells in, you know, in in cellular land there, this big. And you can you can hide this. There is actually a demo in the Venetian of the private service. So you can you can actually see it in action, but yeah, that thing can cover 10,000 square feet, just one of them. So you can >>go out and put a five g network downtown and be like the king. >>You could Yes. You could have your own private network. You can monetise that next >>on the Q. >>Great stuff. >>So in terms of industries adopting this, you gave us some examples. Obviously. Convention centres, campuses, universities. I'm just curious, given the amount of acceleration that we've seen in every industry the last 22 months where organisations must become digital. They depend on that for their livelihood. And we saw this all these pivots, right? 22 months ago. How do we survive this? How do we thrive? Are consumers now are whether it's an injury or consumer or enterprise. Have this expectation that we're gonna be able to communicate no matter where we are 24 by seven. Whether it's health care, financial services. I'm just curious if you're seeing any industries in particular that you think are really prime for this private five >>G. Yeah. So manufacturing is a is a really great example because you have to cover large spaces. You have thousands of devices, sensors, etcetera and using other solutions like WiFi does not provide you the depth of capabilities like, for example, you know, advanced security capabilities or even capabilities to prioritise traffic from some devices over others, which is what a five G network can do for you. But also, you know, it involves large spaces both indoors and outdoors. We, you know, actually, Amazon is a really great example of you know of using this. We're working with Amazon fulfilment centres. These are the warehouses that fulfil your orders when you order online. Um, and they are a mix of indoor space and outer space, and you can think of, you know, I don't know if you've seen pictures or videos. There's robots running around their sensors everywhere. There is packing lines, etcetera, all of these things in order to operate performantly, but also securely and safely for the people that are around. You need to be well connected at a very high reliability rate. Right? So, uh, Amazon for two networks is actually using private A W s private five G to connect all of these devices. The really key thing here is you don't have to go drop 1000 of these access points we're talking about you. Can you can. You can probably cover your space with 5 10 of these. So your operational expenses, your maintenance goes down and there is less interruption of your normal operations like you can't. You don't have to stop your manufacturing line for someone to come in and fix your WiFi access. >>It's great for campuses like college campuses, college >>campuses, a great one. We you know, we've worked with college campuses, including the CME University in the past two, you know, with some of our partners to, uh, to to deploy. So >>that's how close you have these distribution, gas systems, distribution, whatever they call it accelerate whatever amplifies into get extra coverage, this seems to be a good fit. Um, for that how you mentioned in the preview? How do people get involved? Is there like a criteria. How was it going to >>be available to get priority? Don't get you >>tell them ready to jump in. Take us through the programme. What's the plants? >>So currently we're you know, we're in that preview mode. So we're keeping you this small configuration, the simpler configuration. You can sign up on the AWS website and you know, we, as we scale our operations are supply chain. Because this involves also, you know, hardware, etcetera. We're gonna go to general availability g A over the next few months and we have both configurations open. So I I encourage everyone who is interested go to the W s website and sign up. We're asking to get that in customers' hands because we're getting overwhelmingly positive feedback on what we built. >>This is transformative. I mean, clearly what you're talking about here is going to transform industry and help organisations transform themselves and outpaced the competitors that are in the rear view mirror Aren't going to be able to take advantage of this were on the show floor. We've got lots of people here. Where can people actually go and see this preview tested up? >>There is an actual demo in the Venetian. I can't remember. Sorry, I can't remember the room. I think it's on the Yes, actually, it's on the floor on the third floor where the meeting rooms are on outside 35 or one. If anyone wants to go, we're >>going to start buying lunch time. >>Yes. Yeah, you can see it in action. And, you know, you could You could see a future where everything, You know, you look around. There's thousands of devices here. You could power all of these devices with a single cell and, you know, really scaled throughput >>in the five G. Just curious, um on the range is better than wifi >>ranges. Better outdoors, >>obviously, or factories. What's the throughput on the >>depending on the spectrum that you choose? And that's actually a really good save way. The device, the service that we built, its spectrum agnostic so it can be used on right now. We're using it on what we call C BRS spectrum, which is the free for all you can. You know, you can you can use it yourself. But also, customers can bring their own spectrum. And we're working with a batch of, uh, CSP operators to build advanced bundles where you can work this on licence spectrum. So if you're going up the spectrum in what they called millimetre wave >>spectrum owner to bring your own licence, >>you could So telco right? You could be a telco, bring your, you know, and work with us as a partner or some actually, actually, manufacturing customers have purchased rights to small spectrum bands so they can use those in combination with this service to deploy. So to your original question, as you're going back up the spectrum, you can drive more and more throughput. You it's not. It's not unheard of to drive one gig. You know what's so >>The low hanging fruit is the the use cases that have critical need for edge connectivity manufacturing? Um, certainly the retail or whatever that they help do the deployment >>we can. We can. We can see this being applicable because because you can start super small. You can see this being applicable even to branch offices, right? Like, uh, let's say I was talking to a customer yesterday. They were thinking or have all these branch offices. I don't even I don't even want to have I thought either he just wants something that's very quickly and easily. You know, I can manage centrally and it just connects. >>Can I should have fixed wireless shot to the wavelength order to have back all with wire >>too. Oh, they actually we are planning to. You know, I talked about where the smarts of the network live in the they can live in a region, they can live in the locals, and they can live in a wave election. So we're combining more and more of these products as well. And it's computing, obviously, is a is an obvious thing that, you know, we should be working on >>incredible work, George, that you and the team have done transforming industries. And I don't know if a feeling there might be a cube to Is it? Would it be too dot >>Oh, John, >>he's ready. Big George, Thank you so much for joining joining me today. It's great >>to be here. Thanks for having that >>for John Ferrier. I'm Lisa Martin. You're watching the Cube, the global leader in live coverage. Mhm

>>mm we are back and we're continuing the coverage on H P E. Aruba's news today around the D S X six S C X 10-K with Pensando. Now we want to get the perspective of a system Integrator because they're in the front lines, they understand how to put the pieces together where you're happy to bring john Galatea of Dasher technologies dashes and in the end I. T solutions provider, they gotta focus a lot of expertise on infrastructure, jOHn welcome. Good to see you. >>Thank you for having me. Good to be here. >>That's our pleasure. So I wonder if you could give us a little bit more color on Dasher where you focus what your core companies competencies are, what industries you focus on etcetera. >>Yeah, absolutely. So a dasher, we assess architect implement and manage I. T. Solutions that digitally transform businesses. Our practice areas include cybersecurity, networking, cloud data center and we also offer pro professional services around those practice areas. We partner with all the major tech companies in the space. Some of the examples are HP, Cisco, Aruba Palo Alto eight Ws and many others that fill out the, you know that practice area. >>Well that's great. So you have a very wide observation space, that's why we like talking to SA as you have an independent mindset and you can kind of tell it like it is. But so what are you seeing with customers? It's exactly, we hear a lot about digital transformation, you mentioned security, you're obviously doing cloud that's it's almost like john these pieces are all coming together to power Digital and digital transformation and we were forced into it over the past 18 months. And now people are stepping back saying hey okay we have all these resources, how do we put them together and really transform our business? What do you see? >>Yeah, seeing similar things. So you know, our customers are telling us that they're looking for more speed, more agility, um you know, limited complexity because they're trying to do more every single day with less staffing and a sophistication of integrating functionality that breaks down I. T. Silos. Um there also evaluating security span versus effectiveness And they're moving towards zero trust. >>Yeah. So I want to, I'm gonna come back and ask you about that. So I've written a lot about this is that you look at how much we spend versus as you say the effectiveness and there's sort of an imbalance there, it's like we can't spend enough, it budgets they're not infinite. And even though security is top of top priority for ceos, they've got other things that they have to fund and then zero trust, you know, before the pandemic john that was a buzzword and now it's become a mandate. Any thoughts on that >>in terms of zero Trust? Absolutely yeah it is a mandate, we've seen more and more of our customers moving toward in this direction and defending themselves against cyber threats and yeah absolutely. It accelerated during the pandemic and is continuing to accelerate today. >>Right? And I think there's some things that were reported now going to be permanent with regard to obviously hybrid and the like, cloud security and so forth. So, okay, let's get into some of the news here. What's the big trend, john can you explain the relevance of the H P E, Aruba and Pensando news? >>Yeah, I mean when I first heard of it, you know, I I looked at it as a whole new category because it's a category that's going to deliver cloud scale distributed services closer to where applications are. It's going to simplify. One of the things we mentioned earlier was limiting complexity. So it simplifies the network um, by putting security provisions and operations in a unified management platform and it helps improve your security posture around moving towards zero trust and limits the appliance and vendor sprawl that you might ordinarily have in a in a existing network today. >>Okay, so that's kind of the business cases, you're consolidating a lot of piece parts and that's, you know, from a system integrator standpoint. You know, it's funny people often say, well, isn't that bad for the s I'm like, no, they don't want to be in the business of plumbing, they want to be in the business of, you know, more strategy if they if they just end up bolting stuff together, they're going to go out of business, They need to extend their value. So as a strategic partner, you got an early preview of this launch? The D S S D S S C X 10,000, what was your initial impression reaction you called it? A new category? What do you mean by that? >>Well, it's a new category of of of a data center switch in the digital infrastructure because it includes or incorporates security. Um And more specifically it includes security around east west traffic, which is it doesn't eliminate your perimeter firewall but it actually incorporates more functionality which leads to better simplicity and easier use of management of a platform. So for us, I'm really excited to go position and talk to our clients about this. >>Yes. So we're seeing the flattening of that network, that's even it's obviously been accelerated by the pandemic, everybody talks about that. But if you think about the traditional headquarter hierarchical network and now all of a sudden everybody's working remotely using more cloud. Using more distributed infrastructure that flattens the network. That creates security challenges because you can't just build a perimeter and say, okay, we're safe. You now have to go to where the adversary is and that's everywhere. So what's your sense as to how customers are going to react to this new category of switch? >>I think really my sense is that I've got a really positive outlook on this product. I mean hardware, firewalls are costly and deploying software agents can be very disruptive and when you're integrating it into the switch layer. So um I think the C X 10,000 provides a great alternative to an embedded accelerated services embedded in accelerate service into the D C fabric. Um, it's great for brownfield migration, um, rack pod and you know, and the standards based leaf, you know, L two, L three um, and it doesn't necessarily replace, as I mentioned earlier the perimeter security, but um, it can cap and grow with DSS and east west firewall traffic. >>Yeah. And I think we've seen when we talked to see so, so like you said, it does, it doesn't replace the traditional perimeter security but you're going to see a shift and spending priorities obviously to a comedy because as I said earlier, there's not infinite budget but john give us the big takeaway, Bring us home. What what, what do you want to leave our audience with? >>Yeah, I think, you know, the number one takeaway is that it's a massive opportunity to reduce complexity, enhanced security and lower costs in the data center by eliminating dedicated devices and embedding services through software capability in the network closer to where workloads are are moving. So that's the big takeaway for me and for, I think for our clients, um, you know, other things are, you know, you're the data center perimeter is no longer confined and open an on prem location but extends out, right. We're seeing customers extend out to the cloud and across uh, you know, disparate locations, co locations. So The traditional architecture isn't going to be well suited for this, and I think the CX- 10,000 and its feature set are going to be really great for addressing the changing market. >>Yeah, that's, that's all. I mean, again, we're seeing the democratization of everything and and networking is, is no exception. The notion of simplify simplification, john really appreciate your time. Thanks for coming on. >>Thank you for having me. >>You're welcome. Okay, keep it right. There were unpacking the changing trends in networking generally, and specifically switch networking with HP, Aruba and Pensando and the cube. Keep it right there.

>>Hi everyone. Welcome to the cubes coverage of eight of his public sector summit live in Washington D. C, where it's a face to face real event. I'm johN for a year host but virtual events. Hybrid events were hybrid event as well. We've got a great remote interview. Got a guest here in person, Jon Stankovic, president of cloud solutions. Smartronix and Britain was the VP of eight of his managed services, also known as A M. S with amazon web services, jOHN and jOHN and three johns here. Welcome to the cube remote >>in person. >>Hybrid. >>Thanks. Thank you. Great to be on the cube longtime viewer and I really appreciate what you >>do for fun to be here remotely but I feel like it right there. >>Yeah, I love the hybrid if it's only gonna get better next time will be in the metaverse soon. But uh, jOHn on the line there, I want to ask you with AWS managed services, take us through what you guys are doing with Smart Trust because this is an interesting service you guys are working together. How's that relates at the table for us. >>Yeah, well, you know, we're really excited about this announcement, We've been working with Smartronix since we launched A. M S 4.5 years ago. So we've been able to build up working with them, you know, a huge library of automation capabilities and this really just formalised as that in an offer for our joint customers where we can bring the expertise from AWS and Smartronix and offer a full solution that's highly integrated to help help our customers jointly accelerate their cloud adoption as well as their operating model transformation as they start to move to a more devops motion and they need help. We're there together to provide our expertise and make that simple for them. >>Well I appreciate the call. You john b john s over here. Js john Stankevich. Um tell me about Smart trust because you heard what's going on with devoPS to point a whole revolutions going on in devops, you're starting to see a highly accelerated modern application development environment which means that the software developers are setting the pace there, the pace car of the innovation, right? And so other teams like security or I. T. Become blockers. Blockers a drag and anchor. So the shift left on security for instance is causing a lot of problems on the security team. So all this is going on like right now so still the speed is the game. What's your take? >>Sure so absolutely. I think that's where this partnership really really excels. You know, we want customers to focus on their mission, you know, national security, health care outcomes. Um we want them to kind of take the rest off their plate. So when you say some of the quote unquote blockers around security uh Smartronix has invested heavily in a federally authorized platform that sits on top of what a WS has done from a Fed ramp and so right off the bat speed agility. We don't want our customers spending time replicating things that we've done at scale and leveraging what AWS has and so by kind of utilizing this, this joint offer all of a sudden a big part of that compliance is taken care of. Uh, and then things like devoPS, things like SRE models that you hear a lot about, we fold all that into this uh, combined service offering. >>I know a little about what you guys are doing. You mentioned SRE is very cool, but let's take a minute to explain what you guys are doing because you guys are on the cutting edge of solving a lot of problems from infrastructure fools around the deVOPS stack. What are you guys doing in the cloud services? >>Sure. So I think jOHN hit a little bit on it. But you know, we look at AMS as best in breed at scale managing core parts of the U. S. Infrastructure. What Smartronix does is many times customers have some unique requirements and we take that core kind of powered by aims and we try and fill in those kind of complementary skill sets and complementary requirements. And so something like the devops, which is basically making sure that those people developing that software, they have also the ability to manage it and on an ongoing basis. Kind of run it. We develop all the frameworks and that's part of this offering to enable that. >>What's the solution jOHN B because I think you guys don't, this is people have challenges. I want to understand those challenges. And then when they go to the external managed service, what's involved, you walk us through that? Because I think that's important. >>Yeah, sure. You know, it turns out jOHN nailed this one. That moving to the cloud can be, can be a big transformation for many, many enterprises and government teams. Right. They worked for many years and have an ecosystem in their traditional data center. But when they move to the cloud, there's a lot of moving pieces and so what we like to focus on is helping them with the undifferentiated aspects of safely and automating cloud operations. So working with, with Smartronix allows us to take what we're doing across the infrastructure services, around security, around automation, around patching instance management, container management, all of those uh, undifferentiated, heavy lifting passed by now with Smartronix and expertise across the application layer across customers, unique environments across federal and moderate the various government standards and compliance is, and we think we're able to get, take a customer um, from kind of really early stage cloud experience and rapidly deploy configure and get them into a very stable scalable posture operationally on the cloud so that they can start to invest in their people, their skills and their differentiated application on the cloud that really drive the differentiation in their business and not have to worry about best practice configurations and operational run books and, and and automation is and and and the latest dep sec ops capabilities that will pick up for them while they're training and getting, they're getting their emotions in place, >>jOHn is on the Smartronix side. Talk about the difference between scale okay. Which is a big issue with cloud these customers want to have with AMS but then you also have some scale, maybe some scale to but highly compliant environments, regulated industries, for instance, this is the hot areas because scale is unwieldy, but if you don't want get rain it in, it can be chaotic. Right? So also regulations and compliance is a huge issue. >>Yeah. What what we found is um, at times customers look at it and they just get frustrated because it can be kind of intimidating and we as a combined team really have spent a lot of time we have accelerators to walk customers through that process and a really flexible model. If they feel that they have a lot of domain expertise in it, then we'll just kind of be almost a supporter other customers look at it and say, you know, we'd like you to take the entire patch of that compliance and so highly regulated environments. Both commercial D. O. D. National Security, um federal civilian agencies, state and local, they're all looking to this and saying we really want someone that's been through things like the U. S. Audited managed service provider, things like they're managed security service provider, things like fed ramp or D. O. D. Ill four and five. And I think to be honest Smartronix has just invested heavily in that with the goal of reducing all that complexity and it's it's really been taken off and we really appreciate the partnership specifically with jOHn and uh the A. W. S. A. M. S. Team. >>All right so you guys were going together, what's the ultimate benefit to the customer? >>I can I'll give my thing right off the bat all this innovation coming out of A. W. S. Um It's fantastic but only if you have the ability to take advantage of it. And so thousands of new services being rolled out. We really want customers to be able to take advantage of that and let at times us do what we do best and let them focus on their mission. And I think that's what really AWS is all about and we just feel very fortunate to be an enabler of that >>john be talking about talking about the staffing issues too because one of the problems that we have been reporting and this has come up at every reinvest on the max. Peterson about this as well. He's promised last year was gonna train 29 million people. See how that comes out of reinvent when the report card comes back. I was kinda busting his chops a little bit there but he had a smile on his face I think is gonna hit the numbers a lot of times, Maybe people don't have an SRE they don't have a devout person or they have some staff that they're in transition or transforming this is a huge factor. What's your take on this, >>you know, that that is so important, you know, as john mentioned, it's all about helping the customers focused and and their their cloud talent is scarce and it's a scarce resource and you you want to make sure that your cloud talent is working on the cool stuff or they're going to leave and and as you train and skill, these folks, they want to focus on what really impacts the business, what's really differentiating doing, you know, doing the cloud and the necessities on operations and operational tasks and sec ops and things like that, sometimes, that's not the sexiest part of the work that the customer really wants to focus their team on. So again, I think together we're able to help drive high levels of automation and really do that day in and day out work that is not necessarily the differentiator of their business and that's going to attract and keep the best and brightest minds in these in these customers um which allows us to help them with the undifferentiated aspects of of the heavy lifting. >>Not only is availability of people, it's keeping the people, I love that great call out there, Okay, where does this go? Where's the relationship. So you guys are partnering, you have the M. S. Is going on? Strong managed services not gonna go away mormon people were using managed services. It's part of the ecosystem within the ecosystem. What's next in the relationship? >>Well, I think, you know, I'll speak first, john, I'm sure you've got some thoughts to, but you know, we've got so many things on our plate around predictive operations and the predictive capabilities that we're excited about tackling together. Obviously there's all sorts of unique applications that require even deeper capabilities and working with Smartronix to help us, you know, provide even greater insight into the application layer. So I kind of see us expanding um both horizontally as well as well as vertically and horizontally. We've got customers looking at the edge with the outpost solutions and we can snap into those capabilities as well. So there's a tremendous amount of kind of, I'd say vertical and horizontal opportunity that we can continue to expand it together, >>john your reaction, That's >>pretty right on Absolutely. I think john Berger really hit it and I think really machine learning, you know, that's a big area of focus, if you look at all this data is being collected, predictive modeling and so we have this kind of transition from a model where people were basically watching screens reacting and what the AWS MSP offer and what you know, AmS offers is really predicting, so you you're not doing that, you're not reacting, you're proactively ahead of things. And that's the honest truth is AWS is such a well run service. It just doesn't break, you know, it doesn't break like what you see in the traditional kind of legacy infrastructure. And so at times we're just continuing to climb that stack. As, as john mentioned, >>it's really interesting as you guys are, as you're talking, I'm thinking myself just go back a couple of years ago, eight years ago or so. DevoPS is a bad word. Dev's dominate up. So I was through them now, operational leverage is a huge part of this ai operations, um, the entire I. T service management being disrupted heavily by cloud operations that also facilitate rapid development models. Right? So, again, this is like under reported, but it's a really nuanced point hardened operations for security and not holding back the developers is the cloud scale. What's your guys reaction to that? >>Yeah, I completely agree. I think, you know, the automation piece of things and I think customers are still going through transitions. You know, traditionally managed services means a big staff and it's like I said, sitting there watching screens and you flip that model where you have developers actually deploying code and infrastructure to support it. It's, you know, it's very transitional and very transformative and I think that's where an offering, like what we've really partnered on really, really helps because at times it can be overwhelming for customers and we just want to simplify that. And as I've said, let them focus on their mission. >>Amen one last question before we break, because I was talking to another partner, a big part of AWS. Um, and we're talking about SAS versus solutions and sometimes if you're too Sassy, you're not really building a custom solution, but you can have the best of both worlds. A little professional services, maybe some headroom on the stack, if you will your building solutions. So the next question is, as you guys put this cutting edge innovative innovative solution together, how are your customers consuming it? Like what's the consumption? I'm assuming there must be happy because a lot of heavy lifting being taken away, they don't have to deal with house the contract process. >>Well, you know, I think, you know, we have the opportunity, we support customers and kind of all modes of their application stack. So, you know, a full stacks solution. You know, even a legacy architecture moving to the cloud requires a high degree of automation to support it. And then as those applications become modernized over time, they become much more cloud native at some point, they might even become a full stack Starzz offer. So many of our customers actually run their SAAS platform leveraging our capability as well. So, you know, I think it gives the customer a lot of optionality uh, and future kind of growth as they modernize their application stack. >>Yeah, john your reaction. Absolutely. >>I think one of the greatest benefits is it's freeing up funds to do mission work. And so instead of spending time procuring hardware and managing it and leasing data center space, they literally have more funding. And so we've seen customers literally transform their business because this piece of it's done more efficiently and they have really excess and really additional funding to do their mission. >>We love the business model innovation, faster um, higher quality, easy and inexpensive. That's the flywheel gentlemen, Thank you for coming on and get the three. John john thank you. Vice President Cloud Solutions. That Smartronix, thank you for coming on. John Barrington BP of amazon websites managed. There is a also known as AWS and A M. S. A W. S got upside down. W. M. Looks the same. Thank you guys for coming. I appreciate it. Thank you. We appreciate great great Cube covers here. eight of us summit we're live on the ground and were remote. It's a hybrid event. I'm John for your host. Thanks for watching. Mhm

>>Welcome back to the cubes coverage of AWS public sector summit live in Washington D. C. A face to face event were on the ground here is to keep coverage. I'm john Kerry, your hosts got two great guests. Both cuba alumni Shannon Kellogg VP of public policy for the Americas and john would ceo tell us congratulations on some announcement on stage and congressional john being a public company. Last time I saw you in person, you are private. Now your I. P. O. Congratulations >>totally virtually didn't meet one investor, lawyer, accountant or banker in person. It's all done over zoom. What's amazing. >>We'll go back to that and a great great to see you had great props here earlier. You guys got some good stuff going on in the policy side, a core max on stage talking about this Virginia deal. Give us the update. >>Yeah. Hey thanks john, it's great to be back. I always like to be on the cube. Uh, so we made an announcement today regarding our economic impact study, uh, for the commonwealth of Virginia. And this is around the amazon web services business and our presence in Virginia or a WS as we all, uh, call, uh, amazon web services. And um, basically the data that we released today shows over the last decade the magnitude of investment that we're making and I think reflects just the overall investments that are going into Virginia in the data center industry of which john and I have been very involved with over the years. But the numbers are quite um, uh, >>just clever. This is not part of the whole H. 20. H. Q. Or whatever they call HQ >>To HQ two. It's so Virginia Amazon is investing uh in Virginia as part of our HQ two initiative. And so Arlington Virginia will be the second headquarters in the U. S. In addition to that, AWS has been in Virginia for now many years, investing in both data center infrastructure and also other corporate facilities where we house AWS employees uh in other parts of Virginia, particularly out in what's known as the dullest technology corridor. But our data centers are actually spread throughout three counties in Fairfax County, Loudoun County in Prince William County. >>So this is the maxim now. So it wasn't anything any kind of course this is Virginia impact. What was, what did he what did he announce? What did he say? >>Yeah. So there were a few things that we highlighted in this economic impact study. One is that over the last decade, if you can believe it, we've invested $35 billion 2020 alone. The AWS investment in construction and these data centers. uh it was actually $1.3 billion 2020. And this has created over 13,500 jobs in the Commonwealth of Virginia. So it's a really great story of investment and job creation and many people don't know John in this Sort of came through in your question too about HQ two, But aws itself has over 8000 employees in Virginia today. Uh, and so we've had this very significant presence for a number of years now in Virginia over the last, you know, 15 years has become really the cloud capital of the country, if not the world. Uh, and you see all this data center infrastructure that's going in there, >>John What's your take on this? You've been very active in the county there. Um, you've been a legend in the area and tech, you've seen this many years, you've been doing so I think the longest running company doing cyber my 31st year, 31st year. So you've been on the ground. What does this all mean to you? >>Well, you know, it goes way back to, it was roughly 2005 when I served on the Economic Development Commission, Loudon County as the chairman. And at the time we were the fastest-growing county in America in Loudon County. But our residential real property taxes were going up stratospherically because when you look at it, every dollar real property tax that came into residential, we lose $2 because we had to fund schools and police and fire departments and so forth. And we realized for every dollar of commercial real property tax that came in, We made $97 in profit, but only 13% of the money that was coming into the county was coming in commercially. So a small group got together from within the county to try and figure out what were the assets that we had to offer to companies like Amazon and we realized we had a lot of land, we had water and then we had, you know this enormous amount of dark fiber, unused fibre optic. And so basically the county made it appealing to companies like amazon to come out to Loudon County and other places in northern Virginia and the rest is history. If you look today, we're Loudon County is Loudon County generates a couple $100 million surplus every year. It's real property taxes have come down in in real dollars and the percentage of revenue that comes from commercials like 33 34%. That's really largely driven by the data center ecosystem that my friend over here Shannon was talking. So >>the formula basically is look at the assets resources available that may align with the kind of commercial entities that good. How's their domicile there >>that could benefit. >>So what about power? Because the data centers need power, fiber fiber is great. The main, the main >>power you can build power but the main point is is water for cooling. So I think I think we had an abundance of water which allowed us to build power sources and allowed companies like amazon to build their own power sources. So I think it was really a sort of a uh uh better what do they say? Better lucky than good. So we had a bunch of assets come together that helps. Made us, made us pretty lucky as a, as a region. >>Thanks area too. >>It is nice and >>john, it's really interesting because the vision that john Wood and several of his colleagues had on that economic development board has truly come through and it was reaffirmed in the numbers that we released this week. Um, aws paid $220 million 2020 alone for our data centers in those three counties, including loud >>so amazon's contribution to >>The county. $220 million 2020 alone. And that actually makes up 20% of overall property tax revenues in these counties in 2020. So, you know, the vision that they had 15 years ago, 15, 16 years ago has really come true today. And that's just reaffirmed in these numbers. >>I mean, he's for the amazon. So I'll ask you the question. I mean, there's a lot of like for misinformation going around around corporate reputation. This is clearly an example of the corporation contributing to the, to the society. >>No, no doubt. And you think >>About it like that's some good numbers, 20 million, 30 >>$5 million dollar capital investment. You know, 10, it's, what is it? 8000 9000 >>Jobs. jobs, a W. S. jobs in the Commonwealth alone. >>And then you look at the economic impact on each of those counties financially. It really benefits everybody at the end of the day. >>It's good infrastructure across the board. How do you replicate that? Not everyone's an amazon though. So how do you take the formula? What's your take on best practice? How does this rollout? And that's the amazon will continue to grow, but that, you know, this one company, is there a lesson here for the rest of us? >>I think I think all the data center companies in the cloud companies out there see value in this region. That's why so much of the internet traffic comes through northern Virginia. I mean it's I've heard 70%, I've heard much higher than that too. So I think everybody realizes this is a strategic asset at a national level. But I think the main point to bring out is that every state across America should be thinking about investments from companies like amazon. There are, there are really significant benefits that helps the entire community. So it helps build schools, police departments, fire departments, etcetera, >>jobs opportunities. What's the what's the vision though? Beyond data center gets solar sustainability. >>We do. We have actually a number of renewable energy projects, which I want to talk about. But just one other quick on the data center industry. So I also serve on the data center coalition which is a national organization of data center and cloud providers. And we look at uh states all over this country were very active in multiple states and we work with governors and state governments as they put together different frameworks and policies to incent investment in their states and Virginia is doing it right. Virginia has historically been very forward looking, very forward thinking and how they're trying to attract these data center investments. They have the right uh tax incentives in place. Um and then you know, back to your point about renewable energy over the last several years, Virginia is also really made some statutory changes and other policy changes to drive forward renewable energy in Virginia. Six years ago this week, john I was in a coma at county in Virginia, which is the eastern shore. It's a very rural area where we helped build our first solar farm amazon solar farm in Virginia in 2015 is when we made this announcement with the governor six years ago this week, it was 88 megawatts, which basically at the time quadruple the virginias solar output in one project. So since that first project we at Amazon have gone from building that one facility, quadrupling at the time, the solar output in Virginia to now we're by the end of 2023 going to be 1430 MW of solar power in Virginia with 15 projects which is the equivalent of enough power to actually Enough electricity to power 225,000 households, which is the equivalent of Prince William county Virginia. So just to give you the scale of what we're doing here in Virginia on renewable energy. >>So to me, I mean this comes down to not to put my opinion out there because I never hold back on the cube. It's a posture, we >>count on that. It's a >>posture issue of how people approach business. I mean it's the two schools of thought on the extreme true business. The government pays for everything or business friendly. So this is called, this is a modern story about friendly business kind of collaborative posture. >>Yeah, it's putting money to very specific use which has a very specific return in this case. It's for everybody that lives in the northern Virginia region benefits everybody. >>And these policies have not just attracted companies like amazon and data center building builders and renewable energy investments. These policies are also leading to rapid growth in the cybersecurity industry in Virginia as well. You know john founded his company decades ago and you have all of these cybersecurity companies now located in Virginia. Many of them are partners like >>that. I know john and I both have contributed heavily to a lot of the systems in place in America here. So congratulations on that. But I got to ask you guys, well I got you for the last minute or two cybersecurity has become the big issue. I mean there's a lot of these policies all over the place. But cyber is super critical right now. I mean, where's the red line Shannon? Where's you know, things are happening? You guys bring security to the table, businesses are out there fending for themselves. There's no militia. Where's the, where's the, where's the support for the commercial businesses. People are nervous >>so you want to try it? >>Well, I'm happy to take the first shot because this is and then we'll leave john with the last word because he is the true cyber expert. But I had the privilege of hosting a panel this morning with the director of the cybersecurity and Infrastructure Security agency at the department, Homeland Security, Jenness easterly and the agency is relatively new and she laid out a number of initiatives that the DHS organization that she runs is working on with industry and so they're leaning in their partnering with industry and a number of areas including, you know, making sure that we have the right information sharing framework and tools in place, so the government and, and we in industry can act on information that we get in real time, making sure that we're investing for the future and the workforce development and cyber skills, but also as we enter national cybersecurity month, making sure that we're all doing our part in cyber security awareness and training, for example, one of the things that are amazon ceo Andy Jassy recently announced as he was participating in a White house summit, the president biden hosted in late august was that we were going to at amazon make a tool that we've developed for information and security awareness for our employees free, available to the public. And in addition to that we announced that we were going to provide free uh strong authentication tokens for AWS customers as part of that announcement going into national cybersecurity months. So what I like about what this administration is doing is they're reaching out there looking for ways to work with industry bringing us together in these summits but also looking for actionable things that we can do together to make a difference. >>So my, my perspective echoing on some of Shannon's points are really the following. Uh the key in general is automation and there are three components to automation that are important in today's environment. One is cyber hygiene and education is a piece of that. The second is around mis attribution meaning if the bad guy can't see you, you can't be hacked. And the third one is really more or less around what's called attribution, meaning I can figure out actually who the bad guy is and then report that bad guys actions to the appropriate law enforcement and military types and then they take it from there >>unless he's not attributed either. So >>well over the basic point is we can't as industry hat back, it's illegal, but what we can do is provide the tools and methods necessary to our government counterparts at that point about information sharing, where they can take the actions necessary and try and find those bad guys. >>I just feel like we're not moving fast enough. Businesses should be able to hack back. In my opinion. I'm a hawk on this one item. So like I believe that because if people dropped on our shores with troops, the government will protect us. >>So your your point is directly taken when cyber command was formed uh before that as airlines seeing space physical domains, each of those physical domains have about 100 and $50 billion they spend per year when cyber command was formed, it was spending less than Jpmorgan chase to defend the nation. So, you know, we do have a ways to go. I do agree with you that there needs to be more uh flexibility given the industry to help help with the fight. You know, in this case. Andy Jassy has offered a couple of tools which are, I think really good strong tokens training those >>are all really good. >>We've been working with amazon for a long time, you know, ever since, uh, really, ever since the CIA embrace the cloud, which was sort of the shot heard around the world for cloud computing. We do the security compliance automation for that air gap region for amazon as well as other aspects >>were all needs more. Tell us faster, keep cranking up that software because tell you right now people are getting hit >>and people are getting scared. You know, the colonial pipeline hack that affected everybody started going wait a minute, I can't get gas. >>But again in this area of the line and jenny easterly said this this morning here at the summit is that this truly has to be about industry working with government, making sure that we're working together, you know, government has a role, but so does the private sector and I've been working cyber issues for a long time to and you know, kind of seeing where we are this year in this recent cyber summit that the president held, I really see just a tremendous commitment coming from the private sector to be an effective partner in securing the nation this >>full circle to our original conversation around the Virginia data that you guys are looking at the Loudon County amazon contribution. The success former is really commercial public sector. I mean, the government has to recognize that technology is now lingua franca for all things everything society >>well. And one quick thing here that segues into the fact that Virginia is the cloud center of the nation. Um uh the president issued a cybersecurity executive order earlier this year that really emphasizes the migration of federal systems into cloud in the modernization that jOHN has worked on, johN had a group called the Alliance for Digital Innovation and they're very active in the I. T. Modernization world and we remember as well. Um but you know, the federal government is really emphasizing this, this migration to cloud and that was reiterated in that cybersecurity executive order >>from the, well we'll definitely get you guys back on the show, we're gonna say something. >>Just all I'd say about about the executive order is that I think one of the main reasons why the president thought was important is that the legacy systems that are out there are mainly written on kobol. There aren't a lot of kids graduating with degrees in COBOL. So COBOL was designed in 1955. I think so I think it's very imperative that we move has made these workloads as we can, >>they teach it anymore. >>They don't. So from a security point of view, the amount of threats and vulnerabilities are through the >>roof awesome. Well john I want to get you on the show our next cyber security event. You have you come into a fireside chat and unpack all the awesome stuff that you're doing. But also the challenges. Yes. And there are many, you have to keep up the good work on the policy. I still say we got to remove that red line and identified new rules of engagement relative to what's on our sovereign virtual land. So a whole nother Ballgame, thanks so much for coming. I appreciate it. Thank you appreciate it. Okay, cute coverage here at eight of public sector seven Washington john ferrier. Thanks for watching. Mhm. Mhm.

>>mhm. Here live in Washington D. C. For two days of wall to wall coverage. I'm john for your host of the cube. Got two great guests here, constant Thompson V. P. Of diversity equity inclusion program at a core american council of renewable energy and Blair Anderson, director of public policy industries at AWS. Thanks for coming on the cube. Thanks for having us. So first of all, big announcement on stage max Peterson, head of public sector announced some big news with a core. Tell us what it >>is. Well we are going to be partnered with amazon to do a supply chain study on how we can best diversify the renewable energy supply chain. So we're actually gonna have baseline data on where we should start to be able to create a program that's going to be a model for the renewable energy industry on how to develop and support the success of black women and bipac owned um firms. So >>this program that you're running accelerate accelerate your programs and membership tell more has it worked? And why the successes having, what is amazon's relationship with it Besides funding? Is there other things you can talk about? >>Yeah. So accelerate wouldn't have been possible if it wasn't for people like Shannon Kellogg with a W. S. Um who about a year ago after the George Floyd murders said, you know, what are we doing as a core? He sits on our board um in this area and we had to say nothing. So um Shannon. And a group of leaders got together and workshop this idea. Let's create a membership program for women and minority owned businesses so that they can be successful in renewable energy. Let's pick a cohort and let's do whether it takes to make them successful. Everything from introducing them to business connects, to mentoring them to even legal services for them. >>Well, yeah, this is like an interesting dynamic. Remember Andy Jassy was on stage when he was the ceo of a W S a year ago, I kind of was preaching, you hate that, I said that word, but preaching to the audience build, build, build, there's an entrepreneurship, public sector vibe going on right now, very entrepreneurial across every industry. I mean, this is a real thing that's going on. >>Yeah, so we're super excited about this opportunity, the work that core has done to lead on this program for the last year, especially with Constance coming in, becoming the leader has kind of been able to take this idea that she mentioned that AWS was kind of a founding member at the genesis of it about a year ago. She's taking this idea that many of these folks put on paper And been able to turn it into a really hard substantive efforts to move it forward. So we've been able to have great conversations with many of these 15 companies that have been brought into the program and start building a relationship with them. I think, as you have seen around a WS like we believe strongly in innovation and creativity. the renewable energy industry is very similarly there is a lot of kind of thinking big and innovative spirit that needs to take place in that space and having the diversity at all levels of these companies is kind of an important component to be able to move that entrepreneurship forward. >>You know, cost is one of the things that we've been reporting on until getting on the cube is right in the wheelhouse of what you're doing is a cultural change happening. And that cultural change with amazon and cloud computing is causing structural changes which are opportunities like radical structural changes. So that means old incumbent, the old guard as you guys call it, this can be replaced not because people hate them because they're inadequate. So you start to see this kind of mindset shift, entrepreneurial, impact oriented I can make a change but actually I can level up pretty quick because the people in charge don't know cloud, I mean I hate to put it bluntly like that, but if you're not on that edge, if you're not not on that wave, your driftwood. >>Yeah. You know it's funny you say that I like to call it, our members are making systemic disruptions to the system in a very equitable way, meaning our members are in communities like Chicago Jackson Tennessee there in the north end of texas, they are in um everywhere and they're in the communities, making these systemic disruptions to the way things happen, the way we talk about renewable energy to the way we deploy solar, they're making those kind of changes. So to your point they're doing it, we have to catch up to them because they're already out there, they're moving their entrepreneurial, >>it's like, it's like there's a class of entrepreneurship and evolving and it's like everyone's got the pedigree, this or that knowledge is knowledge and you can apply it in software, you could be shrink wrapped software you put on the shelves called shelf where no successful inventory, give it back cloud computing. If you're not successful. Like right now it's not working. So if you don't have results, no one bought it, it must not work. So it's easy to identify what's working. Yes, so that eliminates a lot of dogma, a lot of weird blocking. It's true, this is a democratization of >>absolutely, I think you're talking about transparency and transparency is one of the tenets of inclusion. If you're truly doing things to be inclusive, transparent and that's where you see the changes, that's exactly what you're talking >>about data driven. That's one thing I love about this data world data is now part of like how apps are built, it's not like a database, then you go fetch a file data is now transparently available. If you know what to look for it if it's available. So the whole old silo mentality, this is one of the amazon strength blair you guys are doing. So I have to ask how is this translating out in the public policy world because you know, when you can make this kind of change quicker, you're gonna have some wins under your belt. Yeah, you gotta double down on those. I >>think, I think there's a lot of transformation we're talking about in this conversation. You take kind of one of the missions we're talking about here, which is around clean energy and the expansion of clean energy, Aws and Amazon. We have procured 10 gigawatts of renewable power and making us the largest corporate procure globally, to kind of put that in maybe a little bit more approachable context, that's the equivalent of powering 2.5 million homes. Um and there's still farther to go to be able to meet that kind of think big that is happening in the industry right now, you have to have a broad, diverse industry to be able to reach all those communities to be, have kind of all types of different leaders in it, because we need everybody at the table both for the industry, but also for the communities that are being served. >>What does sustainability mean to you? Because this is a core focus, I know the energy things huge, but it's not obvious to some people, but it's getting better. What are the what's the core 10ets behind the sustainability strategy? >>Yeah, no, I think there's a lot of different ways you can take a stab at that for us. It's uh probably most uh out there in the public that people talk about is our climate pledge. This is kind of a um goal that we've set to be uh net zero carbon by 2040 which is 10, 10 years ahead of the paris Climate change within that. There are components of that that are related to electric vehicles, clean energy, renewable energy procurement, carbon offset programs around the world. I think throughout all of that is kind of coming back to, as you said, with sustainability and approaching climate change as a as an issue that needs a comprehensive holistic approach to talk >>about some of the stories and the members that you have because is the recruiting strategy climate change? Or is there another like how do you because renewable energy could be a no brainer, but how to get people excited? Like save the world. What's the what's the what's the, what are people aligning with then? What's their reaction? So, >>You know, it's very simply the way we see with our members, most of our members, 87% of them are in the solar area. Many of them when we talk about sustainability, how can people live their lives in a way where they save money on their energy bills? How can communities understand how they can harness their own renewable energy, make a little money from that, but also live their lives in a very peaceful, sustainable, peaceful, sustainable way. Right, so that's part of it as an example, a couple of examples is that we have um 548 capital is a member company. And keep in mind that these are early startup companies. 5 48 capital is in Chicago and their models started off with we want all homes in our communities and these are places in the hood, some of them um son text works with people, it works with spanish speaking customers solely in texas where they explain to them the benefits of renewable energy. They explain the benefits of a sustainability and what it is. I mean that's so that's kind of what we're looking >>at here is just kind of show up and just kind of telling the truth >>exactly and show them the benefits that they've kind of not been leading on. Actually. The other thing is that this is about economics. So this renewable energy movement that we're going through is about economics. It is a it's our next wave of being able to ensure americans are able to live lives in a in a way that's meaningful economic. >>Well you've got visibility on the unit economics event good energy. There's also a community angle. >>Yes, absolutely. >>About some of those stories around the community response to this idea, wow this actually is gettable. Yeah, we >>solar is one of our members and it's owned by the first female community solar own company out of. She's out of Baltimore but she has a solar farm here in D. C. And what she did was was engaged churches in how can you get involved in this renewable energy movement? How can you save money? How can you create a community around around this work? We sold as an example of that um son text, I have to mention them again. They speak with they work with only spanish speaking customers who had no clue about this and who are now making having their lives live better because of it, >>you know, affecting change is hard now you've got a tailwind with structural change in systemic opportunities there. What are the blockers? What are the blockers right now? Is an awareness, is it participation community? >>I'm sorry, it's your show and I've >>interrupted, you know, >>we talk about entrepreneurs in the space, particularly women and those from bipod communities. The first thing that you'll hear is they'll say we don't have access to capital people. The terms around getting capital to start up are tough and their barriers there's so that's one the second is awareness and that's awareness of introducing them to companies that might want to do business with them. So that's something that's a benefit for a core occurs. Members are all people who touch every renewable energy transaction from the finances to the developers to the to the buyers. So this is what makes it unique. So what we're doing with accelerate is breaking down the barriers of access to capital by introducing them to people who can potentially support their work but also introducing them to companies that can help them be a part of their supply chain, which is why the study that max announced is amazing because we're going to be able to have baseline data on what, what are the demographics of the supply chain in the renewable energy and what can we do about it? And we're gonna scale accelerate to be a model for the industry >>and that's the transparency angle. Get the baseline, understand this is classic Amazonian thinking, get the baseline, raise the bar, >>you can see why you get >>so OK, so a lot of great stories, how do people get involved? Obviously amazon is taking the lead leadership role here. What can people do to get involved? >>So if you want to support the program as amazon is a corn dot org accelerate or Thompson at a core dot org. That's my email address. If you'd like to become a member company and accelerate program will be opening up applications towards the latter part of this year november december again a core dot org slash accelerate >>renewable energy. What's the coolest thing you've seen so far in your programme around neutral energy um, could be story, it could be people story could be tech story. What's the coolest thing you've seen spot there? Yeah, you really did. You >>know, I think we have a company called clear look, that's a member there out of Jackson Tennessee and they're actually working with retailers are renewable energy credits to create, to create renewable energy farms in their area. And I, what I think is so cool is that she's disrupting the way that you go about using renewable energy credits. Clear loop dot org. Look them >>up in the new york times. Had a story. I'm just reading California other areas. We have a high density of electric vehicles, it's training the power grid. So this idea of coming in, come back is what it's not sure yet. It's not, this is kind of where it's going. So okay, what's the cool thing you've seen? >>No, for me, I've just enjoyed kind of, I've enjoyed the journey. I think the moment for me where I could see that this was real and this was going to be a impactful program constants organized. It's called a speed dating, a virtual speed dating for us with about eight different companies and it was fascinating to get on, spend some time being able to interact with eight different companies. Um, who we probably would not have ever had kind of introduction to before in the past either. They didn't know how to get in touch with us. We didn't know how to get in touch with them and it kind of opens your eyes to all the different ways. People are approaching this problem and starts the executives who I had in these colors. You can see their wheels spinning the ideas sparking of oh there's some cool ideas here. There's something new that we could do. We should explore further. Nothing I can announce at the moment but lots of lots of good uh I'm >>sure the baseline max got baseline studies. I'm sure there will be a lot of doubling down opportunities on success or not success because you want to have the data, you know what to work on. Its true cause a great mission. I'm really impressed. Congratulations. Thank you announcement and love the programme. Thank you. Take a minute to give a plug anyone or public >>thanks Shannon Kellogg. Shannon was really behind it. He's a member of our board represents a W. S. And was really behind, we gotta do something. It's got to be unique and it's got to be something intentional. And here we are today I want to give a >>great opportunity. Thanks for coming in, appreciate it. Thank you for having more cube coverage here from Washington D. C. Amazon web services, public Sector summit. An event in person where people are face to face. This is great stuff is the cube right back after this short break. Mhm. Mhm. Mhm

>>from the cube studios in Palo alto >>in boston >>connecting with thought leaders all around the >>world. This >>is a cute conversation. Hello and welcome to today's session of the AWS Global Public sector Partner Awards. I'm your host Natalie ehrlich. Today we're going to focus on the following award for best partner transformation. I'm pleased to introduce our guests, josh door smith, vice president of public sector at Effectual and jeremy Yates, deputy technology architect at jenny May. Welcome gentlemen so glad to have you on our show. >>Hi there. Very nice to be here. Thank you so much for having me >>terrific. Well josh, I'd like to start with you. How can companies leverage cloud native solutions to deliver higher quality services? >>So Natalie, that's a great question. And in the public sector and our our government customers, we run into this all the time. It's kind of our bread and butter. What what they can do is the first thing they need to be aware of is you don't have to be afraid of the cloud as some very obscure technology that is just emerging. It's been out for 10, 11 years now, customers across government space are using it lock stock and barrel to do everything from just managing simple applications, simple websites all the way through hosting their entire infrastructure, both in production and for disaster recovery purposes as well. So the first thing to note is just don't be afraid of the cloud. Um secondly, it's, it's imperative that they select the right partner who is able to kind of be there Sherpa to go into however far they want to dip their toe into the, into the proverbial cloud waters. Um to select somebody who knows whatever it is that they need to go do. So if they want to go Aws as we are talking about today, pick a partner who has the right experience, past performance designations and competencies with the cloud that they're interested in. >>Terrific. Well, you know, Jeremy, I'd love to move to you. What does modern modernization mean to jenny May? >>Sure, Thanks Natalie, great to be here. Thanks josh as well, you know. So for jenny May, modernization is really, it's not just technology is holistic across the organization. So that includes things like the business, um not just you know, the the I. T. Division. So we're looking at the various things to modernize like our culture and structural changes within the organization. Um moving to implement some, some proven practices like def sec ops and continuous integration and continuous delivery or deployment. Uh and then, you know, our overall overarching goal is to give the best and most secure technology to the business that we can to meet the Jeannie Mai mission and the needs of our customers >>terrific. Well josh, how is Effectual planning to support jenny Maes modernization plans? >>So we have been supporting jenny May for about 14 months now. Uh and back in september of last year, we rewarded a co prime 10 year contract for Jeannie Mai to do exactly that. It's to provide all things cloud to Jeannie Mai for 10 years on AWS and that's including reselling AWS. That's including providing all sorts of professional services to them. And it's, it's providing some third party software applications to help them support their applications themselves. So what Effectual is doing is kind of a threefold. We are supporting the modernization of their process, which jeremy mentioned a moment ago and that includes in stan shih ating a cloud center of Excellence for jenny May, which enables them to modernize the way they do cloud governance while they're modernizing their technology stack. We're also providing a very expert team of cloud architects and Dempsey cops engineers to be able to, to design the Jeannie Mai environment, collaborating with our co prime uh to ensure that it meets the security requirements, the compliance requirements that jerry mentions. Uh, Jeannie Mai is a federal entity, but it also has to adhere to all the finance industry uh compliance requirements as well. So very strenuous from that perspective. And then the third thing that we're doing to help them kind of along their modernization journey is in stan shih aging infrastructure as code. So in the cloud, rather than building everything in the AWS management console, we script everything to build it automatically, so it improves consistency, it improves the customer experience regardless of which resource is working on it. And it improves disaster recovery capability as well. And also, just quite frankly, the speed by which they can actually deploy things. >>And jeremy, how is this transition helping your security really enhancing it now? >>Uh From a security perspective we're implementing a number of various tools um both, you know, a W. S based as well as other software that josh mentioned. Um So we're able to utilize those in a more scalable manner than we could previously in the traditional data center. Um we've got a number of things such as we're looking at multiple vulnerability management products like 10 of Ohio and Wallace. Um we're using uh tools such as Centra fi for our our pam or privileged access management capabilities. Um Splunk a pretty industry standard. Um software for log and data correlation and analysis um will also be using that for some system and application monitoring. Um as well as uh the Mcafee envision product for endpoint and other cloud service security. So being able to pull all those in in a more scalable and more cost efficient way as well from cloud based services. Uh, it's really helped us be able to get those services and integrate them together in a way that, you know, we may not previously been able to. >>Yeah, terrific. Well, josh, let's move back to you and talk further about compliance. You know, any insight here, how Effectual is building a modern cloud infrastructure to integrate AWS services with third party tools to really achieve compliance with the government requirements. Just any further insight on that >>front? That's a great question. Natalie and I'm gonna tag team with Jeremy on this one if you don't mind, but I'll start off so jenny may obviously I mentioned earlier has federal requirements and financial requirements so focused right now on on those federal aspects. Um, so the tools that Jeremy mentioned a moment ago, we are integrating all of them with a W. S native meaning all of the way we do log aggregation in the various tools within AWS cloudwatch cloud trail. All of those things were implementing an AWS native, integrating them with Splunk to aggregate all of that information. But then one of the key requirements that's coming up with the federal government in the very near future is tick three dot or trusted internet connection. Basically in the first iteration a decade or so ago, the government wanted to limit the amount of points of presence that they have with the public facing internet fast forward several versions to today and they're pushing that that onus back on the various entities like jenny May and like hud, which Jeannie Mai is a part of but they still want to have that kind of central log repository to where all of the, all of the security logs and vulnerability logs and things like that. Get shipped to a central repository and that will be part of DHS. So what effectual has done in partnership with jenny May is create a, a W. S native solution leveraging some of those third party tools that we mentioned earlier to get all of those logs aggregated in a central repository for Ginny MaE to inspect ingest and take action from. But then also provide the mechanism to send that to DHS to do that and correlate that information with everything coming in from feeds across the government. Now that's not required just yet. But we're future proofing jenny Maes infrastructure in order to be able to facilitate adherence to those requirements when it becomes uh required. Um, and so jeremy, I'll pass it over to you to talk a little bit further about that because I know that's one of the things that's near and dear to your sister's heart as well as jenny may overall. >>Yeah, absolutely. Thanks josh. Um, so yeah, we, as you mentioned, we have implemented um, uh, sort of a hybrid tech model right now, um, to to handle compliance on that front. Um, so we're still using a, you know, some services from the legacy or our existing T two dot x models. That that josh was mentioning things such as m tips, um, uh, the Einstein sensors, etcetera. But we're also implementing that take 30 architecture on our own. As josh mentioned that that will allow us to sort of future proof and and seamlessly really transitioned to once we make that decision or guidance comes out or, you know, mandates or such. Um, so that effort is good to future proof house from a compliance perspective. Um, also, you know, the tools that I mentioned, uh, josh reiterated, those are extremely important to our our security and compliance right. Being able to ensure, you know, the integrity and the confidentiality of of our systems and our data is extremely important. Not both, not just both on the r not only on the government side, but as josh mentioned, the finance side as well. >>Terrific. Well, I'd love to get your insight to on AWS workspaces. Um, if either one of you would like to jump in on this question, how did they empower the jenny May team to work remotely through this pandemic? >>That's a great question. I guess I'll start and then we'll throw it to jeremy. Um, so obviously uh effectual started working with jenny May about three weeks after the pandemic formally started. So perfect timing for any new technology initiative. But anyway, we, we started talking with Jeremy and with his leadership team about what is required to actually facilitate and enable our team as well as the government resources and the other contractors working for jenny May to be able to leverage the new cloud environment that we were building and the very obvious solution was to implement a virtual desktop infrastructure uh type solution. And obviously Jeannie Mai had gone all in on amazon web services, so it became the national natural fit to look first at AWS workspaces. Um, so we have implemented that solution. There are now hundreds of jenny May and jenny make contractor resources that have a WS workspaces functioning in the GovCloud regions today and that's a very novel approach to how to facilitate and enable not only our team who is actually configuring the infrastructure, but all the application developers, the security folks and the leadership on the jenny may side to be able to access, review, inspect, check log etcetera, through this remote capability. It's interesting to note that Jeannie Mai has been entirely remote since the pandemic initiated. Jeremy's coming to us from, from west Virginia today, I'm coming to us from national harbor Maryland And we are operating totally remotely with a team of 60 folks about supporting this specific initiative for the cloud, not to mention the hundreds that are supporting the applications that Jamie runs to do its day to day business. So jeremy, if you wouldn't mind talking about that day to day business that jenny may has and, and kind of what the, the mission statement of Jeannie Mai is and how us enabling these workspaces uh facilitates that mission >>or you know, so the part of the overall mission of jenny Maes to, to ensure affordable housing is, is made available to uh, the american public. Um that's hud and, and jenny may as part of that and we provide um mortgage backed securities to help enable that. Um, so we back a lot of V A. Loans, um, F H A, those sort of loans, um, workspaces has been great in that manner from a technology perspective, I think because as you mentioned, josh, it's really eliminated the need for on premise infrastructure, right? We can be geographically dispersed, We can be mobile, um, whether we're from the east coast or west coast, we can access our environment securely. Uh, and then we can, you know, administer and operate and maintain the technology that the business needs to, to fulfill the mission. Um, and because we're able to do that quickly and securely and effectively, that's really helpful for the business >>Terrific. And um, you know, I'd like to shift gears a bit and uh you know, discuss what you're looking ahead toward. What is your vision for 2021? How do you see this partnership evolving? >>Yeah, you >>Take that 1/1. >>Sure. Yeah. Um you know, definitely some of the things we look forward to in 2021 as we evolve here is we're going to continue our cloud journey um you know, through practices like Deb said cops, you realize that uh that journey has never done. It's always a continual improvement process. It's a loop to continually work towards um a few specific things or at least one specific thing that we're looking forward to in the future, as josh mentioned earlier was our arctic three Oh Initiative. Um, so with that we think will be future proofed. Um as there's been a lot of um a lot of recent cyber security activity and things like that, that's going to create um opportunities I think for the government and Jeannie Mai is really looking forward to to leading in that area. >>Mhm and josh, can you weigh in quickly on that? >>Absolutely. Uh First and foremost we're very much looking forward to receiving authority to operate with our production environment. We have been preparing for that for this last year plus. Uh but later on this summer we will achieve that 80 oh status. And we look forward to starting to migrate the applications into production for jenny May. And then for future proof, it's as jerry jerry mentioned, it's a journey and we're looking forward to cloud optimizing all of their applications to ensure that they're spending the right money in the right places uh and and ensuring that they're not spending over on any of the one given area. So we're very excited to optimize and then see what the technology that we're being able to provide to them will bring to them from an idea and a conceptual future for jenny may. >>Well thank you both so very much for your insights. It's been a really fantastic interview. Our guests josh duggar smith as well as jeremy Gates. Really appreciate it. >>Thank you very much. >>Thank you so much. >>Terrific. Well, I'm your host for the cube Natalie or like to stay tuned for more coverage. Thanks so much for watching.